PublicKey Cryptography

1
Lecture 6

• Public-Key Cryptography

2
This Week

• Public Key Cryptography
• Cryptography based on Factoring
• Cryptography based on Discrete Logarithm
• Secret Sharing
• Timestamping
• One-Time Signatures

3
Public Key Encryption
x
Plaintext
Encryption
Decryption
Plaintext
Y
x
Ek
Dk

• YeK(x) and xdK(Y)
• It is computationally infeasible to compute Dk
  from Ek.

4
Trapdoor One-Way Function

• ONE-WAY PROPERTY The public encryption function
  should be easy to compute however computing the
  inverse function (decryption) should be hard (for
  anyone other than the owner of the private key).
• Here is an example of a function which is
  believed to be one-way
• n is the product of two large primes p and q and
  let e a positive integer.
• Is this function sufficient to construct a public
  key cryptosystem?

5
Trapdoor (contd)

• Finding a one-way function is not sufficient to
  construct a public key cryptosystem.
• We do not want eK to be a one-way for the private
  key owner. Thus it is necessary he possesses a
  trapdoor, which consists of secret information
  that permits easy inversion of eK.
• When we find a trapdoor for the function f
  defined in the previous slide, this will lead to
  RSA Cryptosystem.

6
RSA (Key Generation)

• RSA gets its security from the difficulty of
  factoring large numbers.
• To generate the two keys, choose two large random
  prime numbers p and q. Compute the product npq
• Then randomly choose the encryption key e such
  that e and (p-1)(q-1) are relatively prime.
• Finally use the extended Euclidean algorithm to
  compute the decryption key d, such that
• The numbers e and n are the public key the
  number d is the private key.

7
RSA (contd)

• To encrypt a message m, first divide it into
  numerical blocks smaller than n. The encryption
  formula is simply
• To decrypt a message, take each encrypted block
  and compute
• Since

8
RSA Signatures

• Encryption and decryption commute, therefore RSA
  decryption of a message with added redundancy
  forms a signature.
• Anyone can verify the signature with the public
  key by testing whether after encryption the
  redundant part is intact.

9
Digital Signature

• Three security services it provides
• Authentication assurance of the identity of the
  signer.
• Integrity assurance that the message is not
  altered after it is signed.
• Non-repudiation blocking a senders false denial
  that he or she signed a particular message, thus
  enabling the receiver to easily prove that the
  sender actually did sign the message.

10
Digital Signatures
11
Homomorphism

• Neither RSA encryption nor signature is safe to
  use on its own.
• The reason is that encryption being an algebraic
  process, it preserves certain algebraic
  properties.
• For example if M1 M2M3 then C1 C2C3 and Sig1
  Sig2Sig3 (multiplicative homomorphism).
• There are a number of standards that try to stop
  attacks based on this property.

12
Discrete Logarithm Problem

• A primitive root modulo p is a number whose
  powers generate all the nonzero numbers mod p.
• For example 5 is a primitive root modulo 7.
• This means that given any y, we can always solve
  the equation y5x mod 7.
• Small examples can be solved by inspection, but
  for large prime number p, we do not know how to
  do this computation.
• So the mapping f x?gx mod p is a one-way
  function.

13
Diffie-Hellman Key Exchange
Source Dr. Kuhns notes
14
ElGamal Encryption
Source Dr. Kuhns notes
15
ElGamal Signature
Source Dr. Kuhns notes
16
Elliptic Curves

• So far we have considered the Discrete Logarithm
  problem in the finite field Zp, but it is also
  possible to consider the problem in other
  settings.
• We can implement existing public key algorithms
  including Diffie-Hellman using elliptic curves.
• The idea is essentially the same but the
  implementation is more complex.
• The benefit of using elliptic curves is shorter
  key sizes for the same level of security.

17
Selecting Key Size
From ECRYPT 2005 Report (see www.keylength.com)
18
Special-Purpose Signatures

• Blind Signatures Making signatures on a message
  without knowing what the message is.
• Possible application is e-cash.
• Threshold signatures Signing key can be split up
  among n principals so that any k out of n can
  sign a message.
• For kn the construction is easy.
• To implement business rules such as
• a check may be signed by any two of the seven
  directors.

19
Secret Sharing

• Adi Shamir uses polynomial equations in a finite
  field to construct a threshold scheme.
• Choose a prime p, which is both larger than the
  number of possible shadows and larger than the
  largest possible secret M.
• To share a secret, generate an arbitrary
  polynomial of degree m-1. For example if you want
  a (3,n)-threshold scheme (three shadows are
  necessary to reconstruct M), generate a quadratic
  polynomial
• The shadows are obtained by evaluating the
  polynomial at n different points

20
Timestamping

• In many situations, people need to certify that a
  document existed on a certain date.
• One solution based on one-way hash functions and
  digital signatures is as follows
• The originator produces a one-way hash of the
  document.
• He transmits the hash to trusted timestamping
  service (TTS).
• TTS appends the date and time he received the
  hash onto the hash and then digitally signs the
  result.
• TTS sends the signed hash with timestamp back to
  the originator.
• What might be the problem here?

21
One-time Signatures (OTS)

• Offers a viable alternative to public-key
  signatures.
• Secure
• Not depend on the difficulty of a mathematical
  problem.
• Efficient
• Based only on one-way functions.

22
One-time Signatures (contd)

• A message sender prepares for a digital signature
  by generating a random number r, which is
  retained as the private value.
• He then securely distributes the hash of r,
  h(r), where h is a hash function this represents
  the public value and is used by receivers as the
  signature certificate to verify the signature.
• The signature is sent by distributing the value
  r itself.
• Receivers verify that this message could only be
  sent by the sender by applying h to r to get
  h(r).
• In order to sign any 1-bit value, two random
  numbers (r1, r2) are needed this way, both h(r1)
  and h(r2) are pre-distributed but at most one of
  (r1,r2) is revealed as a signature.

23
Signing An Arbitrary-Length Message

• p out of n random numbers are sufficient to sign
  a b bit length message if the following
  inequality holds for a given n and p

24
Using OTS More Than Once

• One-Time Signatures has the well-known
  deficiency only one signature can be generated
  per one public key.
• Solutions
• On-line/Off-line Signatures
• Merkles Tree
• Problem Increased lengths of signatures
• Hash Chains
• Another method
• Server Assisted One-Time Signatures (SAOTS)

25
SAOTS - Setup

• Each user registers to a server, generates a
  one-time private key (random numbers) and a
  one-time public key (hash values).
• In a secure fashion, he distributes the one-time
  public key to the server.
• The server obtains a public key certificate from
  a CA for each registered user (if transparent
  SAOTS is used).

26
SAOTS - Operation
Originator
Receiver 1
VS
Receiver 2