In this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamaltype sc


 Oscar Owen
 2 years ago
 Views:
Transcription
1 Digital Signature and Public Key Cryptosystem in a Prime Order Subgroup of Z n Colin Boyd Information Security Research Centre, School of Data Communications Queensland University of Technology, Brisbane Q4001, Australia Abstract. A new digital signature scheme and public key cryptosystem are proposed which use operations in a prime order subgroup of Z n for a composite number n. There are similarities with the best known digital signatures and public key cryptosystems (RSA and discrete logarithm based schemes) in terms of the mathematical structure. With regard to computational requirements the new schemes are competitive and, in particular, are more ecient than the best known schemes when averaged over both public and private key computations. 1 Introduction The best known and most widely used public key cryptosystems today base their security on the diculty of either the integer factorisation problem or the discrete logarithm problem. The RSA scheme [11] can be used to provide both digital signatures and public key encryption; its security relies on the diculty of factorising a modulus which is the product of two large primes. The algorithms of ElGamal [4] can also provide digital signatures and public key encryption; these rely on the diculty of nding discrete logarithms in the eld of integers modulo a large prime p. Subsequent renements have been made to the original ElGamal schemes, particularly to the signature scheme. For example, the Digital Signature Standard (DSS) algorithm combines ElGamal signatures with an idea of Schnorr [13] to increase eciency and provide short signatures. Even with modern processors, the RSA and ElGamaltype algorithms are often a computational burden. Considerable research has been devoted to methods for speeding up the algorithms and various renements are widely used. For example, by use of a small public exponent the RSA scheme can be arranged to be particularly ecient in operations with the public key, namely signature verication and encryption. DSS signatures use short exponents in order to improve eciency. While RSA signatures are more ecient for verication, the DSS algorithm turns out to be typically more ecient than RSA for signature generation. With regard to ElGamal encryption there has been less published research, but even here there are options to optimise the computation through use of small length exponents. The debate as to whether RSA or ElGamaltype algorithms are the most ecient can only be answered by reference to the particular environment in which implementation is to be placed.
2 In this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamaltype schemes both in terms of mathematical structure and in terms of computational requirements. Although the mathematical setting is quite familiar a novel trapdoor is used which constitutes the order of a particular element. An attractive feature in some applications is that public key and private key operations are both of roughly equal complexity; this applies to both the signature and the encryption scheme. For that reason they may be called balanced schemes. The schemes use a composite modulus and, like RSA, rely for their security on the diculty of integer factorisation. On the other hand the schemes use operations in a prime order subgroup of the integers, a feature shared with DSS and Schnorr signatures. The signature scheme is deterministic like RSA, while the encryption scheme is probabilistic like ElGamaltype schemes, thus requiring a random input. The computational requirements lie between those for RSA and ElGamaltype schemes. As well as being balanced, the total computation required for both signature generation and verication is less than either RSA or DSS, while the total computation for encryption and decryption is less than either RSA or ElGamal, even when `short' exponents are used in the latter. The next section describes the parameters that are used for the schemes. (The public and private keys are essentially the same for both digital signature and encryption.) Following this the digital signature scheme and public key encryption scheme are considered in turn, together with consideration of their computational requirements as well as the possible attacks upon them. 2 System Parameters The proposed algorithms make use of a composite modulus n as in the RSA algorithm [11]. The values p, q and r are primes that satisfy the following properties. { n = pq { rjp? 1 It is not computationally dicult to generate these parameters. For example, the methods used to generate socalled `strong' primes for RSA [7] may be suitably modied to generate p. For a practical implementation r should be chosen to be a random prime of around 160 bits, and the primes p and q should be of suitable size so that n is hard to factorise. Since r is a secret value it is important that r be chosen randomly within a large enough range that it cannot be found by an exhaustive search. An element g in Z n is chosen which has order r. This may be eciently accomplished by nding an element in Z n of order = lcm(p? 1; q? 1) and letting g = =r mod n. In turn may be found by using the Chinese remainder theorem to nd an element which equals 1 mod p and equals 2 mod q, where 1 and 2 are generators of Z p and Z q. The keys for the system are then as follows.
3 Public Key: (n; g) Private Key: r The private key r is the order of the public element g. Finding the private key from the public key alone is then the problem of nding the order of a specic element modulo n. In general this problem is random polynomial time equivalent to the factorisation problem [1]. It is not dicult to see that an oracle that returns the order of elements modulo n can be used to nd (n) which is sucient to factorise n. Clearly factorisation of the modulus leads to knowledge of p? 1, which can then be factorised (if n has been) to nd r. Thus nding the private key can be no harder than factorising the modulus. It is possible that knowledge that the order of g is of special form may help in nding r. However, it is worth noting that a very similar public key structure is used by Brickell and McCurley in their identication scheme [3]. Their scheme uses a prime modulus p and has an element of prime order q, where qjp? 1. The security of their scheme relies on the diculty of nding this unknown order as well as on nding discrete logarithms to the base. So far as is known to this author, the Brickell and McCurley scheme has not been successfully attacked. 3 The Signature Scheme 3.1 Signature Generation The signature of a message m is the value s: s = g d mod n where d = m?1 mod r. The signature exists unless m mod r = 0; although this happens with negligible probability, if desired the condition 0 < m < r may be imposed. 3.2 Signature Verication If s is a claimed signature of the message m by the holder of the public key (n; g), then it is checked whether s m mod n = g and if so the signature is accepted as genuine. Because g has order r it follows that when the signature is genuine, s m mod n = g m?1 m mod r mod n = g and so the verication succeeds.
4 3.3 Use of Hash Functions Signature verication requires knowledge of the message (this is sometimes called a signature scheme with appendix). It is thus natural to use the scheme in combination with a suitable oneway hash function with which m will be hashed before signing in order to limit the size of the exponent in verication. In order to avoid the possibility of collisions of messages it is desirable that the hash function used should have a 160bit output and the Secure Hash Standard algorithm, SHA [5], currently appears to be a suitable choice. 4 Comparison with RSA and DSS Signatures The computational complexity of both signature generation and verication is determined by the length of the exponents. For signature generation the exponent has the same length as r which is suggested as 160 bits. For verication the exponent has the same length as m, or h(m) if h is the hash function used. If the SHS is used then h(m) is also 160 bits. Let us compare this with the complexity of both DSS and RSA (when a small public exponent is used). Table 1 shows comparitive gures for naive implementations of the three algorithms using the wellknown square and multiply algorithm. In Table 1 it is assumed that the small public exponent is used for RSA signatures, and a 1024 bit modulus is employed. It can be seen that the new algorithm lies between the other two 1 and is better than RSA for signature generation and better than DSS for verication. It also deserves to be emphasised that DSS is a randomized algorithm and so requires a new random number to be generated for each signature. Generation of random numbers is not a trivial task. In the table the calculation of d = m?1 mod r in the proposed scheme has been ignored. (A similar calculation is also required for DSS signature generation.) The justication for this is that it should be a relatively small proportion of the calculation. A basic way to nd d is by calculating d = m r?1 mod r (although more ecient ways exist [9]) which requires on average 240 multiplications modulo r. The complexity of modular multiplication increases as the square of the modulus size and since the size of r is less than six times that of n, calculation of d would take under 3% of the total eort even with this basic method. There are various enhancements that can be made to speed up all the signature schemes shown in table 1. For example, DSS signature verication can be speeded up by simultaneous calculation of the two exponentiations involved, thereby reducing it to the equivalent of 5/4 exponentiations (see Algorithm of [9], attributed to Shamir). Another example is that both RSA and the proposed scheme can use the Chinese remainder theorem to speed up signature 1 For signature generation in DSS most of the computational eort can be expended in a preprocessing stage.
5 RSA DSS Proposed Signature Generation Signature Verication Signature Length Public Key Length Private Key Length Table 1. Computation (modular multiplications) and parameters (bits) for 1024 bit modulus with basic squareandmultiply algorithm. generation by making calculations modulo the two factors of n, thereby reducing the computation required by a factor of 4. Table 1 also compares the lengths of signatures and keys. It may be observed that DSS is much the best with regard to signature length. The proposed scheme compares quite well and, in particular, shares a useful property with the DSS of having a small private key. The public key for DSS is the longest but it should be noted that public keys may share the same prime modulus and base value, thereby reducing the marginal storage cost of a public key to 1024 bits. (On the other hand this is not without its security implications.) 5 Security of Signature Scheme Most practical signature schemes do not carry any proof of security. In particular, it is known neither whether breaking RSA signatures is equivalent to the factorisation problem, nor whether breaking DSS is equivalent to solving the discrete logarithm problem. The only apparent attacks on the proposed scheme are as hard as factorising the modulus n but, as for RSA and DSS, it is not proven whether there is not some more ecient attack. The following lemmas are easily proved. Lemma 1. Suppose messages m 1 and m 2 are congruent modulo r. Then the value s (0 < s < n) is a valid signature of m 1 if and only if s is a valid signature for m 2. Lemma 2. Two values s 1 and s 2 are valid signatures for the same message m if and only if s 1 and s 2 are congruent modulo n. Together these results reveal the structure of the signature space of the scheme. The only values less than n which are available for signatures are in the orbit of g. These values are in onetoone correspondence with the messages from any residue set modulo r. This shows that the signatures are in a sense `well distributed' so that an attacker is not able, for example, to guess a signature value which is shared by dierent messages. In addition, since operations take place in a group of large prime order there are no possible problems with accidental use of smooth subgroups as discussed by Anderson and Vaudenay [2].
6 5.1 Forgery Attacks Most known signature schemes (including RSA and ElGamaltype signatures) are prone to existential forgery attacks when a hash function is not used prior to signing. In such attacks an unlimited number of signatures for random messages may be generated. For the proposed scheme a simple existential forgery is that the value s = 1 is the signature for the message m = g. Further random signatures seem hard to achieve. Selective forgery refers to the diculty of forging a signature of a message chosen in advance by the attacker. With use of a oneway hash functions this appears the only way to nd any valid signature. The attacker chooses a message m and is required to nd a value s with s m mod n = g. The ability to nd the signature s from knowledge of the public key alone is the same as breaking the RSA encryption algorithm for a given ciphertext g and public exponent m, with the side information that there is a factor of (n) of size 160 bits and the ciphertext generates a subgroup of that same size. It is unclear whether the side information is any help in factorising n. The similarity to the security of Brickell and McCurley's identication scheme [3] may again be noted. An adaptive chosen message attack makes use of signatures on chosen messages and is in general harder to resist than an attack using only the public key. Such an attack is no longer equivalent to an attack on RSA but would correspond to a situation where an attacker could choose the public RSA exponent and obtain the plaintext corresponding to the ciphertext g. There does not appear to be any obvious way that this helps an attacker. Another approach is to use a known signature to help nd the private key. If a solution z can be found for s = g z mod n then this is equivalent to the private key since s = g m?1 mod z mod n is a valid signature for m. Finding z is the discrete logarithm problem in the ring Z n. In the case where the base generates the whole of Z n the discrete logarithm problem is equivalent to factorising n (see reference [8] for example). The general problem of nding discrete logarithms in an arbitrary group has no known algorithm with running time faster than the square root of the input. Existence of such an algorithm would break the DSS as well as the proposed scheme. 6 The Public Key Cryptosystem It is not immediately obvious how to use the trapdoor used in the signature scheme to construct a public key encryption scheme. Unlike RSA it is not possible to simply turn around the digital signature verication procedure. For example, if a user were to calculate g m mod n then this cannot be undone, for the discrete logarithm problem with base g is hard even with knowledge of r, the order of g. However there is a way to achieve the aim by a process similar to ElGamal encryption in which a random `hint' is chosen which must be sent along with the message dependant part of the encryption. The public key for the system is the same as for the digital signature scheme while the private key is a slight variant.
7 Public Key: n; g Private Key: z = (r? 1)=2 =?2?1 mod r To encrypt a message m with 0 < m < n? 1 the sender nds the public key of the recipient and chooses a random value t of 160 bits. The ciphertext is then the pair (u; v) dened as follows u = g 2t mod n v = mg t mod n The recipient decrypts the pair (u; v) by the following calculation. m = u z v mod n Note that there is a generalisation of this process in which a random value s replaces the value 2. The value s may be chosen by the sender in the same way as t. Then u = g st and v = mg t. The ciphertext is the triple (s; u; t). In order to decrypt the receiver must now nd w =?s?1 mod r rst, then nd m = u w v. This variation is obviously less ecient for both encryption and decryption. It may possibly be more secure as well as providing more scope for randomising applications. 7 Comparison with Other Public Key Cryptosystems As for the signature scheme, the computational complexity of encryption and decryption is determined by the length of the exponents. For encryption the sender needs to calculate one modular exponentiation with a 160 bit exponent to obtain g t mod n plus two further multiplications to obtain u and v. For decryption the exponent is also 160 bits and one extra multiplication is required. One way of decreasing the computational requirement of the ElGamal system is to use short exponents (say of 160 bits) in the exponentiation. Van Oorschot and Wiener have discussed the issue of using such short exponents in the related DieHellman key exchange protocol [10]. They recommend that if small exponents are used the protocol should be set in a group of prime order and in this event they see no way to attack the protocol. A group of prime order can be constructed to lie inside the integers modulo p in a standard way by suitable selection of p. Let us compare this with the complexity of both ElGamal and RSA (when a small public exponent is used). Table 1 shows comparitive gures for naive implementations of the three algorithms using the wellknown square and multiply algorithm. Two versions are given for ElGamal; one is the original algorithm and the other is a variation where small exponents of length 160 bits are used. When short exponents are used the modulus must be chosen carefully [10]. The gures neglect the public exponent in RSA and the generator in ElGamal, both of which may be chosen to be small. It can be seen that the new algorithm lies between the other two and is better than RSA for decryption and better
8 RSA ElGamal ElGamal with Proposed Short Exponents Encryption Eort Decryption Eort Public Key Length Private Key Length Ciphertext Length Table 2. Computation (modular multiplications) and parameters (bits) using 1024 bit modulus and basic squareandmultiply algorithm. than ElGamal for encryption. For the average between encryption the proposed algorithm appears better than either. Just as in the signature scheme various enhancements can be made to speed up all the schemes compared in table 2. Again, both RSA and the proposed scheme can use the Chinese remainder theorem to speed up decryption by making calculations modulo the two factors of n, thereby reducing the computation required by a factor of 4. When comparing the practical merits of the various schemes the lengths of the public keys and ciphertexts should also be noted. The new scheme is the same as ElGamal in this regard, suering a twofold expansion in the encrypted text. In this regard RSA is superior because ciphertexts are just one modulus length. The table shows that the proposed scheme and ElGamal are at a disadvantage compared with RSA with respect to public key length. As with DSS public keys, the marginal size of ElGamal public keys may be reduced to 1024 bits if it is assumed that all users share the same prime modulus and generator value. The proposed scheme is better than RSA with regard to the private key size, and the same as ElGamal with short exponents, since the private parameter is no bigger than r. 8 Security of Encryption The security of the proposed scheme is related to that of both RSA and El Gamal. It should be noted that an eavesdropper is able to obtain m 2 mod n = v 2 u?1 mod n. This is not a problem, since it is well known that nding square roots modulo n is as hard as nding the factors of n [9]. However it means that the message m should not be a small integer value otherwise its square root may be obtained in ordinary integer arithmetic. In order to avoid this problem message should be padded in some standard way, such as is now widely accepted for RSA [12]. In section 2 the dicult of obtaining the private key z from the public parameters was discussed. It may be that there is a way to decrypt without actually obtaining z. If this is the case then an attacker can, with nonnegligible probability, obtain the value g t mod n given the value g 2t mod n. Now this means that the attacker can nd specic square roots. As already mentioned, the ability to
9 nd square roots in Z n is well known to be equivalent to the ability to factorise n. But in this case it is a mistake to say that breaking the cryptosystem is the same as the ability to nd arbitrary square root modulo n. For example, suppose an attacker mounts a chosen ciphertext attack by choosing x at random and presenting (x 2 mod n; v) for decryption, for any v. The attacker is most unlikely to obtain another square root of x 2 mod n, but will obtain x?2z mod n. As the following lemma shows, this is a square root of x 2 mod n with negligible probability. Lemma 3. For any x in Z n with n chosen as in section 2 the following holds. (x?2z ) 2 x 2 mod n () ord(x 2 mod n) = r Proof First note that (x?2z ) 2 mod n = x 2?2r mod n. If ord(x 2 mod n) = r then x?2r mod n = 1 so (x?2z ) 2 x 2 mod n. On the other hand if x 2?2r x 2 mod n then x?2r mod n = 1 so that the order of x 2 mod n divides r. But since r is an odd prime this implies that ord(x 2 mod n) = r. 2 If ord(x 2 mod n) = r then ord(x) = r or 2r. As long as r 2 does not divide (p? 1)(q? 1) (which is true with overwhelming probability) the order of x can only be r if x is in the orbit of g, and can only be 2r if x is in the orbit of?g. Thus the chosen ciphertext attack will never succeed because the attacker will only receive a square root of x 2 mod n if x is in the orbit of g or?g and then it will equal x. It is easy to check that breaking the proposed cryptosystem is equivalent to breaking a particular case of a generalisation of ElGamal encryption in Z n. This is where the public key is (n; g; g z mod n) and encryption of m is the pair (g t mod n; g zt m mod n). For this case the pair (u; v) is decrypted by m = u?z v mod n. In general there is no known way to break the ElGamal cryptosystem without nding the secret z. As stated before, this appears to be a dicult problem. 9 Conclusion A new digital signature scheme and public key encryption scheme have been proposed based on well known algebraic structures but using a novel trapdoor. The schemes appears to be secure in comparison with the best known schemes, although proofs of security would be useful. In addition the schemes oer the following features which may prove advantageous. { Both the signature scheme and public key encryption scheme are `balanced' in the sense that public and private key computations are roughly equal. { Computations take place in a group of prime order which is believed to oer high security for discrete logarithms based systems. { The average computational requirements for signature generation plus signature verication are less than both RSA and DSS.
10 { The average computational requirements for public key encryption and decryption are less than both RSA and ElGamal. It is interesting to consider protocols in which the new signature and cryptosystem may be used as primitives. There may also be useful analogies to be found in elliptic curves or other groups. Acknowledgements I am very grateful to Wenbo Mao of HewlettPackard for many constructive critical comments. References 1. L. M. Adleman and K. S. McCurley, \Open Problems in Number Theoretic Complexity, II", Algorithmic Number Theory, Lecture Notes in Computer Science Vol.877, SpringerVerlag, R. Anderson and S. Vaudenay, \Minding Your p's and q's", Advances in Cryptology  Asiacrypt 96, SpringerVerlag, E. F. Brickell and K. S. McCurley, \An Interactive Identication Scheme Based on Discrete Logarithms and Factoring", Journal of Cryptology, 5, 1, pp.2939, T. ElGamal, \A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Transactions on Information Theory, IT31, 4, pp , FIPS 1801, \Secure Hash Standard", US Department of Commerce/NIST, April FIPS 186, \Digital Signature Standard", US Department of Commerce/NIST, J. Gordon, \Strong RSA Keys", Electronics Letters, 20, June 7, 1984, pp U. Maurer and Y. Yacobi, \Noninteractive Public Key Cryptography", Advances in Cryptology  Eurocrypt 91, SpringerVerlag, 1991, pp A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, ARC Press, P. van Oorschot and M. Wiener, \On DieHellman Key Agreement with Short Exponents", Advances in Cryptology  Eurocrypt '96, SpringerVerlag, 1996, pp R. Rivest, A. Shamir, L.Adleman, \A Method for Obtaining Digital Signatures and Public Key Cryptosystems" Communications of the ACM, 21, pp , RSA Laboratories, \PKCS #1: RSA Encryption Standard", Version 1.5, November C. P. Schnorr, \Ecient Identication and Signatures for Smart Cards", Advances in Cryptology  Crypto 89, SpringerVerlag, 1990, pp
Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
More informationPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTION http://www.tutorialspoint.com/cryptography/public_key_encryption.htm Copyright tutorialspoint.com Public Key Cryptography Unlike symmetric key cryptography, we do not find historical
More informationNEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES
NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,
More informationPrinciples of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms
Principles of Public Key Cryptography Chapter : Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter : Security on Network and Transport
More informationA Factoring and Discrete Logarithm based Cryptosystem
Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511517 HIKARI Ltd, www.mhikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques
More informationRSA Attacks. By Abdulaziz Alrasheed and Fatima
RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.
More informationAsymmetric Cryptography. Mahalingam Ramkumar Department of CSE Mississippi State University
Asymmetric Cryptography Mahalingam Ramkumar Department of CSE Mississippi State University Mathematical Preliminaries CRT Chinese Remainder Theorem Euler Phi Function Fermat's Theorem Euler Fermat's Theorem
More informationThe Mathematics of the RSA PublicKey Cryptosystem
The Mathematics of the RSA PublicKey Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through
More informationCryptography: RSA and the discrete logarithm problem
Cryptography: and the discrete logarithm problem R. Hayden Advanced Maths Lectures Department of Computing Imperial College London February 2010 Public key cryptography Assymmetric cryptography two keys:
More informationIntroduction to Security Proof of Cryptosystems
Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to
More informationOverview of PublicKey Cryptography
CS 361S Overview of PublicKey Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.16 slide 2 PublicKey Cryptography public key public key? private key Alice Bob Given: Everybody knows
More informationDigital Signature. Raj Jain. Washington University in St. Louis
Digital Signature Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse57111/
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 20 PublicKey Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown PublicKey Cryptography
More informationA Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0
A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0 James Manger Telstra Research Laboratories, Level 7, 242 Exhibition Street, Melbourne 3000,
More informationPublicKey Cryptography. Oregon State University
PublicKey Cryptography Çetin Kaya Koç Oregon State University 1 Sender M Receiver Adversary Objective: Secure communication over an insecure channel 2 Solution: Secretkey cryptography Exchange the key
More informationLUC: A New Public Key System
LUC: A New Public Key System Peter J. Smith a and Michael J. J. Lennon b a LUC Partners, Auckland UniServices Ltd, The University of Auckland, Private Bag 92019, Auckland, New Zealand. b Department of
More informationAdvanced Maths Lecture 3
Advanced Maths Lecture 3 Next generation cryptography and the discrete logarithm problem for elliptic curves Richard A. Hayden rh@doc.ic.ac.uk EC crypto p. 1 Public key cryptography Asymmetric cryptography
More informationPublic Key Cryptography and RSA. Review: Number Theory Basics
Public Key Cryptography and RSA Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Review: Number Theory Basics Definition An integer n > 1 is called a prime number if its positive divisors are 1 and
More informationCIS 5371 Cryptography. 8. Encryption 
CIS 5371 Cryptography p y 8. Encryption  Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: Allornothing secrecy.
More informationInternational Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013
FACTORING CRYPTOSYSTEM MODULI WHEN THE COFACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II MohammediaCasablanca,
More informationDigital Signatures. Good properties of handwritten signatures:
Digital Signatures Good properties of handwritten signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is
More informationSECURITY IMPROVMENTS TO THE DIFFIEHELLMAN SCHEMES
www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIEHELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,
More informationChapter 10 AsymmetricKey Cryptography
Chapter 10 AsymmetricKey Cryptography Copyright The McGrawHill Companies, Inc. Permission required for reproduction or display. 10.1 Chapter 10 Objectives To distinguish between two cryptosystems: symmetrickey
More information1 Signatures vs. MACs
CS 120/ E177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. KatzLindell 10 1 Signatures vs. MACs Digital signatures
More information3. Applications of Number Theory
3. APPLICATIONS OF NUMBER THEORY 163 3. Applications of Number Theory 3.1. Representation of Integers. Theorem 3.1.1. Given an integer b > 1, every positive integer n can be expresses uniquely as n = a
More informationCryptography and Network Security Chapter 9
Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 9 Public Key Cryptography and RSA Every Egyptian received two names,
More informationAn Approach to Shorten Digital Signature Length
Computer Science Journal of Moldova, vol.14, no.342, 2006 An Approach to Shorten Digital Signature Length Nikolay A. Moldovyan Abstract A new method is proposed to design short signature schemes based
More informationTitle Goes Here An Introduction to Modern Cryptography. Mike Reiter
Title Goes Here An Introduction to Modern Cryptography Mike Reiter 1 Cryptography Study of techniques to communicate securely in the presence of an adversary Traditional scenario Goal: A dedicated, private
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationTable of Contents. Bibliografische Informationen http://dnb.info/996514864. digitalisiert durch
1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...
More informationPublic Key Cryptography and RSA
Public Key Cryptography and RSA Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse57111/
More information1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.
1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks
More informationIntroduction. Chapter 1
Chapter 1 Introduction This is a chapter from version 1.1 of the book Mathematics of Public Key Cryptography by Steven Galbraith, available from http://www.isg.rhul.ac.uk/ sdg/cryptobook/ The copyright
More informationDigital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem
Digital Signatures Murat Kantarcioglu Based on Prof. Li s Slides Digital Signatures: The Problem Consider the reallife example where a person pays by credit card and signs a bill; the seller verifies
More informationDigital signatures. Informal properties
Digital signatures Informal properties Definition. A digital signature is a number dependent on some secret known only to the signer and, additionally, on the content of the message being signed Property.
More informationETH Zurich. Email: stadler@inf.ethz.ch. participants such that only certain groups of them can recover it.
Publicly Veriable Secret Sharing Markus Stadler? Institute for Theoretical Computer Science ETH Zurich CH8092 Zurich, Switzerland Email: stadler@inf.ethz.ch Abstract. A secret sharing scheme allows to
More information1 PublicKey Encryption in Practice
CS 120/CSCI E177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 16, 2006 Lecture Notes 15: PublicKey Encryption in Practice Recommended Reading. KatzLindell, Sections 9.4, 9.5.3 1 PublicKey
More informationNotes on Network Security Prof. Hemant K. Soni
Chapter 9 Public Key Cryptography and RSA PrivateKey Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications
More informationChapter 9 Public Key Cryptography and RSA
Chapter 9 Public Key Cryptography and RSA Cryptography and Network Security: Principles and Practices (3rd Ed.) 2004/1/15 1 9.1 Principles of Public Key PrivateKey Cryptography traditional private/secret/single
More informationPublic Key Cryptography. c Eli Biham  March 30, 2011 258 Public Key Cryptography
Public Key Cryptography c Eli Biham  March 30, 2011 258 Public Key Cryptography Key Exchange All the ciphers mentioned previously require keys known apriori to all the users, before they can encrypt
More informationA Study on Asymmetric Key Cryptography Algorithms
A Study on Asymmetric Key Cryptography Algorithms ASAITHAMBI.N School of Computer Science and Engineering, Bharathidasan University, Trichy, asaicarrier@gmail.com Abstract Asymmetric key algorithms use
More informationFinal Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket
IT 4823 Information Security Administration Public Key Encryption Revisited April 5 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles
More informationElements of Applied Cryptography Public key encryption
Network Security Elements of Applied Cryptography Public key encryption Public key cryptosystem RSA and the factorization problem RSA in practice Other asymmetric ciphers Asymmetric Encryption Scheme Let
More informationEfficient online electronic checks
Applied Mathematics and Computation 162 (2005) 1259 1263 www.elsevier.com/locate/amc Efficient online electronic checks WeiKuei Chen Department of Computer Science and Information Engineering, ChingYun
More informationCryptography and Network Security
Cryptography and Network Security Fifth Edition by William Stallings Chapter 9 Public Key Cryptography and RSA PrivateKey Cryptography traditional private/secret/single key cryptography uses one key shared
More informationChapter 10 AsymmetricKey Cryptography
Chapter 10 AsymmetricKey Cryptography Copyright The McGrawHill Companies, Inc. Permission required for reproduction or display. 10.1 Chapter 10 Objectives Present asymmetrickey cryptography. Distinguish
More information9 Modular Exponentiation and Cryptography
9 Modular Exponentiation and Cryptography 9.1 Modular Exponentiation Modular arithmetic is used in cryptography. In particular, modular exponentiation is the cornerstone of what is called the RSA system.
More informationImproved Online/Offline Signature Schemes
Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion
More informationMathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information
The : Keeping Eve The Eavesdropper Away From Your Credit Card Information Department of Mathematics North Dakota State University 16 September 2010 Science Cafe Introduction Disclaimer: is not an internet
More informationDigital Signatures. Prof. Zeph Grunschlag
Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each
More informationPublic Key Cryptography. Basic Public Key Cryptography
Public Key Cryptography EJ Jung Basic Public Key Cryptography public key public key? private key Alice Bob Given: Everybody knows Bob s public key  How is this achieved in practice? Only Bob knows the
More informationCryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs
Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a
More informationA New Generic Digital Signature Algorithm
Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study
More informationA novel deniable authentication protocol using generalized ElGamal signature scheme
Information Sciences 177 (2007) 1376 1381 www.elsevier.com/locate/ins A novel deniable authentication protocol using generalized ElGamal signature scheme WeiBin Lee a, ChiaChun Wu a, WoeiJiunn Tsaur
More informationPublicKey Cryptography RSA Attacks against RSA. Système et Sécurité
PublicKey Cryptography RSA Attacks against RSA Système et Sécurité 1 Public Key Cryptography Overview Proposed in Diffieand Hellman (1976) New Directions in Cryptography publickey encryption schemes
More informationΕΠΛ 674: Εργαστήριο 3
ΕΠΛ 674: Εργαστήριο 3 Ο αλγόριθμος ασύμμετρης κρυπτογράφησης RSA Παύλος Αντωνίου Department of Computer Science PrivateKey Cryptography traditional private/secret/single key cryptography uses one key
More informationNetwork Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography
Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Encryption/Decryption using Public Key Cryptography Network Security Chapter 2 Basics 2.2 Public Key Cryptography
More informationDiscrete Mathematics, Chapter 4: Number Theory and Cryptography
Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 1 / 35 Outline 1 Divisibility
More informationIntroduction to Cryptography
Introduction to Cryptography Part 2: publickey cryptography JeanSébastien Coron January 2007 Publickey cryptography Invented by Diffie and Hellman in 1976. Revolutionized the field. Each user now has
More informationImplementation and Comparison of Various Digital Signature Algorithms. Nazia Sarang Boise State University
Implementation and Comparison of Various Digital Signature Algorithms Nazia Sarang Boise State University What is a Digital Signature? A digital signature is used as a tool to authenticate the information
More informationA SOFTWARE COMPARISON OF RSA AND ECC
International Journal Of Computer Science And Applications Vol. 2, No. 1, April / May 29 ISSN: 97413 A SOFTWARE COMPARISON OF RSA AND ECC Vivek B. Kute Lecturer. CSE Department, SVPCET, Nagpur 9975549138
More information1 Domain Extension for MACs
CS 127/CSCI E127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures KatzLindell Ÿ4.34.4 (2nd ed) and Ÿ12.012.3 (1st ed).
More informationNumber Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may
Number Theory Divisibility and Primes Definition. If a and b are integers and there is some integer c such that a = b c, then we say that b divides a or is a factor or divisor of a and write b a. Definition
More informationLecture Note 5 PUBLICKEY CRYPTOGRAPHY. Sourav Mukhopadhyay
Lecture Note 5 PUBLICKEY CRYPTOGRAPHY Sourav Mukhopadhyay Cryptography and Network Security  MA61027 Modern/Publickey cryptography started in 1976 with the publication of the following paper. W. Diffie
More informationThe RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm
The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm Maria D. Kelly December 7, 2009 Abstract The RSA algorithm, developed in 1977 by Rivest, Shamir, and Adlemen, is an algorithm
More informationACTA UNIVERSITATIS APULENSIS No 13/2007 MATHEMATICAL FOUNDATION OF DIGITAL SIGNATURES. Daniela Bojan and Sidonia Vultur
ACTA UNIVERSITATIS APULENSIS No 13/2007 MATHEMATICAL FOUNDATION OF DIGITAL SIGNATURES Daniela Bojan and Sidonia Vultur Abstract.The new services available on the Internet have born the necessity of a permanent
More informationAnnouncements. CS243: Discrete Structures. More on Cryptography and Mathematical Induction. Agenda for Today. Cryptography
Announcements CS43: Discrete Structures More on Cryptography and Mathematical Induction Işıl Dillig Class canceled next Thursday I am out of town Homework 4 due Oct instead of next Thursday (Oct 18) Işıl
More informationPublic Key (asymmetric) Cryptography
PublicKey Cryptography UNIVERSITA DEGLI STUDI DI PARMA Dipartimento di Ingegneria dell Informazione Public Key (asymmetric) Cryptography Luca Veltri (mail.to: luca.veltri@unipr.it) Course of Network Security,
More informationAdvanced Cryptography
Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.
More informationSignature Schemes. CSG 252 Fall 2006. Riccardo Pucella
Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by
More informationToday ENCRYPTION. Cryptography example. Basic principles of cryptography
Today ENCRYPTION The last class described a number of problems in ensuring your security and privacy when using a computer online. This lecture discusses one of the main technological solutions. The use
More informationDigital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?
Cryptography Digital Signatures Professor: Marius Zimand Digital signatures are meant to realize authentication of the sender nonrepudiation (Note that authentication of sender is also achieved by MACs.)
More informationIntroduction to Cryptography CS 355
Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita Rotaru
More informationHybrid Signcryption Schemes with Insider Security (Extended Abstract)
Hybrid Signcryption Schemes with Insider Security (Extended Abstract) Alexander W. Dent Royal Holloway, University of London Egham Hill, Egham, Surrey, TW20 0EX, U.K. a.dent@rhul.ac.uk http://www.isg.rhul.ac.uk/~alex/
More informationIndex Calculation Attacks on RSA Signature and Encryption
Index Calculation Attacks on RSA Signature and Encryption JeanSébastien Coron 1, Yvo Desmedt 2, David Naccache 1, Andrew Odlyzko 3, and Julien P. Stern 4 1 Gemplus Card International {jeansebastien.coron,david.naccache}@gemplus.com
More informationKlaus Hansen, Troels Larsen and Kim Olsen Department of Computer Science University of Copenhagen Copenhagen, Denmark
On the Efficiency of Fast RSA Variants in Modern Mobile Phones Klaus Hansen, Troels Larsen and Kim Olsen Department of Computer Science University of Copenhagen Copenhagen, Denmark Abstract Modern mobile
More informationThe application of prime numbers to RSA encryption
The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered
More informationCrittografia e sicurezza delle reti. Digital signatures DSA
Crittografia e sicurezza delle reti Digital signatures DSA Signatures vs. MACs Suppose parties A and B share the secret key K. Then M, MAC K (M) convinces A that indeed M originated with B. But in case
More informationIntroduction. Digital Signature
Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology
More informationA chosen text attack on the RSA cryptosystem and some discrete logarithm schemes
A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes Y. Desmedt Aangesteld Navorser NFWO Katholieke Universiteit Leuven Laboratorium ESAT B3030 Heverlee, Belgium A. M. Odlyzko
More informationTo appear in Advances in Cryptology CRYPTO '97 Ecient Group Signature Schemes for Large Groups (Extended Abstract) Jan Camenisch Department of Computer Science Haldeneggsteig 4 ETH Zurich 8092 Zurich,
More informationEvaluation of Digital Signature Process
Evaluation of Digital Signature Process Emil SIMION, Ph. D. email: esimion@fmi.unibuc.ro Agenda Evaluation of digital signatures schemes: evaluation criteria; security evaluation; security of hash functions;
More informationBreaking RSA & Using Asymmetric Crypto
Breaking RSA & Using Asymmetric Crypto Luke Anderson luke@lukeanderson.com.au 15th April 2016 University Of Sydney Overview 1. CryptoBulletin 2. Breaking RSA 2.1 Chinese Remainder Theorem 2.2 Common Attacks
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA DiffieHellman Key Exchange Public key and
More informationCHAPTER 3 THE NEW MMP CRYPTO SYSTEM. mathematical problems Hidden Root Problem, Discrete Logarithm Problem and
79 CHAPTER 3 THE NEW MMP CRYPTO SYSTEM In this chapter an overview of the new Mixed Mode Paired cipher text Cryptographic System (MMPCS) is given, its three hard mathematical problems are explained, and
More informationComparative Analysis for Performance acceleration of Modern Asymmetric Crypto Systems
J. of Comp. and I.T. Vol. 3(1&2), 16 (2012). Comparative Analysis for Performance acceleration of Modern Asymmetric Crypto Systems RAJ KUMAR 1 and V.K. SARASWAT 2 1,2 Department of Computer Science, ICIS
More informationA SYMMETRIC KEY FULLY HOMOMORPHIC ENCRYPTION SCHEME USING GENERAL CHINESE REMAINDER THEOREM
Konuralp Journal of Mathematics Volume 4 No. 1 pp. 122 129 (2016) c KJM A SYMMETRIC KEY FULLY HOMOMORPHIC ENCRYPTION SCHEME USING GENERAL CHINESE REMAINDER THEOREM EMİN AYGÜN AND ERKAM LÜY Abstract. The
More informationCRYPTOGRAPHY IN NETWORK SECURITY
ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIENCHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can
More informationMidterm Exam Solutions CS161 Computer Security, Spring 2008
Midterm Exam Solutions CS161 Computer Security, Spring 2008 1. To encrypt a series of plaintext blocks p 1, p 2,... p n using a block cipher E operating in electronic code book (ECB) mode, each ciphertext
More informationLecture Note 7 AUTHENTICATION REQUIREMENTS. Sourav Mukhopadhyay
Lecture Note 7 AUTHENTICATION REQUIREMENTS Sourav Mukhopadhyay Cryptography and Network Security  MA61027 In the context of communications across a network, the following attacks can be identified: 1.
More informationA Proposal for Authenticated Key Recovery System 1
A Proposal for Authenticated Key Recovery System 1 Tsuyoshi Nishioka a, Kanta Matsuura a, Yuliang Zheng b,c, and Hideki Imai b a Information & Communication Business Div. ADVANCE Co., Ltd. 57 Nihombashi
More informationApplied Cryptography Public Key Algorithms
Applied Cryptography Public Key Algorithms Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 Public Key Cryptography Independently invented by Whitfield Diffie & Martin
More informationLukasz Pater CMMS Administrator and Developer
Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? Oneway functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign
More informationHighSpeed RSA Implementation C etin Kaya Koc Koc@ece.orst.edu RSA Laboratories RSA Data Security, Inc. 100 Marine Parkway, Suite 500 Redwood City, CA 940651031 Copyright c RSA Laboratories Version 2.0
More informationAsymmetric Encryption. With material from Jonathan Katz, David Brumley, and Dave Levin
Asymmetric Encryption With material from Jonathan Katz, David Brumley, and Dave Levin Warmup activity Overview of asymmetrickey crypto Intuition for El Gamal and RSA And intuition for attacks Digital
More informationUNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 6 Introduction to PublicKey Cryptography Israel Koren ECE597/697 Koren Part.6.1
More informationAuthentication requirement Authentication function MAC Hash function Security of
UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy
More informationDigital Signatures. Meka N.L.Sneha. Indiana State University. nmeka@sycamores.indstate.edu. October 2015
Digital Signatures Meka N.L.Sneha Indiana State University nmeka@sycamores.indstate.edu October 2015 1 Introduction Digital Signatures are the most trusted way to get documents signed online. A digital
More informationApplied Cryptology. Ed Crowley
Applied Cryptology Ed Crowley 1 Basics Topics Basic Services and Operations Symmetric Cryptography Encryption and Symmetric Algorithms Asymmetric Cryptography Authentication, Nonrepudiation, and Asymmetric
More information