UNIT III 3.1DISCRETE LOGARITHMS

Transcription

1 UNIT III Discrete Logarithms Computing discrete logs Diffie-Hellman key exchange ElGamal Public key cryptosystems Hash functions Secure Hash - MD5 Digital signatures RSA ElGamal Digital signature scheme. 3.1DISCRETE LOGARITHMS Discrete logarithms are fundamental to a number of public-key algorithms, including Diffie- Hellman key exchange and the digital signature algorithm (DSA). Discrete logs (or indices) share the properties of normal logarithms, and are quite useful. As with ordinary positive real numbers, the logarithm function is the inverse of exponentiation. The logarithm of a number is defined to be the power to which some positive base (except 1) must be raised in order to equal that number. If working with modulo arithmetic, and the base is a primitive root, then an integral discrete logarithm exists for any residue. However whilst exponentiation is relatively easy, finding discrete logs is not, in fact is as hard as factoring a number. This is an example of a problem that is "easy" one way (raising a number to a power), but "hard" the other (finding what power a number is raised to giving the desired answer). Problems with this type of asymmetry are very rare, but are of critical usefulness in modern cryptography. the inverse problem to exponentiation is to find the discrete logarithm of a number modulo p that is to find i such that b = a i (mod p) this is written as i = dlog a b (mod p) if a is a primitive root then it always exists, otherwise it may not, eg. x = log 3 4 mod 13 has no answer x = log 2 3 mod 13 = 4 by trying successive powers whilst exponentiation is relatively easy, finding discrete logarithms is generally a hard problem Table 3.1, which is directly derived from Table 8.3, shows the sets of discrete logarithms that can be defined for modulus 19.

2 3.2 COMPUTING DISCRETE LOGS Discrete logs (or indices) share the properties of normal logarithms, and are quite useful. However whilst exponentiation is relatively easy, finding discrete logs is not, in fact is as hard as factoring a number. It is the inverse problem to exponentiation, and is an example of a problem that is "easy" one way (raising a number to a power), but "hard" the other (finding what power a number is raised to giving the desired answer). Problems with this type of asymmetry are very rare, but are of critical usefulness in modern cryptography. Input: p - prime number, a- primitive root of p, b - a residue mod p. Goal: Find k such that a k = b( mod p). (In other words, find the position of y in the large list of {a, a 2,..., a q-1 }. 14 is a primitive root of 19.

3 The powers of 14 (mod 19) are in order: For example L 14 (5) = 10 mod 19, because = 5( mod 19). the inverse problem to exponentiation is to find the discrete logarithm of a number modulo p that is to find x where a x = b mod p written as x=log a b mod p or x=ind a,p (b) if a is a primitive root then always exists, otherwise may not x = log 3 4 mod 13 (x st 3 x = 4 mod 13) has no answer x = log 2 3 mod 13 = 4 by trying successive powers whilst exponentiation is relatively easy, finding discrete logarithms is generally a hard problem 3.3 DIFFIE-HELLMAN KEY EXCHANGE The purpose of the algorithm is to enable two users to exchange a key securely that can then be used for subsequent encryption of messages. The Diffie-Hellman algorithm depends for its effectiveness on the difficulty of computing discrete logarithms. First, we define a primitive root of a prime number p as one whose power generate all the integers from 1 to (p-1) i.e., if a is a primitive root of a prime number p, then the numbers a mod p, a 2 mod p, a p-1 mod p are distinct and consists of integers from 1 to (p-1) in some permutation. For any integer b and a primitive root a of a prime number p, we can find a unique exponent i such that b a i mod p, where 0 i (p-1) The exponent i is referred to as discrete logarithm. With this background, we can define Diffie Hellman key exchange as follows: There are publicly known numbers: a prime number q and an integer that is primitive root of q. suppose users A and B wish to exchange a key. User A selects a random integer X A < q and computes Y A = XA mod q. Similarly, user B independently selects a random integer X B < q and computes Y B = XB mod q. Each side keeps the X value private and makes the Y value available publicly to the other side. User A computes the key as and User B computes the key as K = (Y B ) XA mod q K = (Y A ) XB mod q

4 These two calculations produce identical results. K = (Y B ) XA mod q = ( XB mod q) XA mod q = ( XB ) XA mod q = ( XA ) XB mod q = ( XA mod q) XB mod q = (Y A ) XB mod q The result is that two sides have exchanged a secret key. The security of the algorithm lies in the fact that, while it is relatively easy to calculate exponentials modulo a prime, it is very difficult to calculate discrete logarithms. For large primes, the latter task is considered infeasible. (Y B ) X Fig3.1: Diffie Hellman Key exchange The protocol depicted in figure is insecure against a man-in-the-middle attack. Suppose Alice and Bob wish to exchange keys, and Darth is the adversary. The attack proceeds as follows: 1. Darth prepares for the attack by generating two random private keys X D1 and X D2 and then computing the corresponding public keys Y D1 and Y D2. 2. Alice transmits Y A to Bob. 3. Darth intercepts Y A and transmits Y D1 to Bob. Darth also calculates K2 = (Y A ) XD2 mod q. 4. Bob receives Y D1 and calculates K1 = (Y D1 ) XE mod q. 5. Bob transmits X A to Alice. 6. Darth intercepts X A and transmits Y D2 to Alice. Darth calculates K1 =D1 mod q. 7. Alice receives Y D2 and calculates K2 = (Y D2 ) XA mod q.

5 At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth share secret key K1 and Alice and Darth share secret key K2. All future communication between Bob and Alice is compromised in the following way: 1. Alice sends an encrypted message M: E(K2, M). 2. Darth intercepts the encrypted message and decrypts it, to recover M. 3. Darth sends Bob E(K1, M) or E(K1, M'), where M' is any message. In the first case, Darth simply wants to eavesdrop on the communication without altering it. In the second case, Darth wants to modify the message going to Bob. The key exchange protocol is vulnerable to such an attack because it does not authenticate the participants. This vulnerability can be overcome with the use of digital signatures and public-key certificates Analog of Diffie-Hellman Key Exchange Key exchange using elliptic curves can be done in the following manner. First pick a large integer q, which is either a prime number p or an integer of the form 2 m and elliptic curve parameters a and b. This defines the elliptic group of points E q (a, b). Next, pick a base point G = (x 1, y 1 ) in E p (a, b) whose order is a very large value n. The order n of a point G on an elliptic curve is the smallest positive integer n such that ng = O. E q (a, b) and G are parameters of the cryptosystem known to all participants. 1. A selects an integer n A less than n. This is A's private key. A then generates a public key P A = n A x G; the public key is a point in Eq(a, b). 2. B similarly selects a private key n B and computes a public key P B. 3. A generates the secret key K = n A x P B. B generates the secret key K = n B x P A. 3.4 ELGAMAL CRYPTOSYSTEM Along with RSA, there are other public-key cryptosystems proposed. Many of them are based on different versions of the Discrete Logarithm Problem. ElGamal cryptosystem, called Elliptic Curve Variant, is based on the Discrete Logarithm Problem. It derives the strength from the assumption that the discrete logarithms cannot be found in practical time frame for a given number, while the inverse operation of the power can be computed efficiently. Let us go through a simple version of ElGamal that works with numbers modulo p. In the case of elliptic curve variants, it is based on quite different number systems.

6 Generation of ElGamal Key Pair Each user of ElGamal cryptosystem generates the key pair through as follows: Choosing a large prime p. Generally a prime number of 1024 to 2048 bits length is chosen. Choosing a generator element g. o This number must be between 1 and p 1, but cannot be any number. oit is a generator of the multiplicative group of integers modulo p. This means for every integer m co-prime to p, there is an integer k such that g k =a mod n. For example, 3 is generator of group 5 (Z5 = {1, 2, 3, 4}). N 3 n 3 n mod Choosing the private key. The private key x is any number bigger than 1 and smaller than p 1. Computing part of the public key. The value y is computed from the parameters p, g and the private key x as follows: y = g x mod p Obtaining Public key. The ElGamal public key consists of the three parameters (p, g, y). For example, suppose that p = 17 and that g = 6 (It can be confirmed that 6 is a generator of group Z17). The private key x can be any number bigger than 1 and smaller than 71, so we choose x = 5. The value y is then computed as follows: y = 6 5 mod 17 = 7 Thus the private key is 62 and the public key is (17, 6, 7).

7 Encryption and Decryption The generation of an ElGamal key pair is comparatively simpler than the equivalent process for RSA. But the encryption and decryption are slightly more complex than RSA. ElGamal Encryption Suppose sender wishes to send a plaintext to someone whose ElGamal public key is (p, g, y), then: Sender represents the plaintext as a series of numbers modulo p. To encrypt the first plaintext P, which is represented as a number modulo p. The encryption process to obtain the ciphertext C is as follows: o Randomly generate a number k; o Compute two values C1 and C2, where: C1 = g k mod p C2 = (P*y k ) mod p o o Send the ciphertext C, consisting of the two separate values (C1, C2), sent together. Referring to our ElGamal key generation example given above, the plaintext P = 13 is encrypted as follows: Randomly generate a number, say k = 10 Compute the two values C1 and C2, where: C1 = 6 10 mod 17 C2 = (13*7 10 ) mod 17 = 9 ElGamal Decryption Send the ciphertext C = (C1, C2) = (15, 9). To decrypt the ciphertext (C1, C2) using private key x, the following two steps are taken: Compute the modular inverse of (C1) x modulo p, which is (C1) -x, generally referred to as decryption factor.

8 o Obtain the plaintext by using the following formula: C2 (C1) -x mod p = Plaintext In our example, to decrypt the ciphertext C = (C1, C2) = (15, 9) using private key x = 5, the decryption factor is 15-5 mod 17 = 9 Extract plaintext P = (9 9) mod 17 = 13. ElGamal Analysis In ElGamal system, each user has a private key x. and has three components of public key: prime modulus p, generator g, and public Y = g x mod p. The strength of the ElGamal is based on the difficulty of discrete logarithm problem. The secure key size is generally > 1024 bits. Today even 2048 bits long key are used. On the processing speed front, Elgamal is quite slow, it is used mainly for key authentication protocols. Due to higher processing efficiency, Elliptic Curve variants of ElGamal are becoming increasingly popular. 3.5 HASH FUNCTIONS A variation on the message authentication code is the one way hash function. As with MAC, a hash function accepts a variable size message M as input and produces a fixed-size output, referred to as hash code H(M). Unlike a MAC, a hash code does not use a key but is a function only of the input message. The hash code is also referred to as a message digest or hash value. There are varieties of ways in which a hash code can be used to provide message authentication, as follows: to that of internal error control strategy. Because encryption is applied to the entire message plus the hash code, confidentiality is also provided. N Only the hash code is encrypted, using symmetric encryption. This reduces the processing burden for those applications that do not require confidentiality.

9 Fig.3.3.1: Basic Use of Hash Functions c) Only the hash code is encrypted, using the public key encryption and using the sender s private key. It provides authentication plus the digital signature. d) If confidentiality as well as digital signature is desired, then the message plus the public key encrypted hash code can be encrypted using a symmetric secret key.

10 e) This technique uses a hash function, but no encryption for message authentication. This technique assumes that the two communicating parties share a common secret value S. The source computes the hash value over the concatenation of M and S and appends the resulting hash value to M. f) Confidentiality can be added to the previous approach by encrypting the entire message plus the hash code. Fig3.3.2: Basic Use of Hash Functions A hash value h is generated by a function H of the form h = H(M) where M is a variable-length message and H(M) is the fixed-length hash value. The hash value is appended to the message at the source at a time when the message is assumed orknown to be correct. The receiver authenticates that message by recomputing the hashvalue. 3.7 HASH FUNCTIONS In recent years, there has been considerable effort, and some successes, in developing cryptanalytic attacks on hash functions. To understand these, we need to look at the overall structure of a typical secure hash function, and is the structure of most hash functions in use today, including SHA and Whirlpool.

11 Fig.3.7.1: General Structure of Secure Hash Code The hash function takes an input message and partitions it into L fixed-sized blocks of b bits each. If necessary, the final block is padded to b bits. The final block also includes the value of the total length of the input to the hash function. The inclusion of the length makes the job of the opponent more difficult. Either the opponent must find two messages of equal length that hash to the same value or two messages of differing lengths that, together with their length values, hash to the samevalue. The hash algorithm involves repeated use of a compression function, f, that takes two inputs (an n-bit input from the previous step, called the chaining variable, and a b-bit block) and produces an n-bit output. At the start of hashing, the chaining variable has an initial value that is specified as part of the algorithm. The final value of the chaining variable is the hash value. Often, b > n; hence the term compression. The hash function can be summarized as follows: CV o CV i = IV = initial n-bit value = f(cv i-1, Y i-1 ) 1 i L H(M) = CV L where the input to the hash function is a message M consisting of the blocks Y o, Y 1,..., Y L-1. The structure can be used to produce a secure hash function to operate on a message of any length. Message Authentication Codes There is much more variety in the structure of MACs than in hash functions, so it is difficult to generalize about the cryptanalysis of MACs. Further, far less work has been done on developing such attacks.

12 3.8 SECURE HASH ALGORITHM SHA originally designed by NIST & NSA in 1993 was revised in 1995 as SHA-1 US standard for use with DSA signature scheme , also Internet RFC3174 based on design of MD4 with key differences produces 160-bit hash values recent 2005 results on security of SHA-1 have raised concerns on its use in future applications SHA-512 Overview SHA-512 Compression Function heart of the algorithm processing message in 1024-bit blocks consists of 80 rounds -bit buffer -bit value Wt derived from the current message block

13 3.8.3 SHA-512 Round Function SHA-512 -Individual Round Function

14 3.9 MD5 MD5 is the current, and very widely used, member of Rivest s family of hash functions. MD5 message digest algorithm The MD5 message-digest algorithm was developed by Ron Rivest at MIT. Until the last few years, when both brute-force and cryptanalytic concerns have arisen, MD5 was the most widely used secure hash algorithm. MD5 logic. The algorithm takes as input a message of arbitrary length and produces as output a 128-bit message digest. The input is processed in 512-bit blocks. The processing consists of the following steps: Step 1: Appending padding bits. The massage is padded so that its length in bits is congruent to 448 modulo 512 (length 448 mod 512). That is, the length of the padded message is 64 bits less than an integer multiple of 512 bits. Padding is always is added, even if the message is already of the desired length. For example, if the message is 448 bits long, it is padded by 512 bits to a length of 960 bits. Thus, the number of padding bits is in the range of 1 to 512. The padding consists of a single 1-bit followed by the necessary number of 0-bits. Message digest generation using MD5

15 Step 2: Append length. A 64-bit representation of the length in bits of the original message (before the padding) is appended to the result of step 1 (least significant byte first). If the original length is greater than 2 64, then only the low-order 64 bits of the length are used. Thus, field contains the length of the original message, modulo The outcome of the first two steps yields a message that is an integer multiple of 512 bits in length. In figure below, expended message is represented as the sequence of 512-bit blocks Y0, Y1,, YL 1, so that the total length of the expanded message is L 512 bits. Equivalently, the result is a multiple of bit words. Let M [0 N 1]denote the words of the resulting message, with N an integer multiple of 16. Thus, N = L 16. Step 3: Initialize MD buffer. A 128-bit buffer is used to hold intermediate and final results of the hash function. The buffer can be represented as four 32-bit registers (A, B, C, D). These registers are initialized to the following 32-bit integers (hexadecimal values): A = B = EFCDAB8 C = 98BADCF D = E These values are stored in little-endian format, which is the least significant byte of a word in the low-address byte position. As 32-bit strings, the initialization values (in hexadecimal) appears as follows: Word A: Word B: AB 45 CD 67 EF Word C: FE DC BA 98 Word D:

16 MD5 processing of a single 512-bit block (MD5 compression function) Step 4: Process message in 512-bit (16-word) blocks. The heart of the algorithm is a compression algorithm that consists of four rounds of processing; this module is labeled HMD5. The four rounds have the similar structure, but each uses a different primitive logical function, referred to as F, G, H, and I in the specification. Each round takes as input the current 512-bit block being processed (Yq) and the 28-bit buffer value ABCD and updates the contents of the buffer. Each round also makes use of one-fourth of a 64-element table T[1 64], constructed from the sine function. The ith element of T, denoted T[i], has the value equal to the integer part of 2 32 abs(sin(i)), where I is in radians. Step 5: Output. After all L 512-bit blocks have been processed, the output from the Lth stage is the 160-bit message digest.

17 We can summarize the behavior of MD5 as follows: CV0 = IV CV q +1 = SUM 32 (CV q, RF I [Y q, RF H [Y q, RF G [Y q, RF F [Y q, CV q ]]]]) MD = CVL where IV - initial value of the ABCD buffer, defined in step 3 Y q - the qth 512-bit block of the message L - the number of blocks in the message (including padding and length fields) CVq - chaining variable processed with the qth block of the message RF x - round function using primitive logical function x MD - final message digest value SUM 32 - addition modulo 2 word of the pair of inputs 3.9 DIGITAL SIGNATURES The digital signatures provide the ability to: verify author, date & time of signature

18 authenticate message contents be verified by third parties to resolve disputes hence include authentication function with additional capabilities Digital Signature Properties must depend on the message signed must use information unique to sender-to prevent both forgery and denial must be relatively easy to produce must be relatively easy to recognize & verify be computationally infeasible to forge sage for existing digital signature be practical save digital signature in storage 3.10 DIRECT DIGITAL SIGNATURES involve only sender & receiver assumed receiver has sender s public-key digital signature made by sender signing entire message or hash with private-key can encrypt using receivers public-key important that sign first then encrypt message & signature security depends on sender s private-key Arbitrated Digital Signatures involves use of arbiter A o validates any signed message then dated and sent to recipient requires suitable level of trust in arbiter can be implemented with either private or public-key algorithms arbiter may or may not see message used to convince parties of each others identity and to exchange session keys may be one-way or mutual key issues are confidentiality - to protect session keys timeliness - to prevent replay attacks published protocols are often found to have flaws and need to be modified Replay Attacks

19 where a valid signed message is copied and later resent simple replay repetition that can be logged repetition that cannot be detected backward replay without modification countermeasures include use of sequence numbers (generally impractical) timestamps (needs synchronized clocks) challenge/response (using unique nonce) Using Symmetric Encryption as discussed previously can use a twolevel hierarchy of keys usually with a trusted Key Distribution Center (KDC) o each party shares own master key with KDC o KDC generates session keys used for connections between parties o master keys used to distribute these to them can refine use of KDC but can t have final exchange of nonces, vis: o A->KDC: IDA IDB N1 o KDC -> A: EKa [Ks IDB N1 EKb [Ks IDA] ] o A -> B: EKb [Ks IDA] EKs [M] does not protect against replays problematic could rely on timestamp in message, though delays make this Using Public-Key Encryption have a range of approaches based on the use of public-key encryption need to ensure have correct public keys for other parties using a central Authentication Server (AS) various protocols exist using timestamps or nonces if confidentiality is major concern, can use: A->B: EPUb [Ks] EKs [M] has encrypted session key, encrypted message if authentication needed use a digital signature with a digital certificate: A->B: M EPRa [H(M)] EPRas [T IDA PUa]

20 with message, signature, certificate 3.11 DIGITAL SIGNATURE STANDARD (DSS) US Govt approved signature scheme designed by NIST & NSA in early 90's published as FIPS-186 in 1991 revised in 1993, 1996 & then 2000 uses the SHA hash algorithm DSS is the standard, DSA is the algorithm FIPS (2000) includes alternative RSA & elliptic curve signature variants 3.12 DIGITAL SIGNATURE ALGORITHM(DSA) creates a 320 bit signature with bit security smaller and faster than RSA a digital signature scheme only security depends on difficulty of computing discrete logarithms variant of ElGamal & Schnorr schemes Fig : Digital Signatures - Overvies

21 DSA Key Generation have shared global public key values (p,q,g): choose q, a 160 bit choose a large prime p = 2L where L= 512 to 1024 bits and is a multiple of 64 and q is a prime factor of (p-1) choose g = h(p-1)/q where h<p-1, h(pp-11)//q (mod p) > 1 users choose private & compute public key: choose x<q compute y = gx (mod p) DSA Signature Creation to sign a message M the sender: generates a random signature key k, k<q nb. k must be random, be destroyed after use, and never be reused then computes signature pair: r = (gk(mod p))(mod q) s = (k-1.h(m)+ x.r)(mod q) sends signature (r,s) with message M DSA Signature Verification having received M & signature (r,s) to verify a signature, recipient computes: w = s-1(mod q) u1= (H(M).w)(mod q) u2= (r.w)(mod q) v = (gu1.yu2(mod p)) (mod q) if v=r then signature is verified

22 RSA AND ELGAMAL SCHEMES A COMPARISON Let us briefly compare the RSA and ElGamal schemes on the various aspects. RSA It is more efficient for encryption. It is less efficient for decryption. For a particular security level, lengthy keys are required in RSA. It is widely accepted and used. ElGamal It is more efficient for decryption. It is more efficient for decryption. For the same level of security, very short keys are required. It is new and not very popular in market.