In this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamal-type sc

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "In this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamal-type sc"

Transcription

1 Digital Signature and Public Key Cryptosystem in a Prime Order Subgroup of Z n Colin Boyd Information Security Research Centre, School of Data Communications Queensland University of Technology, Brisbane Q4001, Australia Abstract. A new digital signature scheme and public key cryptosystem are proposed which use operations in a prime order subgroup of Z n for a composite number n. There are similarities with the best known digital signatures and public key cryptosystems (RSA and discrete logarithm based schemes) in terms of the mathematical structure. With regard to computational requirements the new schemes are competitive and, in particular, are more ecient than the best known schemes when averaged over both public and private key computations. 1 Introduction The best known and most widely used public key cryptosystems today base their security on the diculty of either the integer factorisation problem or the discrete logarithm problem. The RSA scheme [11] can be used to provide both digital signatures and public key encryption; its security relies on the diculty of factorising a modulus which is the product of two large primes. The algorithms of ElGamal [4] can also provide digital signatures and public key encryption; these rely on the diculty of nding discrete logarithms in the eld of integers modulo a large prime p. Subsequent renements have been made to the original ElGamal schemes, particularly to the signature scheme. For example, the Digital Signature Standard (DSS) algorithm combines ElGamal signatures with an idea of Schnorr [13] to increase eciency and provide short signatures. Even with modern processors, the RSA and ElGamal-type algorithms are often a computational burden. Considerable research has been devoted to methods for speeding up the algorithms and various renements are widely used. For example, by use of a small public exponent the RSA scheme can be arranged to be particularly ecient in operations with the public key, namely signature verication and encryption. DSS signatures use short exponents in order to improve eciency. While RSA signatures are more ecient for verication, the DSS algorithm turns out to be typically more ecient than RSA for signature generation. With regard to ElGamal encryption there has been less published research, but even here there are options to optimise the computation through use of small length exponents. The debate as to whether RSA or ElGamal-type algorithms are the most ecient can only be answered by reference to the particular environment in which implementation is to be placed.

2 In this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamal-type schemes both in terms of mathematical structure and in terms of computational requirements. Although the mathematical setting is quite familiar a novel trapdoor is used which constitutes the order of a particular element. An attractive feature in some applications is that public key and private key operations are both of roughly equal complexity; this applies to both the signature and the encryption scheme. For that reason they may be called balanced schemes. The schemes use a composite modulus and, like RSA, rely for their security on the diculty of integer factorisation. On the other hand the schemes use operations in a prime order subgroup of the integers, a feature shared with DSS and Schnorr signatures. The signature scheme is deterministic like RSA, while the encryption scheme is probabilistic like ElGamal-type schemes, thus requiring a random input. The computational requirements lie between those for RSA and ElGamal-type schemes. As well as being balanced, the total computation required for both signature generation and verication is less than either RSA or DSS, while the total computation for encryption and decryption is less than either RSA or ElGamal, even when `short' exponents are used in the latter. The next section describes the parameters that are used for the schemes. (The public and private keys are essentially the same for both digital signature and encryption.) Following this the digital signature scheme and public key encryption scheme are considered in turn, together with consideration of their computational requirements as well as the possible attacks upon them. 2 System Parameters The proposed algorithms make use of a composite modulus n as in the RSA algorithm [11]. The values p, q and r are primes that satisfy the following properties. { n = pq { rjp? 1 It is not computationally dicult to generate these parameters. For example, the methods used to generate so-called `strong' primes for RSA [7] may be suitably modied to generate p. For a practical implementation r should be chosen to be a random prime of around 160 bits, and the primes p and q should be of suitable size so that n is hard to factorise. Since r is a secret value it is important that r be chosen randomly within a large enough range that it cannot be found by an exhaustive search. An element g in Z n is chosen which has order r. This may be eciently accomplished by nding an element in Z n of order = lcm(p? 1; q? 1) and letting g = =r mod n. In turn may be found by using the Chinese remainder theorem to nd an element which equals 1 mod p and equals 2 mod q, where 1 and 2 are generators of Z p and Z q. The keys for the system are then as follows.

3 Public Key: (n; g) Private Key: r The private key r is the order of the public element g. Finding the private key from the public key alone is then the problem of nding the order of a specic element modulo n. In general this problem is random polynomial time equivalent to the factorisation problem [1]. It is not dicult to see that an oracle that returns the order of elements modulo n can be used to nd (n) which is sucient to factorise n. Clearly factorisation of the modulus leads to knowledge of p? 1, which can then be factorised (if n has been) to nd r. Thus nding the private key can be no harder than factorising the modulus. It is possible that knowledge that the order of g is of special form may help in nding r. However, it is worth noting that a very similar public key structure is used by Brickell and McCurley in their identication scheme [3]. Their scheme uses a prime modulus p and has an element of prime order q, where qjp? 1. The security of their scheme relies on the diculty of nding this unknown order as well as on nding discrete logarithms to the base. So far as is known to this author, the Brickell and McCurley scheme has not been successfully attacked. 3 The Signature Scheme 3.1 Signature Generation The signature of a message m is the value s: s = g d mod n where d = m?1 mod r. The signature exists unless m mod r = 0; although this happens with negligible probability, if desired the condition 0 < m < r may be imposed. 3.2 Signature Verication If s is a claimed signature of the message m by the holder of the public key (n; g), then it is checked whether s m mod n = g and if so the signature is accepted as genuine. Because g has order r it follows that when the signature is genuine, s m mod n = g m?1 m mod r mod n = g and so the verication succeeds.

4 3.3 Use of Hash Functions Signature verication requires knowledge of the message (this is sometimes called a signature scheme with appendix). It is thus natural to use the scheme in combination with a suitable one-way hash function with which m will be hashed before signing in order to limit the size of the exponent in verication. In order to avoid the possibility of collisions of messages it is desirable that the hash function used should have a 160-bit output and the Secure Hash Standard algorithm, SHA [5], currently appears to be a suitable choice. 4 Comparison with RSA and DSS Signatures The computational complexity of both signature generation and verication is determined by the length of the exponents. For signature generation the exponent has the same length as r which is suggested as 160 bits. For verication the exponent has the same length as m, or h(m) if h is the hash function used. If the SHS is used then h(m) is also 160 bits. Let us compare this with the complexity of both DSS and RSA (when a small public exponent is used). Table 1 shows comparitive gures for naive implementations of the three algorithms using the well-known square and multiply algorithm. In Table 1 it is assumed that the small public exponent is used for RSA signatures, and a 1024 bit modulus is employed. It can be seen that the new algorithm lies between the other two 1 and is better than RSA for signature generation and better than DSS for verication. It also deserves to be emphasised that DSS is a randomized algorithm and so requires a new random number to be generated for each signature. Generation of random numbers is not a trivial task. In the table the calculation of d = m?1 mod r in the proposed scheme has been ignored. (A similar calculation is also required for DSS signature generation.) The justication for this is that it should be a relatively small proportion of the calculation. A basic way to nd d is by calculating d = m r?1 mod r (although more ecient ways exist [9]) which requires on average 240 multiplications modulo r. The complexity of modular multiplication increases as the square of the modulus size and since the size of r is less than six times that of n, calculation of d would take under 3% of the total eort even with this basic method. There are various enhancements that can be made to speed up all the signature schemes shown in table 1. For example, DSS signature verication can be speeded up by simultaneous calculation of the two exponentiations involved, thereby reducing it to the equivalent of 5/4 exponentiations (see Algorithm of [9], attributed to Shamir). Another example is that both RSA and the proposed scheme can use the Chinese remainder theorem to speed up signature 1 For signature generation in DSS most of the computational eort can be expended in a pre-processing stage.

5 RSA DSS Proposed Signature Generation Signature Verication Signature Length Public Key Length Private Key Length Table 1. Computation (modular multiplications) and parameters (bits) for 1024 bit modulus with basic square-and-multiply algorithm. generation by making calculations modulo the two factors of n, thereby reducing the computation required by a factor of 4. Table 1 also compares the lengths of signatures and keys. It may be observed that DSS is much the best with regard to signature length. The proposed scheme compares quite well and, in particular, shares a useful property with the DSS of having a small private key. The public key for DSS is the longest but it should be noted that public keys may share the same prime modulus and base value, thereby reducing the marginal storage cost of a public key to 1024 bits. (On the other hand this is not without its security implications.) 5 Security of Signature Scheme Most practical signature schemes do not carry any proof of security. In particular, it is known neither whether breaking RSA signatures is equivalent to the factorisation problem, nor whether breaking DSS is equivalent to solving the discrete logarithm problem. The only apparent attacks on the proposed scheme are as hard as factorising the modulus n but, as for RSA and DSS, it is not proven whether there is not some more ecient attack. The following lemmas are easily proved. Lemma 1. Suppose messages m 1 and m 2 are congruent modulo r. Then the value s (0 < s < n) is a valid signature of m 1 if and only if s is a valid signature for m 2. Lemma 2. Two values s 1 and s 2 are valid signatures for the same message m if and only if s 1 and s 2 are congruent modulo n. Together these results reveal the structure of the signature space of the scheme. The only values less than n which are available for signatures are in the orbit of g. These values are in one-to-one correspondence with the messages from any residue set modulo r. This shows that the signatures are in a sense `well distributed' so that an attacker is not able, for example, to guess a signature value which is shared by dierent messages. In addition, since operations take place in a group of large prime order there are no possible problems with accidental use of smooth subgroups as discussed by Anderson and Vaudenay [2].

6 5.1 Forgery Attacks Most known signature schemes (including RSA and ElGamal-type signatures) are prone to existential forgery attacks when a hash function is not used prior to signing. In such attacks an unlimited number of signatures for random messages may be generated. For the proposed scheme a simple existential forgery is that the value s = 1 is the signature for the message m = g. Further random signatures seem hard to achieve. Selective forgery refers to the diculty of forging a signature of a message chosen in advance by the attacker. With use of a one-way hash functions this appears the only way to nd any valid signature. The attacker chooses a message m and is required to nd a value s with s m mod n = g. The ability to nd the signature s from knowledge of the public key alone is the same as breaking the RSA encryption algorithm for a given ciphertext g and public exponent m, with the side information that there is a factor of (n) of size 160 bits and the ciphertext generates a subgroup of that same size. It is unclear whether the side information is any help in factorising n. The similarity to the security of Brickell and McCurley's identication scheme [3] may again be noted. An adaptive chosen message attack makes use of signatures on chosen messages and is in general harder to resist than an attack using only the public key. Such an attack is no longer equivalent to an attack on RSA but would correspond to a situation where an attacker could choose the public RSA exponent and obtain the plaintext corresponding to the ciphertext g. There does not appear to be any obvious way that this helps an attacker. Another approach is to use a known signature to help nd the private key. If a solution z can be found for s = g z mod n then this is equivalent to the private key since s = g m?1 mod z mod n is a valid signature for m. Finding z is the discrete logarithm problem in the ring Z n. In the case where the base generates the whole of Z n the discrete logarithm problem is equivalent to factorising n (see reference [8] for example). The general problem of nding discrete logarithms in an arbitrary group has no known algorithm with running time faster than the square root of the input. Existence of such an algorithm would break the DSS as well as the proposed scheme. 6 The Public Key Cryptosystem It is not immediately obvious how to use the trapdoor used in the signature scheme to construct a public key encryption scheme. Unlike RSA it is not possible to simply turn around the digital signature verication procedure. For example, if a user were to calculate g m mod n then this cannot be undone, for the discrete logarithm problem with base g is hard even with knowledge of r, the order of g. However there is a way to achieve the aim by a process similar to ElGamal encryption in which a random `hint' is chosen which must be sent along with the message dependant part of the encryption. The public key for the system is the same as for the digital signature scheme while the private key is a slight variant.

7 Public Key: n; g Private Key: z = (r? 1)=2 =?2?1 mod r To encrypt a message m with 0 < m < n? 1 the sender nds the public key of the recipient and chooses a random value t of 160 bits. The ciphertext is then the pair (u; v) dened as follows u = g 2t mod n v = mg t mod n The recipient decrypts the pair (u; v) by the following calculation. m = u z v mod n Note that there is a generalisation of this process in which a random value s replaces the value 2. The value s may be chosen by the sender in the same way as t. Then u = g st and v = mg t. The ciphertext is the triple (s; u; t). In order to decrypt the receiver must now nd w =?s?1 mod r rst, then nd m = u w v. This variation is obviously less ecient for both encryption and decryption. It may possibly be more secure as well as providing more scope for randomising applications. 7 Comparison with Other Public Key Cryptosystems As for the signature scheme, the computational complexity of encryption and decryption is determined by the length of the exponents. For encryption the sender needs to calculate one modular exponentiation with a 160 bit exponent to obtain g t mod n plus two further multiplications to obtain u and v. For decryption the exponent is also 160 bits and one extra multiplication is required. One way of decreasing the computational requirement of the ElGamal system is to use short exponents (say of 160 bits) in the exponentiation. Van Oorschot and Wiener have discussed the issue of using such short exponents in the related Die-Hellman key exchange protocol [10]. They recommend that if small exponents are used the protocol should be set in a group of prime order and in this event they see no way to attack the protocol. A group of prime order can be constructed to lie inside the integers modulo p in a standard way by suitable selection of p. Let us compare this with the complexity of both ElGamal and RSA (when a small public exponent is used). Table 1 shows comparitive gures for naive implementations of the three algorithms using the well-known square and multiply algorithm. Two versions are given for ElGamal; one is the original algorithm and the other is a variation where small exponents of length 160 bits are used. When short exponents are used the modulus must be chosen carefully [10]. The gures neglect the public exponent in RSA and the generator in ElGamal, both of which may be chosen to be small. It can be seen that the new algorithm lies between the other two and is better than RSA for decryption and better

8 RSA ElGamal ElGamal with Proposed Short Exponents Encryption Eort Decryption Eort Public Key Length Private Key Length Ciphertext Length Table 2. Computation (modular multiplications) and parameters (bits) using 1024 bit modulus and basic square-and-multiply algorithm. than ElGamal for encryption. For the average between encryption the proposed algorithm appears better than either. Just as in the signature scheme various enhancements can be made to speed up all the schemes compared in table 2. Again, both RSA and the proposed scheme can use the Chinese remainder theorem to speed up decryption by making calculations modulo the two factors of n, thereby reducing the computation required by a factor of 4. When comparing the practical merits of the various schemes the lengths of the public keys and ciphertexts should also be noted. The new scheme is the same as ElGamal in this regard, suering a twofold expansion in the encrypted text. In this regard RSA is superior because ciphertexts are just one modulus length. The table shows that the proposed scheme and ElGamal are at a disadvantage compared with RSA with respect to public key length. As with DSS public keys, the marginal size of ElGamal public keys may be reduced to 1024 bits if it is assumed that all users share the same prime modulus and generator value. The proposed scheme is better than RSA with regard to the private key size, and the same as ElGamal with short exponents, since the private parameter is no bigger than r. 8 Security of Encryption The security of the proposed scheme is related to that of both RSA and El- Gamal. It should be noted that an eavesdropper is able to obtain m 2 mod n = v 2 u?1 mod n. This is not a problem, since it is well known that nding square roots modulo n is as hard as nding the factors of n [9]. However it means that the message m should not be a small integer value otherwise its square root may be obtained in ordinary integer arithmetic. In order to avoid this problem message should be padded in some standard way, such as is now widely accepted for RSA [12]. In section 2 the dicult of obtaining the private key z from the public parameters was discussed. It may be that there is a way to decrypt without actually obtaining z. If this is the case then an attacker can, with non-negligible probability, obtain the value g t mod n given the value g 2t mod n. Now this means that the attacker can nd specic square roots. As already mentioned, the ability to

9 nd square roots in Z n is well known to be equivalent to the ability to factorise n. But in this case it is a mistake to say that breaking the cryptosystem is the same as the ability to nd arbitrary square root modulo n. For example, suppose an attacker mounts a chosen ciphertext attack by choosing x at random and presenting (x 2 mod n; v) for decryption, for any v. The attacker is most unlikely to obtain another square root of x 2 mod n, but will obtain x?2z mod n. As the following lemma shows, this is a square root of x 2 mod n with negligible probability. Lemma 3. For any x in Z n with n chosen as in section 2 the following holds. (x?2z ) 2 x 2 mod n () ord(x 2 mod n) = r Proof First note that (x?2z ) 2 mod n = x 2?2r mod n. If ord(x 2 mod n) = r then x?2r mod n = 1 so (x?2z ) 2 x 2 mod n. On the other hand if x 2?2r x 2 mod n then x?2r mod n = 1 so that the order of x 2 mod n divides r. But since r is an odd prime this implies that ord(x 2 mod n) = r. 2 If ord(x 2 mod n) = r then ord(x) = r or 2r. As long as r 2 does not divide (p? 1)(q? 1) (which is true with overwhelming probability) the order of x can only be r if x is in the orbit of g, and can only be 2r if x is in the orbit of?g. Thus the chosen ciphertext attack will never succeed because the attacker will only receive a square root of x 2 mod n if x is in the orbit of g or?g and then it will equal x. It is easy to check that breaking the proposed cryptosystem is equivalent to breaking a particular case of a generalisation of ElGamal encryption in Z n. This is where the public key is (n; g; g z mod n) and encryption of m is the pair (g t mod n; g zt m mod n). For this case the pair (u; v) is decrypted by m = u?z v mod n. In general there is no known way to break the ElGamal cryptosystem without nding the secret z. As stated before, this appears to be a dicult problem. 9 Conclusion A new digital signature scheme and public key encryption scheme have been proposed based on well known algebraic structures but using a novel trapdoor. The schemes appears to be secure in comparison with the best known schemes, although proofs of security would be useful. In addition the schemes oer the following features which may prove advantageous. { Both the signature scheme and public key encryption scheme are `balanced' in the sense that public and private key computations are roughly equal. { Computations take place in a group of prime order which is believed to oer high security for discrete logarithms based systems. { The average computational requirements for signature generation plus signature verication are less than both RSA and DSS.

10 { The average computational requirements for public key encryption and decryption are less than both RSA and ElGamal. It is interesting to consider protocols in which the new signature and cryptosystem may be used as primitives. There may also be useful analogies to be found in elliptic curves or other groups. Acknowledgements I am very grateful to Wenbo Mao of Hewlett-Packard for many constructive critical comments. References 1. L. M. Adleman and K. S. McCurley, \Open Problems in Number Theoretic Complexity, II", Algorithmic Number Theory, Lecture Notes in Computer Science Vol.877, Springer-Verlag, R. Anderson and S. Vaudenay, \Minding Your p's and q's", Advances in Cryptology - Asiacrypt 96, Springer-Verlag, E. F. Brickell and K. S. McCurley, \An Interactive Identication Scheme Based on Discrete Logarithms and Factoring", Journal of Cryptology, 5, 1, pp.29-39, T. ElGamal, \A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Transactions on Information Theory, IT-31, 4, pp , FIPS 180-1, \Secure Hash Standard", US Department of Commerce/NIST, April FIPS 186, \Digital Signature Standard", US Department of Commerce/NIST, J. Gordon, \Strong RSA Keys", Electronics Letters, 20, June 7, 1984, pp U. Maurer and Y. Yacobi, \Non-interactive Public Key Cryptography", Advances in Cryptology - Eurocrypt 91, Springer-Verlag, 1991, pp A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, ARC Press, P. van Oorschot and M. Wiener, \On Die-Hellman Key Agreement with Short Exponents", Advances in Cryptology - Eurocrypt '96, Springer-Verlag, 1996, pp R. Rivest, A. Shamir, L.Adleman, \A Method for Obtaining Digital Signatures and Public Key Cryptosystems" Communications of the ACM, 21, pp , RSA Laboratories, \PKCS #1: RSA Encryption Standard", Version 1.5, November C. P. Schnorr, \Ecient Identication and Signatures for Smart Cards", Advances in Cryptology - Crypto 89, Springer-Verlag, 1990, pp

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

PUBLIC KEY ENCRYPTION

PUBLIC KEY ENCRYPTION PUBLIC KEY ENCRYPTION http://www.tutorialspoint.com/cryptography/public_key_encryption.htm Copyright tutorialspoint.com Public Key Cryptography Unlike symmetric key cryptography, we do not find historical

More information

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,

More information

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms Principles of Public Key Cryptography Chapter : Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter : Security on Network and Transport

More information

A Factoring and Discrete Logarithm based Cryptosystem

A Factoring and Discrete Logarithm based Cryptosystem Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

More information

RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks. By Abdulaziz Alrasheed and Fatima RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

More information

Asymmetric Cryptography. Mahalingam Ramkumar Department of CSE Mississippi State University

Asymmetric Cryptography. Mahalingam Ramkumar Department of CSE Mississippi State University Asymmetric Cryptography Mahalingam Ramkumar Department of CSE Mississippi State University Mathematical Preliminaries CRT Chinese Remainder Theorem Euler Phi Function Fermat's Theorem Euler Fermat's Theorem

More information

The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

More information

Cryptography: RSA and the discrete logarithm problem

Cryptography: RSA and the discrete logarithm problem Cryptography: and the discrete logarithm problem R. Hayden Advanced Maths Lectures Department of Computing Imperial College London February 2010 Public key cryptography Assymmetric cryptography two keys:

More information

Introduction to Security Proof of Cryptosystems

Introduction to Security Proof of Cryptosystems Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to

More information

Overview of Public-Key Cryptography

Overview of Public-Key Cryptography CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

More information

Digital Signature. Raj Jain. Washington University in St. Louis

Digital Signature. Raj Jain. Washington University in St. Louis Digital Signature Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography

More information

A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0

A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0 A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0 James Manger Telstra Research Laboratories, Level 7, 242 Exhibition Street, Melbourne 3000,

More information

Public-Key Cryptography. Oregon State University

Public-Key Cryptography. Oregon State University Public-Key Cryptography Çetin Kaya Koç Oregon State University 1 Sender M Receiver Adversary Objective: Secure communication over an insecure channel 2 Solution: Secret-key cryptography Exchange the key

More information

LUC: A New Public Key System

LUC: A New Public Key System LUC: A New Public Key System Peter J. Smith a and Michael J. J. Lennon b a LUC Partners, Auckland UniServices Ltd, The University of Auckland, Private Bag 92019, Auckland, New Zealand. b Department of

More information

Advanced Maths Lecture 3

Advanced Maths Lecture 3 Advanced Maths Lecture 3 Next generation cryptography and the discrete logarithm problem for elliptic curves Richard A. Hayden rh@doc.ic.ac.uk EC crypto p. 1 Public key cryptography Asymmetric cryptography

More information

Public Key Cryptography and RSA. Review: Number Theory Basics

Public Key Cryptography and RSA. Review: Number Theory Basics Public Key Cryptography and RSA Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Review: Number Theory Basics Definition An integer n > 1 is called a prime number if its positive divisors are 1 and

More information

CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography. 8. Encryption -- CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

More information

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013 FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

More information

Digital Signatures. Good properties of hand-written signatures:

Digital Signatures. Good properties of hand-written signatures: Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is

More information

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

More information

Chapter 10 Asymmetric-Key Cryptography

Chapter 10 Asymmetric-Key Cryptography Chapter 10 Asymmetric-Key Cryptography Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.1 Chapter 10 Objectives To distinguish between two cryptosystems: symmetric-key

More information

1 Signatures vs. MACs

1 Signatures vs. MACs CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

More information

3. Applications of Number Theory

3. Applications of Number Theory 3. APPLICATIONS OF NUMBER THEORY 163 3. Applications of Number Theory 3.1. Representation of Integers. Theorem 3.1.1. Given an integer b > 1, every positive integer n can be expresses uniquely as n = a

More information

Cryptography and Network Security Chapter 9

Cryptography and Network Security Chapter 9 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 9 Public Key Cryptography and RSA Every Egyptian received two names,

More information

An Approach to Shorten Digital Signature Length

An Approach to Shorten Digital Signature Length Computer Science Journal of Moldova, vol.14, no.342, 2006 An Approach to Shorten Digital Signature Length Nikolay A. Moldovyan Abstract A new method is proposed to design short signature schemes based

More information

Title Goes Here An Introduction to Modern Cryptography. Mike Reiter

Title Goes Here An Introduction to Modern Cryptography. Mike Reiter Title Goes Here An Introduction to Modern Cryptography Mike Reiter 1 Cryptography Study of techniques to communicate securely in the presence of an adversary Traditional scenario Goal: A dedicated, private

More information

Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

More information

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch 1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...

More information

Public Key Cryptography and RSA

Public Key Cryptography and RSA Public Key Cryptography and RSA Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/

More information

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6. 1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

More information

Introduction. Chapter 1

Introduction. Chapter 1 Chapter 1 Introduction This is a chapter from version 1.1 of the book Mathematics of Public Key Cryptography by Steven Galbraith, available from http://www.isg.rhul.ac.uk/ sdg/crypto-book/ The copyright

More information

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem Digital Signatures Murat Kantarcioglu Based on Prof. Li s Slides Digital Signatures: The Problem Consider the real-life example where a person pays by credit card and signs a bill; the seller verifies

More information

Digital signatures. Informal properties

Digital signatures. Informal properties Digital signatures Informal properties Definition. A digital signature is a number dependent on some secret known only to the signer and, additionally, on the content of the message being signed Property.

More information

ETH Zurich. Email: stadler@inf.ethz.ch. participants such that only certain groups of them can recover it.

ETH Zurich. Email: stadler@inf.ethz.ch. participants such that only certain groups of them can recover it. Publicly Veriable Secret Sharing Markus Stadler? Institute for Theoretical Computer Science ETH Zurich CH-8092 Zurich, Switzerland Email: stadler@inf.ethz.ch Abstract. A secret sharing scheme allows to

More information

1 Public-Key Encryption in Practice

1 Public-Key Encryption in Practice CS 120/CSCI E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 16, 2006 Lecture Notes 15: Public-Key Encryption in Practice Recommended Reading. KatzLindell, Sections 9.4, 9.5.3 1 Public-Key

More information

Notes on Network Security Prof. Hemant K. Soni

Notes on Network Security Prof. Hemant K. Soni Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications

More information

Chapter 9 Public Key Cryptography and RSA

Chapter 9 Public Key Cryptography and RSA Chapter 9 Public Key Cryptography and RSA Cryptography and Network Security: Principles and Practices (3rd Ed.) 2004/1/15 1 9.1 Principles of Public Key Private-Key Cryptography traditional private/secret/single

More information

Public Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography

Public Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography Public Key Cryptography c Eli Biham - March 30, 2011 258 Public Key Cryptography Key Exchange All the ciphers mentioned previously require keys known a-priori to all the users, before they can encrypt

More information

A Study on Asymmetric Key Cryptography Algorithms

A Study on Asymmetric Key Cryptography Algorithms A Study on Asymmetric Key Cryptography Algorithms ASAITHAMBI.N School of Computer Science and Engineering, Bharathidasan University, Trichy, asaicarrier@gmail.com Abstract Asymmetric key algorithms use

More information

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket IT 4823 Information Security Administration Public Key Encryption Revisited April 5 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

More information

Elements of Applied Cryptography Public key encryption

Elements of Applied Cryptography Public key encryption Network Security Elements of Applied Cryptography Public key encryption Public key cryptosystem RSA and the factorization problem RSA in practice Other asymmetric ciphers Asymmetric Encryption Scheme Let

More information

Efficient on-line electronic checks

Efficient on-line electronic checks Applied Mathematics and Computation 162 (2005) 1259 1263 www.elsevier.com/locate/amc Efficient on-line electronic checks Wei-Kuei Chen Department of Computer Science and Information Engineering, Ching-Yun

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security Fifth Edition by William Stallings Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared

More information

Chapter 10 Asymmetric-Key Cryptography

Chapter 10 Asymmetric-Key Cryptography Chapter 10 Asymmetric-Key Cryptography Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.1 Chapter 10 Objectives Present asymmetric-key cryptography. Distinguish

More information

9 Modular Exponentiation and Cryptography

9 Modular Exponentiation and Cryptography 9 Modular Exponentiation and Cryptography 9.1 Modular Exponentiation Modular arithmetic is used in cryptography. In particular, modular exponentiation is the cornerstone of what is called the RSA system.

More information

Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

More information

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information The : Keeping Eve The Eavesdropper Away From Your Credit Card Information Department of Mathematics North Dakota State University 16 September 2010 Science Cafe Introduction Disclaimer: is not an internet

More information

Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures. Prof. Zeph Grunschlag Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

More information

Public Key Cryptography. Basic Public Key Cryptography

Public Key Cryptography. Basic Public Key Cryptography Public Key Cryptography EJ Jung Basic Public Key Cryptography public key public key? private key Alice Bob Given: Everybody knows Bob s public key - How is this achieved in practice? Only Bob knows the

More information

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

More information

A New Generic Digital Signature Algorithm

A New Generic Digital Signature Algorithm Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study

More information

A novel deniable authentication protocol using generalized ElGamal signature scheme

A novel deniable authentication protocol using generalized ElGamal signature scheme Information Sciences 177 (2007) 1376 1381 www.elsevier.com/locate/ins A novel deniable authentication protocol using generalized ElGamal signature scheme Wei-Bin Lee a, Chia-Chun Wu a, Woei-Jiunn Tsaur

More information

Public-Key Cryptography RSA Attacks against RSA. Système et Sécurité

Public-Key Cryptography RSA Attacks against RSA. Système et Sécurité Public-Key Cryptography RSA Attacks against RSA Système et Sécurité 1 Public Key Cryptography Overview Proposed in Diffieand Hellman (1976) New Directions in Cryptography public-key encryption schemes

More information

ΕΠΛ 674: Εργαστήριο 3

ΕΠΛ 674: Εργαστήριο 3 ΕΠΛ 674: Εργαστήριο 3 Ο αλγόριθμος ασύμμετρης κρυπτογράφησης RSA Παύλος Αντωνίου Department of Computer Science Private-Key Cryptography traditional private/secret/single key cryptography uses one key

More information

Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography

Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Encryption/Decryption using Public Key Cryptography Network Security Chapter 2 Basics 2.2 Public Key Cryptography

More information

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Discrete Mathematics, Chapter 4: Number Theory and Cryptography Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 1 / 35 Outline 1 Divisibility

More information

Introduction to Cryptography

Introduction to Cryptography Introduction to Cryptography Part 2: public-key cryptography Jean-Sébastien Coron January 2007 Public-key cryptography Invented by Diffie and Hellman in 1976. Revolutionized the field. Each user now has

More information

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University Implementation and Comparison of Various Digital Signature Algorithms -Nazia Sarang Boise State University What is a Digital Signature? A digital signature is used as a tool to authenticate the information

More information

A SOFTWARE COMPARISON OF RSA AND ECC

A SOFTWARE COMPARISON OF RSA AND ECC International Journal Of Computer Science And Applications Vol. 2, No. 1, April / May 29 ISSN: 974-13 A SOFTWARE COMPARISON OF RSA AND ECC Vivek B. Kute Lecturer. CSE Department, SVPCET, Nagpur 9975549138

More information

Signcryption or How to Achieve Cost(Signature & Encryption)

More information

1 Domain Extension for MACs

1 Domain Extension for MACs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

More information

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may Number Theory Divisibility and Primes Definition. If a and b are integers and there is some integer c such that a = b c, then we say that b divides a or is a factor or divisor of a and write b a. Definition

More information

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Modern/Public-key cryptography started in 1976 with the publication of the following paper. W. Diffie

More information

The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm

The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm Maria D. Kelly December 7, 2009 Abstract The RSA algorithm, developed in 1977 by Rivest, Shamir, and Adlemen, is an algorithm

More information

ACTA UNIVERSITATIS APULENSIS No 13/2007 MATHEMATICAL FOUNDATION OF DIGITAL SIGNATURES. Daniela Bojan and Sidonia Vultur

ACTA UNIVERSITATIS APULENSIS No 13/2007 MATHEMATICAL FOUNDATION OF DIGITAL SIGNATURES. Daniela Bojan and Sidonia Vultur ACTA UNIVERSITATIS APULENSIS No 13/2007 MATHEMATICAL FOUNDATION OF DIGITAL SIGNATURES Daniela Bojan and Sidonia Vultur Abstract.The new services available on the Internet have born the necessity of a permanent

More information

Announcements. CS243: Discrete Structures. More on Cryptography and Mathematical Induction. Agenda for Today. Cryptography

Announcements. CS243: Discrete Structures. More on Cryptography and Mathematical Induction. Agenda for Today. Cryptography Announcements CS43: Discrete Structures More on Cryptography and Mathematical Induction Işıl Dillig Class canceled next Thursday I am out of town Homework 4 due Oct instead of next Thursday (Oct 18) Işıl

More information

Public Key (asymmetric) Cryptography

Public Key (asymmetric) Cryptography Public-Key Cryptography UNIVERSITA DEGLI STUDI DI PARMA Dipartimento di Ingegneria dell Informazione Public Key (asymmetric) Cryptography Luca Veltri (mail.to: luca.veltri@unipr.it) Course of Network Security,

More information

Advanced Cryptography

Advanced Cryptography Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

More information

Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella

Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by

More information

Today ENCRYPTION. Cryptography example. Basic principles of cryptography

Today ENCRYPTION. Cryptography example. Basic principles of cryptography Today ENCRYPTION The last class described a number of problems in ensuring your security and privacy when using a computer on-line. This lecture discusses one of the main technological solutions. The use

More information

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document? Cryptography Digital Signatures Professor: Marius Zimand Digital signatures are meant to realize authentication of the sender nonrepudiation (Note that authentication of sender is also achieved by MACs.)

More information

Introduction to Cryptography CS 355

Introduction to Cryptography CS 355 Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita- Rotaru

More information

Hybrid Signcryption Schemes with Insider Security (Extended Abstract)

Hybrid Signcryption Schemes with Insider Security (Extended Abstract) Hybrid Signcryption Schemes with Insider Security (Extended Abstract) Alexander W. Dent Royal Holloway, University of London Egham Hill, Egham, Surrey, TW20 0EX, U.K. a.dent@rhul.ac.uk http://www.isg.rhul.ac.uk/~alex/

More information

Index Calculation Attacks on RSA Signature and Encryption

Index Calculation Attacks on RSA Signature and Encryption Index Calculation Attacks on RSA Signature and Encryption Jean-Sébastien Coron 1, Yvo Desmedt 2, David Naccache 1, Andrew Odlyzko 3, and Julien P. Stern 4 1 Gemplus Card International {jean-sebastien.coron,david.naccache}@gemplus.com

More information

Klaus Hansen, Troels Larsen and Kim Olsen Department of Computer Science University of Copenhagen Copenhagen, Denmark

Klaus Hansen, Troels Larsen and Kim Olsen Department of Computer Science University of Copenhagen Copenhagen, Denmark On the Efficiency of Fast RSA Variants in Modern Mobile Phones Klaus Hansen, Troels Larsen and Kim Olsen Department of Computer Science University of Copenhagen Copenhagen, Denmark Abstract Modern mobile

More information

The application of prime numbers to RSA encryption

The application of prime numbers to RSA encryption The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered

More information

Crittografia e sicurezza delle reti. Digital signatures- DSA

Crittografia e sicurezza delle reti. Digital signatures- DSA Crittografia e sicurezza delle reti Digital signatures- DSA Signatures vs. MACs Suppose parties A and B share the secret key K. Then M, MAC K (M) convinces A that indeed M originated with B. But in case

More information

Introduction. Digital Signature

Introduction. Digital Signature Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

More information

A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes

A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes Y. Desmedt Aangesteld Navorser NFWO Katholieke Universiteit Leuven Laboratorium ESAT B-3030 Heverlee, Belgium A. M. Odlyzko

More information

To appear in Advances in Cryptology CRYPTO '97 Ecient Group Signature Schemes for Large Groups (Extended Abstract) Jan Camenisch Department of Computer Science Haldeneggsteig 4 ETH Zurich 8092 Zurich,

More information

Evaluation of Digital Signature Process

Evaluation of Digital Signature Process Evaluation of Digital Signature Process Emil SIMION, Ph. D. email: esimion@fmi.unibuc.ro Agenda Evaluation of digital signatures schemes: evaluation criteria; security evaluation; security of hash functions;

More information

Breaking RSA & Using Asymmetric Crypto

Breaking RSA & Using Asymmetric Crypto Breaking RSA & Using Asymmetric Crypto Luke Anderson luke@lukeanderson.com.au 15th April 2016 University Of Sydney Overview 1. Crypto-Bulletin 2. Breaking RSA 2.1 Chinese Remainder Theorem 2.2 Common Attacks

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

More information

CHAPTER 3 THE NEW MMP CRYPTO SYSTEM. mathematical problems Hidden Root Problem, Discrete Logarithm Problem and

CHAPTER 3 THE NEW MMP CRYPTO SYSTEM. mathematical problems Hidden Root Problem, Discrete Logarithm Problem and 79 CHAPTER 3 THE NEW MMP CRYPTO SYSTEM In this chapter an overview of the new Mixed Mode Paired cipher text Cryptographic System (MMPCS) is given, its three hard mathematical problems are explained, and

More information

Comparative Analysis for Performance acceleration of Modern Asymmetric Crypto Systems

Comparative Analysis for Performance acceleration of Modern Asymmetric Crypto Systems J. of Comp. and I.T. Vol. 3(1&2), 1-6 (2012). Comparative Analysis for Performance acceleration of Modern Asymmetric Crypto Systems RAJ KUMAR 1 and V.K. SARASWAT 2 1,2 Department of Computer Science, ICIS

More information

A SYMMETRIC KEY FULLY HOMOMORPHIC ENCRYPTION SCHEME USING GENERAL CHINESE REMAINDER THEOREM

A SYMMETRIC KEY FULLY HOMOMORPHIC ENCRYPTION SCHEME USING GENERAL CHINESE REMAINDER THEOREM Konuralp Journal of Mathematics Volume 4 No. 1 pp. 122 129 (2016) c KJM A SYMMETRIC KEY FULLY HOMOMORPHIC ENCRYPTION SCHEME USING GENERAL CHINESE REMAINDER THEOREM EMİN AYGÜN AND ERKAM LÜY Abstract. The

More information

CRYPTOGRAPHY IN NETWORK SECURITY

CRYPTOGRAPHY IN NETWORK SECURITY ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can

More information

Midterm Exam Solutions CS161 Computer Security, Spring 2008

Midterm Exam Solutions CS161 Computer Security, Spring 2008 Midterm Exam Solutions CS161 Computer Security, Spring 2008 1. To encrypt a series of plaintext blocks p 1, p 2,... p n using a block cipher E operating in electronic code book (ECB) mode, each ciphertext

More information

Lecture Note 7 AUTHENTICATION REQUIREMENTS. Sourav Mukhopadhyay

Lecture Note 7 AUTHENTICATION REQUIREMENTS. Sourav Mukhopadhyay Lecture Note 7 AUTHENTICATION REQUIREMENTS Sourav Mukhopadhyay Cryptography and Network Security - MA61027 In the context of communications across a network, the following attacks can be identified: 1.

More information

A Proposal for Authenticated Key Recovery System 1

A Proposal for Authenticated Key Recovery System 1 A Proposal for Authenticated Key Recovery System 1 Tsuyoshi Nishioka a, Kanta Matsuura a, Yuliang Zheng b,c, and Hideki Imai b a Information & Communication Business Div. ADVANCE Co., Ltd. 5-7 Nihombashi

More information

Applied Cryptography Public Key Algorithms

Applied Cryptography Public Key Algorithms Applied Cryptography Public Key Algorithms Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 Public Key Cryptography Independently invented by Whitfield Diffie & Martin

More information

Lukasz Pater CMMS Administrator and Developer

Lukasz Pater CMMS Administrator and Developer Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign

More information

High-Speed RSA Implementation C etin Kaya Koc Koc@ece.orst.edu RSA Laboratories RSA Data Security, Inc. 100 Marine Parkway, Suite 500 Redwood City, CA 94065-1031 Copyright c RSA Laboratories Version 2.0

More information

Asymmetric Encryption. With material from Jonathan Katz, David Brumley, and Dave Levin

Asymmetric Encryption. With material from Jonathan Katz, David Brumley, and Dave Levin Asymmetric Encryption With material from Jonathan Katz, David Brumley, and Dave Levin Warmup activity Overview of asymmetric-key crypto Intuition for El Gamal and RSA And intuition for attacks Digital

More information

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 6 Introduction to Public-Key Cryptography Israel Koren ECE597/697 Koren Part.6.1

More information

Authentication requirement Authentication function MAC Hash function Security of

Authentication requirement Authentication function MAC Hash function Security of UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy

More information

Digital Signatures. Meka N.L.Sneha. Indiana State University. nmeka@sycamores.indstate.edu. October 2015

Digital Signatures. Meka N.L.Sneha. Indiana State University. nmeka@sycamores.indstate.edu. October 2015 Digital Signatures Meka N.L.Sneha Indiana State University nmeka@sycamores.indstate.edu October 2015 1 Introduction Digital Signatures are the most trusted way to get documents signed online. A digital

More information

Applied Cryptology. Ed Crowley

Applied Cryptology. Ed Crowley Applied Cryptology Ed Crowley 1 Basics Topics Basic Services and Operations Symmetric Cryptography Encryption and Symmetric Algorithms Asymmetric Cryptography Authentication, Nonrepudiation, and Asymmetric

More information