Arithmetic for Cryptography

Principles of Pseudorandom Number

Generation
 The Use of Random Numbers
 Many uses of random numbers in cryptography
1. nonces in authentication protocols to prevent replay
2. session keys
3. public key generation
4. keystream for a one-time pad
 These applications give rise to two distinct requirements for a sequence of random
numbers:
1. Randomness – the generated sequence of numbers be random in some well-defined
statistical sense.
2. Unpredictability - the requirement is not randomness but that the successive members
of the sequence are unpredictable.
Principles of Pseudorandom Number
Generation
 TRNGs, PRNGs, and PRFs
 Cryptographic applications make use of many techniques for random number generation.
 These algorithms are deterministic and produce sequences of numbers that are not
statistically random.
 If the algorithm is good, the resulting sequences will pass many reasonable tests of
randomness. Such numbers are referred to as pseudorandom numbers.

 TRNG
 true random number generator
 takes as input a source that is effectively random, the source is often referred to as an
entropy source.
 TRNG may simply involve conversion of an analog source to a binary output.
Principles of Pseudorandom Number
Generation
 PRNG
 PRNG takes as input a fixed value, called the seed, and produces a sequence of output
bits using a deterministic algorithm.
 output bit stream is determined solely by the input value or values.
 Pseudorandom number generator: An algorithm that is used to produce an open-ended
sequence of bits is referred to as a PRNG.
 Pseudorandom function (PRF)
 A PRF is used to produce a pseudorandom string of bits of some fixed length. Ex-
symmetric encryption keys, nonces.
 the PRF takes as input a seed plus some context specific values, such as a user ID or
an application ID.
 Other than the number of bits produced, there is no difference between a PRNG and a
PRF.
Principles of Pseudorandom Number
Generation
Principles of Pseudorandom Number
Generation
 PRNG Requirements
 RANDOMNESS
1. Uniformity
2. Scalability
3. Consistency
 UNPREDICTABILITY
1. forward & backward unpredictability
2. use same tests to check
 CHARACTERISTICS OF THE SEED
1. secure
2. if known adversary can determine output
3. must be random or pseudorandom number
Principles of Pseudorandom Number
Generation
Principles of Pseudorandom Number
Generation
 Algorithm Design
 Two categories:
1. Purpose-built algorithms: These are algorithms designed specifically and solely for
the purpose of generating pseudorandom bit streams.
2. Algorithms based on existing cryptographic algorithms: Cryptographic algorithms
have the effect of randomizing input.
 Three categories of cryptographic algorithms are used to create PRNGs:
1. Symmetric block ciphers
2. Asymmetric ciphers
3. Hash functions and message authentication codes
Pseudorandom Number Generators
 Linear Congruential Generators
 Proposed by Lehmer.
 The algorithm is parameterized with four numbers:
m the modulus m>0
a the multiplier 0<a<m
c the increment 0<=c<m
X0 the starting value, or seed 0<=X 0<m
 The sequence of random numbers {Xn} is obtained via iterative equation:
Xn+1 = (aXn + c)mod m
 If m, a, c and X0 are integers, then this technique will produce a sequence of integers with
each integer in the range 0<=Xn<m.
Pseudorandom Number Generators
 Blum Blum Shub Generator
 Based on public key algorithms
 procedure is:
 choose two large prime numbers, p and q, that both have a remainder of 3 when
divided by 4.
 That is,

 the BBS generator produces a sequence of bits according to the following algorithm:
Pseudorandom Number Generators

 The BBS is referred to as a cryptographically secure pseudorandom bit generator

(CSPRBG).
 Example of BBS operation
 Here, n = 192649 = 383 x 503, and the seed s = 101355.
Prime Numbers
 Central concern of number theory is the study of prime numbers.
 An integer p > 1 is a prime number if and only if its only divisors are 1 and p.
 Any integer a > 1 can be factored in a unique way as:
a = p1a1 x p2a2 x . . . . x ptat
 Examples
91 = 7 x 13
3600 = 24 x 32 x 52
11011 = 7 x 112 x 13
 The value of any given positive integer can be specified by simply listing all the nonzero
exponents in the foregoing formulation.
The integer 12 is represented by {a2 = 2, a3 = 1}.
The integer 18 is represented by {a2 = 1, a3 = 2}.
The integer 91 is represented by {a7 = 1, a13 = 1}.
Prime numbers under 2000
Relatively Prime Numbers & GCD

 Two numbers a, b are relatively prime if have no common divisors apart from 1.
 eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8 and of 15 are 1,3,5,15 and
1 is the only common factor.
 Can determine the greatest common divisor (GCD) by comparing their prime
factorizations and using least powers.
 eg. 300 = 21 x 31 x 52 18 = 21 x 32 hence
GCD(18,300) = 21 x 31 x 50 = 6
Fermat's Theorem
 Two theorems that play important role in public-key cryptography:
1. Fermat’s theorem and
2. Euler’s theorem.
 Fermat's Theorem
 ap-1 = 1 (mod p)
where p is prime and gcd(a,p)=1
Fermat's Theorem

 Alternative form of Fermat’s theorem is also useful:

 If is prime and is a positive integer, then
 ap = a(mod p)

 The first form of the theorem requires that a be relatively prime to p, but this form does
not.
Euler’s Totient Function ((n))

 The number of positive integers less than n and relatively prime to n.

 (1) = 1.
Euler’s Totient Function ((n))
 for a prime number p,
(p) = p – 1
 Suppose that we have two prime numbers p and q with p ≠ q.
 for n = pq,
 (n) = (pq) = (p) x (q) = (p - 1) x (q - 1)
 To see that, (n) = (p) x (q)
 (n) = (pq - 1) - [(q - 1) + (p - 1)
= pq - (p + q) + 1
= (p - 1) x (q - 1)
= (p) x (q)
Euler's Theorem

 A generalization of Fermat's Theorem

 a(n) = 1 (mod n)
for any a, n where gcd(a, n)=1
 eg. a = 3 ; n = 10 ; (10)=4;
hence 34 = 81 = 1 mod 10
a=2 ; n=11 ; (11)=10;
hence 210 = 1024 = 1 mod 11
 also have: a(n)+1 = a (mod n)
Primality Testing

 often need to find large prime numbers

 traditionally sieve using trial division
 ie. divide by all numbers (primes) in turn less than the square root of the number
 only works for small numbers
 alternatively can use statistical primality tests based on properties of primes
 for which all primes numbers satisfy property
 but some composite numbers, called pseudo‐primes, also satisfy the property
 can use a slower deterministic primality test
The Chinese Remainder Theorem
 The Chinese remainder theorem (CRT) is used to solve a set of congruent equations with
one variable but different moduli, which are relatively prime, as shown below:

 Suppose m1, … , mk are pairwise relatively prime positive integers, and suppose a 1 , … , ak
are integers.
 Then the system of k congruences x = ai (mod mi) (1 ≤ i ≤ k) has a unique solution modulo
M = m1 x . . . . x mk, which is given by

where ci = Mi (Mi-1 mod mi) and Mi = M / mi ,

for 1 ≤ i ≤ k.
The Chinese Remainder Theorem

 Steps to follow:
1. Find M = m1 × m2 × … × mk. This is the common modulus.
2. Find M1 = M/m1, M2 = M/m2, …, Mk = M/mk.
3. Find the multiplicative inverse of M1, M2, …, Mk using the corresponding moduli
(m1, m2, …, mk). Call the inverses M1−1, M2−1, …, Mk −1.
4. The solution to the simultaneous equations is
The Chinese Remainder Theorem
(Example)
 Find the solution to the simultaneous equations:
 Solution-
 We follow the four steps.
1. M = 3 × 5 × 7 = 105
2. M1 = 105 / 3 = 35, M2 = 105 / 5 = 21, M3 = 105 / 7 = 15
3. The inverses are M1−1 = 2, M2−1 = 1, M3−1 = 1
4. x = (2 × 35 × 2 + 3 × 21 × 1 + 2 × 15 × 1) mod 105 = ???
Stream Ciphers

 Stream cipher encrypts plaintext one bit or one byte at a time.

Stream Ciphers

 A key is input to a pseudorandom bit generator that produces a stream of 8-bit numbers.
 The output of the generator, called a keystream, is combined one byte at a time with the
plaintext stream using the bitwise exclusive-OR (XOR) operation.

 The stream cipher is similar to the one-time pad.

 The difference is that a one-time pad uses a genuine random number stream, whereas a
stream cipher uses a pseudorandom number stream.
RC4

 RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security.
 variable key size, byte-oriented stream cipher
 widely used (web SSL/TLS, wireless WEP/WPA)
 key forms random permutation of all 8-bit values
 uses that permutation to scramble input info processed a byte at a time
 Initialization of S
for i = 0 to 255 do
S[i] = i;
T[i] = K[i mod keylen];
RC4
 Use T to produce the initial permutation of S
j = 0;
for i = 0 to 255 do
j = (j + S[i] + T[i]) mod 256;
Swap (S[i], S[j]);
 Stream Generation
i, j = 0;
while (true)
i = (i + 1) mod 256;
j = (j + S[i]) mod 256;
Swap (S[i], S[j]);
t = (S[i] + S[j]) mod 256;
k = S[t];
 To encrypt, XOR the value with the next byte of plaintext. To decrypt, XOR the value with
the next byte of ciphertext.
RC4
Strength of RC4

 Claimed secure against known attacks

 However, have some analyses, some on the verge of practical
 first 256 bytes have bias
 multiple keys/same plaintext attack
 result is very non-linear
 since RC4 is a stream cipher, must never reuse a key
 have a concern with WEP, but due to key handling rather than RC4 itself .
PUBLIC KEY CRYPTOGRAPHY
Principles of Public Key cryptosystems

 Private-Key Cryptography
 traditional private/secret/single key cryptography uses one key
 shared by both sender and receiver
 if this key is disclosed communications are compromised
 also is symmetric, parties are equal
 hence does not protect sender from receiver forging a message & claiming is sent by
sender.
Principles of Public Key cryptosystems

 Public-Key Cryptography
 probably most significant advance in the 3000 year history of cryptography
 uses two keys – a public & a private key
 asymmetric since parties are not equal
 uses clever application of number theoretic concepts to function
 complements rather than replaces private key crypto.
Principles of Public Key cryptosystems

 public-key/two-key/asymmetric cryptography involves the use of two keys:

 a public-key, which may be known by anybody, and can be used to encrypt messages,
and verify signatures.
 a private-key, known only to the recipient, used to decrypt messages, and sign (create)
signatures.
 is asymmetric because
 those who encrypt messages or verify signatures cannot decrypt messages or create
signatures.
Principles of Public Key cryptosystems

 Public-Key Cryptography: Encryption

Principles of Public Key cryptosystems

 Public-Key Cryptography: Authentication

Principles of Public Key cryptosystems

 Why Public-Key Cryptography?

 developed to address two key issues:
 key distribution – how to have secure communications in general without having
to trust a KDC with your key
 digital signatures – how to verify a message comes intact from the claimed sender

 public invention due to Whitfield Diffie & Martin Hellman at Stanford University in
1976
 known earlier in classified community
Principles of Public Key cryptosystems

 Conventional and Public – Key Encryption

Principles of Public Key cryptosystems

 Public-Key Characteristics
 Public-Key algorithms rely on two keys with the characteristics that it is:
 computationally infeasible to find decryption key knowing only algorithm &
encryption key
 computationally easy to en/decrypt messages when the relevant (en/decrypt) key
is known
 either of the two related keys can be used for encryption, with the other used for
decryption (in some schemes)
Principles of Public Key cryptosystems

 Public-Key Cryptosystems: Secrecy

Principles of Public Key cryptosystems

 Public-Key Cryptosystems: Authentication

Principles of Public Key cryptosystems

 Public-Key Cryptosystems: Secrecy and Authentication

Principles of Public Key cryptosystems

 Public-Key Applications
 can classify uses into 3 categories:
 encryption/decryption (provide secrecy)
 digital signatures (provide authentication)
 key exchange (of session keys)
 some algorithms are suitable for all uses, others are specific to one.
 Applications :
Principles of Public Key cryptosystems

 Security of Public Key Schemes

 like private key schemes brute force exhaustive search attack is always theoretically
possible
 but keys used are too large (>512bits)
 security relies on a large enough difference in difficulty between easy
(encrypt/decrypt) and hard (cryptanalyse) problems
 more generally the hard problem is known, its just made too hard to do in practice
 requires the use of very large numbers
 hence is slow compared to private key schemes.
The RSA Algorithm

 Developed by Rivest, Shamir & Adleman of MIT in 1977

 First published in 1978.
 best known & widely used public-key scheme
 The RSA scheme is a block cipher in which the plaintext and ciphertext are integers
between 0 and n - 1 for some n.
 typical size for n is 1024 bits
 security due to cost of factoring large numbers
The RSA Algorithm

 RSA Key Setup: each user generates a public/private key pair by:
 selecting two large primes at random: p, q.
 computing their system modulus N = p × q
 note φ(N)=(p-1)×(q-1)
 selecting at random the encryption key e
 where 1<e<φ(N), gcd(e, φ(N)) = 1
 solve following equation to find decryption key d
 e*d=1 mod φ(N) and 0≤d≤N
 publish their public encryption key: KU={e,N}
 keep secret private decryption key: KR={d,p,q}.
The RSA Algorithm

 RSA Use
 to encrypt a message M the sender:
 obtains public key of recipient KU={e,N}
 computes: C = Me mod N, where 0≤M<N
 to decrypt the ciphertext C the owner:
 uses their private key KR={d,p,q}
 computes: M = Cd mod N
 the message M must be smaller than the modulus N (block if needed)
The RSA Algorithm
 Brief summary of RSA
The RSA Algorithm (Example)

 Select primes: p=17 & q=11

 Compute n = pq =17×11=187
 Compute ø(n)=(p–1)(q-1)=16×10=160
 Select e : gcd(e,160)=1; choose e=7
 Determine d:
de=1 mod 160 and d < 160
Value is d=23 since 23×7=161= 10×160+1
 Publish public key KU={7,187}
 Keep secret private key KR={23,17,11}
RSA Processing of Multiple Blocks
The Security of RSA

 Four approaches to attacking RSA:

 Brute force: This involves trying all possible private keys.
 Mathematical attacks: There are several approaches, all equivalent in effort to
factoring the product of two primes.
 Timing attacks: These depend on the running time of the decryption algorithm.
 Chosen ciphertext attacks: This type of attack exploits properties of the RSA
algorithm.
The Security of RSA
 Factoring Problem
 mathematical approach takes 3 forms:
 factor N=p.q, hence find ø(N) and then d
 determine ø(N) directly and find d
 find d directly
The Security of RSA

 Timing Attacks
 developed in mid-1990’s
 exploit timing variations in operations
 eg. multiplying by small vs large number
 infer operand size based on time taken
 RSA exploits time taken in exponentiation
 Countermeasures
 use constant exponentiation time
 add random delays
 blind values used in calculations
Diffie-Hellman Key Exchange

 First public-key type scheme.

 Proposed by Diffie & Hellman in 1976 along with the exposition of public key concepts.
 is a practical method for public exchange of a secret key.
 used in a number of commercial products.

 The purpose of the algorithm is to enable two users to securely exchange a key that can
then be used for subsequent encryption of messages. The algorithm itself is limited to the
exchange of secret values.
Diffie-Hellman Key Exchange

 Two publicly known numbers: a prime number q and an integer α that is a primitive root
of q.
 Each user (eg. A) generates their key:
 chooses a secret key (number): XA < q
 compute their public key: YA= aXA mod q
 Similarly, B also generates the keys.
 Each side keeps the X value private and makes the Y value available publicly to the other
side.
 User A computes the key as, K = (YB)XA mod q
 User B computes the key as, K = (YA)XB mod q
Diffie-Hellman Key Exchange

 Key Exchange Algorithm

Diffie-Hellman Key Exchange

 Diffie-Hellman Key Exchange

Man-in-the-Middle Attack

 Suppose Alice and Bob wish to exchange keys, and Darth is the adversary.
 The attack proceeds as follows:
 Darth prepares for the attack by generating two random private keys X D1 and XD2 and then
computing the corresponding public keys Y D1 and YD2.
 Alice transmits YA to Bob.
 Darth intercepts YA and transmits YD1 to Bob. Darth also calculates

K2 = (YA)XD2 mod q
 Bob receives YD1 and calculates K1 = (YD1)XB mod q
 Bob transmits YB to Alice
 Darth intercepts YB and transmits YD2 to Alice. Darth calculates

K1 = (YB)XD1 mod q
 Alice receives YD2 and calculates K2 = (YD2)XA mod q
Man-in-the-Middle Attack
 Bob and Alice think that they share a secret key, but instead Bob and Darth share secret
key K1 and Alice and Darth share secret key K2.
 All future communication between Bob and Alice is compromised in the following way:
 Alice sends an encrypted message M : E(K2, M)
 Darth intercepts the encrypted message and decrypts it to recover
 Darth sends Bob E(K1, M) or E(K1, M’), where M’ is any message.
 In the first case, Darth simply wants to eavesdrop on the communication without
altering it.
 In the second case, Darth wants to modify the message going to Bob.
 The key exchange protocol is vulnerable to such an attack because it does not authenticate
the participants.
 This vulnerability can be overcome with the use of digital signatures and public-key
certificates.
Elliptic Curve Cryptography

 Majority of public-key crypto (RSA, Diffie-Hellman) use either integer or polynomial

arithmetic with very large numbers/polynomials
 imposes a significant load in storing and processing keys and messages
 an alternative is to use elliptic curves
 offers same security with smaller bit sizes
Real Elliptic Curves

 an elliptic curve is defined by an equation in two variables x & y, with coefficients

 consider a cubic elliptic curve of form
y2 = x3 + ax + b
where x, y, a, b are all real numbers
also define zero point O
 consider set of points E(a,b) that satisfy
 have addition operation for elliptic curve
 geometrically sum of P+Q is reflection of the intersection R
Finite Elliptic Curves

 Elliptic curve cryptography uses curves whose variables & coefficients are finite
 have two families commonly used:
 prime curves Ep(a,b) defined over Zp
 use integers modulo a prime
 best in software
 binary curves E2m(a,b) defined over GF(2n)
 use polynomials with binary coefficients
 best in hardware
Elliptic Curve Cryptography

 ECC addition is analog of modulo multiply

 ECC repeated addition is analog of modulo exponentiation
 need “hard” problem equiv to discrete log
 Q=kP, where Q,P belong to a prime curve
 is “easy” to compute Q given k,P
 but “hard” to find k given Q,P
 known as the elliptic curve logarithm problem
 Certicom example: E23(9,17)
ECC Diffie-Hellman Key Exchange
 Can do key exchange analogous to D-H
 users select a suitable curve Eq(a,b)
 select base point G=(x1,y1)
 A & B select private keys nA < n, nB < n
 compute public keys: PA=nAG, PB=nBG
 compute shared key: K=nAPB, K=nBPA
 same since K=nAnBG
 attacker would need to find k, hard
ECC Encryption/Decryption

 several alternatives, will consider simplest

 must first encode any message M as a point on the elliptic curve P m
 select suitable curve & point G as in D-H
 each user chooses private key nA<n
 and computes public key PA=nAG
 to encrypt Pm : Cm={kG, Pm+kPb}, k random
 decrypt Cm compute:
Pm+kPb–nB(kG) = Pm+k(nBG)–nB(kG) = Pm
ECC Security

 relies on elliptic curve logarithm problem.

 fastest method is “Pollard rho method”.
 compared to factoring, can use much smaller key sizes than with RSA etc.
 for equivalent key lengths computations are roughly equivalent.
 hence for similar security ECC offers significant computational advantages.