slavanya.weebly.com file · web viewunit 3. discrete logarithms. computing discrete logs....


Upload: trannhan

Post on 08-Apr-2019



UNIT 3: Discrete Logarithms, Computing discrete logs, Diffie-Hellman key exchange, ElGamal public key cryptosystems, Hash functions, Secure Hash, Birthday attacks, MD5, Digital signatures (RSA, ElGamal, DSA)

Discrete Logarithms:

Computing Discrete Logs:


The Pohlig-Hellman algorithm:


Baby step, Giant Step:

Index calculus:


Computing Discrete Logs mod 4:


Diffie-Hellman Key Exchange:

o The first public-key algorithm, proposed by Diffie and Hellman in 1976.
o A practical method for the public exchange of a secret key.
o A number of commercial products employ this key exchange technique.
o The purpose of the algorithm is to enable two users to exchange a key securely that can then be used for subsequent encryption of messages.
o The security of Diffie-Hellman lies in the fact that, while it is relatively easy to calculate exponentials modulo a prime, it is very difficult to compute discrete logarithms.

Key exchange algorithm:

1. All users agree on global parameters:
   $q$ = large prime integer
   $\alpha$ = primitive root of $q$, $\alpha < q$

2. User A key generation:
   Select private key $x_a$, with $x_a < q$
   Compute the public key $y_a = \alpha^{x_a} \bmod q$

3. User B key generation:
   Select private key $x_b$, with $x_b < q$
   Compute the public key $y_b = \alpha^{x_b} \bmod q$

4. Generation of secret key by user A: $K = (y_b)^{x_a} \bmod q$

5. Generation of secret key by user B: $K = (y_a)^{x_b} \bmod q$

Example: Users Alice and Bob wish to swap keys.

Choose $q = 353$ and $\alpha = 3$.

Select random secret keys:
A chooses $x_a = 97$
B chooses $x_b = 233$

Compute public keys:
$y_a = 3^{97} \bmod 353 = 40$ (Alice)
$y_b = 3^{233} \bmod 353 = 248$ (Bob)

Compute shared session key as:
$K = y_b^{x_a} \bmod 353 = 248^{97} \bmod 353 = 160$ (Alice)
$K = y_a^{x_b} \bmod 353 = 40^{233} \bmod 353 = 160$ (Bob)
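The exchange above, reproduced with the example's numbers and followed by a baby-step giant-step search that recovers a private key from the public value. This is an added illustration, not part of the original notes; the function names are chosen here. It shows that the security rests entirely on the size of q: a 9-bit prime such as 353 is only suitable for hand calculation.

```python
from math import isqrt
from typing import Optional

Q, ALPHA = 353, 3  # global parameters from the worked example above


def public_key(x: int, q: int = Q, alpha: int = ALPHA) -> int:
    """y = alpha^x mod q for a private key 0 < x < q."""
    if not 0 < x < q:
        raise ValueError("private key must satisfy 0 < x < q")
    return pow(alpha, x, q)


def shared_key(peer_public: int, x: int, q: int = Q) -> int:
    """K = (peer's y)^x mod q; both sides reach alpha^(xa*xb) mod q."""
    return pow(peer_public, x, q)


def discrete_log_bsgs(alpha: int, y: int, q: int) -> Optional[int]:
    """Baby step, giant step: find x with alpha^x = y (mod q).

    Writes x = i*m + j with m about sqrt(q - 1), so the search costs
    roughly 2*sqrt(q) multiplications instead of q for exhaustive search.
    """
    m = isqrt(q - 1) + 1
    baby = {}                        # alpha^j -> j for 0 <= j < m
    value = 1
    for j in range(m):
        baby.setdefault(value, j)
        value = value * alpha % q
    giant = pow(alpha, -m, q)        # alpha^(-m) mod q (Python 3.8+)
    gamma = y % q
    for i in range(m):
        if gamma in baby:            # y * alpha^(-i*m) == alpha^j
            return i * m + baby[gamma]
        gamma = gamma * giant % q
    return None                      # y is not a power of alpha


def demo():
    """Run the worked example, then recover Alice's key from y_a alone."""
    xa, xb = 97, 233
    ya, yb = public_key(xa), public_key(xb)
    k_alice, k_bob = shared_key(yb, xa), shared_key(ya, xb)
    recovered_xa = discrete_log_bsgs(ALPHA, ya, Q)
    return ya, yb, k_alice, k_bob, recovered_xa


if __name__ == "__main__":
    print(demo())
```

The search table has only 19 entries for q = 353; because the cost grows with the square root of q, the prime has to be very large before the discrete logarithm becomes infeasible.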

ElGamal Public key cryptosystems:
It is possible to design a system whose security relies on the difficulty of computing discrete logarithms. This was done by ElGamal in 1985.


Hash functions:

o A variation on the message authentication code is the one-way hash function.
o A hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M).
o Unlike a MAC, a hash code does not use a key but is a function only of the input message.
o The hash code is also referred to as a message digest or hash value.
o The hash code is a function of all the bits of the message and provides an error-detection capability: a change to any bit or bits in the message results in a change to the hash code.

Figure 3.4 a: The message plus concatenated hash code is encrypted using symmetric encryption. Because only A and B share the secret key, the message must have come from A and has not been altered. The hash code provides the required authentication. Because encryption is applied to the entire message plus hash code, confidentiality is also provided.

Figure 3.4 b: Only the hash code is encrypted, using symmetric encryption. This reduces the processing burden for those applications that do not require confidentiality.

Figure 3.4 c: Only the hash code is encrypted, using public-key encryption and using the sender's private key. This provides authentication. It also provides a digital signature, because only the sender could have produced the encrypted hash code.

Figure 3.4 d: If confidentiality as well as a digital signature is desired, then the message plus the private-key-encrypted hash code can be encrypted using a symmetric secret key.

Figure 3.4. Basic Uses of Hash Function

Figure 3.4 e: It is possible to use a hash function but no encryption for message authentication. The technique assumes that the two communicating parties share a common secret value S. A computes the hash value over the concatenation of M and S and appends the resulting hash value to M. Because B possesses S, it can recompute the hash value to verify. Because the secret value itself is not sent, an opponent cannot modify an intercepted message and cannot generate a false message.

Figure 3.4 f: Confidentiality can be added to the approach of (3.4 e) by encrypting the entire message plus the hash code.

Requirements for a Hash Function:
The purpose of a hash function is to produce a "fingerprint" of a file, message, or other block of data. To be useful for message authentication, a hash function H must have the following properties:

1. H can be applied to a block of data of any size.
2. H produces a fixed-length output.
3. H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
4. For any given value h, it is computationally infeasible to find x such that H(x) = h. This is sometimes referred to in the literature as the one-way property.
5. For any given block x, it is computationally infeasible to find y ≠ x such that H(y) = H(x). This is sometimes referred to as weak collision resistance.
6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). This is sometimes referred to as strong collision resistance.


Simple Hash Functions:
Input is processed one block at a time in an iterative fashion to produce an n-bit hash function. One of the simplest hash functions is the bit-by-bit exclusive-OR (XOR) of every block. This can be expressed as follows:

$C_i = b_{i1} \oplus b_{i2} \oplus \cdots \oplus b_{im}$

where
$C_i$ = ith bit of the hash code, $1 \le i \le n$
$m$ = number of n-bit blocks in the input
$b_{ij}$ = ith bit in jth block
$\oplus$ = XOR operation

With more predictably formatted data, the function is less effective. A simple way to improve matters is to perform a one-bit circular shift, or rotation, on the hash value after each block is processed. The procedure can be summarized as follows:

o Initially set the n-bit hash value to zero.
o Process each successive n-bit block of data as follows:
   Rotate the current hash value to the left by one bit.
   XOR the block into the hash value.

This has the effect of "randomizing" the input more completely and overcoming any regularities that appear in the input.

Although the second procedure provides a good measure of data integrity, it is virtually useless for data security when an encrypted hash code is used with a plaintext message.

Although a simple XOR or rotated XOR (RXOR) is insufficient if only the hash code is encrypted.
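The two procedures above, written out for 32-bit blocks. This is an added illustration, not part of the original notes; the block size, function names and sample messages are constructed here. It shows that the plain XOR hash ignores block order, that the rotation fixes this, and that neither gives security, because a single appended block can be computed to reach any chosen hash value.

```python
BLOCK_BITS = 32
MASK = (1 << BLOCK_BITS) - 1


def blocks(data: bytes):
    """Split data into 32-bit blocks, zero-padding the final block."""
    data += b"\x00" * (-len(data) % 4)
    return [int.from_bytes(data[i:i + 4], "big") for i in range(0, len(data), 4)]


def xor_hash(data: bytes) -> int:
    """C_i = b_i1 XOR b_i2 XOR ... XOR b_im, computed on whole blocks."""
    h = 0
    for block in blocks(data):
        h ^= block
    return h


def rotl1(h: int) -> int:
    """One-bit circular left shift of a 32-bit value."""
    return ((h << 1) | (h >> (BLOCK_BITS - 1))) & MASK


def rxor_hash(data: bytes) -> int:
    """Rotated XOR: rotate the running hash left one bit, then XOR the block in."""
    h = 0
    for block in blocks(data):
        h = rotl1(h) ^ block
    return h


def compensating_block(altered: bytes, target: int) -> bytes:
    """Block that, appended to `altered`, makes rxor_hash equal `target`.

    Assumes len(altered) is a multiple of 4 so no padding is involved.
    """
    return (rotl1(rxor_hash(altered)) ^ target).to_bytes(4, "big")


# Constructed sample messages, 16 bytes (four blocks) each.
ORIGINAL = b"PAY 0100 TO BOB."
REORDERED = b"0100PAY  TO BOB."      # first two blocks swapped
ALTERED = b"PAY 9900 TO BOB."


def demo():
    same_xor = xor_hash(ORIGINAL) == xor_hash(REORDERED)
    same_rxor = rxor_hash(ORIGINAL) == rxor_hash(REORDERED)
    patched = ALTERED + compensating_block(ALTERED, rxor_hash(ORIGINAL))
    return same_xor, same_rxor, rxor_hash(patched) == rxor_hash(ORIGINAL)


if __name__ == "__main__":
    print(demo())
```

Encrypting only the hash code does not help here: the encrypted value stays valid for any message that hashes to the same code, which is why properties 5 and 6 in the requirements list matter.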

Secure Hash Algorithm:

SHA-1 Logic:
The algorithm takes as input a message with a maximum length of less than $2^{64}$ bits and produces as output a 160-bit message digest. The input is processed in 512-bit blocks.

Processing consists of the following steps:

Step 1: Append padding bits:
1. The message is padded so that its length is congruent to 448 mod 512 (length mod 512 = 448).
2. Padding is always added, even if the message is already of the desired length.
3. Thus the number of padding bits is in the range 1 to 512.
4. The padding consists of a single 1 bit followed by the necessary number of 0 bits.

Step 2: Append length:
1. A 64-bit representation of the length of the original message (before padding) is appended to the result of step 1.
2. This field contains the length of the original message mod $2^{64}$.

Step 3: Initialize MD buffer:
1. A 160-bit buffer is used to hold intermediate values and final results of the hash function.
2. The buffer can be represented as five 32-bit registers (A, B, C, D, E):
   A = 67452301
   B = EFCDAB89
   C = 98BADCFE
   D = 10325476
   E = C3D2E1F0
3. The values are stored in big-endian format, that is, with the most significant byte of a word in the low-address byte position:
   Word A = 67 45 23 01
   Word B = EF CD AB 89
   Word C = 98 BA DC FE
   Word D = 10 32 54 76
   Word E = C3 D2 E1 F0

Step 4: Processing message in 512-bit blocks:
1. The heart of the algorithm is a compression function that consists of four rounds of processing of 20 steps each.
2. The four rounds have a similar structure, but each uses a different primitive logical function, referred to as f1, f2, f3 and f4.
3. Each round takes as input the current 512-bit block being processed ($Y_q$) and the 160-bit buffer value ABCDE, and updates the contents of the buffer.
4. Each round also makes use of an additive constant $K_t$, one for each of the 80 steps.
5. In fact only 4 distinct constants are used:

   Step number: constant (hexadecimal)
   0 ≤ t ≤ 19: $K_t$ = 5A827999
   20 ≤ t ≤ 39: $K_t$ = 6ED9EBA1
   40 ≤ t ≤ 59: $K_t$ = 8F1BBCDC
   60 ≤ t ≤ 79: $K_t$ = CA62C1D6

6. The output of the fourth round is added to the input to the first round ($CV_q$) to produce $CV_{q+1}$.

Step 5: Output:
1. After all L 512-bit blocks have been processed, the output from the Lth stage is the 160-bit message digest.
2. We can summarize the behavior of SHA-1 as follows:

$CV_0 = IV$
$CV_{q+1} = \mathrm{SUM}_{32}[CV_q, ABCDE_q]$
$MD = CV_L$

where
IV = initial value of the ABCDE buffer
$ABCDE_q$ = qth 512-bit block of the message
L = number of blocks in the message
$CV_q$ = chaining variable processed with the qth block of the message
MD = final message digest value
$\mathrm{SUM}_{32}$ = addition mod $2^{32}$ performed separately on each word of the pair of inputs


SHA-1 Compression Function:
Each round has 20 steps of the form:

$A, B, C, D, E \leftarrow (E + f(t, B, C, D) + S^{5}(A) + W_t + K_t),\ A,\ S^{30}(B),\ C,\ D$

where
A, B, C, D, E = the 5 words of the buffer
t = step number, 0 to 79
f(t, B, C, D) = primitive logical function for step t
$S^k$ = circular left shift of the 32-bit argument by k bits
$W_t$ = 32-bit word derived from the current 512-bit block
$K_t$ = additive constant; 4 distinct values are used
+ = addition modulo $2^{32}$


1. Each primitive function takes three 32-bit words as input and produces a 32-bit word output.
2. Each function performs a set of bitwise logical operations.

   Step: function name: function value
   0-19: f1 = f(t, B, C, D): (b ∧ c) ∨ (b' ∧ d)
   20-39: f2 = f(t, B, C, D): b ⊕ c ⊕ d
   40-59: f3 = f(t, B, C, D): (b ∧ c) ∨ (b ∧ d) ∨ (c ∧ d)
   60-79: f4 = f(t, B, C, D): b ⊕ c ⊕ d

1. The 32-bit values of $W_t$ are derived from the 512-bit message block.
2. The first 16 values of $W_t$ are taken directly from the 16 words of the current block.
3. The remaining values are defined as follows:

$W_t = S^{1}(W_{t-16} \oplus W_{t-14} \oplus W_{t-8} \oplus W_{t-3})$

In the first 16 steps of processing, the value of $W_t$ is equal to the corresponding word in the message block. For the remaining 64 steps, the value of $W_t$ consists of the circular left shift by one bit of the XOR of four of the preceding values of $W_t$.

Comparison of SHA-1 and MD5:
o SHA-1 is harder to brute-force (160 vs 128 bits).
o SHA-1 is slower (80 vs 64 steps).
o SHA-1 uses big-endian (vs. little-endian).
o Both are simple and compact.
o MD5 is more vulnerable.
o SHA-1 flaws discovered, currently impractical.

Birthday Attacks:
For example, if an encrypted hash code C is transmitted with the corresponding unencrypted message M, then an opponent would need to find an M' such that H(M') = H(M) to substitute another message and fool the receiver.

On average, for a 64-bit hash code, the opponent would have to try about $2^{63}$ messages to find one that matches the hash code of the intercepted message.

A different sort of attack is possible, based on the birthday paradox. Yuval proposed the following strategy:

1. The source, A, is prepared to "sign" a message by appending the appropriate m-bit hash code and encrypting that hash code with A's private key.

2. The opponent generates $2^{m/2}$ variations on the message, all of which convey essentially the same meaning.

3. The opponent prepares an equal number of messages, all of which are variations on the fraudulent message to be substituted for the real one.

4. The two sets of messages are compared to find a pair of messages that produces the same hash code. The probability of success, by the birthday paradox, is greater than 0.5.

5. If no match is found, additional valid and fraudulent messages are generated until a match is made.

6. The opponent offers the valid variation to A for signature. This signature can then be attached to the fraudulent variation for transmission to the intended recipient.

7. Because the two variations have the same hash code, they will produce the same signature; the opponent is assured of success even though the encryption key is not known.

The generation of many variations that convey the same meaning is not difficult. For example, the opponent could insert a number of "space-space-backspace" character pairs between words throughout the document. Variations could then be generated by substituting "space-backspace-space" in selected instances. Alternatively, the opponent could simply reword the message but retain the meaning.
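The $2^{m/2}$ figure above can be checked by measurement on a deliberately short hash code. This is an added illustration, not part of the original notes: it truncates SHA-1 to m bits (a construction chosen here only to make m small) and counts how many distinct inputs are hashed before two of them share a code, which is the quantity that determines how long a hash code must be.

```python
import hashlib
from itertools import count


def truncated_hash(message: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-1, standing in for an m-bit hash code."""
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return digest >> (160 - bits)


def find_collision(bits: int):
    """Hash distinct messages until two share an m-bit code.

    Returns (first_message, second_message, number_of_messages_hashed).
    """
    seen = {}
    for n in count():
        message = b"variation %d" % n       # constructed, all distinct
        code = truncated_hash(message, bits)
        if code in seen:
            return seen[code], message, n + 1
        seen[code] = message


def birthday_estimate(bits: int) -> float:
    """Expected number of trials to the first collision, about 1.25 * 2^(m/2)."""
    return 1.25 * 2 ** (bits / 2)


def second_preimage_estimate(bits: int) -> float:
    """Average trials to match one fixed code, 2^(m-1) (2^63 for m = 64)."""
    return 2.0 ** (bits - 1)


if __name__ == "__main__":
    for m in (16, 24, 32):
        a, b, trials = find_collision(m)
        print(m, trials, round(birthday_estimate(m)), second_preimage_estimate(m))
```

For m = 32 the collision appears after tens of thousands of trials, while matching one fixed code would take about two billion; this gap is why collision resistance needs a hash code twice as long as the one-way property alone would suggest.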

MD5 Message Digest Algorithm:
The MD5 message digest algorithm was developed by Ron Rivest.

MD5 logic:
The algorithm takes a variable-length input and produces a 128-bit message digest. The input is processed in 512-bit blocks.

Processing of MD5 consists of the following steps:

Step 1: Append padding bits:
1. The message is padded so that its length in bits is congruent to 448 mod 512, i.e., length mod 512 = 448.
2. Padding is always added, even if the message is already of the desired length.
3. For example, if the message is 448 bits long, it is padded by 512 bits to a length of 960 bits.
4. Thus the number of padding bits is in the range 1 to 512.
5. The padding consists of a single 1 bit followed by the necessary number of 0 bits.

Step 2: Append length:
1. A 64-bit representation of the length of the original message (before padding) is appended to the result of step 1.
2. This field contains the length of the original message mod $2^{64}$.

The outcome of the first 2 steps yields a message that is an integer multiple of 512 bits. The expanded message is represented as the sequence of 512-bit blocks $Y_0, Y_1, \ldots, Y_{L-1}$, so that the total length of the expanded message is L * 512 bits. The result is a multiple of sixteen 32-bit words.

Step 3: Initialize MD buffer:
1. A 128-bit buffer is used to hold intermediate values and final results of the hash function.
2. The buffer can be represented as four 32-bit registers (A, B, C, D):
   A = 67452301
   B = EFCDAB89
   C = 98BADCFE
   D = 10325476
3. The values are stored in little-endian format, that is, with the least significant byte of a word in the low-address byte position:
   Word A = 01 23 45 67
   Word B = 89 AB CD EF
   Word C = FE DC BA 98
   Word D = 76 54 32 10

Step 4: Processing message in 512-bit blocks:
1. The heart of the algorithm is a compression function that consists of four rounds of processing of 16 steps each.
2. The four rounds have a similar structure, but each uses a different primitive logical function, referred to as F, G, H and I.
3. Each round takes as input the current 512-bit block being processed ($Y_q$) and the 128-bit buffer value ABCD, and updates the contents of the buffer.
4. Each round also makes use of one fourth of a 64-element table T[1…64], constructed from the sine function.
5. T[i] has the value equal to the integer part of $2^{32} \times |\sin(i)|$, where i is in radians.
6. The output of the fourth round is added to the input to the first round ($CV_q$) to produce $CV_{q+1}$.

Step 5: Output:
1. After all L 512-bit blocks have been processed, the output from the Lth stage is the 128-bit message digest.
2. We can summarize the behavior of MD5 as follows:

$CV_0 = IV$
$CV_{q+1} = \mathrm{SUM}_{32}[CV_q, RF_I(Y_q, RF_H(Y_q, RF_G(Y_q, RF_F(Y_q, CV_q))))]$
$MD = CV_{L-1}$

where
IV = initial value of the ABCD buffer
$Y_q$ = qth 512-bit block of the message
L = number of blocks in the message
$CV_q$ = chaining variable processed with the qth block of the message
$RF_I$ = round function using primitive logical function I
MD = final message digest value
$\mathrm{SUM}_{32}$ = addition mod $2^{32}$ performed separately on each word of the pair of inputs

MD5 Compression Function:
Each round has 16 steps of the form:

$a \leftarrow b + ((a + g(b, c, d) + X[k] + T[i]) \lll s)$

where
a, b, c, d = the 4 words of the buffer
g = one of the primitive functions F, G, H, I
<<< s = circular left shift of the 32-bit argument by s bits
X[k] = M[q * 16 + k] = kth 32-bit word in the qth 512-bit block of the message
T[i] = ith 32-bit word in matrix T
+ = addition modulo $2^{32}$

1. One of the four primitive logical functions is used for each of the four rounds of the algorithm.
2. Each primitive function takes three 32-bit words as input and produces a 32-bit word output.
3. Each performs a set of bitwise logical operations.

The logical operators (AND, OR, NOT, XOR) are represented by the symbols.
Function F: If b then c else d.
Function G: If d then b else c.
Function H: Produces parity bit.

1. The array of 32-bit words X[0…15] holds the value of the current 512-bit input block being processed.
2. Within a round, each of the 16 words of X[i] is used exactly once.
3. In the first round, the words are used in their original order. The following permutations are defined for rounds 2 through 4:


4. Each byte of the buffer is updated four times during the round.
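The MD5 steps above, assembled into a working implementation and checked against published test vectors. This is an added illustration, not part of the original notes; the function names are chosen here, and the per-step shift amounts, the function I and the word orderings for rounds 2 to 4, which are not given above, are taken from RFC 1321.

```python
import math
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

# T[i] = integer part of 2^32 * abs(sin(i)), i = 1..64 (stored 0-based here).
T = [int(2**32 * abs(math.sin(i + 1))) & MASK for i in range(64)]

# Shift amounts s for the 16 steps of each round (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4


def rotl(x: int, s: int) -> int:
    """Circular left shift of a 32-bit word by s bits."""
    return ((x << s) | (x >> (32 - s))) & MASK


def pad(message: bytes) -> bytes:
    """Steps 1-2: same padding rule as SHA-1, but a little-endian length."""
    bit_len = (8 * len(message)) % 2**64
    zeros = (55 - len(message)) % 64
    return message + b"\x80" + b"\x00" * zeros + struct.pack("<Q", bit_len)


def compress(cv, block: bytes):
    """Step 4: four rounds of 16 steps over one 512-bit block."""
    x = struct.unpack("<16I", block)                 # X[0..15], little-endian
    a, b, c, d = cv
    for i in range(64):
        if i < 16:                                   # F: if b then c else d
            g, k = (b & c) | (~b & d), i
        elif i < 32:                                 # G: if d then b else c
            g, k = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:                                 # H: parity of b, c, d
            g, k = b ^ c ^ d, (3 * i + 5) % 16
        else:                                        # I (from RFC 1321)
            g, k = c ^ (b | ~d), (7 * i) % 16
        total = (a + g + x[k] + T[i]) & MASK
        # a <- b + ((a + g(b,c,d) + X[k] + T[i]) <<< s), then rotate the words
        a, b, c, d = d, (b + rotl(total, S[i])) & MASK, b, c
    return tuple((v + w) & MASK for v, w in zip(cv, (a, b, c, d)))


def md5(message: bytes) -> bytes:
    """Chain the compression function over all blocks, starting from IV."""
    cv = IV
    padded = pad(message)
    for offset in range(0, len(padded), 64):
        cv = compress(cv, padded[offset:offset + 64])
    return struct.pack("<4I", *cv)


if __name__ == "__main__":
    print(md5(b"abc").hex())
```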

Digital signatures:
Message authentication protects two parties who exchange messages from any third party. However, it does not protect the two parties against each other. Several forms of dispute between the two are possible.
In situations where there is not complete trust between sender and receiver, something more than authentication is needed. The most attractive solution to this problem is the digital signature. The digital signature is analogous to the handwritten signature.

Properties of Digital signature:
o It must verify the author and the date and time of the signature.
o It must authenticate the contents at the time of the signature.
o It must be verifiable by third parties, to resolve disputes.

On the basis of these properties, we can formulate the following requirements for a digital signature:

1. The signature must be a bit pattern that depends on the message being signed.
2. The signature must use some information unique to the sender, to prevent both forgery and denial.
3. It must be relatively easy to produce the digital signature.
4. It must be relatively easy to recognize and verify the digital signature.
5. It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message.
6. It must be practical to retain a copy of the digital signature in storage.

A variety of approaches have been proposed for the digital signature function. These approaches fall into two categories:

1. Direct
2. Arbitrated

Direct Digital Signature:
o A direct digital signature involves only the communicating parties (source, destination).
o It is assumed that the destination knows the public key of the source.
o A digital signature may be formed by encrypting the entire message with the sender's private key or by encrypting a hash code of the message with the sender's private key.
o Confidentiality can be provided by further encrypting the entire message plus signature with either public-key encryption or symmetric encryption.
o In case of dispute, some third party must view the message and its signature.

All direct schemes described so far share a common weakness.
o The validity of the scheme depends on the security of the sender's private key.
o If a sender later wishes to deny sending a particular message, the sender can claim that the private key was lost or stolen and that someone else forged his or her signature.
o Another threat is that some private key might actually be stolen from X at time T.
o The opponent can then send a message signed with X's signature and stamped with a time before or equal to T.

Arbitrated Digital Signature:
The problems associated with direct digital signatures can be addressed by using an arbiter.

Every signed message from a sender X to a receiver Y goes first to an arbiter A, who subjects the message and its signature to a number of tests to check its origin and content.

The message is then dated and sent to Y with an indication that it has been verified to the satisfaction of the arbiter.

The arbiter plays a sensitive and crucial role in this sort of scheme, and all parties must have a great deal of trust that the arbitration mechanism is working properly.

RSA signatures:


ElGamal Signature Scheme:


complicated. Therefore, the signature scheme appears to be secure, as long as discrete logs mod p are difficult to compute.


Digital Signature Standard:
o NIST has published Federal Information Processing Standard FIPS 186, known as the Digital Signature Standard (DSS).
o DSS makes use of the Secure Hash Algorithm (SHA) and presents a new digital signature technique, the Digital Signature Algorithm (DSA).
o The latest version also incorporates digital signature algorithms based on RSA and on elliptic curve cryptography.

DSS Approach:
o DSS uses an algorithm that is designed to provide only the digital signature function. Unlike RSA, it cannot be used for encryption or key exchange.
o In the RSA approach, the message to be signed is input to a hash function that produces a secure hash code of fixed length.
o This hash code is then encrypted using the sender's private key to form the signature. Both the message and the signature are then transmitted.
o The recipient takes the message and produces a hash code.
o The recipient also decrypts the signature using the sender's public key.
o If the calculated hash code matches the decrypted signature, the signature is accepted as valid.

Figure: Two Approaches to Digital Signatures

o At the sender's end, the DSS approach also makes use of a hash function.
o The hash code is provided as input to a signature function along with a random number k generated for this particular signature.
o The signature function also depends on the sender's private key $PR_a$ and a set of parameters known to a group of communicating principals. We can consider this set to constitute a global public key $PU_G$.
o The result is a signature consisting of two components, labeled s and r.
o At the receiving end, the hash code of the incoming message is generated. This plus the signature is input to a verification function.
o The verification function also depends on the global public key as well as the sender's public key $PU_a$.
o The output of the verification function is a value that is equal to the signature component r if the signature is valid.

Digital Signature Algorithm:
o DSA is based on the difficulty of computing discrete logarithms.
o There are three parameters that are public and can be common to a group of users.
o A 160-bit prime number q is chosen.
o Next, a prime number p is selected with a length between 512 and 1024 bits such that q divides (p - 1).
o Finally, g is chosen to be of the form $h^{(p-1)/q} \bmod p$, where h is an integer between 1 and (p - 1) with the restriction that g must be greater than 1.

Digital Signature Algorithm (DSA):

Global Public-Key Components
$p$ = prime number where $2^{L-1} < p < 2^{L}$, for $512 \le L \le 1024$ and L a multiple of 64
$q$ = prime divisor of $(p - 1)$, where $2^{159} < q < 2^{160}$; i.e., bit length of 160 bits
$g = h^{(p-1)/q} \bmod p$

User's Private Key
$x$ = random or pseudorandom integer with $0 < x < q$

User's Public Key
$y = g^{x} \bmod p$

User's Per-Message Secret Number
$k$ = random or pseudorandom integer with $0 < k < q$

Signing
$r = (g^{k} \bmod p) \bmod q$
$s = [k^{-1}(H(M) + xr)] \bmod q$
Signature = $(r, s)$

Verifying
$w = (s')^{-1} \bmod q$
$u_1 = [H(M')\,w] \bmod q$
$u_2 = (r')\,w \bmod q$
$v = [(g^{u_1} y^{u_2}) \bmod p] \bmod q$
TEST: $v = r'$

$M$ = message to be signed
$H(M)$ = hash of M using SHA-1
$M', r', s'$ = received versions of M, r, s

With these numbers in hand, each user selects a private key and generates a public key. The private key x must be a number from 1 to (q - 1) and should be chosen randomly. The public key is calculated from the private key as $y = g^{x} \bmod p$.

To create a signature, a user calculates two quantities, r and s, that are functions of:
o the public key components (p, q, g)
o the user's private key (x)
o the hash code of the message, H(M)
o an additional integer k that should be generated randomly and be unique for each signing.

At the receiving end, verification is performed using the formulas. The receiver generates a quantity v that is a function of the public key components, the sender's public key, and the hash code of the incoming message. If this quantity matches the r component of the signature, then the signature is validated.

DSS Signing and Verifying