
RSA and Zero Knowledge Proof

Uploaded by

Sera Esra Paul

Review of Secret Key (Symmetric) Cryptography
• Confidentiality
– stream ciphers (uses PRNG)
– block ciphers with encryption modes
• Integrity
– Cryptographic hash functions
– Message authentication code (keyed hash functions)
• Limitation: sender and receiver must share the same
key
– Needs secure channel for key distribution
– Impossible for two parties having no prior relationship
– Needs many keys for n parties to communicate

Fall 2010/Lecture 31 1
Public Key Encryption Overview
• Each party has a PAIR $(K, K^{-1})$ of keys:
– $K$ is the public key, and used for encryption
– $K^{-1}$ is the private key, and used for decryption
– Satisfies $D_{K^{-1}}[E_K[M]] = M$
• Knowing the public key $K$, it is computationally infeasible to
compute the private key $K^{-1}$
– How to check $(K, K^{-1})$ is a pair?
– Offers only computational security. PK Encryption impossible when
P=NP, as deriving $K^{-1}$ from $K$ is in NP.
• The public-key K may be made publicly available, e.g., in a
publicly available directory
– Many can encrypt, only one can decrypt
• Public-key systems aka asymmetric crypto systems

Public Key Encryption Algorithms
• Almost all public-key encryption algorithms use
either number theory and modular arithmetic, or
elliptic curves
• RSA
– based on the hardness of factoring large numbers
• El Gamal
– Based on the hardness of solving discrete logarithm
– Basic idea: public key $g^x$, private key $x$; to encrypt:
$[g^y, g^{xy} M]$.

RSA Algorithm
• Invented in 1978 by Ron Rivest, Adi Shamir and
Leonard Adleman
– Published as R L Rivest, A Shamir, L Adleman, "On
Digital Signatures and Public Key Cryptosystems",
Communications of the ACM, vol 21 no 2, pp120-126,
Feb 1978
• Security relies on the difficulty of factoring large
composite numbers
• Essentially the same algorithm was discovered
in 1973 by Clifford Cocks, who works for the
British intelligence

RSA Public Key Crypto System
Key generation:
1. Select 2 large prime numbers of about the same size, $p$ and $q$
Typically each of $p$, $q$ has between 512 and 2048 bits
2. Compute $n = pq$, and $\phi(n) = (q-1)(p-1)$
3. Select $e$, $1 < e < \phi(n)$, s.t. $\gcd(e, \phi(n)) = 1$
Typically $e = 3$ or $e = 65537$
4. Compute $d$, $1 < d < \phi(n)$, s.t. $ed \equiv 1 \pmod{\phi(n)}$
Knowing $\phi(n)$, $d$ is easy to compute.

Public key: $(e, n)$
Private key: $d$

RSA Description (cont.)
Encryption
Given a message $M$, $0 < M < n$ ($M \in \mathbb{Z}_n \setminus \{0\}$)
use public key $(e, n)$
compute $C = M^e \bmod n$ ($C \in \mathbb{Z}_n \setminus \{0\}$)

Decryption
Given a ciphertext $C$, use private key $(d)$
Compute $C^d \bmod n = (M^e \bmod n)^d \bmod n = M^{ed} \bmod n = M$

Encryption: $C = M^e \bmod n$ (with $n = pq$)
Plaintext: $M$    Ciphertext: $C$
Decryption: $C^d \bmod n$

From $n$, difficult to figure out $p$, $q$
From $(n, e)$, difficult to figure out $d$.
From $(n, e)$ and $C$, difficult to figure out $M$ s.t. $C = M^e$

RSA Example
• $p = 11$, $q = 7$, $n = 77$, $\phi(n) = 60$
• $d = 13$, $e = 37$ ($ed = 481$; $ed \bmod 60 = 1$)
• Let $M = 15$. Then $C \equiv M^e \bmod n$
– $C \equiv 15^{37} \pmod{77} = 71$
• $M \equiv C^d \bmod n$
– $M \equiv 71^{13} \pmod{77} = 15$

RSA Example 2
• Parameters:
– $p = 3$, $q = 5$, $n = pq = 15$
– $\phi(n) = ?$
• Let e = 3, what is d?
• Given M=2, what is C?
• How to decrypt?

RSA Security
• Security depends on the difficulty of factoring n
– Factor $n$ => $\phi(n)$ => compute $d$ from $(e, \phi(n))$
• The length of n=pq reflects the strength
– 700-bit n factored in 2007
– 768 bit factored in 2009
• 1024 bit for minimal level of security today
– likely to be breakable in near future
• Minimal 2048 bits recommended for current usage
• NIST suggests 15360-bit RSA keys are equivalent in
strength to 256-bit
• RSA speed is quadratic in key length

Real World Usage of Public Key Encryption
• Often used to encrypt a symmetric key
– To encrypt a message M under a public key (n,e), generate a new
AES key K, compute [RSA(n,e,K), AES(K,M)]
• Plain RSA does not satisfy IND requirement.
– How to break it?
• One often needs padding, e.g., Optimal Asymmetric
Encryption Padding (OAEP)
– Roughly, to encrypt $M$, choose random $r$, encode $M$ as
$M' = [X = M \oplus H_1(r),\ Y = r \oplus H_2(X)]$, where $H_1$ and $H_2$ are cryptographic
hash functions, then encrypt it as $(M')^e \bmod n$
– Note that given $M' = [X, Y]$, $r = Y \oplus H_2(X)$, and $M = X \oplus H_1(r)$
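
Added example (not from the slides): the Python sketch below shows why plain RSA fails IND, since encryption is deterministic and anyone holding the public key can test a guessed plaintext, and how the randomised encoding $M' = [X, Y]$ above removes that property. The key built from two small Mersenne primes, the 8-byte block size and the SHA-256-based `h` standing in for $H_1$/$H_2$ are assumptions for illustration; the code follows the slide's simplified formula, not standardised OAEP.

```python
import hashlib
import secrets

# Constructed demo key from two small Mersenne primes; far too short for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # ed ≡ 1 mod φ(n)
HALF = 8                               # bytes in each of X and Y (toy size)

def h(tag: bytes, data: bytes) -> bytes:
    """H1/H2 modelled as domain-separated SHA-256, truncated (assumption)."""
    return hashlib.sha256(tag + data).digest()[:HALF]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def plain_encrypt(m: bytes) -> int:
    """Textbook RSA: C = M^e mod n, no randomness."""
    return pow(int.from_bytes(m, "big"), E, N)

def confirm_guess(c: int, candidates: list) -> list:
    """Deterministic encryption lets any holder of (n, e) test guessed plaintexts."""
    return [m for m in candidates if plain_encrypt(m) == c]

def encode(m: bytes, r: bytes) -> bytes:
    """M' = [X = M xor H1(r), Y = r xor H2(X)]."""
    x = xor(m, h(b"H1", r))
    return x + xor(r, h(b"H2", x))

def decode(m_prime: bytes) -> bytes:
    """r = Y xor H2(X), then M = X xor H1(r)."""
    x, y = m_prime[:HALF], m_prime[HALF:]
    return xor(x, h(b"H1", xor(y, h(b"H2", x))))

def padded_encrypt(m: bytes) -> int:
    if len(m) != HALF:
        raise ValueError("toy scheme encrypts exactly HALF bytes")
    m_prime = encode(m, secrets.token_bytes(HALF))
    return pow(int.from_bytes(m_prime, "big"), E, N)

def padded_decrypt(c: int) -> bytes:
    return decode(pow(c, D, N).to_bytes(2 * HALF, "big"))
```

In production, use a vetted library's RSA-OAEP rather than any hand-written encoding.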

Digital Signatures: The Problem

• Consider the real-life example where a person pays by
credit card and signs a bill; the seller verifies that the
signature on the bill is the same as the signature on the
card
• Contracts are valid if they are signed.
• Signatures provide non-repudiation.
– ensuring that a party in a dispute cannot repudiate, or refute the
validity of a statement or contract.
• Can we have a similar service in the electronic world?
– Does Message Authentication Code provide non-repudiation? Why?

Digital Signatures
• MAC: One party generates MAC, one party verifies integrity.
• Digital signatures: One party generates signature, many
parties can verify.
• Digital Signature: a data string which associates a message
with some originating entity.
• Digital Signature Scheme:
– a signing algorithm: takes a message and a (private) signing key,
outputs a signature
– a verification algorithm: takes a (public) verification key, a
message, and a signature
• Provides:
– Authentication, Data integrity, Non-Repudiation

Digital Signatures and Hash
• Very often digital signatures are used
with hash functions: the hash of a
message is signed instead of the
message.
• Hash function must be:
– Pre-image resistant
– Weak collision resistant
– Strong collision resistant

RSA Signatures
Key generation (as in RSA encryption):
• Select 2 large prime numbers of about the
same size, p and q
• Compute $n = pq$, and $\phi = (q - 1)(p - 1)$
• Select a random integer $e$, $1 < e < \phi$, s.t.
$\gcd(e, \phi) = 1$
• Compute $d$, $1 < d < \phi$, s.t. $ed \equiv 1 \bmod \phi$

Public key: $(e, n)$, used for verification
Secret key: $d$, used for generation

RSA Signatures (cont.)
Signing message M
• Verify $0 < M < n$
• Compute $S = M^d \bmod n$

Verifying signature S
• Use public key $(e, n)$
• Compute $S^e \bmod n = (M^d \bmod n)^e \bmod n = M$

Note: in practice, a hash of the message is signed and not the message itself.

The Big Picture

| | Secret Key Setting | Public Key Setting |
|---|---|---|
| Secrecy / Confidentiality | Stream ciphers; Block ciphers + encryption modes | Public key encryption: RSA, El Gamal, etc. |
| Authenticity / Integrity | Message Authentication Code | Digital Signatures: RSA, DSA, etc. |

Zero Knowledge Proofs

Interactive Proof Systems
• Traditionally, a proof for a statement is a static
string whose correctness one can verify
– Follows axioms and deduction rules.

• Generalizing proof systems to be interactive
– A proof system involves an algorithm for a prover and
a verifier.
– A proof system can be probabilistic in ensuring
correctness of the statement being proved

Zero Knowledge Proofs
• A protocol involving a prover and a verifier that
enables the prover to prove a statement to a verifier without
revealing any other information
– E.g., proving that a number $n$ is of the form of the
product of two prime numbers
– Proving that one knows $p$, $q$ such that $n = pq$
– Proving that one knows $x$ such that $g^x \bmod p = y$

CS555 Topic 23 21
Two Kinds of Zero-Knowledge Proofs

• ZK proof of a statement
– convincing the verifier that a statement is true without
yielding any other information
– example of a statement: a propositional formula is
satisfiable

• ZK proof of knowledge
– convincing the verifier that one knows a secret, e.g.,
one knows the discrete logarithm $\log_g(y)$

Properties of Interactive Zero-Knowledge Proofs of Knowledge
• Completeness
– Given honest prover and honest verifier, the protocol
succeeds with overwhelming probability

• Soundness
– no one who doesn’t know the secret can convince the
verifier with nonnegligible probability

• Zero knowledge
– the proof does not leak any additional information

Honest Verifier ZK vs. Standard ZK
• Honest Verifier ZK means that a simulator exists
for the Verifier algorithm V given in the protocol.

• Standard ZK requires that a simulator exists for
any algorithm V* that can play the role of the
verifier in the protocol.

Zero Knowledge Proof of Knowledge
• A ZKP protocol is a proof of knowledge if it
satisfies a stronger soundness property:
– The prover must know the witness of the statement
• Soundness property: If a prover A can convince a
verifier, then a knowledge extractor exists
– a polynomial algorithm that given A can output the
secret
• The Fiat-Shamir protocol is also a proof of
knowledge:

Elliptic Curve

• What are Elliptic Curves?
– Curve with standard form $y^2 = x^3 + ax + b$, $a, b \in \mathbb{R}$

• Characteristics of Elliptic Curve
– Forms an abelian group
– Symmetric about the x-axis
– Point at Infinity acting as the identity element
Examples of Elliptic Curves
Why Elliptic Curve Cryptography?

• Shorter Key Length

• Lesser Computational Complexity

• Low Power Requirement

• More Secure
Comparable Key Sizes for Equivalent Security

| Symmetric Encryption (key size in bits) | RSA and Diffie-Hellman (modulus size in bits) | ECC key size in bits |
|---|---|---|
| 56 | 512 | 112 |
| 80 | 1024 | 160 |
| 112 | 2048 | 224 |
| 128 | 3072 | 256 |
| 192 | 7680 | 384 |
| 256 | 15360 | 512 |


What is Elliptic Curve Cryptography?

• Implementing Group Operations
– Main operations - point addition and point multiplication
– Adding two points that lie on an Elliptic Curve – results in a
third point on the curve
– Point multiplication is repeated addition
– If P is a known point on the curve (aka Base point; part of
domain parameters) and it is multiplied by a scalar k, Q=kP
is the operation of adding P + P + P + P… +P (k times)
– Q is the resulting public key and k is the private key in the
public-private key pair
What is Elliptic Curve Cryptography?

• Adding two points on the curve
• P and Q are added to obtain P+Q which is a
reflection of R along the X axis
What is Elliptic Curve Cryptography?

• A tangent at P is extended to cut the curve at a point; its
reflection is 2P
• Adding P and 2P gives 3P
• Similarly, such operations can be performed as many times as
desired to obtain Q = kP
What is Elliptic Curve Cryptography?

• Discrete Log Problem
– The security of ECC is due to the intractability or difficulty of
solving the inverse operation of finding k given Q and P
– This is termed as the discrete log problem
– Methods to solve include brute force and Pollard’s Rho
attack, both of which are computationally expensive or
infeasible
– The version applicable in ECC is called the Elliptic Curve
Discrete Log Problem
– Exponential running time
Elliptic Curve Schemes

• Elliptic Curve Digital Signature Algorithm (ECDSA)

• Elliptic Curve Pintsov Vanstone Signature (ECPVS)

• Elliptic Curve Diffie-Hellman (ECDH)


Elliptic Curve Digital Signature Algorithm (ECDSA)
• Elliptic curve variant of Digital Signature
Algorithm

Canadian postage stamp that


ECDSA
• Signature Generation

Once we have the domain parameters and have decided on the keys
to be used, the signature is generated by the following steps.
Given input: $d$, $G$, $n$, hash function $H$

1. A random number $k$, $1 \le k \le n-1$, is chosen
2. $kG = (x_1, y_1)$ is computed. $x_1$ is converted to its corresponding integer $x_1'$
3. Next, $r = x_1 \bmod n$ is computed. If $r = 0$ go to step 1.
4. We then compute $k^{-1} \bmod n$
5. $e = \mathrm{HASH}(m)$ where $m$ is the message to be signed
6. $s = k^{-1}(e + dr) \bmod n$. If $s = 0$ then go to step 1.
where $d$ is the private key of the sender.

We have the signature as $(r, s)$


ECDSA
• Signature Verification
Given: $(r, s)$, $m$, $n$, $e$, $G$, $Q$, and hash function $H$
At the receiver’s end the signature is verified as follows:
1. Verify whether $r$ and $s$ belong to the interval $[1, n-1]$ for the signature to be valid.
2. Compute $e = \mathrm{HASH}(m)$. The hash function should be the same as the one used for signature generation.
3. Compute $w = s^{-1} \bmod n$.
4. Compute $u_1 = ew \bmod n$ and $u_2 = rw \bmod n$.
5. Compute $(x_1, y_1) = u_1 G + u_2 Q$.
6. The signature is valid if $r = x_1 \bmod n$, invalid otherwise.

This is how we know that the verification works the way we want it to:

We have $s = k^{-1}(e + dr) \bmod n$, which we can rearrange to obtain $k = s^{-1}(e + dr)$, which is $s^{-1}e + s^{-1}rd$

This is nothing but $we + wrd = (u_1 + u_2 d) \pmod n$

We have $u_1 G + u_2 Q = (u_1 + u_2 d)G = kG$, which translates to $v = r$.

