PV181 Laboratory of security
and applied cryptography
Asymmetric cryptography
Marek Sýs, Zdeněk Říha
| PV1811
Asymmetric cryptography
• Confidentiality
– asymmetric cipher - encryption, key agreement
• Authentication
1. Entity – identity verification – certificates,
2. Data origin - digital signature
• Integrity
– digital signature
• Non-repudiation
– digital signature
2 | PV181
Asymmetric cryptosystem
3 | PV181
Adapted Source: Network and
Internetwork Security (Stallings)
encryption decryption
message
Alice
Public key of Bob
Bob
Private key of Bob
Encrypted
message
Decrypted
original
message
Asymmetric cryptography
• Two related keys – created by one party
– different inverse operations (encryption - decryption, signing
– signature verification)
• Properties - hard to compute private from public key
– based on hard mathematical problems
• Hard problems and cryptosystems:
– Integer factorization – RSA, Rabin, …
– Discrete logarithm problem (DLP): ElGamal, EC, DSA, …
– Others (DH, decoding,…) – Diffie-Helman, McElliece,…
4 | PV181
Hard problems
• Integer factorization
– for N find its nontrivial divisor
• DLP in domains:
(parameters: define alg. structure and DLP)
– 𝑍 𝑝 defined by 𝑝 :
• for 𝑔, ℎ find 𝑥 such that 𝑔 𝑥
≡ ℎ 𝑚𝑜𝑑 𝑝
– Elliptic curve defined by triple 𝑎, 𝑏, 𝑝:
• for points 𝐺, 𝐻 find 𝑥 such that 𝑥. 𝐺 = 𝐻
5 | PV181
RSA generation
• Two random primes 𝑝, 𝑞
– 𝑝𝑟𝑖𝑚𝑒 − 1 must have large factor (110 bits)
• Public exponent 𝑒 chosen so:
– gcd 𝑝 − 1, 𝑒 = gcd 𝑞 − 1, 𝑒 = 1
– typically set 65537 – prime number
– very small 𝑒 is insecure: e.g. 𝑒=3 sent to 3 recipients
• Private exponent 𝑑 computed
– from 𝑒 so that : 𝑒. 𝑑 ≡ 1 𝑚𝑜𝑑 𝑝 − 1 ∗ 𝑞 − 1
– Small 𝑑 is insecure – < 0.29 bits of N (𝑑 can be computed)
6 | PV181
RSA keys
• Public key
– 𝑁 = 𝑝. 𝑞 , 𝑒
• Private key
– 𝑑 but 𝑝, 𝑞 must be kept secret
• Encryption: 𝐸 𝑝 = 𝑚 𝑒
𝑚𝑜𝑑 𝑁
• Decryption: 𝐷 𝑐 = 𝑐 𝑑
𝑚𝑜𝑑 𝑁
– Can be sped up (4x) using CRT
• 𝐷 𝑐 = 𝑐 𝑑2 𝑚𝑜𝑑 𝑞 + C. ( 𝑐 𝑑1 𝑚𝑜𝑑 𝑝 − 𝑐 𝑑2 𝑚𝑜𝑑 𝑞),
for 𝑑2 = 𝑑 𝑚𝑜𝑑 𝑞, 𝑑1 = 𝑑 𝑚𝑜𝑑 𝑝
7 | PV181
RSA Padding example (PKCS#1 v1.5)
• Document
– “00 01 02 03 04 05 06 07 07 06 05 04 03 02 01”
• Hash of the document (sha-1)
– “b3 39 90 4c d2 a0 10 e6 19 37 eb e5 b5 83 37 8c 5d 10
51 95”
• Padded hash
– “00 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00
30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 b3 39 90 4c
d2 a0 10 e6 19 37 eb e5 b5 83 37 8c 5d 10 51 95”
RSA in practice: Padding
• Non-random padding (textbook RSA) is insecure
- Bleichenbacher attack – oracle attack (information about
improper format of message) CCA
• Paddings - random value computed from message
– ANSI X9.31
– PKCS #1 v1.5
– Probabilistic Signature Scheme (PSS)
– OAEP – PKCS#1 v2 & RFC 2437- completely random -
secure
Diffie-Hellman (DH) algorithm
• Described in PKCS#1
• Params:
– 𝑝, 𝑔 prime, generator of subgroup in 𝑍 𝑝, define DLP 𝑔 𝑥 ≡ ℎ 𝑚𝑜𝑑 𝑝
• Private key: 𝑥
• Public key: 𝑔, 𝑝, ℎ (ℎ ≡ 𝑔 𝑥
𝑚𝑜𝑑 𝑝)
• Key agreement - both participants affect the key
– Alice sends: 𝑔 𝑎
𝑚𝑜𝑑 𝑝
– Bob sends: 𝑔 𝑏 𝑚𝑜𝑑 𝑝
– Shared key 𝑔 𝑎𝑏 𝑚𝑜𝑑 𝑝 computed as:
• (𝑔 𝑎 𝑚𝑜𝑑 𝑝) 𝑏 𝑚𝑜𝑑 𝑝 or (𝑔 𝑏 𝑚𝑜𝑑 𝑝) 𝑎 𝑚𝑜𝑑 𝑝
10 | PV181
Digital signature
• Asymmetric cryptography
– Private key – signature generation (usually only hash of
data is typically signed not data itself)
– Public key – verification procedure
• Data integrity + data origin + non-repudiation:
– Non-repudiation - correct signatures can be generated
only by those having the private key
• The digital signature itself does not give any
guarantees with respect to signing time.
Digital signature scheme
12 | PV181
Signature
algorithm
Verification
algorithmmessage signed
message
Alice
Public key of Alice
Bob
Source: Network and
Internetwork Security (Stallings)
verified
message
Private key of Alice
Digital Signature Algorithm (DSA)
• In 1994 the selection procedure for Digital Signature Standard
(DSS) was concluded – DSA (Digital Signature Algorithm) was
selected.
• Modified version of ElGamal algorithm, based on discrete
logarithm in Zp.
• Became FIPS standard FIPS 186 in 1993.
– Standards – 186-1, 186-2, 186-3, 186-4
– Now NIST FIPS 186-4 supports RSA & DSA & ECDSA.
Digital Signature Standard (DSS)
14 | PV181
DSS
1. Selection of Parameter Sizes and Hash Functions
2. Domain Parameter Generation
- only for DSA, ECDSA
3. Signature Generation
4. Signature Verification and Validation
15 | PV181
DSA: Key generation
• Parameter generation
– Key length: 𝑁, 𝐿 bits
1. Choose prime 𝑞 with 𝑁 bits
2. Choose prime modulus 𝑝 with 𝐿 bits such that: 𝑞|𝑝
3. Choose 𝑔 with order 𝑞 in 𝑍 𝑝
Keys:
• Private key: 𝑥
• Public key: 𝑝, 𝑔, 𝑞, ℎ (ℎ ≡ 𝑔 𝑥 𝑚𝑜𝑑 𝑝)
DSA signature generation & verification
• Signature generation
– Generate a random per-message value k such that 0 < k < q.
– Calculate r = (gk mod p) mod q
– Calculate s = (k−1(H(m) + x*r)) mod q
– The signature is (r, s).
• Signature verification
– w = (s)−1 mod q
– u1 = (H(m)*w) mod q
– u2 = (r*w) mod q
– v = ((gu1*yu2) mod p) mod q
– The signature is valid if v = r
• For DSA (1024,160) the signature size will be 2x160 bits.
DSA: Padding
• Decide on lengths L and N, e.g. (1024,160).
– N must be less than or equal to the hash output length
• E.g. for (1024,160) sha-1 is typically used,
sha-256 would be ok as well and only first 160 bits would be
used
– s = (k−1(H(m) + x*r)) mod q
• “It is recommended that the security strength of the (L, N) pair and the security strength of the hash
function used for the generation of digital signatures be the same unless an agreement has been
made between participating entities to use a stronger hash function. When the length of the output of
the hash function is greater than N (i.e., the bit length of q), then the leftmost N bits of the hash
function output block shall be used in any calculation using the hash function output during the
generation or verification of a digital signature. A hash function that provides a lower security
strength than the (L, N) pair ordinarily should not be used, since this would reduce the security
strength of the digital signature process to a level no greater than that provided by the hash
function.” [FIPS 186-3]
Elliptic curve DSA (ECDSA)
• Elliptic curves invented by Koblitz & Miller in 1985.
• ECDSA proposed in 1992 by Vanstone
• Became ISO standard (ISO 14888-3) in 1998
• Became ANSI standard (ANSI X9.62) in 1999
• ECDSA, ECDH is a version of DSA, DH based on
elliptic curves.
Elliptic curve (EC) domain parameters
• (field,a,b,G,n,h)
– Finite field
• p for Fp
• m, bases (trinomial, pentanomial) for F2
m
– Coefficients a, b: y2 = x3 + ax +b
– Group generator: G
– Order of the G: n
– Optional cofactor: h
• (h = number of elements in field / order n)
– The base point G generates a cyclic subgroup of order n in
the field.
Elliptic curve DH (ECDH)
• Described in PKCS#1
• Params:
– 𝑝, 𝑎, 𝑏 define EC over 𝑍 𝑝
– generator of EC - point 𝑮, definess DLP: 𝑥𝑮 = 𝐻
• Private key: 𝑥
• Public key: 𝐺, 𝐸𝐶, 𝐻 (𝐻 = 𝑥. 𝐺)
• Key agreement - both participants affect the key
– Alice sends: 𝑎. 𝐺
– Bob sends: 𝑏. 𝐺
– Shared key 𝑎. 𝑏. 𝐺 computed as:
• 𝑏. (𝑎. 𝐺) or 𝑎. (𝑏. 𝐺)
ECDSA: Keys
• Generating key pair
– Select a random integer d from [1,n − 1]
– Compute P = d*G;
• Private key: d
• Public key: P
• For 256-bit curve
– the private key d will be approx. 256-bit long
– the public key P is a point on the curve – will be approx
512-bit long
ECDSA: Signatures
• Generate signature
– Select a random integer k from [1,n − 1]
– (x1,y1) = k*G
– Calculate r = x1 (mod n)
– Calculate s = k−1(M + r*d) (mod n)
– Signature is (r,s).
• Signature verification
– Calculate w = s−1 (mod n)
– Calculate u1 = z*w (mod n) & u2 = r*w (mod n)
– Calculate (x1,y1) = u1*G + u2*P
– The signature is valid if r = x1 (mod n).
• For 256-bit curve the signature length will be approx.
512 bits
ECDSA: Padding
• Rules are same as for DSA
• “It is recommended that the security strength associated with the bit length of
n and the security strength of the hash function be the same unless an
agreement has been made between participating entities to use a stronger
hash function. When the length of the output of the hash function is greater
than the bit length of n, then the leftmost n bits of the hash function output
block shall be used in any calculation using the hash function output during
the generation or verification of a digital signature. A hash function that
provides a lower security strength than the security strength associated with
the bit length of n ordinarily should not be used, since this would reduce the
security strength of the digital signature process to a level no greater than that
provided by the hash function.” [FIPS 186-3]