Handout 8 Summary of this handout: Asymmetric Cryptography Public - - PDF document

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 15 November, 2012

Handout 8

Summary of this handout: Asymmetric Cryptography — Public Key Cryptography — Diffie-Hellman Key Exchange — ElGamal — Cramer-Shoup — Discrete Logarithms — Subgroups

IV. Asymmetric Ciphers and Public Key Cryptography

So far we have been talking about symmetric key cryptography only, where all the communicating parties need to be in possession of the same key in order to encrypt and decrypt messages. As we have seen, one major problem of symmetric ciphers is key distribution as well as key management. These problems can be overcome by using asymmetric ciphers. The idea of asymmetric cryptography algorithms is that Alice encrypts a message with one key and Bob can encrypt it with a different key without having any knowledge of Alice’s key. and ideally Alice and Bob should be able to communicate without ever exchanging keys first. This can be achieved by means of public key cryptography, where each participant has two keys: a private key and a public key, and can use someone’s public key to encrypt a message and only the person with the right private key can decrypt it. Since the majority of asymmetric ciphers are public key ciphers both expressions have become synonymous by now.

• 61. An Analogy

We first have a look at a well known analogy about sending secret messages, in order to illustrate the basic idea of asymmetric ciphers. Suppose Alice and Bob do not trust the postal service and want to send a message secretly by using a box and padlocks. With a symmetric key system, Alice first puts the secret message in a box, and then locks the box using a padlock to which she has a key. She then sends the box to Bob through regular mail. When Bob receives the box, he uses an identical copy of Alice’s key to open the box, and reads the message. Bob can then use the same padlock to send his secret reply. Obviously Alice and Bob have to exchange at some point the keys to the padlock. And they can not do this via the postal service as this would comprise their secret.

Alice Bob

To see that an exchange of key is not mandatory to exchange the secret message securely picture the following scenario of an asymmetric key system. Alice puts her secret message in a box, padlocks it and sends it to Bob. When the box arrives, Bob adds his own padlock and sends the box back to Alice. When Alice receives the box, it is now secured by two padlocks. She removes her own padlock, leaving just Bob’s padlock to secure the box. Finally she sends the box back to Bob. Bob can now open the box to retrieve the message. At no point was the secrecy of the message compromised nor was it necessary to exchange keys.

Alice Bob

16

Finally in an public key system the exchange of messages is even easier. Again Bob and Alice have separate padlocks. Firstly, Alice asks Bob to send his open padlock to her through regular mail, keeping its key to himself. When Alice receives it she uses it to lock a box containing her message, and sends the locked box to Bob. Bob can then unlock the box with his key and read the message from Alice. To reply, Bob must similarly get Alice’s open padlock to lock the box before sending it back to her. Again no keys had to be exchanged. However, it is crucial now that nobody is able to forge a copy of Bob’s key given Bob’s padlock alone.

Alice Bob

• 62. A Formal View

Let us put the two last cases in the the above analogy into our formal cipher notation. The operations of padlocks and keys correspond to the operations of a cipher. I.e., closing the padlock is encryption and

• pening the padlock is decryption.

We first consider the general asymmetric case with the two padlocks. We have two ciphers (EA, DA) and (EB, DB), where A, B are Alice’s and Bob’s keys, respectively. We get the following chain of messages: EA(M) → EB(EA(M)) → DA(EB(EA(M))) = EB(M) → DB(EB(M)) = M The crucial point here is the equation DA(EB(EA(M))) = EB(M). This will only hold if we have encryption functions EB and EA that commute (or if DA and EB commute). We know from our sym- metric ciphers, that this property does in general not hold. So in order to make the asymmetric scenario work, one has to carefully design the encryption functions. Now consider the public key scenario. Let B be the key Bob sends to Alice (open padlock in our analogy). We will call B a public key. Let B be the key he keeps secret (the actual key for the padlock in our analogy). We will call B Bob’s private key. Then Bob makes B public and, upon receiving a message encrypted with B decrypts it with B:

• B → E

B(M) → DB(E B(M))

Obviously it is important for the design of the encryption function that it can be inverted with a different

• key. Again this is in general not possible with the symmetric ciphers we have seen so far. Moreover, it is

crucial that there is no way for Eve to infer B from B, even though she knows the basic working of the encryption and decryption scheme. This is a complication that we did not have for symmetric ciphers. In a symmetric cipher we could use essentially any key (we preferred randomly generated ones of course) and en-/decryption would work. In a public key cipher, however, the right choice of public and private key are crucial and can not be left to chance, but have to be done systematically using a generation algorithm. Hence public key ciphers consist of three important components:

• A key generator G.
• An encryption function E.
• A decryption function D.
• 63. Trapdoor One-way Functions

When designing functions for public key ciphers it is important that they are easy to compute given the public key but that they are invertible alone when one has knowledge of the private key. In particular the inversion should be independent from the public key. 17

We have already discussed one-way functions in point 44 in handout 7. A one-way function is a function that is easy to compute but hard to invert. We have seen their uses as hash-functions, where inversion was not only not wanted, but also in general impossible to compute. (Recall that hash functions compress arbitrary length messages to a fixed length hash value.) Thus simple one-way functions are not useful for encryption, since their decryption is nearly always impossible to compute. However, there are certain types of one-way function that are hard to invert unless some secret information, a so called trapdoor, is

• known. This type of function is called trapdoor one-way function or trapdoor permutation.

Here are some possible candidate functions: Discrete Logarithm Problem: Let g be a generator in Z∗

• p. For h ∈ Z∗

p find x ∈ N such that gx ≡

h(mod p). [gx can be computed efficiently.] Diffie-Hellman Problem: Let g be a generator in Z∗

• p. Given a = gx and b = gy, find c ∈ Z∗

p such that

c = gxy. [Again the exponentiations can be computed efficiently.] Integer Factorisation: Let n be a large integer number. Find the prime factors of n. [Multiplying primes together is easy.]

• 64. A Historical Note

It was a long upheld paradigm that cryptography was only possible symmetrically, i.e. with some prior exchange of a key. However, in 1976 Whitfield Diffie and Martin Hellman from Stanford published a first asymmetric key cryptosystem. It was a method of public key agreement, which came to be known as Diffie-Hellman key exchange, and was the first published practical method for establishing a shared secret key over an unprotected communications channel without using a prior shared secret. The work was influenced by Ralph Merkle’s work on public key distribution, whose technique became known as Merkle’s Puzzles, and was published in 1978. Inspired by this work, Rivest, Shamir and Adleman from MIT, invented in 1977 the first public key cipher. The authors published their work in 1978, and the algorithm appropriately came to be known as RSA. In 1997 GCHQ in the UK publicly announced that they were aware of public key cryptography several years before Diffie and Hellman published their paper. Indeed the first invention of asymmetric key algorithms was by James H. Ellis, Clifford Cocks, and Malcolm Williamson at GCHQ in the early 1970s; they invented both the Diffie-Hellman key exchange, as well as a special case of RSA. We will follow the historical order and first have a look at the Diffie-Hellman key exchange protocol before having a look at some public key ciphers.

IV.1 Diffie-Hellman Key Exchange

The Diffie-Hellman key exchange was invented by Wittfield Diffie and Martin Hellman in 1976. Using this protocol it is possible for Alice and Bob to agree on a secret value in the presence of Eve observing their entire communication. It is an asymmetric algorithm since there is no need for a trusted third party Trent or for the exchange of any secret information anytime before the exchange. The main idea of the protocol is to agree on a key given as an integer by using discrete exponentiation. Thus its security is based on the hardness of the discrete logarithm problem. The algorithm was originally proposed for Z∗

p for a large prime p but is today usually used in subgroups Gq of Z∗

• p. The protocol has

essentially 5 steps, where the first is a public initialisation:

• 1. Alice and Bob agree (publicly) on a prime number p (i.e., on Z∗

p) and on an element g ∈ Z∗ p that

generates the the finite group Gq.

• 2. Alice picks a random positive integer a and sends ga to Bob.
• 3. Bob picks a random positive integer b and sends gb to Alice.
• 4. Alice computes the key K = (gb)a = gba.
• 5. Bob computes the key K = (ga)b = gab.

18

Observe that in steps 4 and 5 we exploit the commutativity of discrete exponentiation, similar to our padlock example. Eve knows g and p. She also can observer ga and gb. However, due to discrete exponentiation being a

• ne-way function, she cannot infer the key K = gab Here is an overview of the protocol:

Source: Wikipedia

Example:

• 1. Alice and Bob agree to use a prime number p = 23 and base g = 5.
• 2. Alice chooses a secret integer a = 6, then sends Bob (ga mod p): 56 = 15625 ≡ 8(mod 23).
• 3. Bob chooses a secret integer b = 15, then sends Alice (gb mod p): 515 = 30517578125 ≡

19(mod 23).

• 4. Alice computes (gb mod p)a mod p: 196 = 47045881 ≡ 2(mod 23).
• 5. Bob computes (ga mod p)b mod p: 815 = 35184372088832 ≡ 2(mod 23).

After the Diffie-Hellman key exchange both Alice and Bob have agreed on the key 2. In the above example I have given the full integers of the exponentiations only as an illustration. When we solve the problem we of course do NOT carry out the exponentiations explicitly. Instead, we construct the subgroup generated by the given generator and simply count the elements until we have the result of the exponentiation in question. Here is an example for 815: The subgroup for generated by 8 in Z∗

23 is

{80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 810} = {1, 8, 18, 6, 2, 16, 13, 12, 4, 9, 3} Starting from 81 = 8 we can now simply count the next 15 elements. At 810 we restart from the beginning, i.e, with 80 = 811 = 1. The 15th generated element is then 2.

IV.2 ElGamal

The ElGamal algorithm is an asymmetric key encryption algorithm for public key cryptography which is based on the same principles as Diffie-Hellman key agreement, i.e., it uses discrete exponentiation and its security therefore relies on the hardness of the discrete logarithm problem. It was invented by Taher Elgamal in 1984 and is, for instance, used in the GNU implementation of the PGP protocol. Similar to Diffie-Hellman ElGamal can be defined over any cyclic group Gq as subgroups of Z∗

• p. However, in

concrete implementations one generally takes p to be a prime number of around 1024 bits and q to be of around 160 bits such that q divides p − 1. ElGamal then consists of three components: the key generator G, the encryption algorithm E, and the decryption algorithm D. The key generator G generates a key for Alice as follows:

• Generate primes p and q as well as an element g ∈ Z∗

p that generates the subgroup Gq.

19

• Choose a random x from {0, . . . , q − 1}.
• Compute h = gx mod p.
• Publish the public key

K = (Gq, q, g, h).

• Retain the private key K = x.

To encrypt a message M to Alice using her public key K = (Gq, q, g, h), Bob uses the following encryption algorithm E:

• M is considered to be an element of G
• Choose a random y from {0, . . . , q − 1}, then calculate c1 = gy and c2 = M · hy.
• The ciphertext is then C = (c1, c2).

Bob now sends the ciphertext C = (c1, c2) to Alice who can decrypt the message with the following decryption algorithm D using her secret key K = x:

• Compute M = c2 · c−x

1 , where c−x 1

= (c1−1)x is the xth exponent of the inverse of c1 in Gq. Here is a quick verification that the decryption algorithm really produces the original message: c2 · cx

1 = M · hy · g−xy = M · gxy · g−xy = M

Notice, that we assume the message M to be an element of Gq. Should the message however be to large it is split into several pieces and each piece is encrypted independently. Example: As a very simple example we take p = 11, q = 5, and g = 3. The group generated by g is then G5 = {1, 3, 9, 5, 4}. We assume also that Bob wants to send the message 10. Key generation algorithm G:

• Choose random x = 2.
• h = gx = 32 = 9.
• Public key

K = ({1, 3, 9, 5, 4}, 5, 3, 9).

• Private key K = 2.

Encryption algorithm E:

• Choose random y = 4.
• Set c1 = gy = 34 = 4.
• Set c2 = M · hy = 10 · 94 = 6
• Ciphertext is C = (c1, c2) = (4, 6)

Decryption algorithm D:

• Compute M = c2 · c−2

1 . Since c1−1 = 4−1 = 3 we have c−2 1

= 9 and M = 6 · 9 = 10. 20

IV.3 Cramer-Shoup

The ElGamal public key algorithm is vulnerable to chosen-ciphertext attacks, i.e., attacks where the cryptanalyst chooses a ciphertext and causes it to be decrypted with an unknown key. Choosing the ciphertexts carefully and adapting them can lead to information about the key used. The Cramer-Shoup algorithm avoids this by using a cryptographic hash function H. Cramer-Shoup public key encryption was developed in 1998 and is for example used in IBM’s ACE package. Similar to ElGamal its security is based on the hardness of the discrete logarithm problem. The key generator G works as follows:

• Generate primes p and q, and the subgroup Gq of Z∗
• p. Choose randomly two generators g1 and g2
• f Gq.
• Choose six random values (x1, x2, y1, y2, z1, z2) from {0, . . . , q − 1}.
• Compute c = gx1

1 gx2 2 , d = gy1 1 gy2 2 , and h = gz1 1 gz2 2 .

• Publish the public key

K = (Gq, q, g1, g2, c, d, h).

• Retain the private key K = (x1, x2, y1, y2, z1, z2).

The encryption algorithm E encrypts a message M under public key K = (Gq, q, g1, g2, c, d, h) as follows:

• M is considered to be an element of Gq
• Choose a random k from {0, . . . , q − 1} then calculate:

– u1 = gk

1, u2 = gk 2

– e = hk · M – α = H(u1, u2, e), where H is the hash function – v = ck · dkα

• Ciphertext is C = (u1, u2, e, v).

The decryption algorithm D decrypts a ciphertext C = (u1, u2, e, v) with the secret key K = (x1, x2, y1, y2, z1, z2) as follows:

• Compute α = H(u1, u2, e) and verify that ux1

1 · ux2 2 · (uy1 1 · uy2 2 )α = v. If this test fails, further

decryption is aborted and the output is rejected.

• Otherwise, compute the plaintext as M = e · (uz1

1 uz2 2 )−1.

Observe that H will only produce the right result if the same value of k was used in all three variables. But neither k nor x1, x2, y1, y2 are known to the cryptanalyst. Here is a quick verification that the decryption algorithm really produces the original message: uz1

1 uz2 2 = gkz1 1

gkz2

2

= hk , and M = e · h−k As for ElGamal a given message might not fit into Gq. It is then split into several blocks and each block is encrypted independently. 21

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 15 November, 2012

Mathematics 5 – Discrete Logarithm and Subgroups

In this handout we look at some basic group theory that is necessary to understand some of the public key ciphers. We first recall a few facts from previous mathematics handouts:

• Recall that Zn was the set of all residue classes modulo a positive integer n. I.e., Zn = {0, 1, . . . , n−

1} where we omit the special notations for residue classes. (Mathematics 2)

• Recall that we could define arithmetic on Zn, i.e., addition, subtraction, and multiplication via

their corresponding operations on Z modulo n. (Mathematics 2)

• Recall that for a prime p, Zp was a finite field. That meant in particular, that (Z∗

p, ·) was a group,

where Z∗

p = {1, . . . , p − 1}.

(Mathematics 3)

• Recall that every element x ∈ Z∗

p has an inverse element x−1 such that x · x−1 = x−1 · x =

1. (Mathematics 3) For the remainder of this handout we restrict ourselves to (Z∗

p, ·), where p is a prime number.

Inverses in Z∗

p

We first have a brief look at inverse elements in Z∗

• p. We take the concrete example of Z∗

5 = {1, 2, 3, 4}

and write down its multiplication table. We can then easily read of the inverses for each element of Z∗

5:

Z∗

5

1 2 3 4 1 1 2 3 4 2 2 4 1 3 3 3 1 4 2 4 4 3 2 1 1−1 = 1 2−1 = 3 3−1 = 2 4−1 = 4 Multiplying with an inverse can be viewed as division modulo p.

Discrete Exponentiation

We have now defined all simple arithmetic functions on Z∗

• p. As a next step we will define discrete

exponentiation as an iterated multiplication. Let n be a non-negative integer, i.e. n ∈ N, and let g ∈ Z∗

p,

we can then define gn iteratively via multiplication as gn = g · . . . · g

• n

∈ Z∗

p this is equivalent to the modulo computation in Z: g · . . . · g

• n

modp together with the obvious rules for exponents, i.e. let n, m ∈ N and g ∈ Z∗

p then

• 1. g0 = 1
• 2. gn · gm = g(n+m)
• 3. (gn)m = gnm

Example: For 3 ∈ Z∗

5 we get 33 = 3 · 3 · 3 = 4 · 3 = 2, which we can also express as a modulo

computation in Z: 33 = 27 ≡ 2(mod 5) We can also define the exponent for inverse elements such that for a g ∈ Z∗

p and n ∈ N we have

g−n = (g−1)n = (gn)−1 with gn · g−n = 1. Example: For 3 ∈ Z∗

5 we get 3−3 = (33)−1 = 2−1 = 3 or 3−3 = (3−1)3 = (2−1)3 = 3.

Discrete exponentiation gives rise to more efficient way of computing the inverse of an element in Z∗

p

using the following theorem: Theorem 10 (Fermat’s Little Theorem) For any g ∈ Z∗

p we have gp−1 ≡ 1 (mod p)

x

We can use this fact to compute the inverse of g simply as gp−2. Example: The inverse of 3 modulo 5 by 35−2 = 27 ≡ 2(mod 5). Finally define the discrete logarithm for g, h ∈ Z∗

p as that x ∈ N such that gx ≡ h(mod p).

The discrete logarithm problem is then the problem of finding a solution to the modulo equation gx ≡ h(mod p). This is a computationally hard problem.

Generated Subgroups

We can now use the discrete exponentiation operation to introduce the concept of generated groups and

• subgroups. We start with the following important fact:

Theorem 11 For every prime p there exists some g ∈ Z∗

p such that Z∗ p = {1 = g0, g, g2, g3, . . . , gp−2}.

An element g with this property is called a generator of Z∗

p.

In other words, if g is a generator of Z∗

p, then for every h ∈ Z∗ p there exists some i ∈ {0, . . . , p − 2},

such that h = gi. Example: The element 3 is a generator of Z∗

7 since {1, 3, 32, 33, 34, 35, 36} = {1, 3, 2, 6, 4, 5} = Z∗ 7 .

However, not every element of Z∗

7 is a generator. The number 2, for example, is not a generator of Z∗ 7 ,

since we we have {1, 2, 22, 23, 24, 25, 26} = {1, 2, 4} = Z∗

7.

While 2 ∈ Z∗

7 does not generate Z∗ 7, the set it generates is a subgroup in Z∗

• 7. More formally we define a

subgroup as follows: Definition 12 Let G be a group. A subset S ⊆ G a subgroup, if S is a group with the operation of G. We note that every subgroup of G shares unit element and inverses with G. That is, for a ∈ S its inverse a−1 ∈ S is the same as a−1 ∈ G. Every element g ∈ Z∗

p generate a subgroup. We call the size of the subgroup the g generates the order of

g and we denote a subgroup generated by g with g. If g is a generator of Z∗

p we have g = Z∗ p.

Example: Generate all subgroups of Z∗

5: 1 = {1}, 2 = {2, 4, 3, 1}, 3 = {3, 4, 2, 1}, 4 = {4, 1}

We conclude with the following important theorem of Lagrange: Theorem 13 (Lagrange) For all g ∈ Z∗

p we have that the order of g divides p − 1.

This fact is frequently exploited in public key ciphers, where computations are performed in a subgroup Gq of Z∗

p, where q is a prime number and q divides p − 1, the order of Z∗ p.

Computing Discrete Exponentiation with Subgroups

Finally I present a method that exploits generated subgroups in order to compute results for discrete exponentiations with large exponents, avoiding the actual modulo calculation, which might involve very large integers. Assume we have Z∗

7 and want to compute the exponent 316 (which is 43046721 mod 7 and not really

feasible to compute by hand). We compute the subgroup generated by 3. Since 3 is a generator of Z∗

7,

this will be the entire group. However, for our purpose it is important, that we denote the elements of the group in the order they are actually generated: 3 = {30, 31, 32, 33, 34, 35} = {1, 3, 2, 6, 4, 5} We can now compute 316 by simply counting the elements in the set. We start with 31 = 3 and the next 16 elements by cyclically restarting at 30 whenever we have reached 35. I.e., we get: 31, 32, 33, 34, 35, 36 = 30, 37 = 31, 38 = 32, . . . , 315 = 33, 316 = 34 and hence get 316 = 4. xi