CHAPTER 2
LITERATURE REVIEW
A detailed review of cryptography, existing encryption methods,
authentication methods, key distribution methods etc. is included in this chapter.
The merits and demerits of various techniques in this field are also dealt with in this
chapter. The preliminaries of symmetric and asymmetric encryption are
explained in a very simple manner.
2.1 Introduction
The primary use for cryptosystems is to enable two people, Raman and
Seetha, to communicate over an insecure channel in a manner that prevents an
opponent, Ravanan, from being able to understand the conversation. The scenario
is as shown in Figure 2.1.
Figure 2.1: Cryptographic System
To achieve this, Raman would convert his original message, the plaintext,
into a message which is intelligible only to Seetha, the cipher text. This process
is known as encryption. When Seetha receives the message she will decrypt the
cipher text to reveal the original message that was sent. Because only Raman and
Seetha have the key to the encryption algorithm, Ravanan will be unable to
reconstruct the plaintext, even if he intercepts the cipher text. In addition, the
encryption and decryption algorithms are used to convert between the plaintext
and cipher text and vice versa. A clear set of steps is needed to define how the
data is transferred between Raman and Seetha. This is called the protocol. The
protocols used in cryptosystems are implemented to ensure that the participants
achieve the desired goal of communication within the constraints of the
environment, whilst adhering to the assumptions made during the construction of
the components of the system.
Once the logic of the cryptosystem has been designed, the system needs to
be implemented. In most cases, this would mean that computers need to be
programmed to carry out the encryption and decryption, and that the computers
need to be instructed to communicate in strict accordance to the protocols
adopted. Thus a cryptosystem consists of cryptographic algorithms, protocols and
an implementation.
The security of any cryptosystem depends on all parts with which it is
built. The methods and techniques that are developed to attempt to compromise
the results of cryptography are referred to as cryptanalysis [Menezes A 1996]. If
a hacker (Ravanan) wishes to break a cryptosystem, that is, to affect the security
of the communication in an adverse way, then he could attack any combination of
the cryptographic algorithms, the protocol or the implementation. Cryptanalysis is
the study of the techniques used to break information security systems. The
attacks include attempting to extract the plaintext from a cipher text message
without having access to the encryption key, or attempting to recover the
encryption key when only the cipher text is known. Cryptanalysis can have
different modes of attack, such as cipher text only attack, known plaintext attack,
chosen plaintext attack and chosen cipher text attack [Douglas R S 1995].
2.2 History of Cryptography
Cryptography has a long and fascinating history. The most comprehensive
non-technical account of the subject is Kahn's The Code Breakers [Kahn D 1967],
which traces cryptography from its initial and limited use by the Egyptians some
4000 years ago, to the twentieth century, where it played a crucial role in the
outcome of both world wars. Published in 1967, Kahn's book covers those aspects
of the history which were most significant (up to that time) to the development of
the subject.
It is difficult to pinpoint the exact beginning of cryptography. However,
the inscriptions carved into the walls of the main chamber of the tomb of the
nobleman Khnumhotep II, provide the first example of deliberate transformation
of writing. The tomb was found in the town of Menet Khufu bordering on the
Nile in Egypt, and the inscriptions date to approximately 1900 BC. The intention
of the transformations performed by the scribe was not that of concealment, but
most likely to impart dignity and authority. Yet the presence of such intentional
transformations demonstrates that the fundamental concepts of cryptography were
beginning to develop within the culture. In tombs built after 1900 BC the
occurrence of transformations became more complicated, more contrived and
more prolific.
Several forms of secret writing were known and apparently practiced in
India. The Arthashastra is a classic work on statecraft that is attributed to
Kautilya, and was written sometime between 321 BC and 300 BC. This work
mentions espionage, with communication to spies carried out via secret writing
[Stewart Gebbie 2002].
Since cryptography is used to protect a secret, it is to be expected that
unintended recipients would attempt to decipher the meaning of the encrypted
message. The first record of active cryptanalysis comes from the Arabs during the
700s. Formal techniques, such as letter frequency analysis, came into being only
during the past few hundred years. The information for the cryptography section
was mostly attributed to Ibn-ad-Duraihim, who lived from 1312 to 1361 and
held various teaching and official posts in Syria and Egypt [Stewart Gebbie
2002].
Early cryptosystems usually relied on transformations of the plaintext
message, being performed by the person composing the message. However, as the
complexity of the methods increased, it became desirable to create tools/machines
that would perform the cryptographic tasks.
The earliest known device designed specifically for cryptography is the
Skytale. The tool was devised in the 5th century BC by the Spartans, the most
warlike of the Greeks, so as to augment their military system. The tool consists of
a wooden staff around which a strip of papyrus, leather or parchment is wrapped
in a close-packed manner. The secret message is written on the strip down the
length of the staff. The strip is then unwound and sent to the intended recipient.
The letters on the strip make no sense unless the strip is wrapped around a baton
of the same thickness.
Another ingenious system was the use of an astragal or disk, with holes in
it, one for each letter of the alphabet. A thread is passed from one hole to another,
spelling out the message. To recover the message the recipient would need to
work backwards as the thread is removed from the holes and then reverse the
resultant message.
Current cryptosystems use digital computers to carry out the thousands of
calculations needed for modern cryptographic transformations. In some cases
general purpose computers are insufficient, and dedicated hardware is developed
in order to handle the large quantity of data that is to be encrypted and decrypted.
The paper [Feistel H 1973] provides an early exposition of block cipher
ideas. The predominant practitioners of the art were associated with the military,
the diplomatic service and government in general. Cryptography was used as a
tool to protect national secrets and strategies.
Communication in the presence of adversaries is described concisely
by Rivest in Cryptography [Rivest R L 1990]. Beker and Piper [Beker H
1982] provide an introduction to the encryption of analogue signals, in particular,
speech. Although in many cases physical means are employed to facilitate
privacy, cryptography plays the major role. Physical means of providing privacy
include fiber optic communication links, spread spectrum technology, and tamper
resistant hardware.
Steganography is the branch of information privacy which attempts to
obscure the existence of data through such devices as invisible inks, secret
compartments, the use of subliminal channels, and the like. Kahn [Kahn D 1967]
also provides a historical account of various steganographic techniques.
Modern cryptography has come a long way from its origins. Prior to the
twentieth century, encryption and decryption were performed by means of
transposition and substitution methods. In these methods the sender and recipient
have precise knowledge of the cryptographic scheme used, i.e. how the letters are
permuted. This information is called the key and it must be kept secret because
it reveals all the information needed to decrypt an intercepted message.
Until 37 years ago, the framework, known as secret key cryptography or
symmetric key cryptography, was the only way to generate cipher text. Yet, with
the advent of computers and digital communication over insecure networks, a
different framework was required to provide efficient and practical security. In
1976, Whitfield Diffie and Martin Hellman published their ground breaking paper
“New Directions in Cryptography” [Diffie W 1976], which introduced the
concept of public key cryptography or asymmetric key cryptography. This
concept opened up a whole new field of research within the cryptographic
community.
2.3 Goals of Cryptography
The basic concepts of cryptography are treated quite differently by various
authors, some being more technical than others. Brassard [Brassard G 1988]
provides a concise, lucid, and technically accurate account. Schneier [Schneier B
1996] gives a less technical but very accessible introduction. Salomaa [Salomaa
A 1990], Stinson [Stinson D 2006], and Rivest [Rivest R L 1990] present more
mathematical approaches.
Cryptography is the study of mathematical techniques related to aspects of
information security such as confidentiality, data integrity, entity authentication
and data origin authentication. So the main goals of cryptography are privacy or
confidentiality, data integrity, authentication and non-repudiation.
Privacy or confidentiality is the service used to keep the content of
information secret from all but those authorized to have it. Secrecy,
confidentiality and privacy are synonymous terms. There are a number of
approaches to providing confidentiality through mathematical algorithms which
render data unintelligible [Santhosh Kumar 2010].
Data integrity is the service that addresses the unauthorized manipulation of data. Data
manipulation includes such things as insertion, deletion and substitution. The service
ensures the ability to detect data manipulation by unauthorized parties.
Authentication is a service related to identification. This function applies
to both entity authentication and data origin authentication. Two parties entering
into a communication should identify each other. Moreover, information
delivered over a channel should be authenticated as to origin of data, data content,
time sent etc.
Non-repudiation is a service which prevents an entity from denying
previous commitments or actions. When disputes arise due to an entity denying
that certain actions were taken, a means to resolve the situation is necessary.
The term information security is much broader, encompassing such things
as authentication and data integrity. The basic terms of information security are:
An information security service is a method to provide some specific
aspect of security. For example, integrity of transmitted data is a security
objective, and a method to ensure this aspect is an information security
service.
Breaking an information security service (which often involves more than
simply encryption) implies defeating the objective of the intended service.
A passive adversary is an adversary who is capable only of reading
information from an unsecured channel.
An active adversary is an adversary who may also transmit, alter, or delete
information on an unsecured channel.
An encryption scheme is said to be breakable if a third party, without prior
knowledge of the key, can systematically recover plaintext from corresponding
cipher text within some appropriate time frame. An appropriate time frame will
be a function of the useful life span of the data being protected [Schneier B 1996].
2.4 Symmetric Key Systems
Symmetric-key encryption has a very long history, as recorded by Kahn
[Kahn D 1967]. [Denning D E 1983] is a good source for many of the more well-
known schemes such as the Caesar cipher, Vigenere and Beaufort ciphers, rotor
machines (Enigma and Hagelin), running key ciphers etc. Konheim
[Konheim A G 1981] also describes many schemes. Beker and Piper
[Beker H 1982] give an in-depth treatment, including cryptanalysis of several of
the classical systems used in World War II. Shannon's paper [Shannon C E 1949]
is considered the seminal work on secure communications. It is also an excellent
source for descriptions of various well-known historical symmetric-key ciphers.
Figure 2.2 gives a general idea behind a symmetric key cipher. Several
books discuss classic symmetric key ciphers. [Kahn D 1996] gives a thorough
history of these ciphers. [Stallings W 2008], [Forouzan BA 2010],[Jan C A 1998],
[Trappe W 2006] etc. provide good accounts of technical details.
Monica Agarwal and Pradeep Mishra have done a beautiful comparative
survey of different symmetric key encryption techniques [Monica Agarwal 2012].
Encryption algorithms can be classified into two broad categories,
symmetric and asymmetric key encryption, as shown in figure 2.3.
Figure 2.2: Symmetric Key Cipher System
In symmetric cryptography, the key used for encryption is the same as the one
used for decryption. Thus the key distribution has to be made prior to the
transmission of information. The key plays a very important role in symmetric
cryptography, since its security directly depends on the nature of the key. There are
various symmetric key algorithms such as DES, Triple DES, AES, RC4, RC6 and
Blowfish [Diaa Salama 2008].
Figure 2.3: Classification of Cryptography
DES was the first encryption standard, designed in 1973, and was
recommended by NIST (National Institute of Standards and Technology) as
the most efficient method for encryption of data in 1976. It was the most
widely used standard all across the world [Tingyuan Nie 2009].
A comparison of popular encryption algorithms based on block size, key
size, number of rounds and known attacks is shown in Table 2.1. It clearly
shows the supremacy of Blowfish algorithm over DES, AES and Triple DES on
the basis of key size and security. DES and other algorithms are vulnerable to
possible attacks but Blowfish algorithm has not been cracked till date.
Table 2.1: Comparison of DES, Triple DES, AES and Blow Fish algorithm
2.5 Mathematics of Symmetric Key Cryptography
Modern symmetric key Cryptography requires sets of integers and specific
operations defined on those sets. The combination of set and the operations that
are applied to the elements of set is called an algebraic structure. Figure 2.4
shows the common algebraic structures: groups, rings and fields. Algebraic
structures are well explained in very simple language by Forouzan B and
Mukhopadhyay [Forouzan B 2010].
Figure 2.4 : Common Algebraic Structures
2.5.1. Group
A group G is a set of elements with a binary operation “•” that satisfies four
properties or axioms. A commutative group, also called an abelian group, is a group in
which the operator satisfies the four properties of groups plus an extra property,
commutativity, as shown in figure 2.5. The four properties of a group plus
commutativity are defined as follows.
Closure: If a and b are elements of G, then c = a • b is also an element of
G. This means that the result of applying the operation on any two
elements in the set is another element in the set.
Associativity: If a, b and c are elements of G, then (a • b) • c = a •
(b • c). In other words, it does not matter in which order we apply
the operation on more than two elements.
Commutativity: For all a and b in G, we have a • b = b • a. This
property needs to be satisfied only for commutative groups.
Existence of identity: For all a in G, there exists an element e, called
the identity element, such that e • a = a • e = a.
Existence of inverse: For each a in G, there exists an element a',
called the inverse of a, such that a • a' = a' • a = e.
Figure 2.5: Group
Although a group involves a single operation, the properties imposed on the
operation allow the use of a pair of operations as long as they are inverses of each
other. For example, if the defined operation is addition, the group supports both
addition and subtraction, because subtraction is addition using the additive
inverse. This is also true for multiplication and division.
The set of residue integers with the addition operator, G = <Zn, +>, is a
commutative group. We can perform addition and subtraction on the elements of
this set without moving out of the set. Let us check the properties:
1. Closure is satisfied. The result of adding two integers in Zn is another
integer in Zn.
2. Associativity is satisfied. The result of (4+3)+2 is same as 4+(3+2).
3. Commutativity is satisfied. We have 3+5=5+3.
4. The identity element is zero. We have 3+0=0+3=3.
5. Every element has an additive inverse. The inverse of an element is its
complement. For example, the inverse of 3 is -3 and the inverse of -3 is
3.
The set Zn* with the multiplication operator, G = <Zn*, ×>, is also a commutative group
or abelian group, because:
1. Closure is satisfied. The result of multiplying two integers in Zn* is
another integer in Zn*.
2. Associativity is satisfied. The result of (4×3)×2 is the same as 4×(3×2).
3. Commutativity is satisfied. We have 3×5=5×3.
4. The identity element is 1. We have 3×1=1×3=3.
5. Every element has a multiplicative inverse, which can be found using
the extended Euclidean algorithm. For example, the inverse of 3 is 3^-1
and the inverse of 3^-1 is 3.
A group is called a finite group if the set has a finite number of elements;
otherwise it is an infinite group. The order of a group, G, is the number of
elements in the group. If the group is not finite, its order is infinite.
A very interesting concept in a multiplicative group is that of the primitive root. In the
group G = <Zn*, ×>, when the order of an element is the same as ø(n), that element
is called a primitive root of the group. It has been proved that the group G =
<Zn*, ×> has a primitive root only if n = 2, 4, p^t or 2p^t, in which p is an odd
prime (not 2) and t is an integer. If the group G = <Zn*, ×> has any primitive root,
the number of primitive roots is ø(ø(n)).
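As an added example (not code from the thesis), the following Python checks the five abelian group axioms for <Zn, +> and <Zn*, ×> by exhaustive search, and finds the primitive roots of <Zn*, ×> by computing element orders; the function names are my own.

```python
# Added example (not from the thesis): brute-force checks of the abelian group axioms
# for <Zn, +> and <Zn*, x>, plus element orders and primitive roots of <Zn*, x>.
from math import gcd


def is_abelian_group(elements, op):
    """Check closure, associativity, commutativity, identity and inverses exhaustively.

    Exhaustive checking is only practical for small sets; it is meant to make the
    five axioms listed in the text concrete, not to be efficient."""
    elems = list(elements)
    for a in elems:
        for b in elems:
            if op(a, b) not in elements:            # closure
                return False
            if op(a, b) != op(b, a):                # commutativity
                return False
            for c in elems:                         # associativity
                if op(op(a, b), c) != op(a, op(b, c)):
                    return False
    # identity: an e with e • a = a • e = a for every a (commutativity already checked)
    identity = next((e for e in elems if all(op(e, a) == a for a in elems)), None)
    if identity is None:
        return False
    # inverses: every a has some a' with a • a' = e
    return all(any(op(a, b) == identity for b in elems) for a in elems)


def z_n(n):
    """Z_n = {0, 1, ..., n-1}, the residue integers modulo n."""
    return set(range(n))


def z_n_star(n):
    """Z_n* = residues in 1..n-1 that are relatively prime to n."""
    return {a for a in range(1, n) if gcd(a, n) == 1}


def phi(n):
    """Euler's totient ø(n) = |Z_n*|, the order of the multiplicative group."""
    return len(z_n_star(n))


def element_order(a, n):
    """Smallest k >= 1 with a^k = 1 mod n, for a in Z_n*."""
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k


def primitive_roots(n):
    """Elements of Z_n* whose order equals ø(n), i.e. generators of the group."""
    order = phi(n)
    return sorted(a for a in z_n_star(n) if element_order(a, n) == order)


def has_primitive_root(n):
    """True exactly for n = 2, 4, p^t or 2p^t (p an odd prime), per the theorem in the text."""
    return len(primitive_roots(n)) > 0


if __name__ == "__main__":
    print("<Z12, +> is an abelian group:", is_abelian_group(z_n(12), lambda a, b: (a + b) % 12))
    print("<Z12*, x> is an abelian group:", is_abelian_group(z_n_star(12), lambda a, b: (a * b) % 12))
    for n in (7, 8, 10, 12, 18):
        print(n, "Z_n* =", sorted(z_n_star(n)), "primitive roots:", primitive_roots(n),
              "ø(ø(n)) =", phi(phi(n)))
```

Note that 8 and 12 are not of the form 2, 4, p^t or 2p^t, and the search finds no primitive root for them, while 18 = 2×3^2 has exactly ø(ø(18)) = 2.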
2.5.2 Ring
A ring, denoted as R = <{}, •, >, is an abelian structure with two operations.
The first operation must satisfy all five properties required for an abelian group.
The second operation must satisfy only the first two. In addition, the second
operation must distribute over the first. A commutative ring is a ring in which
the commutative property is also satisfied for the second operation. A ring is
shown in figure 2.6.
2.5.3 Field
A field, denoted by F = <{…}, •, >, is a commutative ring in which the second
operation satisfies all five properties defined for the first operation except that the
identity of the first operation (sometimes called zero element) has no inverse.
Figure 2.7 shows the field. [Durbin 2005],[Rosen K 2006] and [Dummit D 2004]
discuss algebraic structures thoroughly.
Figure 2.6 : Ring
Figure 2.7: Field
2.6 Public or Asymmetric Key Systems
Until 37 years ago, the secret key cryptography or symmetric key
cryptography was the only way to generate cipher text. Yet, with the advent of
computers and digital communication over insecure networks, a different
framework was required to provide efficient and practical security. In 1976,
Whitfield Diffie and Martin Hellman published their ground breaking paper
“New Directions in Cryptography” [Diffie W 1976] which introduced the concept
of public key cryptography or asymmetric key cryptography. This concept opened
up a whole new field of research within the cryptographic community.
In asymmetric key encryption, two different keys are used for encryption
and decryption: public and private. The public key is meant for general use, so it
is available to anyone on the network. Anyone who wants to encrypt the plaintext
should know the public key of the receiver. Only the authorized person is able
to decrypt the cipher text, using his own private key. The private key is kept secret
from the outside world.
Figure 2.8 shows the general idea of an asymmetric key cryptosystem
and illustrates several important facts. First, it emphasizes the asymmetric nature
of the cryptosystem. The burden of providing security is mostly on the shoulders
of the receiver (Seetha in this case). Seetha needs to create two keys: one private and
one public. Seetha is responsible for distributing the public key to the community.
This can be done through a public key distribution channel. Although this channel
is not required to provide secrecy, it must provide authentication and integrity.
Second, asymmetric key cryptography means that Seetha and Raman cannot use
the same set of keys for two-way communication. Each entity in the community
should create its own private and public keys. The figure shows how Raman can
use Seetha’s public key to send encrypted messages to Seetha. If Seetha wants to
respond, Raman needs to establish his own private and public keys [Forouzan B
2010].
Unlike in symmetric key cryptography, plaintext and cipher text are
treated as integers in asymmetric key cryptography. The message must be
encoded as an integer before encryption; the integer must be decoded into the
message after decryption. Asymmetric key cryptography is normally used to
encrypt or decrypt small pieces of information, such as the cipher key for symmetric
key cryptography.
The encryption and decryption in asymmetric key cryptography are
mathematical functions applied over the numbers representing the plaintext and
cipher text. The cipher text can be thought of as C = ƒ(Kpub, P); the plaintext can
be thought of as P = g(Kprivate, C). The encryption function ƒ is used only for
encryption and the decryption function g is used only for decryption. The function ƒ
needs to be a trapdoor one-way function to allow Seetha to decrypt but to prevent
Ravanan from doing so.
One-way and trapdoor one-way functions are the basis for public-key
Cryptography. The year 1976 marked a major turning point in the history of
cryptography. In several papers published in that year, Diffie and Hellman
introduced the idea of public-key cryptography and gave concrete examples of
how such a scheme might be realized. The first paper on public-key cryptography
was ‘Multiuser Cryptographic Techniques’ by Diffie and Hellman [Diffie W
1976], in 1976. Although the authors were not satisfied with the examples they
cited, the concept was made clear.
In their landmark paper, Diffie and Hellman [Diffie 1976] provided a more
comprehensive account of public-key cryptography and described the first viable
method to realize this elegant concept. Another good source for the early history
and development of the subject is Diffie [Diffie 1992].
Merkle independently discovered public-key cryptography, illustrating
how this concept could be realized by giving an elegant and ingenious example
now commonly referred to as the “Merkle Puzzle Scheme”[Merkle 1979]. In
1978 Rivest, Shamir, and Adleman [Rivest R L 1978] discovered the first
practical public key encryption and signature scheme, now referred to as RSA.
The RSA scheme is based on another hard mathematical problem, the
intractability of factoring large integers. This application of a hard mathematical
problem to cryptography revitalized efforts to find more efficient methods to
factor.
Another class of powerful and practical public key schemes was found by
ElGamal in 1985. These are also based on the discrete logarithm problem. One of
the most significant contributions provided by public-key cryptography is the
digital signature. In 1991 the first international standard for digital signatures was
adopted. It is based on the RSA public key scheme. In 1994 the U.S. Government
adopted the Digital Signature Standard, a mechanism based on the ElGamal
[ElGamal 1985] public key scheme. The search for new public key schemes,
improvements to existing cryptographic mechanisms, and proofs of security
continues at a rapid pace. Various standards and infrastructures involving
cryptography are being put in place. Security products are being developed to
address the security needs of an information intensive society.
Figure 2.8: Asymmetric Key Crypto System
2.7 Mathematics of Asymmetric Cryptography
Asymmetric cryptography is based on some topics in number theory,
including theories related to primes, factorization of composites into primes,
modular exponentiation and logarithm, Chinese remainder theorem etc.
2.7.1 Primes
Asymmetric key cryptography uses primes extensively. Positive integers
can be divided into three groups: the number 1, primes and composites as shown
in figure 2.9. A positive integer is a prime if and only if it is exactly divisible by
two integers, 1 and itself. A composite is a positive integer with more than two
divisors. The smallest prime is 2, which is divisible by 2 (itself) and 1. Note that
the integer 1 is not a prime according to the definition, because a prime must be
divisible by two different integers, no more, no less. The integer 1 is divisible
only by itself; it is not a prime. Two positive integers, a and b, are relatively
prime, or coprime, if gcd(a, b) = 1. Note that the integer 1 is relatively prime to any
integer.
Figure 2.9: Three groups of positive integers
The Greek mathematician Eratosthenes devised a method to find all primes less
than n. The method is called the Sieve of Eratosthenes. Suppose we want to find
all primes less than 100. We write down all the numbers between 2 and 100. We
need to see if any number less than 100 is divisible by 2, 3, 5 or 7 (all the primes up
to the square root of n). Cross out all the numbers divisible by 2 except 2, cross
out all the numbers divisible by 3 except 3, cross out all the numbers divisible by
5 except 5, cross out all the numbers divisible by 7 except 7. The numbers left
over are primes.
Two mathematicians, Mersenne and Fermat, attempted to develop a
formula that could generate primes. Mersenne defined a formula Mp = 2^p - 1, called
the Mersenne numbers, that was supposed to enumerate all primes. Years later, it
was proven that not all numbers created by the Mersenne formula are primes. Fermat
tried to find a formula to generate primes. The formula is Fn = 2^(2^n) + 1. Fermat tested
the numbers up to F4, but it turned out that F5 is not a prime. No number greater
than F4 has been proven to be prime [Forouzan B A 2010].
Finding an algorithm to correctly and efficiently test a very large integer
and output a prime or composite has always been a challenge in number theory.
Such algorithms are classified into deterministic and probabilistic. Divisibility
algorithm and AKS Algorithm [Forouzan B A 2010, William S 2008] are some
of the deterministic algorithms. Divisibility Algorithm is infeasible if number of
bits in n (nb) is very large as its complexity is O(2nb). AKS (Agarwal, Kayal
,Saxena) algorithm is considered to be the standard primality test in mathematics
and computer science. The important probabilistic algorithms are Fermat’s test
and Miller Rabin Test [William S 2008]. Today one of the most popular primality
tests is a combination of divisibility test and Miller Rabin Test.
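As an added example (not code from the thesis), the following Python implements the Sieve of Eratosthenes described above and the combined primality test this paragraph mentions: a deterministic divisibility test by the sieved small primes, followed by the probabilistic Miller-Rabin test; Fermat's test is included to show why Miller-Rabin is preferred. Function names and the choice of primes below 100 for the divisibility stage are my own.

```python
# Added example (not from the thesis): the sieve of Eratosthenes for small primes, and a
# primality test that combines a divisibility test by those primes with Miller-Rabin.
import random


def sieve(n):
    """All primes less than n. Multiples of each prime up to sqrt(n) are crossed out;
    only the prime itself is left standing, exactly as the text describes for n = 100."""
    is_prime = [True] * max(n, 2)
    is_prime[0] = is_prime[1] = False
    for p in range(2, int(n ** 0.5) + 1):
        if is_prime[p]:
            for multiple in range(p * p, n, p):   # smaller multiples were crossed out already
                is_prime[multiple] = False
    return [i for i in range(2, n) if is_prime[i]]


SMALL_PRIMES = sieve(100)   # 2, 3, 5, 7, ..., 97 (constructed choice for the divisibility stage)


def divisibility_test(n):
    """Deterministic stage: trial division by the small primes. Returns False when a small
    prime divides n (unless n is that prime); True means "no small factor", not "prime"."""
    for p in SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    return True


def fermat_test(n, a):
    """Fermat's test with base a: a prime n satisfies a^(n-1) = 1 mod n. The converse fails
    for Carmichael numbers such as 561, which pass for every base coprime to them."""
    return pow(a, n - 1, n) == 1


def miller_rabin(n, rounds=20, rng=random):
    """Probabilistic stage. Write n-1 = 2^r * d with d odd; for a random base a, a prime n
    must give a^d = 1 or a^(2^i d) = n-1 for some i < r. A base that gives neither is a
    witness of compositeness. Error probability after `rounds` rounds is at most 4^-rounds."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a is a witness: n is composite
    return True                   # probably prime


def is_probable_prime(n, rounds=20):
    """The combined test mentioned in the text: cheap divisibility test first, then Miller-Rabin."""
    if n < 2:
        return False
    if not divisibility_test(n):
        return False
    return miller_rabin(n, rounds)


if __name__ == "__main__":
    print("primes below 100:", SMALL_PRIMES)
    for k in range(3, 6):                          # Fermat numbers F3, F4, F5 from the text
        f = 2 ** (2 ** k) + 1
        print(f"F{k} = {f}: probable prime = {is_probable_prime(f)}")
    print("561 passes Fermat's test with base 2:", fermat_test(561, 2),
          "but the combined test says prime:", is_probable_prime(561))
```

F5 = 2^32 + 1 has no factor below 100, so it passes the divisibility stage and is only rejected by Miller-Rabin; 2^11 - 1 = 2047, a composite Mersenne number, is already rejected by trial division.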
2.7.2 Euler’s Totient Function
Euler’s totient function ø(n), also called Euler’s phi function, plays a very
important role in cryptography. That function finds the number of integers that
are smaller than n and relatively prime to n. The set Zn* contains the numbers
that are smaller than n and relatively prime to n. ø(n) is the number
of elements in this set. ø(p) = p - 1 if p is a prime, ø(m×n) = ø(m)×ø(n) if
m and n are relatively prime, and ø(p^e) = p^e - p^(e-1) if p is a prime.
2.7.3 Fermat’s Little Theorem
Fermat’s little theorem plays a very important role in number theory and
cryptography. Two versions of the theorem are introduced here.
First version: The first version says that if p is prime and a is an integer such
that p does not divide a, then a^(p-1) = 1 mod p.
Second version: The second version removes the condition on a. It says
that if p is prime and a is an integer, then a^p = a mod p.
Fermat’s little theorem is helpful for quickly finding a solution to
exponentiation and multiplicative inverses. To find 3^12 mod 11 we can use
Fermat’s little theorem:
3^12 mod 11 = (3^11 × 3) mod 11 = ((3^11 mod 11) × (3 mod 11)) mod 11 = (3 × 3) mod 11 = 9
2.7.4 Euler’s Theorem
Euler’s theorem can be thought of as a generalization of Fermat’s
little theorem. The modulus in Fermat’s theorem is a prime; the modulus
in Euler’s theorem is an integer. Two versions of Euler’s theorem are
introduced here.
First version: The first version of Euler’s theorem is similar to the first
version of Fermat’s little theorem. If a and n are coprime, then a^ø(n) = 1 mod n.
Second version: The second version removes the condition that a and n should be
coprime. If n = p × q, a < n, and k is an integer, then a^(k×ø(n)+1) = a mod n. The second
version of Euler’s theorem is used in the RSA algorithm, as discussed in section
2.10.
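As an added example (not code from the thesis), the following Python covers sections 2.7.2 to 2.7.4 together: it computes ø(n) from the three rules given above, cross-checks it against the definition, verifies both versions of Fermat's little theorem and of Euler's theorem numerically, and reproduces the 3^12 mod 11 calculation. Function names are my own.

```python
# Added example (not from the thesis): Euler's totient from the three rules in the text,
# with numeric checks of both versions of Fermat's little theorem and of Euler's theorem,
# including the 3^12 mod 11 calculation above.
from math import gcd


def factorize(n):
    """Prime factorization of n as {p: e}, by trial division (adequate for the small
    numbers used here)."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """ø(n) by the text's rules: ø(p^e) = p^e - p^(e-1), and ø(m*n) = ø(m)*ø(n) over
    the pairwise coprime prime-power factors of n."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def phi_by_counting(n):
    """ø(n) from its definition: the size of Z_n*. Used to cross-check phi()."""
    return sum(1 for a in range(1, n) if gcd(a, n) == 1)


def fermat_first(a, p):
    """a^(p-1) = 1 mod p, for prime p not dividing a."""
    return pow(a, p - 1, p) == 1


def fermat_second(a, p):
    """a^p = a mod p, for prime p and any integer a."""
    return pow(a, p, p) == a % p


def euler_first(a, n):
    """a^ø(n) = 1 mod n, for gcd(a, n) = 1."""
    return pow(a, phi(n), n) == 1


def euler_second(a, n, k):
    """a^(k*ø(n)+1) = a mod n, for n = p*q and a < n, with no coprimality condition."""
    return pow(a, k * phi(n) + 1, n) == a % n


def power_mod_prime(a, x, p):
    """a^x mod p for prime p, using Fermat to shrink the exponent: a^(p-1) = 1 mod p,
    so only x mod (p-1) matters. For 3^12 mod 11 the exponent becomes 12 mod 10 = 2 and
    the result is 3^2 mod 11 = 9, matching the calculation in the text."""
    if a % p == 0:
        return 0
    return pow(a, x % (p - 1), p)


if __name__ == "__main__":
    print("ø(11) =", phi(11), " ø(77) =", phi(77), "= ø(7)*ø(11) =", phi(7) * phi(11))
    print("3^12 mod 11 =", power_mod_prime(3, 12, 11))
    print("Euler v1 holds for a=3, n=10:", euler_first(3, 10),
          " fails for a=6, n=10 (not coprime):", euler_first(6, 10))
    print("Euler v2 holds for a=6, n=10, k=3:", euler_second(6, 10, 3))
```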
2.7.5 Chinese Remainder Theorem
Let the numbers n1, n2, n3, …, nk be positive integers which are relatively
prime in pairs, i.e. gcd(ni, nj) = 1 when i ≠ j. Furthermore, let n = n1 × n2 × n3 × … × nk
and let x1, x2, …, xk be integers.
Then the system of congruences
x = x1 mod n1
x = x2 mod n2
...
x = xk mod nk
has a simultaneous solution x to all of the congruences, and any two solutions are
congruent to one another modulo n. Furthermore, there exists exactly one solution
for x between 0 and n-1. The Chinese Remainder Theorem has many applications in
cryptography. The application of the Chinese Remainder Theorem in an RSA crypto
chip is described in [Johann 2000].
In 1982, the Chinese remainder theorem was used to increase the speed of the
decryption algorithm of the RSA cryptosystem [Quisquarter J J 1989]. There, two
smaller secret exponents (dp, dq) are calculated from the original secret key (d),
decryption is done with these two keys, and the results are combined with the help of the
Chinese Remainder Theorem (CRT). It improves the performance of the basic
RSA decryption algorithm by a factor of 4.
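As an added example (not code from the thesis), the following Python gives a general CRT solver for the system of congruences above and uses it for the RSA-CRT decryption just described: dp and dq are derived from d, two half-size exponentiations are done modulo p and q, and the CRT recombines them. The toy key (p = 61, q = 53, e = 17) is a constructed example, the function names are my own, and `pow(x, -1, m)` for modular inverses needs Python 3.8 or later.

```python
# Added example (not from the thesis): a general Chinese Remainder Theorem solver, and
# RSA decryption with the two smaller exponents dp, dq recombined by CRT, checked against
# plain decryption. The toy key (p = 61, q = 53, e = 17) is a constructed example.


def crt(residues, moduli):
    """Solve x = x_i mod n_i for pairwise coprime moduli; returns the unique x in [0, n)
    with n the product of the moduli."""
    n = 1
    for m in moduli:
        n *= m
    x = 0
    for x_i, n_i in zip(residues, moduli):
        big_n_i = n // n_i                     # product of the other moduli
        inv = pow(big_n_i, -1, n_i)            # its inverse modulo n_i (Python 3.8+)
        x += x_i * big_n_i * inv
    return x % n


def rsa_keypair(p, q, e):
    """Toy RSA key from two primes and a public exponent: n = p*q, d = e^-1 mod ø(n)."""
    n = p * q
    phi_n = (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi_n), "p": p, "q": q}


def crt_exponents(d, p, q):
    """The two smaller secret exponents dp = d mod (p-1) and dq = d mod (q-1). Each has
    about half the bits of d and is used with a half-size modulus, which is where the
    roughly fourfold speed-up of CRT decryption comes from."""
    return d % (p - 1), d % (q - 1)


def rsa_encrypt(m, key):
    return pow(m, key["e"], key["n"])


def rsa_decrypt_direct(c, key):
    """Basic RSA decryption: one exponentiation with the full d modulo n."""
    return pow(c, key["d"], key["n"])


def rsa_decrypt_crt(c, key):
    """Decrypt modulo p and modulo q separately, then combine with the CRT.
    dp = d mod (p-1) gives c^dp = c^d mod p by Fermat's little theorem, and likewise for q."""
    p, q = key["p"], key["q"]
    dp, dq = crt_exponents(key["d"], p, q)
    m_p = pow(c % p, dp, p)
    m_q = pow(c % q, dq, q)
    return crt([m_p, m_q], [p, q])


def crt_matches_direct(key):
    """Check, for every message m < n, that CRT decryption equals direct decryption."""
    return all(rsa_decrypt_crt(rsa_encrypt(m, key), key) == rsa_decrypt_direct(rsa_encrypt(m, key), key) == m
               for m in range(key["n"]))


if __name__ == "__main__":
    print("x = 2 mod 3, 3 mod 5, 2 mod 7  ->  x =", crt([2, 3, 2], [3, 5, 7]))
    key = rsa_keypair(61, 53, 17)
    print("n =", key["n"], "d =", key["d"], "(dp, dq) =", crt_exponents(key["d"], 61, 53))
    c = rsa_encrypt(65, key)
    print("c =", c, "direct:", rsa_decrypt_direct(c, key), "via CRT:", rsa_decrypt_crt(c, key))
    print("CRT decryption agrees with direct decryption for all m:", crt_matches_direct(key))
```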
2.7.6 Exponentiation and Logarithm
Exponentiation and logarithm are inverses of each other. The following
expressions show the relationship between them, in which a is called the base of
the exponentiation or logarithm.
Exponentiation: y = a^x      Logarithm: x = log_a y
In cryptography, a common modular operation is exponentiation. For
example, y = a^x mod n. RSA, which will be discussed in section 2.13, uses
exponentiation for both encryption and decryption with very large exponents.
Unfortunately, most computer languages have no operator that can efficiently
compute exponentiation, particularly when the exponent is very large. So we use
a more efficient algorithm, the fast exponentiation algorithm, which is discussed in
section 6.5, to compute exponentiation efficiently.
If we use exponentiation to encrypt or decrypt, the hacker can use the
logarithm to attack. One method of attack is exhaustive search, which
repeatedly calculates a^x mod n for successive x until it finds the given value y. The
function that conducts the exhaustive search for the computation of a modular
logarithm is as given below (in Python).
def modular_logarithm(a, y, n):
    # Exhaustive search: try every x in 1..n-1 until a^x mod n equals y.
    # pow(a, x, n) computes a^x mod n.
    for x in range(1, n):
        if pow(a, x, n) == y:
            return x
    return None   # failure: no x found
The algorithm is inefficient. The bit-operation complexity of the algorithm is
O(2^nb), or exponential in nature. Here nb is the number of bits in the binary
representation of the exponent x.
2.8 Symmetric Key Systems Vs. Public Key Systems
Symmetric-Key and Public-Key encryption schemes have various
advantages and disadvantages, some of which are common to both. Varghese
Paul, in his research thesis “Data security in fault tolerant hard real
time systems”, has pointed out the differences between symmetric and asymmetric algorithms in
detail [Varghese 2002].
The primary advantage of Public-Key Cryptography is increased security
and convenience: Private Keys never need to be transmitted or revealed to
anyone. In a secret-key system, by contrast, the secret keys must be transmitted
(either manually or through a communication channel) since the same key is used
for encryption and decryption. A serious concern is that there may be a chance
that an intruder can discover the secret key during transmission.
Another major advantage of public-key systems is that they can provide
digital signatures that cannot be repudiated. Authentication via secret-key systems
requires the sharing of some secret and sometimes requires trust of a third party
as well. As a result, a sender can repudiate a previously authenticated message by
claiming the shared secret was somehow compromised by one of the parties
sharing the secret. For example, the Kerberos secret-key authentication system
involves a central database that keeps copies of the secret keys of all users; an
attack on the database would allow widespread forgery [William Stallings 2008].
Public-key authentication, on the other hand, prevents this type of repudiation;
each user has sole responsibility for protecting his or her private key. This
property of public-key authentication is often called non-repudiation.
A disadvantage of using public-key cryptography for encryption is speed.
There are many secret-key encryption methods that are significantly faster than
any currently available public-key encryption method.
Public-key cryptography may be vulnerable to impersonation, even if
users' private keys are not available. A successful attack on a certification
authority will allow an adversary to impersonate whomever he or she chooses by
using a public-key certificate from the compromised authority to bind a key of the
adversary's choice to the name of another user.
In some situations, public-key cryptography is not necessary and secret-key
cryptography alone is sufficient. These include environments where secure
secret-key distribution can take place, for example by users meeting in private.
They also include environments where a single authority knows and manages all
the keys, for example a closed banking system. Since the authority knows
everyone's keys already, there is not much advantage for some to be "public" and
others to be "private". Note, however, that such a system may become impractical
if the number of users becomes large; no such limitation exists in a public-key
system.
Public-key cryptography is usually not necessary in a single-user
environment. For example, if you want to keep your personal files encrypted, you
can do so with any secret key encryption algorithm using, say, your personal
password as the secret key. In general, public-key cryptography is best suited for
an open multi-user environment.
Public-key cryptography is not meant to replace secret-key cryptography,
but rather to supplement it, to make it more secure. The first use of public-key
techniques was for secure key establishment in a secret-key system; this is still
one of its primary functions.
The following sections (2.8.1, 2.8.2, 2.8.3 and 2.8.4) describe the
advantages and disadvantages of symmetric key systems and public key systems.
2.8.1 Advantages of Symmetric Key Systems
1. Symmetric-key ciphers can be designed to have high rates of data
throughput. Some hardware implementations achieve encryption rates of
hundreds of megabytes per second, while software implementations may
attain throughput rates in the megabytes per second range.
2. Keys for Symmetric-key ciphers are relatively short.
3. Symmetric-key ciphers can be employed as primitives to construct various
cryptographic mechanisms including pseudorandom number generators,
hash functions and computationally efficient digital signature schemes.
4. Symmetric-key ciphers can be composed to produce stronger ciphers.
Simple transformations which are easy to analyze, but on their own weak,
can be used to construct strong product ciphers.
5. Symmetric-key encryption is perceived to have an extensive history,
although it must be acknowledged that, notwithstanding the earlier invention
of rotor machines, much of the knowledge in this area has been acquired
subsequent to the invention of the digital computer and, in particular, the
design of the Data Encryption Standard in the early 1970s.
2.8.2 Disadvantages of Symmetric Key Systems
1. In a two-party communication, the key must remain secret at both ends.
2. In a large network, there are many key pairs to be managed. Consequently,
effective key management requires the use of an unconditionally trusted
TTP.
3. In a two-party communication between entities A and B, sound
cryptographic practice dictates that the key be changed frequently, and
perhaps for each communication session.
4. Digital signature mechanisms arising from symmetric-key encryption
typically require either large keys for the public verification function or the
use of a TTP.
2.8.3 Advantages of Public Key Systems
1. Only the private key must be kept secret (authenticity of public keys must,
however, be guaranteed).
2. The administration of keys on a network requires the presence of only a
functionally trusted TTP as opposed to an unconditionally trusted TTP.
3. Depending on the mode of usage, a private key / public key pair may
remain unchanged for considerable periods of time, e.g., many sessions
(even several years).
4. Many public-key schemes yield relatively efficient digital signature
mechanisms. The key used to describe the public verification function is
typically much smaller than for the symmetric-key counterpart.
5. In a large network, the number of keys necessary may be considerably
smaller than in the symmetric-key scenario.
2.8.4 Disadvantages of Public Key systems
1. Throughput rates for the most popular public-key encryption methods are
several orders of magnitude slower than the best known symmetric-key
schemes.
2. Key sizes are typically much larger than those required for symmetric-key
encryption, and the size of public-key signatures is larger than that of tags
providing data origin authentication from symmetric-key techniques.
3. No public-key scheme has been proven to be secure (the same can be said
for block ciphers). The most effective public-key encryption schemes
found to date have their security based on the presumed difficulty of a
small set of number-theoretic problems.
4. Public-key cryptography does not have as extensive a history as
symmetric-key encryption, having been discovered only in the mid 1970s.
2.9 Cryptographic Hash Functions
A hash function is an easy to compute function h which compresses an
input x of arbitrary finite bit length, to an output h(x) of fixed length n. Hash
functions, also known as message digests, are important cryptographic primitives.
The selection of a secure hash function is necessary to create a secure digital
signature scheme. Here, security means a high level of collision resistance. Below
we discuss some methods of attack on hash function based systems.
A hash function is a function that takes a message of any length as
input and transforms it into a fixed-length output called a hash value, a
message digest, a checksum, or a digital fingerprint. Formally, a hash function
is a function f : D → R, where the domain D = {0,1}* (the elements of the
domain are binary strings of arbitrary length) and the range R = {0,1}^n for
some n ≥ 1 (the elements of the range are binary strings of fixed length). So f
takes as input a message M of any size and produces a fixed-length hash result
h of size n. When its domain is also of fixed length, in other words when f
takes a fixed-length input and produces a shorter fixed-length output, f is
referred to as a compression function [Joseph 2008].
A cryptographic hash function H is a hash function with additional security
properties:
1. H should accept a block of data of any size as input.
2. H should produce a fixed-length output no matter what the length of the input data is.
3. H should behave like a random function while being deterministic and
efficiently reproducible: it accepts an input of any length and outputs a
string of fixed length that looks random, yet whenever the same input is
given, H always produces the same output.
4. Given a message M, it is easy to compute its corresponding digest h;
meaning that h can be computed in polynomial time O(n) where n is the
length of the input message, this makes hardware and software
implementations cheap and practical.
5. Given a message digest h, it is computationally difficult to find M such
that H(M) = h. This is called the one-way or pre-image resistance property.
It simply means that one should not be capable of recovering the original
message from its hash value.
6. Given a message M1, it is computationally infeasible to find another
message M2 ≠ M1 with H(M1) = H(M2). This is called the weak collision
resistance or second preimage resistance property.
7. It is computationally infeasible to find any pair of distinct messages
(M1, M2) such that H(M1) = H(M2). This is referred to as the strong
collision resistance property.
Property 7 implies property 6 directly. It is usually also taken to imply
property 5, which holds for the hash functions used in practice (those that
compress their input substantially), although not for every function in general.
Historically, the first designs for hash functions have been based on block
ciphers. Several successful proposals are still widely in use. A second approach
has been the use of modular arithmetic. After many failures, finally a satisfactory
solution has been developed within ISO/IEC SC27 [Bart 1997].
The most popular algorithms from the early nineties were certainly MD4
and MD5, both designed by R L Rivest [R L Rivest 1991], [R L Rivest 1992]. On
32-bit machines, they were about one order of magnitude faster than any other
cryptographic primitive (such as DES or other hash functions). Both algorithms
were submitted to the RIPE consortium, an EU-sponsored project active between
1988 and 1992 whose goal was to propose a portfolio of recommended integrity
primitives based on an open call for algorithms [Bart 1997].
All cryptographic hash functions need to create a fixed-size digest out of a
variable-size message. This is best accomplished by iteration: instead of
designing a hash function with variable-size input, a function with fixed-size
input is designed and applied as many times as necessary. The fixed-size-input
function is referred to as a compression function; it compresses an n-bit string
into an m-bit string, where n is normally greater than m. The resulting scheme
is referred to as an iterated cryptographic hash function. The Merkle-Damgård
scheme is an iterated hash function that is collision resistant if the
compression function is collision resistant, provided the message is padded with
an encoding of its length before the last block (Merkle-Damgård strengthening)
[Forouzan BA 2010].
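The iterated construction and the security properties listed above, in one added example that is not from the original chapter: a toy Merkle-Damgård hash with length padding, built over a stand-in compression function, and a birthday search against its deliberately short digest to show why a 128-bit digest is too small to resist collision attacks. The compression function here is a truncated SHA-256 of (chaining value || block); it is an assumption of this example and stands in for a dedicated compression function, and the block and digest sizes are toy values.

```python
"""Added example, not from the original chapter: a toy iterated
(Merkle-Damgard) hash with Merkle-Damgard strengthening, built over a
stand-in compression function (truncated SHA-256 of chain || block, an
assumption of this example), plus a birthday search for collisions on its
short digest and a brute-force preimage search for comparison."""

import hashlib
from typing import Dict, Optional, Tuple

BLOCK_BYTES = 8          # toy block size (64 bits); SHA-256 uses 64 bytes
DIGEST_BYTES = 3         # toy digest size (24 bits), deliberately tiny
IV = b"\x00" * DIGEST_BYTES


def compress(chain: bytes, block: bytes) -> bytes:
    """Stand-in compression function: DIGEST_BYTES + BLOCK_BYTES -> DIGEST_BYTES."""
    assert len(chain) == DIGEST_BYTES and len(block) == BLOCK_BYTES
    return hashlib.sha256(chain + block).digest()[:DIGEST_BYTES]


def md_pad(message: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, then the bit length."""
    bit_len = 8 * len(message)
    padded = message + b"\x80"
    while (len(padded) + 4) % BLOCK_BYTES != 0:
        padded += b"\x00"
    return padded + bit_len.to_bytes(4, "big")


def toy_hash(message: bytes) -> bytes:
    """Iterate the compression function over the padded message blocks."""
    chain = IV
    padded = md_pad(message)
    for i in range(0, len(padded), BLOCK_BYTES):
        chain = compress(chain, padded[i:i + BLOCK_BYTES])
    return chain


def birthday_collision(limit: int = 1 << 20) -> Optional[Tuple[bytes, bytes, int]]:
    """Hash constructed messages until two distinct ones share a digest.

    Returns (m1, m2, hashes_computed). For a d-bit digest the expected work
    is about 2**(d/2) hashes (about 4096 here), versus 2**d for a preimage.
    """
    seen: Dict[bytes, bytes] = {}
    for i in range(limit):
        m = b"msg-%d" % i                # constructed messages
        h = toy_hash(m)
        if h in seen and seen[h] != m:
            return seen[h], m, i + 1
        seen[h] = m
    return None


def preimage_search(target: bytes, limit: int = 1 << 20) -> Optional[Tuple[bytes, int]]:
    """Brute-force a preimage of target: expected work about 2**d hashes."""
    for i in range(limit):
        m = b"pre-%d" % i
        if toy_hash(m) == target:
            return m, i + 1
    return None
```

Running `birthday_collision()` on the 24-bit toy digest finds two colliding messages after a few thousand hashes; scaling the same argument to 128 bits gives roughly 2^64 hashes for a collision, which is why MD5-sized digests are considered too small.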
The Merkle-Damgård scheme is the basis for many cryptographic hash
functions in use today. Two different approaches are used in designing the
compression function. In the first approach the compression function is made
from scratch; in the second, a symmetric block cipher serves as the compression
function. Examples of the first approach are the Message Digest (MD) family and
the Secure Hash Algorithms (SHA). There are MD2, MD4 and MD5. The last version,
MD5, is a strengthened version of MD4 that divides the message into blocks of
512 bits and creates a 128-bit digest. It turned out that a message digest of
size 128 bits is too small to resist collision attacks (and practical collisions
for MD5 are now known).
The Secure Hash Algorithm is a standard that was developed by the
National Institute of Standards and Technology (NIST) and published as a
Federal Information Processing Standard (FIPS 180). It is sometimes referred to
as the Secure Hash Standard. Its design follows the MD4/MD5 family. The newer
versions of SHA are SHA-224, SHA-256, SHA-384 and SHA-512. Table 2.2 lists some
of the characteristics of these versions. RIPEMD and HAVAL are also examples of
the first approach.
Characteristics              SHA-1     SHA-224   SHA-256   SHA-384   SHA-512
Maximum message size (bits)  2^64-1    2^64-1    2^64-1    2^128-1   2^128-1
Block size (bits)            512       512       512       1024      1024
Message digest size (bits)   160       224       256       384       512
Number of rounds             80        64        64        80        80
Word size (bits)             32        32        32        64        64
Table 2.2: Characteristics of Secure Hash Algorithms
SHA-512 is explained in detail in [Forouzan BA 2010]. An iterated
cryptographic hash function can use a symmetric key block cipher instead of
compression function. Several schemes for this approach have been proposed,
including the Rabin scheme, Davies-Meyer scheme, Matyas-Meyer-Oseas
scheme and Miyaguchi - Preneel scheme [Forouzan BA 2010]. Another
promising cryptographic hash function is Whirlpool, which is endorsed by
NESSIE (New European Schemes for Signatures, Integrity and Encryption).
Whirlpool is an iterated cryptographic hash function based on the Miyaguchi-
Preneel scheme, which uses a symmetric-key block cipher in place of a
compression function. The block cipher is a dedicated AES-like cipher tailored
for this purpose [Bart 1993].
2.10 Message Integrity and Message Authentication
Message integrity is concerned with preventing data from being
manipulated. It involves not only methods of detecting whether a stored or
transmitted message has been altered, but also whether the message has been
replayed by an intruder, and how this can be prevented.
The integrity of a message can be checked with the help of hash
functions. To preserve the integrity of the message, the message is passed
through a cryptographic hash function, explained in section 2.9. The function
creates a compressed image of the message that can be used like a fingerprint.
Figure 2.10 shows the role of the cryptographic hash function in the generation
of the message digest.
Figure 2.10: Message and Digest
To check the integrity of a message, or document, we run the
cryptographic hash function again and compare the new message digest with
previous one. If both are same, we are sure that the original message has not been
changed. Figure 2.11 shows the idea.
Figure 2.11: Checking integrity
A Modification Detection Code (MDC) is a message digest that can prove
the integrity of a message: that the message has not been changed. If Raman
needs to send a message to Seetha and be sure that the message will not change
during transmission, Raman can create a message digest, the MDC, and send both
the message and the MDC to Seetha. Seetha creates a new MDC from the received
message and compares it with the received MDC. If they are the same, the message
has not been changed. Figure 2.12 shows the idea. Because anyone can recompute
an MDC (it involves no secret), it proves integrity only if the MDC itself
reaches Seetha unmodified, for example over a separate trusted channel.
Message authentication can be regarded as the combination of message
integrity and entity authentication. Both parties are able to verify each other’s
authenticity and whether the data are still undamaged.
Figure 2.12: Modification Detection Code (MDC)
Message authentication is achieved by using a Message Authentication
Code (MAC). The difference between an MDC and a MAC is that the second
includes a secret shared between Raman and Seetha, for example a secret key
that Ravanan does not possess. Figure 2.13 shows the idea.
Figure 2.13: Message Authentication Code (MAC)
Raman uses a hash function to create the MAC from the concatenation of the
key and the message, h(k || m). He sends the message and the MAC to Seetha over
the insecure channel. Seetha separates the message from the MAC and makes a
new MAC from the concatenation of the secret key and the message. She then
compares the newly created MAC with the one received. If the two MACs match,
the message is authentic and has not been modified by an adversary
[Needham R 1978]. One caveat: the bare construction h(k || m) is not a safe MAC
with Merkle-Damgård hashes such as MD5 or SHA-1, because an attacker who sees
h(k || m) can append data to m and compute a valid tag for the extended message
without knowing k (length extension); standardized keyed hashes such as HMAC
apply the key twice, in nested fashion, to avoid this.
Note that there is no need to use two channels in this case. Both the message
and the MAC can be sent on the same insecure channel. Ravanan can see the
message, but he cannot forge a new message to replace it because he does not
possess the secret key shared between Raman and Seetha, and so he is unable to
create a matching MAC.
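The MDC and MAC checks of this section run against a message that Ravanan modifies in transit, as an added example that is not part of the original chapter. The MAC is HMAC-SHA256 rather than the bare h(k || m) of the text, and the key, the sample message and the names of the helper functions are constructed for this example.

```python
"""Added example, not from the original chapter: an MDC (unkeyed digest) and
a MAC (HMAC-SHA256) checked by Seetha after Ravanan alters the message in
transit. The shared key and the sample message are constructed values."""

import hashlib
import hmac
from typing import Tuple

SHARED_KEY = b"constructed-demo-key-not-for-real-use"   # known to Raman and Seetha only


def mdc(message: bytes) -> bytes:
    """Modification detection code: an unkeyed digest of the message."""
    return hashlib.sha256(message).digest()


def mac(key: bytes, message: bytes) -> bytes:
    """Message authentication code: HMAC-SHA256, which nests the key twice."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mdc(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mdc(message), tag)


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading bytes of a forged tag happened to be correct.
    return hmac.compare_digest(mac(key, message), tag)


def ravanan_tampers(message: bytes, tag: bytes, protected_by_mac: bool) -> Tuple[bytes, bytes]:
    """Ravanan changes the amount and does his best to fix up the tag."""
    forged = message.replace(b"amount=100", b"amount=900")
    if protected_by_mac:
        return forged, tag            # without the key, reusing the old tag is all he can do
    return forged, mdc(forged)        # an MDC needs no secret: simply recompute it


def deliver(protected_by_mac: bool) -> Tuple[bool, bytes]:
    """Raman -> Ravanan -> Seetha. Returns (accepted by Seetha, message she saw)."""
    message = b"to=seetha;amount=100;memo=rent"        # constructed sample message
    tag = mac(SHARED_KEY, message) if protected_by_mac else mdc(message)
    message, tag = ravanan_tampers(message, tag, protected_by_mac)
    if protected_by_mac:
        accepted = verify_mac(SHARED_KEY, message, tag)
    else:
        accepted = verify_mdc(message, tag)
    return accepted, message
```

`deliver(False)` shows Seetha accepting the altered message, because the recomputed MDC matches; `deliver(True)` shows the same alteration rejected, because Ravanan cannot produce a tag under the key he does not hold.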
2.11 Entity Authentication
Entity authentication is a technique designed to let one party prove the
identity of another party. An entity can be a person, a process, a client or a
server. The entity whose identity needs to be proved is called the claimant; the
party that tries to verify the identity of the claimant is called the verifier.
In entity authentication, the claimant must identify herself to the verifier.
This can be done with one of three kinds of witness: something known (a
password, PIN or secret/private key), something possessed (a token, smart card
or ATM card) or something inherent (a biometric) [Forouzan 2010]. The
subsections below cover passwords, challenge-response and zero-knowledge
protocols (ways of proving something known without disclosing it), and
biometrics.
2.11.1 Password
The simplest and oldest method of entity authentication is the password
based authentication, where the password is something that the claimant knows.
A password is used when a user needs to access a system to use the system
resources (Login). Each user has a user identification that is public, and a
password that is private. We can divide these authentication schemes into two
groups: the fixed password and one time password. A fixed password is a
password that is used over and over again for every access. There are several
methods in fixed password authentication.
In the very rudimentary approach, the system keeps a table or a file that is
sorted by user identification. To access the system resources, the user sends user
identification and password, in plain text, to the system. The system uses the
identification to find the password in the table. If the password sent by the user
matches the password in the table, access is granted; otherwise it is denied. Figure
2.14 shows this approach.
Figure 2.14: Password File
This approach is subjected to several kinds of attack like Eavesdropping,
Stealing a password, Accessing password file and guessing password etc.
[Stinson 2006].
A more secure approach is to store the hash of the password (instead of the
plaintext password) in the password file. Any user can read the contents of the
file, but because the hash function is one-way it is infeasible to recover the
password from its hash. Figure 2.15 shows the situation. The attack still
possible against this approach is the dictionary attack: the attacker hashes a
list of likely passwords and compares the results with the stored hashes.
Figure 2.15: Hashing the Password
The third approach is called salting the password. When the password entry
is created, a random string called the salt is concatenated with the password.
The salted password is then hashed. The id, the salt and the hash are stored in
the file. When a user asks for access, the system extracts the salt,
concatenates it with the received password, hashes the result and compares it
with the hash stored in the file. If there is a match, access is granted;
otherwise it is denied. Figure 2.16 shows the idea. Salting makes the
dictionary attack more difficult: a precomputed table of hashed words no longer
matches, and the attacker must repeat the work for every salt. Salting is
effective when the salt is a long random value that is unique to each user; in
practice it is combined with a deliberately slow hash so that each guess is
expensive.
In the fourth approach, two identification techniques are combined. A good
example of this type of authentication is the use of an ATM card with a PIN.
The card belongs to the category of something possessed and the PIN to the
category of something known.
Figure 2.16: Salting the Password
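The unsalted and salted password files of this section, with a dictionary attack run against each, as an added example that is not from the original chapter. Users, passwords and the word list are constructed for the example, and PBKDF2-HMAC-SHA256 stands in for the plain hash of the text so that the salted variant is also deliberately slow.

```python
"""Added example, not from the original chapter: unsalted and salted password
storage side by side, each attacked with the same small dictionary. Users,
passwords and the word list are constructed; PBKDF2-HMAC-SHA256 stands in for
the plain hash of the text (an assumption of this example)."""

import hashlib
import hmac
import os
from typing import Dict, Iterable, Tuple

PBKDF2_ITERATIONS = 10_000     # low for the demo; production values are much higher
SALT_BYTES = 16


def hash_unsalted(password: str) -> bytes:
    """Second approach of the text: store h(password)."""
    return hashlib.sha256(password.encode()).digest()


def hash_salted(password: str, salt: bytes) -> bytes:
    """Third approach: store h(salt || password), here with a slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_salted_record(password: str) -> Tuple[bytes, bytes]:
    """What the system stores per user: (salt, hash), with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    return salt, hash_salted(password, salt)


def verify_salted(record: Tuple[bytes, bytes], password: str) -> bool:
    """Extract the salt, rehash the offered password, compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(hash_salted(password, salt), stored)


def attack_unsalted(pw_file: Dict[str, bytes], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """One table of h(word) -> word, computed once, cracks every user at once.

    Returns (cracked users, number of hashes computed).
    """
    table: Dict[bytes, str] = {}
    work = 0
    for word in wordlist:
        table[hash_unsalted(word)] = word
        work += 1
    cracked = {user: table[h] for user, h in pw_file.items() if h in table}
    return cracked, work


def attack_salted(pw_file: Dict[str, Tuple[bytes, bytes]], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """With per-user salts no table can be shared: every user costs a fresh pass."""
    words = list(wordlist)
    cracked: Dict[str, str] = {}
    work = 0
    for user, (salt, stored) in pw_file.items():
        for word in words:
            work += 1
            if hmac.compare_digest(hash_salted(word, salt), stored):
                cracked[user] = word
                break
    return cracked, work
```

Both attacks still crack a weak password; what the salt changes is the cost: the unsalted attack hashes the word list once for all users, while the salted attack has to hash it again for every user, and each of those hashes is slow.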
A one-time password is a password that is used only once. Because each
password is valid for a single use, a password captured by eavesdropping is
worthless to the attacker, and the salting of the previous approach becomes
unnecessary. Three approaches are used here. In the first, a list of passwords
is kept in the system. In the second, the password is sequentially updated. In
the third, sequentially updated passwords are hashed (a hash chain)
[Forouzan 2010].
2.11.2 Challenge Response
In challenge- response authentication, the claimant proves that he knows a
secret without actually sending it. Challenge response authentication can use
symmetric key ciphers, keyed hash functions, asymmetric key ciphers and digital
signature.
Using symmetric-key encryption there are three approaches to challenge-
response authentication. The first approach is called the nonce challenge, where
the verifier sends a nonce, a random number used only once, to challenge the
claimant. A nonce must be time-varying: every time it is created, it is
different. The claimant responds to the challenge using the secret key shared
between the claimant and the verifier. Figure 2.17 shows this approach.
Figure 2.17: Nonce Challenge
The second approach is called the time-stamp challenge, where the time-
varying value is a time-stamp, which obviously changes with time. In this
approach the challenge message is the current time, sent from the verifier to
the claimant. The third approach is called bidirectional authentication. The
idea is shown in figure 2.18.
Figure 2.18: Bidirectional Authentication
Instead of using encryption/decryption for entity authentication, we can also
use a keyed hash function (MAC). One advantage of this scheme is that it
preserves the integrity of the challenge and response messages while still
using a secret, the key.
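The nonce-challenge exchange with a keyed hash as the response function, as an added example that is not from the original chapter. Both sides of the exchange are shown, followed by a replay of an old response and an attempt with the wrong key, both of which the verifier rejects. The shared key and the label string are constructed for the example.

```python
"""Added example, not from the original chapter: nonce challenge-response
with HMAC-SHA256 as the response function. The shared key and the label
string are constructed values."""

import hashlib
import hmac
import os
from typing import Set, Tuple

LABEL = b"entity-auth-response:"    # domain separation: ties the tag to this protocol


def response_tag(key: bytes, nonce: bytes) -> bytes:
    """R = MAC_k(label || nonce): proves possession of k without sending it."""
    return hmac.new(key, LABEL + nonce, hashlib.sha256).digest()


class Verifier:
    def __init__(self, shared_key: bytes) -> None:
        self.key = shared_key
        self.outstanding: Set[bytes] = set()    # challenges issued, not yet answered

    def challenge(self) -> bytes:
        nonce = os.urandom(16)                  # fresh, time-varying, never reused
        self.outstanding.add(nonce)
        return nonce

    def check(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:       # unknown, or already consumed: reject
            return False
        self.outstanding.discard(nonce)         # one answer per challenge, so replays fail
        return hmac.compare_digest(response_tag(self.key, nonce), response)


class Claimant:
    def __init__(self, shared_key: bytes) -> None:
        self.key = shared_key

    def respond(self, nonce: bytes) -> bytes:
        return response_tag(self.key, nonce)


def run_protocol(verifier: Verifier, claimant: Claimant) -> Tuple[bytes, bytes, bool]:
    """One round: verifier -> nonce -> claimant -> response -> verifier."""
    nonce = verifier.challenge()
    response = claimant.respond(nonce)
    return nonce, response, verifier.check(nonce, response)
```

Because the response is bound to a nonce the verifier issued and then discards, an eavesdropper who records (nonce, response) gains nothing: the same pair is rejected if replayed, and a new challenge needs a fresh tag that only a holder of the key can compute.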
Instead of symmetric key cipher, we can use an asymmetric key cipher for
entity authentication. Here the secret must be the private key of the claimant. The
claimant must show that she owns the private key related to the public key that is
available to everyone. This means that the verifier must encrypt the challenge
using public key of claimant: the claimant then decrypts the message using her
private key. The response to the challenge is the decrypted challenge.
Entity authentication can also be achieved using a digital signature. When
digital signature is used for entity authentication, the claimant uses her private
key for signing. There are two approaches. In first approach, verifier uses a plain
text challenge and claimant signs the response. In second approach, claimant and
verifier authenticate each other.
2.11.3 Zero Knowledge
In zero-knowledge authentication, the claimant does not reveal anything
that might endanger the confidentiality of the secret. The claimant proves to the
verifier that she knows a secret without revealing it. The interactions are
designed so that they cannot lead to revealing or guessing the secret. Protocols
such as the Fiat-Shamir protocol, the Feige-Fiat-Shamir protocol and the
Guillou-Quisquater protocol use zero-knowledge techniques for authentication
[Forouzan B A 2010, William S 2008].
2.11.4 Biometrics
Biometrics is the measurement of physiological or behavioural features for
identifying a person using something inherent to her. Biometric techniques fall
into two broad categories: physiological and behavioural. Physiological
techniques measure physical traits of the human body for verification and
identification. Behavioural techniques measure traits of human behaviour.
Figure 2.19 shows several common techniques under each category.
Figure 2.19: Biometrics
2.12 Modular Arithmetic
Given a positive integer n and any non negative integer a, if we divide a by
n, we get an integer quotient q and an integer remainder r that obey the following
relationship.
a = qn + r,   0 ≤ r < n,   q = ⌊a/n⌋
If a is an integer and n is a positive integer, we define a mod n to be the
remainder when a is divided by n. The integer n is called the modulus. The output
r is called residue. Thus for any integer a, we can always write
a = ⌊a/n⌋ × n + (a mod n)
Two integers a and b are said to be congruent modulo n if a mod n = b mod n.
We say that a nonzero b divides a if a = mb for some m, where a, b and m
are integers; that is, b divides a if there is no remainder on division. The
notation b | a is commonly used to mean b divides a. Also, if b | a, we say that
b is a divisor of a.
As figure 2.20 shows the modulo operator (mod) takes as integer a from the set Z
and positive modulus n. The operator creates a nonnegative residue r. We can say
a mod n = r.
Figure 2.20: Division relation and modulo operator
The result of the modulo operator with modulus n is always an integer between 0
and n-1; in other words, a mod n is always a non-negative integer less than n.
We can say that the modulo operator creates a set, which in modular arithmetic
is referred to as the set of least residues modulo n, or Z_n. However, we need
to remember that although we have only one set of integers (Z), we have
infinitely many instances of the set of residues (Z_n), one for each value of n.
Figure 2.21 shows the set Z_n and three instances, Z_2, Z_6 and Z_11.
Figure 2.21: Some Zn sets
Congruence
In cryptography, we often use the concept of congruence instead of
equality. The mapping from Z to Z_n is not one-to-one: infinitely many members
of Z map to one member of Z_n. For example, 2 mod 10 = 2, 12 mod 10 = 2,
22 mod 10 = 2 and so on. In modular arithmetic, integers like 2, 12 and 22 are
called congruent mod 10. To show that two integers are congruent, we use the
congruence operator (≡). We add the phrase (mod n) to the right side of the
congruence to define the modulus that makes the relationship valid. For
example, we write 2 ≡ 12 (mod 10), 13 ≡ 23 (mod 10), etc. Figure 2.22 shows
the idea of congruence.
The congruence operator looks like an equality operator, but there are
differences. First, an equality operator maps a member of Z to itself; The
congruence operator maps a member from Z to member of Zn. Second, the
equality operator is one to one; the congruence operator is many to one.
The phrase (mod n) that we insert at the right-hand side of the congruence
operator is just an indication of the destination set (Z_n). We need to add
this phrase to show what modulus is used in the mapping. The symbol mod
used here does not have the same meaning as the binary operator: the symbol
mod in 12 mod 10 is an operator, whereas the phrase (mod 10) in
2 ≡ 12 (mod 10) means that the destination set is Z_10.
Figure 2.22: Concept of congruence
Properties of Congruence
Congruence has the following properties.
a ≡ b (mod n) if and only if n | (a - b)
a ≡ b (mod n) implies b ≡ a (mod n)
a ≡ b (mod n) and b ≡ c (mod n) imply a ≡ c (mod n)
Residue classes
A residue class [a] or [a]_n is the set of integers congruent to a modulo n. In
other words, it is the set of all integers x such that x ≡ a (mod n). For
example, if n = 5, we have five sets [0], [1], [2], [3] and [4], as shown below.
[0] = {…, -15, -10, -5, 0, 5, 10, 15, …}
[1] = {…, -14, -9, -4, 1, 6, 11, 16, …}
[2] = {…, -13, -8, -3, 2, 7, 12, 17, …}
[3] = {…, -12, -7, -2, 3, 8, 13, 18, …}
[4] = {…, -11, -6, -1, 4, 9, 14, 19, …}
The integers in the set [0] are all reduced to 0, when we apply the
modulo 5 operation on them. The integers in set [1] are all reduced to 1 when we
apply the modulo 5 operation, and so on. In each set, there is one element called
the least residue. In the set [0], this element is 0; in the set of [1], this element is
1; and so on. The set of all these least residues is what we have shown as
Z_5 = {0, 1, 2, 3, 4}. In other words, the set Z_n is the set of all least residues modulo n.
Operations in Zn
The binary operations (Addition, Subtraction and multiplication) that we
discussed for the set Z can also be defined for the set Zn. The result may need to
be mapped to Zn using the mod operator as shown in figure 2.23.
Figure 2.23 : Binary operations in Zn
Actually two sets of operations are used here. The first set is one of the
binary operators (+ ,- ,×); the second is the mod operator. We need to use
parenthesis to emphasize the order of operations. As figure 2.23 shows, the input
(a and b) can be members of Zn or Z.
Properties of modular arithmetic
The following are the properties of modular arithmetic.
[(a mod n) + (b mod n)] mod n = (a + b) mod n
[(a mod n) - (b mod n)] mod n = (a - b) mod n
[(a mod n) × (b mod n)] mod n = (a × b) mod n
Figure 2.24 shows the process before and after applying the above
properties. Although the figure shows that the process is longer if we apply the
above properties, we should remember that in cryptography we are dealing with
very large integers.
For example, if we multiply a very large integer by another very large
integer, we will have an integer that is too large to be stored in the computer.
Applying the above properties make the first two operands smaller before
multiplication operation is applied. In other word, the properties allow us to work
with smaller numbers.
Figure 2.24: Properties of mod Operator
Inverses
When we are working in modular arithmetic, we often need to find the
inverse of a number relative to an operation. We are normally looking for an
additive inverse (relative to addition operation) or a multiplicative inverse
(relative to multiplication operation)
In Z_n, two members a and b are additive inverses of each other if
a + b ≡ 0 (mod n)
In Z_n, the additive inverse of a can be calculated as b = n - a (the additive
inverse of 0 is 0 itself).
In Z_n, two members a and b are multiplicative inverses of each other if
a × b ≡ 1 (mod n)
For example, if the modulus is 10, then the multiplicative inverse of 3 is 7;
in other words, (3 × 7) mod 10 = 1. It can be proved that a has a
multiplicative inverse in Z_n if and only if gcd(n, a) = 1. In this case, a and
n are said to be relatively prime.
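The congruence test, residue classes and the two inverses of this section in working code, as an added example that is not from the original chapter. The multiplicative inverse is found with the extended Euclidean algorithm, which also decides the gcd(n, a) = 1 condition; the numbers in the tests are the chapter's own (3 × 7 ≡ 1 mod 10, the residue classes mod 5).

```python
"""Added example, not from the original chapter: the extended Euclidean
algorithm and the additive and multiplicative inverses of section 2.12,
together with the congruence relation and residue classes."""

from typing import List, Optional, Tuple


def extended_gcd(a: int, b: int) -> Tuple[int, int, int]:
    """Return (g, s, t) with g = gcd(a, b) and s*a + t*b == g (Bezout)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r     # the Euclidean remainder sequence
        old_s, s = s, old_s - q * s     # carry the coefficients along with it
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mult_inverse(a: int, n: int) -> Optional[int]:
    """Multiplicative inverse of a in Z_n, or None when gcd(a, n) != 1.

    From s*a + t*n = 1 it follows that s*a = 1 (mod n), so s is the inverse.
    """
    g, s, _ = extended_gcd(a % n, n)
    if g != 1:
        return None
    return s % n                        # reduce s into the least-residue set Z_n


def add_inverse(a: int, n: int) -> int:
    """Additive inverse of a in Z_n: the b with (a + b) mod n == 0."""
    return (-a) % n                     # equals n - a for 0 < a < n, and 0 for a == 0


def congruent(a: int, b: int, n: int) -> bool:
    """a = b (mod n) holds exactly when n divides a - b."""
    return (a - b) % n == 0


def residue_class(a: int, n: int, lo: int, hi: int) -> List[int]:
    """The members of [a]_n that lie in the range lo..hi (inclusive)."""
    return [x for x in range(lo, hi + 1) if congruent(x, a, n)]


def least_residues(n: int) -> List[int]:
    """Z_n: one least residue per residue class."""
    return [a % n for a in range(n)]
```

`mult_inverse` returning `None` is the gcd(n, a) ≠ 1 case of the text: in Z_10, for instance, 4 has no inverse because 2 divides both 4 and 10.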
2.13 RSA Algorithm
The most commonly used public key algorithm is the RSA, named for its
inventors (Rivest, Shamir and Adleman). Behrouz A Forouzan explained the
concept of RSA in a very simple and understandable manner [Forouzan 2010].
RSA uses two exponents, e and d, where e is public and d is private.
Suppose M is the plain text and C is the cipher text. The equation
C = M^e mod n is used to create the cipher text C, and M = C^d mod n is used
to retrieve the plaintext M from the cipher text. The modulus n, a very large
number, is created during the key generation process. RSA uses modular
exponentiation for encryption and decryption; to attack RSA, Ravanan would have
to undo that exponentiation without d, i.e. recover M from C = M^e mod n, a
problem for which, as for the modular logarithm, no polynomial-time algorithm is
known. Modular exponentiation itself is feasible in polynomial time using the
fast exponentiation algorithm. The complexity of the operations in RSA is as
shown in figure 2.13.1.
Figure 2.13.1: Complexity of Operations in RSA
An RSA public-key / private-key pair can be generated by the following steps:
Key generation
1. Select two large prime numbers p and q.
2. Calculate n = p × q. Here n is used as the modulus for both the public and the
private key.
3. Find Euler's totient function φ(n) = (p-1) × (q-1).
4. Select an integer e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1; e is
released as the public key exponent.
5. Find d = e^{-1} mod φ(n), i.e., d is the multiplicative inverse of e modulo
φ(n). More clearly stated: solve for d in (d × e) mod φ(n) = 1. This is often
computed using the extended Euclidean algorithm. Here d is the private key
exponent.
6. Public key = (e, n), Private key = (d, n).
After key generation the tuple (e, n) is announced as the public key and d is
kept as the private key. The recommended size quoted here for each prime p or q
is 512 bits (about 154 decimal digits), which makes the size of n, the modulus,
1024 bits (309 digits); note that 1024-bit moduli are now regarded as too short
and current standards recommend a modulus of at least 2048 bits (1024-bit
primes).
Encryption
RSA_Encryption(M, e, n)
{
C ← FastExponentiation(M, e, n)    // Calculation of C = M^e mod n
return C
}
Anyone can send a message to Seetha encrypted with her public key (e, n) using
the formula C = M^e mod n. Encryption in RSA can be done using the fast
exponentiation algorithm with polynomial time complexity. The plain text M,
treated as an integer, must be less than n.
Decryption
RSA_Decryption(C, d, n)
{
M ← FastExponentiation(C, d, n)    // Calculation of M = C^d mod n
return M
}
The above algorithm can be used to decrypt the cipher text. Decryption can
also be done in polynomial time. The cipher text is likewise an integer less
than n. An example of encryption and decryption in RSA is shown in figure 2.26.
Figure 2.26: Encryption and Decryption in RSA
Attacks on RSA
Satish N. Chalurkar, Nilesh Khochare , B. B.Meshram have made a very
good survey on modular attack on RSA [Satish N 2011]. The serious security
weakness in RSA is described well in [Majid Bakhtiari 2012]. No devastating
attacks on RSA have been yet discovered. Several attacks have been predicted
based on the weak plaintext, weak parameter selection or inappropriate
implementation.
Factorization attack: The security of RSA is based on the idea that the
modulus is so large that it is infeasible to factor it in reasonable time. Seetha
selects p and q and calculates n = p × q. Although n is public, p and q are
secret. If Ravanan can factor n and obtain p and q, he can calculate
φ(n) = (p-1) × (q-1). Ravanan can then calculate d = e^{-1} mod φ(n), because e
is public. The private exponent d is the trapdoor that Ravanan can use to
decrypt any encrypted message. There are many factorization algorithms, but none
of them can factor a large integer with polynomial time complexity. To be
secure, RSA presently requires that n should be more than 300 decimal digits,
which means that the modulus must be at least 1024 bits; current guidance (for
example NIST SP 800-57) no longer regards 1024-bit moduli as adequate and
recommends at least 2048 bits. Even using the largest and fastest computer
available today, factoring an integer of this size would take an unfeasibly long
period of time.
Chosen cipher text attack: Assume that Raman creates the cipher text C =
M^e mod n and sends C to Seetha. Assume that Seetha will decrypt an arbitrary
cipher text for Ravanan, other than C. Ravanan intercepts C and uses the
following steps to find M.
Choose a random integer X from Zn*
Calculate Y = C × X^e mod n
Send Y to Seetha for decryption and obtain Z = Y^d mod n
Calculate M as follows:
Z = Y^d mod n = (C × X^e)^d mod n = (C^d × X^ed) mod n = (C^d × X) mod n
Z = (M × X) mod n
M = Z × X^-1 mod n (Ravanan can use the extended Euclidean algorithm to find the
multiplicative inverse of X)
Encryption exponent attack: Having a low public exponent will reduce
encryption and signature validation computing costs. However, too low an e is
also insecure. Today's standard e is set at 2^16 + 1. This is a large enough value
to avoid attacks and needs only 17 modular multiplications for M^e mod n using
repeated squaring. But if a very small e is used instead, it can be subjected to
attacks such as the broadcast attack. If the same M is encrypted with many users'
<e, n> keys and broadcast out, Ravanan can collect each one and compute M.
If all users have the same e, then Ravanan needs to collect at least e messages.
For example, if e = 3:
C1 = M^3 mod n1, C2 = M^3 mod n2, C3 = M^3 mod n3, with M < min{n1, n2, n3}, thus M^3 < n1 n2 n3.
Using the CRT, the value C that satisfies C ≡ Ci (mod ni) for i = 1, 2, 3 equals M^3 mod n1 n2 n3,
which is M^3 itself because M^3 < n1 n2 n3; thus taking the integer cube root of C
gives M. Stronger attacks are also known on a small e. If you pad M in the above
scenario to make it unique for each message, then the broadcast attack fails. But
Hastad showed that if the padding scheme is a public, fixed polynomial function it
does not defend against the attack. Franklin and Reiter found an attack on two related
messages encrypted with the same modulus in time quadratic in e. And Coppersmith
took it further to show an attack on the same messages that used a short, random pad
(1/9th the size of M). So using a small e is not wise. To defend against all the low
public exponent attacks, a large e such as the standard 2^16 + 1 should be used. A
good randomized pad also helps make the encrypted M values random, removing relationships
amongst messages.
Attacks on the decryption exponent: Two forms of attack can be launched on the
decryption exponent: the revealed decryption exponent attack and the low decryption
exponent attack. It is obvious that if Ravanan can find the decryption exponent d,
he can decrypt the current encrypted message. However, the attack does not stop
here. If Ravanan knows the value of d, he can use a probabilistic algorithm to
factor n and find the values of p and q. Consequently, if Seetha changes only the
compromised decryption exponent but keeps the same modulus n, Ravanan will
be able to decrypt future messages because he has the factorization of n. This
means that if Seetha finds out that the decryption exponent is compromised, she
needs to choose new values for p and q, calculate n, and create totally new
private and public keys. The low decryption exponent attack takes place due to the
choice of a low value for d by Seetha. Wiener showed that if d < (1/3) n^(1/4), a special
type of attack based on continued fractions can compromise the security
of RSA.
Plaintext attack: The known-plaintext attack (KPA) is an attack
model for cryptanalysis where the attacker has samples of both
the plaintext (called a crib) and its encrypted version (ciphertext). These can be
used to reveal further secret information such as secret keys. Plaintext attacks on
RSA can be divided into the short message attack, the cyclic attack and the unconcealed
message attack. In the short message attack, if Ravanan knows the set of possible
plaintexts, he then knows one or more pieces of information in addition to the fact
that the cipher text is a permutation of the plaintext. Ravanan can encrypt all of the
possible messages until the result is the same as the cipher text intercepted. So, short
messages must be padded with random bits at the front and end to thwart this type
of attack. The cyclic attack is based on the fact that if the cipher text is a
permutation of the plaintext, continued encryption of the cipher text will
eventually result in the plaintext. The attack based on the permutation relationship
between plaintext and cipher text is called the unconcealed message attack.
Modulus attack: The idea of the common modulus is that in a session of
RSA with several users there is a trusted entity which defines a modulus n and
provides each user with a pair of valid RSA public and private keys (defined
modulo n), but not the factorization of n. That is, each user Ui gets the public
key (ei, n) and the private key (di, n). Simmons [G. J. Simmons 1983] showed
that, without needing to factor the modulus, if the same plaintext is encrypted
and sent to two users with co-prime public exponents, any other user can decrypt
the corresponding cipher text.
Implementation attack: Timing attacks and power cryptanalysis have been
shown to analyze the computation of RSA decryption to derive the private key d,
one bit at a time. For example, the "repeated squaring algorithm" does a round of
computation for each bit of d. If the bit is 1, then an additional multiplication
mod n is performed. Thus, analyzing the timing or power to determine the
operations can give away d. To prevent this, fix the algorithm to perform the same
operations, with the same timing and power, for each bit of d regardless of whether it is 0 or 1.
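An added example (not from the thesis) of the leak just described and of the fix: an instrumented square-and-multiply whose multiplication count follows the bits of the exponent, beside a Montgomery ladder that does the same two operations on every bit; base, exponent and modulus values are constructed.

```python
# Added example (not the thesis's own code): why the "repeated squaring"
# routine leaks bits of d, and the shape of the fix the text describes.
# square_and_multiply does an extra modular multiply only for 1-bits, so its
# operation count follows the bits of the exponent; montgomery_ladder does one
# squaring and one multiplication on every bit. Both return the result together
# with the number of modular multiplications performed.

def square_and_multiply(base, exp, mod):
    """Left-to-right repeated squaring; returns (base^exp mod mod, op count)."""
    result, count = 1, 0
    for bit in bin(exp)[2:]:                 # most significant bit first
        result = (result * result) % mod
        count += 1
        if bit == "1":                       # data-dependent extra multiply
            result = (result * base) % mod
            count += 1
    return result, count

def montgomery_ladder(base, exp, mod):
    """Same result; invariant r1 = r0 * base, two operations per bit regardless."""
    r0, r1, count = 1, base % mod, 0
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        else:
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        count += 2                           # identical work on both paths
    return r0, count

def operation_counts(base, mod, exponents):
    """(square_and_multiply count, ladder count) for each exponent."""
    return [(square_and_multiply(base, e, mod)[1],
             montgomery_ladder(base, e, mod)[1]) for e in exponents]
```

A Python loop is not itself constant-time: a production implementation also removes the branch on the bit (for example with a conditional swap) and relies on constant-time big-integer arithmetic.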
The paper [Majid Bakhtiari 2012] has shown that for every cipher text the RSA
cryptosystem has at least two equivalent secret keys within the domain of n, and
that infinitely many equivalent secret keys exist outside the domain of n. The paper
also proves that the maximum security level of RSA is not equal to the bit length of
n for any bit lengths of p and q, and shows that the security level of the RSA
cryptosystem is smaller than the digit length of each of the two selected prime numbers.
2.14 Rabin System
The Rabin cryptosystem is a variation of the RSA system. It is also based on the
factoring problem. The Rabin cryptosystem can be thought of as an RSA cryptosystem
in which the values of e and d are fixed: e = 2 and d = 1/2. In other words,
the encryption is C = M^2 (mod n) and the decryption is M = C^(1/2) (mod n). The public
key in the Rabin system is n; the private key is the tuple (p, q). Everyone can
encrypt a message using n; only Seetha can decrypt the message using p and q.
Decryption of the message is infeasible for Ravanan because he does not know the
values of p and q. Figure 2.27 shows the encryption, decryption and key generation
of the Rabin system. Here, if Seetha is using RSA, she can keep d and n and discard
p, q and φ(n) after key generation. If Seetha is using the Rabin cryptosystem, she
needs to keep p and q.
Figure 2.27: Encryption, Decryption and Key Generation in Rabin system
Key generation
Seetha uses the following steps to create her public key and private key.
Although the two primes, p and q, can be of the form 4k + 1 or 4k + 3 (k is an
integer), the decryption process becomes more difficult if the first form is used. It
is recommended to use the second form, 4k + 3, to make decryption for Raman
much easier.
Rabin_Key_Generation
{
    Choose two large primes p and q of the form 4k + 3 with p ≠ q
    n ← p × q
    public_key ← n            // To be announced publicly
    private_key ← (p, q)      // To be kept secret
    return public_key and private_key
}
Encryption
Anyone can send a message to Seetha using her public key. The encryption
process is shown in the algorithm.
Rabin_Encryption(n, M)    // n is the public key and M is the plaintext from Zn*
{
    C ← M^2 mod n         // C is the cipher text
    return C
}
Although the plaintext M can be chosen from the set Zn, we have defined the
set to be Zn* to make the decryption easier. Encryption in the Rabin
cryptosystem is very simple. The operation needs only one multiplication, which can be
done quickly. This is beneficial when resources are limited.
Decryption
Rabin_Decryption(p, q, C)    // C is the cipher text; p and q are the private keys
{
    a1 ← +C^((p+1)/4) mod p
    a2 ← -C^((p+1)/4) mod p
    b1 ← +C^((q+1)/4) mod q
    b2 ← -C^((q+1)/4) mod q
    // The Chinese Remainder algorithm is called four times
    M1 ← Chinese_Remainder(a1, b1, p, q)
    M2 ← Chinese_Remainder(a1, b2, p, q)
    M3 ← Chinese_Remainder(a2, b1, p, q)
    M4 ← Chinese_Remainder(a2, b2, p, q)
    return M1, M2, M3 and M4
}
The decryption is based on quadratic congruence. Because the received
cipher text is the square of the plain text, it is guaranteed that C has roots in Zn*.
The Chinese Remainder Theorem is used to find the four square roots. The most
important point about Rabin system is that it is not deterministic. The decryption
has four answers. It is up to the receiver of the message to choose one of the four
as the final answer [A. Menezes 1996].
The Rabin system is secure as long as p and q are large numbers. The
complexity of breaking the Rabin system is at the same level as factoring a large number n into
its two prime factors p and q. In other words, the Rabin system is as secure as RSA.
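The Rabin key generation, encryption and four-root decryption above, carried through in code as an added example (not the thesis's own); the primes 7 and 11 and the message 20 are constructed toy values.

```python
# Added example (not the thesis's own code): Rabin key generation, encryption
# and the four-root decryption given above, with the Chinese Remainder step
# written out. The primes p = 7 and q = 11 (both of the form 4k + 3) are
# constructed toy values.

def rabin_key_generation(p, q):
    """Public key n = p*q; private key (p, q); both primes must be 3 mod 4."""
    if p == q or p % 4 != 3 or q % 4 != 3:
        raise ValueError("need two distinct primes of the form 4k + 3")
    return p * q, (p, q)

def rabin_encryption(n, m):
    """C = M^2 mod n for a plaintext in Z_n*."""
    if not 0 < m < n:
        raise ValueError("plaintext must be in Z_n*")
    return (m * m) % n

def chinese_remainder(a, b, p, q):
    """The unique x in Z_n (n = p*q) with x = a (mod p) and x = b (mod q)."""
    n = p * q
    t = ((b - a) * pow(p, -1, q)) % q        # Garner's form: x = a + p*t
    return (a + p * t) % n

def rabin_decryption(p, q, c):
    """Return the four square roots of c modulo n, sorted."""
    a1 = pow(c, (p + 1) // 4, p)             # +sqrt(c) mod p (valid as p = 3 mod 4)
    a2 = (-a1) % p                           # -sqrt(c) mod p
    b1 = pow(c, (q + 1) // 4, q)             # +sqrt(c) mod q
    b2 = (-b1) % q                           # -sqrt(c) mod q
    roots = {chinese_remainder(a, b, p, q) for a in (a1, a2) for b in (b1, b2)}
    return sorted(roots)

def roots_square_to(p, q, c):
    """Check that every returned root really encrypts back to c."""
    n = p * q
    return all(rabin_encryption(n, r) == c for r in rabin_decryption(p, q, c))
```

Only one of the four roots is the original plaintext; the receiver needs some redundancy in M to pick it, which is the non-determinism the text refers to.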
2.15 ElGamal cryptosystem
In 1984 Taher ElGamal presented a cryptosystem. It relies on the
assumption that the discrete logarithm (DL) cannot be found in feasible time, while the inverse
operation, exponentiation, can be computed efficiently.
If p is a very large prime number, e1 is a primitive root in the group G =
<Zp*, ×> and r is an integer, then e2 = e1^r mod p is easy to compute using the fast
exponentiation algorithm, but given e1, e2 and p, it is infeasible to calculate r
= log_e1 e2 mod p (discrete logarithm problem). Figure 2.28 shows the key
generation, encryption and decryption in the ElGamal cryptosystem.
Key generation
ElGamal_Key_Generation
{
    Select a large prime p
    Select d to be a member of the group G = <Zp*, ×> such that 1 ≤ d ≤ p-2
    Select e1 to be a primitive root in the group G = <Zp*, ×>
    e2 ← e1^d mod p
    public_key ← (e1, e2, p)    // To be announced publicly
    private_key ← d             // To be kept secret
    return public_key and private_key
}
Encryption
Anyone can send a message to Seetha using her public key. By using the fast
exponentiation algorithm, encryption in the ElGamal system can also be done in
polynomial time complexity.
ElGamal_Encryption(e1, e2, p, M)
{
    Select a random integer r in the group G = <Zp*, ×>
    C1 ← e1^r mod p
    C2 ← M × e2^r mod p
    return C1 and C2    // C1 and C2 are the cipher text
}
Decryption
The following algorithm can be used to decrypt the cipher text message.
The complexity of decryption is also polynomial.
ElGamal_Decryption(d, p, C1, C2)    // C1 and C2 are the cipher text
{
    M ← [C2 × (C1^d)^-1] mod p
    return M    // M is the plaintext
}
Figure 2.28 : Key Generation,Encryption and Decryption in ElGamal System
Attacks on the ElGamal System
Two attacks have been mentioned for the ElGamal system in the literature: the
attack based on a low modulus and the known plaintext attack.
Low modulus attack: If the value of p is not large enough, Ravanan can
use efficient algorithms for the discrete logarithm problem to find d or r. If
p is small, Ravanan can easily find d = log_e1 e2 mod p and store it to decrypt any
message sent to Seetha. This can be done once and used as long as Seetha uses the
same keys. Ravanan can also use the value of C1 to find the random number r used by
Raman in each transmission, r = log_e1 C1 mod p. Both of these cases emphasize
that the security of the ElGamal cryptosystem depends on the infeasibility of solving the
discrete logarithm problem with a very large modulus. It is recommended that p
be at least 1024 bits (300 decimal digits).
Known plaintext attack: If Raman uses the same random exponent r to
encrypt M and M', Ravanan discovers M' if he knows M. Assume
that C2 = M × (e2^r) mod p and C2' = M' × (e2^r) mod p. Ravanan finds M' using
the following steps.
(e2^r) = C2 × M^-1 mod p
M' = C2' × (e2^r)^-1 mod p
It is recommended that Raman use a fresh value of r for every message to thwart the known
plaintext attack.
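The ElGamal key generation, encryption and decryption above as an added example (not the thesis's own code), drawing a fresh r for every message and checking that this makes two encryptions of the same M differ; p = 2^31 - 1 with primitive root 7, and the small p = 11 case, are constructed sample parameters.

```python
# Added example (not the thesis's own code): the ElGamal key generation,
# encryption and decryption given above, with a fresh random r per message.
# The prime p = 2^31 - 1 and its primitive root 7 are constructed sample
# parameters, far too small for real use.
import secrets

def elgamal_key_generation(p, e1, d=None):
    """Public key (e1, e2, p) and private key d; e1 must be a primitive root mod p."""
    if d is None:
        d = secrets.randbelow(p - 2) + 1       # 1 <= d <= p - 2
    e2 = pow(e1, d, p)                         # e2 = e1^d mod p
    return (e1, e2, p), d

def elgamal_encryption(public_key, m, r=None):
    """Return (C1, C2); r is drawn fresh unless a test supplies it."""
    e1, e2, p = public_key
    if not 0 < m < p:
        raise ValueError("plaintext must be in Z_p*")
    if r is None:
        r = secrets.randbelow(p - 2) + 1       # never reuse r across messages
    c1 = pow(e1, r, p)                         # C1 = e1^r mod p
    c2 = (m * pow(e2, r, p)) % p               # C2 = M * e2^r mod p
    return c1, c2

def elgamal_decryption(d, p, c1, c2):
    """M = C2 * (C1^d)^-1 mod p."""
    return (c2 * pow(pow(c1, d, p), -1, p)) % p

def elgamal_roundtrip(p, e1, m):
    """True when decrypting a fresh encryption of m under a fresh key gives m."""
    public_key, d = elgamal_key_generation(p, e1)
    return elgamal_decryption(d, p, *elgamal_encryption(public_key, m)) == m

def randomized_encryption_differs(p, e1, m):
    """Two encryptions of one M under one key differ, because r is fresh each time."""
    public_key, _ = elgamal_key_generation(p, e1)
    return elgamal_encryption(public_key, m) != elgamal_encryption(public_key, m)
```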
2.16 Elliptic Curve System
Elliptic Curve Cryptography (ECC) is considered a marvelous technique
with a low key size for the user, and it presents a hard exponential-time challenge for an
intruder trying to break into the system. In ECC a 160-bit key provides the same security
as the traditional cryptosystem RSA [Rivest R L 1978] with a 1024-bit
key, thus lowering the computing power required. Therefore, ECC offers considerably
greater security for a given key size.
The security of ECC relies on the difficulty of the Elliptic Curve Discrete
Logarithm Problem. Let P and Q be two points on an elliptic curve such that kP =
Q, where k is a scalar. Given P and Q, it is computationally infeasible to obtain k
if k is sufficiently large; k is the discrete logarithm of Q to the base P. Hence the
main operation involved in ECC is point multiplication, i.e.
multiplication of a scalar k with any point P on the curve to obtain another point
Q on the curve.
Elliptic curve arithmetic is explained in a simple manner by Tarun
Narayan Shankar and G. Sahoo [Tarun 2009]. Several methods have been used to
encrypt and decrypt using elliptic curves. The common one is to simulate the
ElGamal cryptosystem using an elliptic curve over GF(p) or GF(2^n) as shown in
figure 2.29.
Generating public and private keys
Choose E(a, b), an elliptic curve over GF(p) or GF(2^n).
Choose a point on the curve e1(x1, y1).
Choose an integer d.
Calculate e2(x2, y2) = d × e1(x1, y1). Note that multiplication here means
repeated addition of points.
Seetha announces E(a, b), e1(x1, y1) and e2(x2, y2) as her public key; she keeps d as
her private key.
Encryption
Raman selects P, a point on the curve, as his plaintext M. He then
chooses a random integer r and calculates a pair of points on the curve as the cipher text:
C1 = r × e1
C2 = M + r × e2
Here an algorithm is required to find a one-to-one correspondence between
symbols (or blocks of text) and points on the curve.
Decryption
Seetha, after receiving C1 and C2, calculates M, the plaintext, using the formula M =
C2 - (d × C1). The minus sign means adding the inverse of the point.
Figure 2.29: ElGamal CryptoSystem using Elliptic Curve
Attacks on ECC
If r is known, M = C2 - (r × e2) can be used to find the point M related to
the plaintext. But to find r, the equation C1 = r × e1 has to be solved. This means,
given two points on the curve, C1 and e1, Ravanan must find the multiplier that
creates C1 starting from e1. This is referred to as the elliptic curve discrete
logarithm problem, and the only method available to solve it is the Pollard rho
algorithm, which is infeasible if r is large and p in GF(p) or GF(2^n) is large.
If d is known to Ravanan, he can use the equation M = C2 - (d × C1) to find
the point M related to the plaintext. Because e2 = d × e1, this is the same type of
problem. Ravanan knows the values of e1 and e2; he needs to find the multiplier d.
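The elliptic-curve ElGamal steps above (key generation, encryption, decryption with "minus" as addition of the inverse point) over GF(p), as an added example that is not the thesis's own code; the curve E_23(1, 1), the base point (3, 10), the plaintext point (5, 4) and the scalars d = 7, r = 5 are constructed toy values.

```python
# Added example (not the thesis's own code): ElGamal over the elliptic curve
# y^2 = x^3 + ax + b (mod p), following the key generation, encryption and
# decryption steps above. The toy curve E_23(1, 1), its points and the
# scalars are constructed values; a real system uses a standardized curve
# with a large prime p and random d and r.

O = None                                  # the point at infinity (identity)

class Curve:
    def __init__(self, a, b, p):
        self.a, self.b, self.p = a, b, p

    def contains(self, pt):
        if pt is O:
            return True
        x, y = pt
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, pt):                    # the additive inverse of a point
        if pt is O:
            return O
        x, y = pt
        return (x, (-y) % self.p)

    def add(self, P, Q):                  # chord-and-tangent point addition
        if P is O:
            return Q
        if Q is O:
            return P
        (x1, y1), (x2, y2), p = P, Q, self.p
        if x1 == x2 and (y1 + y2) % p == 0:
            return O                      # P + (-P) = O
        if P == Q:                        # tangent slope for doubling
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:                             # chord slope for distinct points
            lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k, P):                  # k × P by double-and-add
        R = O
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

def ec_key_generation(curve, e1, d):
    """Public key (E, e1, e2 = d × e1); private key d."""
    return (curve, e1, curve.mul(d, e1)), d

def ec_encryption(public_key, M, r):
    """C1 = r × e1, C2 = M + r × e2 for a plaintext point M."""
    curve, e1, e2 = public_key
    return curve.mul(r, e1), curve.add(M, curve.mul(r, e2))

def ec_decryption(curve, d, C1, C2):
    """M = C2 - d × C1, the minus meaning addition of the inverse point."""
    return curve.add(C2, curve.neg(curve.mul(d, C1)))

def ec_demo():
    """Constructed run on E_23(1,1): returns (C1, C2, recovered M)."""
    E = Curve(1, 1, 23)
    e1, M = (3, 10), (5, 4)               # base point and plaintext point
    public_key, d = ec_key_generation(E, e1, d=7)
    C1, C2 = ec_encryption(public_key, M, r=5)
    return C1, C2, ec_decryption(E, d, C1, C2)
```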
2.17 Key Distribution using Public key Algorithm
Diffie and Hellman proposed a protocol that enabled two parties, having
no prior communication, to jointly establish a secret key over an insecure channel
[W Diffie 1992].
One of the major roles of public key cryptography has been to address the
problem of key distribution. There are actually two distinct aspects to the use of
public key cryptography in this regard:
The distribution of public keys
The use of public key encryption to distribute secret keys
Several techniques such as public announcement, a publicly available directory, a
public key authority and public certificates have been proposed for the
distribution of public keys [William S 2008].
Public Announcement of Public Keys: On the face of it, the point of
public-key encryption is that the public key is public. Thus, if there is some
broadly accepted public-key algorithm, such as RSA, any participant can send his
or her public key to any other participant or broadcast the key to the community
at large (figure 2.30). Although this approach is convenient, it has a major
weakness. Anyone can forge such a public announcement. That is, some user
could pretend to be user A and send a public key to another participant or
broadcast such a public key.
Figure 2.30: Uncontrolled public key
Publicly Available Directory: A greater degree of security can be achieved
by maintaining a publicly available dynamic directory of public keys.
Maintenance and distribution of the public directory would have to be the
responsibility of some trusted entity or organization (figure 2.31). Such a scheme
would include the following elements:
The authority maintains a directory with a {name, public key} entry for
each participant.
Each participant registers a public key with the directory authority.
Registration would have to be in person or by some form of secure
authenticated communication.
A participant may replace the existing key with a new one at any time,
either because of the desire to replace a public key that has already been
used for a large amount of data, or because the corresponding private key
has been compromised in some way.
Periodically, the authority publishes the entire directory or updates to the
directory. For example, a hard-copy version much like a telephone book
could be published, or updates could be listed in a widely circulated
newspaper.
Participants could also access the directory electronically. For this purpose,
secure, authenticated communication from the authority to the participant
is mandatory.
This scheme is clearly more secure than individual public announcements, but
still has vulnerabilities. If an opponent succeeds in obtaining or computing the
private key of the directory authority, the opponent could authoritatively pass out
counterfeit public keys and subsequently impersonate any participant and
eavesdrop on messages sent to any participant. Another way to achieve the same
end is for the opponent to tamper with the records kept by the authority.
Figure 2.31: Publicly available directory
Public-Key Authority: Stronger security for public-key distribution can be
achieved by providing tighter control over the distribution of public keys from the
directory. As before, the scenario assumes that a central authority maintains a
dynamic directory of public keys of all participants. In addition, each participant
reliably knows a public key for the authority, with only the authority knowing the
corresponding private key. However, this is not perfect, as the public-key authority
could be somewhat of a bottleneck in the system. The reason for this is that a user
must appeal to the authority for a public key for every other user that it wishes to
contact. Also, the directory of names and public keys maintained by the authority
is vulnerable to tampering.
Public-Key Certificates: An alternative approach to the above is the use of
certificates that can be used by participants to exchange keys without contacting a
public-key authority. Each certificate, containing a public key and other
information, is created by a certificate authority and is given to the participant
with the matching private key. A participant conveys its key information to
another by transmitting its certificate. Other participants can verify that the
certificate was created by the authority. The following requirements apply to this
particular scheme:
Any participant can read a certificate to determine the name and public key
of the certificate's owner.
Any participant can verify that the certificate originated from the certificate
authority and is not counterfeit.
Only the certificate authority can create and update certificates.
Any participant can verify the currency of the certificate.
Once public keys have been distributed, secure communication that thwarts
eavesdropping, tampering or both is possible. Public key encryption provides for
the distribution of secret keys to be used for conventional encryption. Different
methods exist for the distribution of secret keys using public key
cryptography. A simple secret key distribution was put forward by Merkle
[Merkle 1979] as illustrated in figure 2.32.
Figure 2.32: Simple use of public key to establish session key
If Raman wishes to communicate with Seetha, the following procedure is
employed.
Raman generates a public/private key pair {PUr, PRr} and transmits a
message to Seetha consisting of PUr and an identifier of Raman, IDr.
Seetha generates a secret key, Ks, and transmits it to Raman, encrypted with
Raman's public key.
Raman computes D(PRr, E(PUr, Ks)) to recover the secret key. Because only
Raman can decrypt the message, only Raman and Seetha know the identity
of Ks.
Raman discards PUr and PRr and Seetha discards PUr.
Raman and Seetha can now securely communicate using conventional
encryption and the session key Ks. At the completion of the exchange, both Raman
and Seetha discard Ks. This protocol is insecure against the man-in-the-middle attack.
A protocol suggested in [Needam R 1978] provides protection of keys
against both passive and active attacks while maintaining both confidentiality and
authentication. The procedure is illustrated in figure 2.33.
Figure 2.33: Public key distribution of secret keys
Raman uses Seetha's public key to encrypt a message to Seetha containing
an identifier of Raman (IDr) and a nonce (N1), which is used to identify this
transaction uniquely.
Seetha sends a message to Raman encrypted with PUr and containing
Raman's nonce (N1) as well as a new nonce generated by Seetha (N2).
Raman returns N2, encrypted using Seetha's public key, to assure Seetha
that its correspondent is Raman.
Raman selects a secret key Ks and sends M = E(PUs, E(PRr, Ks)) to Seetha.
Seetha computes D(PUr, D(PRs, M)) to recover the secret key.
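The five-step exchange above run end to end with both parties' messages, as an added example that is not the thesis's or the cited protocol's own code: textbook RSA on integers stands in for E() and D(), nonces are 32 bits and Ks is 64 bits, and the primes, identifier and field sizes are constructed toy values (Raman's modulus is kept smaller than Seetha's so that E(PRr, Ks) fits under Seetha's modulus in step 4).

```python
# Added example (not the thesis's own code): the five-step exchange of
# figure 2.33 run end to end, with textbook RSA on integers standing in for
# E() and D(), 32-bit nonces and a 64-bit session key. Primes, identifiers
# and sizes are constructed toy values; Raman's modulus is chosen smaller than
# Seetha's so that E(PRr, Ks) fits under Seetha's modulus in step 4.
import secrets

def rsa_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)       # (PU, PR)

def E(key, x):                                # encrypt with PU, or sign with PR
    k, n = key
    return pow(x, k, n)

D = E                                         # D(PR, .) and D(PU, .) are the same operation

def pack(hi, lo):                             # two 32-bit fields in one integer
    return (hi << 32) | lo

def unpack(v):
    return v >> 32, v & 0xFFFFFFFF

class Raman:
    def __init__(self):
        self.pu, self.pr = rsa_keypair(2147483647, 2305843009213693951)  # 2^31-1, 2^61-1
        self.id = 0xA1                        # IDr, constructed
    def step1(self, pu_s):                    # E(PUs, [IDr || N1])
        self.n1 = secrets.randbits(32)
        return E(pu_s, pack(self.id, self.n1))
    def step3(self, msg2, pu_s):              # check N1, return E(PUs, N2)
        n1, n2 = unpack(D(self.pr, msg2))
        if n1 != self.n1:
            raise ValueError("N1 mismatch: reply does not belong to this run")
        return E(pu_s, n2)
    def step4(self, pu_s):                    # M = E(PUs, E(PRr, Ks))
        self.ks = secrets.randbits(64)
        return E(pu_s, E(self.pr, self.ks))

class Seetha:
    def __init__(self):
        self.pu, self.pr = rsa_keypair(618970019642690137449562111,               # 2^89-1
                                       170141183460469231731687303715884105727)  # 2^127-1
    def step2(self, msg1, pu_r):              # E(PUr, [N1 || N2])
        self.id_r, n1 = unpack(D(self.pr, msg1))
        self.n2 = secrets.randbits(32)
        return E(pu_r, pack(n1, self.n2))
    def step3_check(self, msg3):              # the returned N2 proves Raman's PRr is live
        if D(self.pr, msg3) != self.n2:
            raise ValueError("N2 mismatch: correspondent is not Raman")
    def step5(self, msg4, pu_r):              # Ks = D(PUr, D(PRs, M))
        return D(pu_r, D(self.pr, msg4))

def run_protocol():
    """Execute all five steps; True when both sides hold the same Ks."""
    r, s = Raman(), Seetha()
    m1 = r.step1(s.pu)
    m2 = s.step2(m1, r.pu)
    m3 = r.step3(m2, s.pu)
    s.step3_check(m3)
    m4 = r.step4(s.pu)
    return s.step5(m4, r.pu) == r.ks

def stale_reply_rejected():
    """A step-2 reply from an earlier run carries the old N1 and is refused."""
    r, s = Raman(), Seetha()
    old_m2 = s.step2(r.step1(s.pu), r.pu)
    r.step1(s.pu)                             # Raman starts a fresh run: new N1
    try:
        r.step3(old_m2, s.pu)
    except ValueError:
        return True
    return False
```

Textbook RSA on short integers is used only to make the message flow concrete; a deployment would use a padded encryption and signature scheme for the same steps.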
Yet another way to use public key encryption to distribute keys is a
hybrid approach, which retains the use of a Key Distribution Centre (KDC) that
shares a secret master key with each user and distributes secret session keys
encrypted with the master key.
The question of key exchange was one of the first problems addressed
by a cryptographic protocol. This was prior to the invention of public key
cryptography. The Diffie-Hellman Key Agreement Protocol (1976) was the first
practical method for establishing a shared secret over an unsecured
communication channel, which is shown in figure 2.34. The point is to agree on a
key that two parties can use for a symmetric encryption, in such a way that an
eavesdropper cannot obtain the key.
Steps in the algorithm:
Raman and Seetha agree on a prime number p and a base g.
Raman chooses a secret number a, and sends Seetha (g^a mod p).
Seetha chooses a secret number b, and sends Raman (g^b mod p).
Raman computes ((g^b mod p)^a mod p).
Seetha computes ((g^a mod p)^b mod p).
Both Raman and Seetha can use this number as their key. Notice that p and g
need not be protected.
Example
Raman and Seetha agree on p = 23 and g = 5.
Raman chooses a = 6 and sends 5^6 mod 23 = 8.
Seetha chooses b = 15 and sends 5^15 mod 23 = 19.
Raman computes 19^6 mod 23 = 2.
Seetha computes 8^15 mod 23 = 2.
Then 2 is the shared secret.
Clearly, much larger values of a, b, and p are required. An eavesdropper
cannot discover this value even if he or she knows p and g and can obtain each of
the messages.
Figure 2.34: Diffie-Hellman protocol
Suppose p is a prime of around 300 digits, and a and b are at least 100 digits each.
Discovering the shared secret given g, p, g^a mod p and g^b mod p would take
longer than the lifetime of the universe, using the best known algorithm. This is
called the discrete logarithm problem.
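The Diffie-Hellman steps above run from both sides on the page's sample parameters (p = 23, g = 5, a = 6, b = 15), as an added example that is not the thesis's own code; the check on the received value before it is used is an added defensive step, not part of the steps listed.

```python
# Added example (not the thesis's own code): the Diffie-Hellman steps above,
# run with the page's sample parameters p = 23, g = 5, a = 6, b = 15, plus the
# check a receiver should apply to the value it gets before using it.

def dh_public_value(g, secret, p):
    return pow(g, secret, p)                 #  g^secret mod p

def public_value_is_valid(value, p):
    """Reject 0, 1 and p-1: they force the shared secret into {0, 1, p-1}."""
    return 1 < value < p - 1

def dh_shared_secret(received, secret, p):
    if not public_value_is_valid(received, p):
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(received, secret, p)          # (g^other)^secret mod p

def dh_exchange(p, g, a, b):
    """Run both sides; return (Raman's value, Seetha's value, shared key)."""
    value_raman = dh_public_value(g, a, p)   # Raman sends g^a mod p
    value_seetha = dh_public_value(g, b, p)  # Seetha sends g^b mod p
    key_raman = dh_shared_secret(value_seetha, a, p)    # (g^b)^a mod p
    key_seetha = dh_shared_secret(value_raman, b, p)    # (g^a)^b mod p
    if key_raman != key_seetha:
        raise RuntimeError("the two sides derived different keys")
    return value_raman, value_seetha, key_raman

if __name__ == "__main__":
    print(dh_exchange(23, 5, 6, 15))         # (8, 19, 2)
```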
2.18 Hybrid cryptography
A hybrid cryptosystem is a protocol using multiple ciphers of different
types together, each to its best advantage. One common approach is to generate a
random secret key for a symmetric cipher, and then encrypt this key via an
asymmetric cipher using the recipient's public key. The message itself is then
encrypted using the symmetric cipher and the secret key. Both the encrypted
secret key and the encrypted message are then sent to the recipient. The recipient
decrypts the secret key first, using his / her own private key, and then uses that
key to decrypt the message.
Figure 2.35: Hybrid Crypto System
Figure 2.35 shows the block diagram of a hybrid crypto system which takes
the advantages of both shared secret and public key algorithms. That means it
combines both the symmetric key algorithm and asymmetric-key algorithm to
take the advantage of the higher speed of symmetric ciphers and the ability of
asymmetric ciphers to securely exchange keys.