Published by Ann Marion McBride, modified over 9 years ago
Slide 1: Cryptography and Network Security, Chapter 10
Fifth Edition, by William Stallings
Lecture slides by Lawrie Brown, modified by Richard Newman

Notes: Lecture slides by Lawrie Brown for "Cryptography and Network Security", 5/e, by William Stallings, Chapter 10 – "Other Public Key Cryptosystems".
Slide 2: Chapter 10 – Other Public Key Cryptosystems
Amongst the tribes of Central Australia every man, woman, and child has a secret or sacred name which is bestowed by the older men upon him or her soon after birth, and which is known to none but the fully initiated members of the group. This secret name is never mentioned except upon the most solemn occasions; to utter it in the hearing of men of another group would be a most serious breach of tribal custom. When mentioned at all, the name is spoken only in a whisper, and not until the most elaborate precautions have been taken that it shall be heard by no one but members of the group. The native thinks that a stranger knowing his secret name would have special power to work him ill by means of magic. —The Golden Bough, Sir James George Frazer

Notes: Opening quote.
Slide 3: Roadmap
- Diffie-Hellman key exchange
- ElGamal cryptography
- Elliptic Curve cryptography
- Pseudorandom Number Generation (PRNG) based on Asymmetric Ciphers (RSA & ECC)
- Attacks and Standards
- Chapter 10 summary
Slide 4: Diffie-Hellman Key Exchange
- first public-key type scheme proposed
- astounding concept: two parties can carry on a public conversation and still end up with a secret that only the two of them know!
- public secret sharing: the shared secret is derived from private secrets and publicly shared information

Notes: This chapter continues our overview of public-key cryptosystems (PKCSs), and begins with a description of one of the earliest and simplest PKCS, Diffie-Hellman key exchange. This first published public-key algorithm appeared in the seminal paper by Diffie and Hellman that defined public-key cryptography [DIFF76b] and is generally referred to as Diffie-Hellman key exchange. The concept had been previously described in a classified report by Williamson (UK CESG), subsequently declassified in 1987; see [ELLI99]. The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent encryption of messages. The algorithm itself is limited to the exchange of secret values. A number of commercial products employ this key exchange technique.
Slide 5: Diffie-Hellman Key Exchange
- first public-key type scheme, proposed by Diffie & Hellman in 1976 along with the exposition of public-key concepts
- note: it is now known that Williamson (UK CESG) secretly proposed the concept in 1970
- is a practical method for public exchange of a secret key – in practice, a "pre-key"
- used in a number of commercial products
Slide 6: Diffie-Hellman Key Exchange
- a public-key distribution scheme
- cannot be used to exchange an arbitrary message
- rather, it can establish a common key known only to the two participants
- the value of the key depends on the participants (and their private and public key information)

Notes: The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent encryption of messages. The algorithm itself is limited to the exchange of secret values, which depend on the values of the public/private keys of the participants. The Diffie-Hellman algorithm uses exponentiation in a finite (Galois) field (modulo a prime or a polynomial), and depends for its effectiveness on the difficulty of computing discrete logarithms.
Slide 7: Diffie-Hellman Key Exchange
- derivation of the shared secret is based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) – easy
- security relies on the difficulty of working backward to get the secrets by computing discrete logarithms (similar to factoring) – hard
Slide 8: Diffie-Hellman Setup
- all users agree on global parameters:
  - a large prime integer or polynomial q
  - a, which is a primitive root mod q
- each user (e.g. A) generates their key:
  - chooses a secret key (number): xA < q
  - computes their public key: yA = a^xA mod q
- each user makes that key yA public

Notes: In the Diffie-Hellman key exchange algorithm, there are two publicly known numbers: a prime number q and an integer a that is a primitive root of q. The prime q and primitive root a can be common to all using some instance of the D-H scheme. Note that the primitive root a is a number whose powers successively generate all the elements mod q. Users Alice and Bob choose random secrets x's, and then "protect" them using exponentiation to create their public y's. For an attacker monitoring the exchange of the y's to recover either of the x's, they would need to solve the discrete logarithm problem, which is hard.
Slide 9: Diffie-Hellman Key Exchange
- the shared session key for users A & B is KAB:
  KAB = a^(xA·xB) mod q
      = yA^xB mod q (which B can compute)
      = yB^xA mod q (which A can compute)

Notes: Each principal has the other's public key and their own secret, along with a and q. The actual key exchange for either party consists of raising the other's "public key" to the power of their private key. The resulting number (or as much of it as is necessary) is used as the key for a block cipher or other private-key scheme. For an attacker to obtain the same value they need at least one of the secret numbers, which means solving a discrete log, which is computationally infeasible given large enough numbers. Note that if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public keys.
Slide 10: Diffie-Hellman Key Exchange
Alice and Bob agree on a and q.
  Alice sends Bob:   yA = a^xA mod q
  Bob sends Alice:   yB = a^xB mod q
  Bob computes:      KAB = yA^xB mod q
  Alice computes:    KAB = yB^xA mod q
Both Alice and Bob have KAB = a^(xA·xB) mod q.
Slide 11: Diffie-Hellman Key Exchange
- KAB is used as the session key (or pre-key) in a private-key encryption scheme between Alice and Bob
- if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public keys (nonces and the pre-key can be combined to make each session key different)
- an attacker needs a private key x, and must solve a discrete log base a modulo q to get it
Slide 12: Diffie-Hellman Example
- users Alice & Bob wish to swap keys
- agree on prime q = 353 and a = 3
- select random secret keys: A chooses xA = 97, B chooses xB = 233
- compute respective public keys:
  yA = 3^97 mod 353 = 40 (Alice)
  yB = 3^233 mod 353 = 248 (Bob)
- compute the shared session key as:
  KAB = yB^xA mod 353 = 248^97 mod 353 = 160 (Alice)
  KAB = yA^xB mod 353 = 40^233 mod 353 = 160 (Bob)

Notes: Here is an example of Diffie-Hellman from the text using prime q = 353, showing how each computes its public key, and then how, after they exchange public keys, each can compute the common secret key. In this simple example, it would be possible by brute force to determine the secret key 160. In particular, an attacker E can determine the common key by discovering a solution to the equation 3^a mod 353 = 40 or the equation 3^b mod 353 = 248. The brute-force approach is to calculate powers of 3 modulo 353, stopping when the result equals either 40 or 248. The desired answer is reached with the exponent value of 97, which provides 3^97 mod 353 = 40. With larger numbers, the problem becomes impractical.
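The slide-12 exchange in working form, as an added example that is not code from the slides or the textbook. The range check on a received public value is a defender's addition assumed here (it rejects the degenerate values 0, 1 and q-1); the slides do not show it.

```python
# Added example: Diffie-Hellman with the slide-12 parameters q = 353, a = 3,
# xA = 97, xB = 233, plus the brute-force discrete log the notes walk through.
# Not code from the slides or the textbook.

Q, ALPHA = 353, 3                       # public parameters: prime q, primitive root a


def public_key(x, q=Q, a=ALPHA):
    """y = a^x mod q; the private exponent x is never transmitted."""
    return pow(a, x, q)


def valid_public_key(y, q=Q):
    """Added caveat (not on the slides): a received value of 0, 1 or q-1
    forces the shared secret to a trivial value, so refuse to use it."""
    return 1 < y < q - 1


def shared_secret(their_y, my_x, q=Q):
    """K = y^x mod q; both sides obtain a^(xA*xB) mod q."""
    if not valid_public_key(their_y, q):
        raise ValueError("rejected degenerate public value %d" % their_y)
    return pow(their_y, my_x, q)


def brute_force_dlog(y, q=Q, a=ALPHA):
    """Smallest x with a^x = y (mod q), found by stepping through the powers
    of a as the notes do for 3^x = 40 (mod 353). Feasible only because q is tiny;
    since a is a primitive root, each y in 1..q-1 has exactly one x in 0..q-2."""
    acc = 1
    for x in range(q - 1):
        if acc == y:
            return x
        acc = acc * a % q
    return None


def run_exchange(xA=97, xB=233):
    """Return (yA, yB, K as Alice computes it, K as Bob computes it)."""
    yA, yB = public_key(xA), public_key(xB)
    return yA, yB, shared_secret(yB, xA), shared_secret(yA, xB)


if __name__ == "__main__":
    print(run_exchange())            # (40, 248, 160, 160)
    print(brute_force_dlog(40))      # 97, the exponent the notes recover
```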
Slide 13: Key Exchange Protocols
- users could create random private/public D-H keys each time they communicate
- users could create a known private/public D-H key and publish it in a directory; others then consult the directory and use that key to communicate securely with them
- both of these are vulnerable to a man-in-the-middle attack
- authentication of the keys is needed

Notes: Now consider a simple protocol that makes use of the Diffie-Hellman calculation. Suppose that user A wishes to set up a connection with user B and use a secret key to encrypt messages on that connection. User A can generate a one-time private key XA, calculate YA, and send that to user B. User B responds by generating a private value XB, calculating YB, and sending YB to user A. Both users can now calculate the key. The necessary public values q and a would need to be known ahead of time. Alternatively, user A could pick values for q and a and include those in the first message.
Slide 14: Man-in-the-Middle Attack
- Darth prepares by creating two private/public key pairs
- Alice transmits her public key to Bob
- Darth intercepts this and transmits his first public key to Bob; Darth also calculates a shared key with Alice
- Bob receives the public key and calculates the shared key (with Darth instead of Alice)
- Bob transmits his public key to Alice
- Darth intercepts this and transmits his second public key to Alice; Darth calculates a shared key with Bob
- Alice receives the key and calculates the shared key (with Darth instead of Bob)
- Darth can then intercept, decrypt, re-encrypt, and forward all messages between Alice & Bob

Notes: The protocol described on the previous slide is insecure against a man-in-the-middle attack. Suppose Alice and Bob wish to exchange keys, and Darth is the adversary. The attack proceeds as follows:
1. Darth prepares for the attack by generating two random private keys XD1 and XD2 and then computing the corresponding public keys YD1 and YD2.
2. Alice transmits YA to Bob.
3. Darth intercepts YA and transmits YD1 to Bob. Darth also calculates K2 = (YA)^XD2 mod q.
4. Bob receives YD1 and calculates K1 = (YD1)^XB mod q.
5. Bob transmits YB to Alice.
6. Darth intercepts YB and transmits YD2 to Alice. Darth calculates K1 = (YB)^XD1 mod q.
7. Alice receives YD2 and calculates K2 = (YD2)^XA mod q.
At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth share secret key K1 and Alice and Darth share secret key K2. All future communication between Bob and Alice is compromised in the following way: Alice sends an encrypted message M: E(K2, M). Darth intercepts the encrypted message and decrypts it, to recover M. Darth sends Bob E(K1, M) or E(K1, M'), where M' is any message. In the first case, Darth simply wants to eavesdrop on the communication without altering it. In the second case, Darth wants to modify the message going to Bob. The key exchange protocol is vulnerable to such an attack because it does not authenticate the participants. This vulnerability can be overcome with the use of digital signatures and public-key certificates.
Slide 15: Man-in-the-Middle Attack
  Alice sends:   yA = a^xA mod q      Darth replaces it with:   y'A = a^xDA mod q   (delivered to Bob)
  Bob sends:     yB = a^xB mod q      Darth replaces it with:   y'B = a^xDB mod q   (delivered to Alice)
  Bob computes:    KDAB = y'A^xB mod q   (shared with Darth, not Alice)
  Alice computes:  KADB = y'B^xA mod q   (shared with Darth, not Bob)
Darth has a private, unauthenticated channel with each of Alice and Bob.
Slide 16: Man-in-the-Middle Attack
- also known as the "bucket brigade" attack
- need a reliable way to associate a public key with a principal
- a public key infrastructure (PKI) is one way
- the PGP web of trust is another
- in some circumstances, it may be possible to use scheduling/timing to prevent MITM
Slide 18: ElGamal Cryptography
- a public-key cryptosystem related to D-H
- uses exponentiation in a finite field, with security based on the difficulty of computing discrete logarithms, as in D-H
- each user (e.g. A) generates their key:
  - chooses a secret key (number): 1 < xA < q-1
  - computes their public key: yA = a^xA mod q

Notes: In 1984, T. Elgamal announced a public-key scheme based on discrete logarithms, closely related to the Diffie-Hellman technique [ELGA84, ELGA85]. The ElGamal cryptosystem is used in some form in a number of standards, including the digital signature standard (DSS) and the S/MIME standard. As with Diffie-Hellman, the global elements of ElGamal are a prime number q and a, which is a primitive root of q. User A generates a private/public key pair as shown. The security of ElGamal is based on the difficulty of computing discrete logarithms: to recover either x given y, or k given K (next slide).
Slide 19: ElGamal Message Exchange
- Bob encrypts a message to send to A by computing:
  - the message M in the range 0 <= M <= q-1; longer messages must be sent as blocks
  - a random integer k, 1 <= k <= q-1
  - the one-time key K = yA^k mod q
  - the encryption of M as a pair of integers (C1, C2), where
    C1 = a^k mod q   // like a D-H public key
    C2 = KM mod q    // encrypted msg

Notes: Any user B that has access to A's public key can encrypt a message as shown. These steps correspond to Figure 9.1a in that Alice generates a public/private key pair; Bob encrypts using Alice's public key; and Alice decrypts using her private key. See the text for details of why these steps result in M being recovered. Note that K functions as a one-time key, used to encrypt and decrypt the message. If a message must be broken up into blocks and sent as a sequence of encrypted blocks, a unique value of k should be used for each block. If k is used for more than one block, knowledge of one block m of the message enables the user to compute other blocks, as shown in the text. The basic idea with ElGamal encryption is to choose a random key, protect it, then use it to scramble the message by multiplying the message with it. Two pieces of information have to be sent: the first to recover this temporary key, the second the actual scrambled message. Note that ElGamal encryption involves 1 modular exponentiation and a multiplication (vs 1 exponentiation for RSA).
Slide 20: ElGamal Message Exchange
- encrypt M as a pair of integers (C1, C2), where C1 = a^k mod q; C2 = KM mod q
- A then recovers the message by:
  - recovering the key K as K = C1^xA mod q
  - computing M as M = C2·K^-1 mod q
- a unique K must be used each time, otherwise the result is insecure
Slide 21: ElGamal Example
- use field GF(19): q = 19 and a = 10
- Alice computes her key:
  - A chooses xA = 5 & computes yA = 10^5 mod 19 = 3
- Bob sends message M = 17 as (11, 5) by:
  - choosing random k = 6
  - computing K = yA^k mod q = 3^6 mod 19 = 7
  - computing C1 = a^k mod q = 10^6 mod 19 = 11; C2 = KM mod q = 7·17 mod 19 = 5
- Alice recovers the original message by computing:
  - K = C1^xA mod q = 11^5 mod 19 = 7
  - the inverse K^-1 = 7^-1 mod 19 = 11
  - M = C2·K^-1 mod q = 5·11 mod 19 = 17

Notes: Here is an example of ElGamal from the text using the prime field GF(19); that is, q = 19. It has primitive roots {2, 3, 10, 13, 14, 15}, as shown in the table in the text. We choose a = 10. Alice generates a key pair as shown. Suppose Bob wants to send the message with the value M = 17. Then he computes the ciphertext pair (11, 5) and sends this to Alice. Alice recovers the message by first recovering K, then computing its inverse (using the Extended Euclidean Algorithm – see Ch 4), and finally recovering M.
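The slide-21 exchange over GF(19) in working form, together with the k-reuse failure that the slide-20 notes describe, as an added example that is not code from the slides or the textbook. The second plaintext block M = 9 encrypted under the same k = 6 is a constructed value.

```python
# Added example (not code from the slides or the textbook): ElGamal over GF(19)
# with the slide-21 values q = 19, a = 10, xA = 5, k = 6, M = 17, and a
# demonstration of why k must be fresh for every block.

Q, ALPHA = 19, 10                  # global elements: prime q and primitive root a


def public_key(xA, q=Q, a=ALPHA):
    """yA = a^xA mod q."""
    return pow(a, xA, q)


def encrypt(M, yA, k, q=Q, a=ALPHA):
    """Return (C1, C2) = (a^k mod q, K*M mod q) with one-time key K = yA^k mod q."""
    if not 0 <= M <= q - 1:
        raise ValueError("message block must lie in 0..q-1")
    if not 1 <= k <= q - 1:
        raise ValueError("k must lie in 1..q-1")
    K = pow(yA, k, q)
    return pow(a, k, q), K * M % q


def decrypt(C, xA, q=Q):
    """Recover K = C1^xA mod q, then M = C2 * K^-1 mod q."""
    C1, C2 = C
    K = pow(C1, xA, q)
    return C2 * pow(K, -1, q) % q


def recover_with_reused_k(C_known, M_known, C_other, q=Q):
    """Two blocks encrypted under the same k share the same K, so whoever knows
    one plaintext block can form K = C2 * M^-1 mod q and unmask the other block
    without the private key. A reused k is visible as an identical C1."""
    if C_known[0] != C_other[0]:
        raise ValueError("different C1 values: k was not reused")
    K = C_known[1] * pow(M_known, -1, q) % q
    return C_other[1] * pow(K, -1, q) % q


if __name__ == "__main__":
    yA = public_key(5)                            # 3
    C = encrypt(17, yA, 6)                        # (11, 5)
    print(yA, C, decrypt(C, 5))                   # 3 (11, 5) 17
    C_second = encrypt(9, yA, 6)                  # constructed second block, same k
    print(recover_with_reused_k(C, 17, C_second)) # 9, recovered without xA
```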
Slide 23: Elliptic Curve Cryptography
- the majority of public-key crypto (RSA, D-H) uses either integer or polynomial arithmetic with very large numbers/polynomials
- this imposes a significant load in storing and processing keys and messages
- an alternative is to use elliptic curves
- offers the same security with smaller bit sizes
- newer, but not as well analysed

Notes: A major issue with the use of public-key cryptography is the size of the numbers used, and hence of the keys being stored. Recently, an alternative approach has emerged, elliptic curve cryptography (ECC), which performs the computations using elliptic curve arithmetic instead of integer or polynomial arithmetic. Already, ECC is showing up in standardization efforts, including the IEEE P1363 Standard for Public-Key Cryptography. The principal attraction of ECC, compared to RSA, is that it appears to offer equal security for a far smaller key size, thereby reducing processing overhead. Although the theory of ECC has been around for some time, it is only recently that products have begun to appear and that there has been sustained cryptanalytic interest in probing for weaknesses. Accordingly, the confidence level in ECC is not yet as high as that in RSA.
Slide 24: Real Elliptic Curves
- an elliptic curve is defined by an equation in two variables x & y, with coefficients
- consider a cubic elliptic curve of the form y^2 = x^3 + ax + b, where x, y, a, b are all real numbers
- also define the zero point O
- consider the set of points E(a,b) that satisfy the equation
- there is an addition operation for the elliptic curve
  - geometrically, the sum P+Q is the reflection of the third intersection point R

Notes: An elliptic curve is defined by an equation in two variables, with coefficients. For cryptography, the variables and coefficients are restricted to elements in a finite field, which results in the definition of a finite abelian group (see Ch 4 for details of an abelian group). Before looking at this, we first look at elliptic curves in which the variables and coefficients are real numbers. This case is perhaps easier to visualize. Elliptic curves are not ellipses. They are so named because they are described by cubic equations, similar to those used for calculating the circumference of an ellipse. For our purpose, we can consider cubic equations for elliptic curves of the form shown here. Also included in the definition of an elliptic curve is a single element denoted O and called the point at infinity or the zero point. Now, consider the set of points E(a, b) consisting of all of the points (x, y) that satisfy this equation together with the element O. Using a different value of the pair (a, b) results in a different set E(a, b). See the text for the detailed rules of addition and the relation to the zero point O. One can derive an algebraic interpretation of addition, based on computing the gradient of the tangent (or chord) and then solving for the intersection with the curve; see the text for this algebraic description.
Slide 25: Real Elliptic Curve Example

Notes: Stallings Figure 10.4b, "Example of Elliptic Curves", illustrates the geometric interpretation of elliptic curve addition, as follows: if three points on an elliptic curve lie on a straight line, their sum is O. Hence define addition as:
1. O serves as the additive identity. Thus O = –O; for any point P on the elliptic curve, P + O = P. In what follows, we assume P <> O and Q <> O.
2. The negative of a point P is the point with the same x coordinate but the negative of the y coordinate; that is, if P = (x, y), then –P = (x, –y). These two points can be joined by a vertical line, and P + (–P) = P – P = O.
3. To add two points P and Q with different x coordinates, draw a straight line between them and find the third point of intersection R. There is a unique point R that is the point of intersection (unless the line is tangent to the curve at either P or Q, in which case we take R = P or R = Q, respectively). To form a group structure, we need to define addition on these three points as follows: P + Q = –R; i.e. P + Q is the mirror image (with respect to the x axis) of the third point of intersection, as shown on the slide.
4. The geometric interpretation of the preceding item also applies to two points, P and –P, with the same x coordinate. The points are joined by a vertical line, which can be viewed as also intersecting the curve at the infinity point. We therefore have P + (–P) = O, consistent with item (2).
5. To double a point Q, draw the tangent line and find the other point of intersection S. Then Q + Q = 2Q = –S.
With the preceding list of rules, it can be shown that the set E(a, b) is an abelian group.
Slide 26: Finite Elliptic Curves
- elliptic curve cryptography uses curves whose variables & coefficients are finite
- two families are commonly used:
  - prime curves Ep(a,b) defined over Zp: use integers modulo a prime; best in software
  - binary curves E2m(a,b) defined over GF(2^m): use polynomials with binary coefficients; best in hardware

Notes: Elliptic curve cryptography makes use of elliptic curves in which the variables and coefficients are all restricted to elements of a finite field. Two families of elliptic curves are used in cryptographic applications: prime curves over Zp (best for software use), and binary curves over GF(2^m) (best for hardware use). There is no obvious geometric interpretation of elliptic curve arithmetic over finite fields. The algebraic interpretation used for elliptic curve arithmetic over the reals does, however, readily carry over. See the text for a detailed discussion.
Slide 27: Elliptic Curve Cryptography
- ECC addition is the analog of modular multiplication
- ECC repeated addition is the analog of modular exponentiation
- need a "hard" problem equivalent to discrete log:
  - Q = kP, where Q, P belong to a prime curve
  - it is "easy" to compute Q given k, P
  - but "hard" to find k given Q, P
  - known as the elliptic curve logarithm problem
- Certicom example: E23(9,17)

Notes: Elliptic curve cryptography uses addition as an analog of modular multiplication, and repeated addition as an analog of modular exponentiation. The "hard" problem is the elliptic curve logarithm problem. We give an example taken from the Certicom Web site. Consider the group E23(9, 17). This is the group defined by the equation y^2 mod 23 = (x^3 + 9x + 17) mod 23. What is the discrete logarithm k of Q = (4, 5) to the base P = (16, 5)? The brute-force method is to compute multiples of P until Q is found. Thus P = (16, 5); 2P = (20, 20); 3P = (14, 14); 4P = (19, 20); 5P = (13, 10); 6P = (7, 3); 7P = (8, 7); 8P = (12, 17); 9P = (4, 5). Because 9P = (4, 5) = Q, the discrete logarithm of Q = (4, 5) to the base P = (16, 5) is k = 9. In a real application, k would be so large as to make the brute-force approach infeasible.
Slide 28: ECC Diffie-Hellman
- can do key exchange analogous to D-H
- users select a suitable curve Eq(a,b)
- select a base point G = (x1, y1) with large order n s.t. nG = O
- A & B select private keys nA < n, nB < n
- compute public keys: PA = nA·G, PB = nB·G
- compute the shared key: K = nA·PB, K = nB·PA
  - the same since K = nA·nB·G
- an attacker would need to find k, which is hard

Notes: Illustrated here is the elliptic curve analog of Diffie-Hellman key exchange, which is a close analogy given that elliptic curve multiplication equates to modular exponentiation. Key exchange using elliptic curves can be done in the following manner. First pick a large integer q, which is either a prime number p or an integer of the form 2^m, and elliptic curve parameters a and b for Equation (10.5) or Equation (10.7). This defines the elliptic group of points Eq(a, b). Next, pick a base point G = (x1, y1) in Eq(a, b) whose order is a very large value n. The order n of a point G on an elliptic curve is the smallest positive integer n such that nG = O. So Eq(a, b) and G are parameters of the cryptosystem known to all participants. A key exchange between users A and B can then be accomplished as shown. To break this scheme, an attacker would need to be able to compute k given G and kG, which is assumed hard.
Slide 29: ECC Encryption/Decryption
- several alternatives; we will consider the simplest
- must first encode any message M as a point Pm on the elliptic curve
- select a suitable curve & point G as in D-H
- each user chooses a private key nA < n and computes the public key PA = nA·G
- to encrypt Pm: Cm = {kG, Pm + k·PB}, k random
- to decrypt Cm compute: Pm + k·PB – nB(kG) = Pm + k(nB·G) – nB(kG) = Pm

Notes: Several approaches to encryption/decryption using elliptic curves have been analyzed in the literature. This one is an analog of the ElGamal public-key encryption algorithm. The sender must first encode any message M as a point Pm on the elliptic curve (there are relatively straightforward techniques for this). Note that the ciphertext is a pair of points on the elliptic curve. The sender masks the message using a random k, but also sends along a "clue" allowing the receiver who knows the private key to remove k and hence recover the message. For an attacker to recover the message, the attacker would have to compute k given G and kG, which is assumed hard.
Slide 30: ECC Security
- relies on the elliptic curve logarithm problem
- the fastest method is the "Pollard rho method"
- compared to factoring, can use much smaller key sizes than with RSA, etc.
- for equivalent key lengths the computations are roughly equivalent
- hence for similar security ECC offers significant computational advantages

Notes: The security of ECC depends on how difficult it is to determine k given kP and P. This is referred to as the elliptic curve logarithm problem. The fastest known technique for taking the elliptic curve logarithm is known as the Pollard rho method. Compared to factoring integers or polynomials, one can use much smaller numbers for equivalent levels of security.
Slide 31: Comparable Key Sizes for Equivalent Security

  Symmetric scheme      ECC-based scheme      RSA/DSA
  (key size in bits)    (size of n in bits)   (modulus size in bits)
  56                    112                   512
  80                    160                   1024
  112                   224                   2048
  128                   256                   3072
  192                   384                   7680
  256                   512                   15360

Notes: Stallings' table "Comparable Key Sizes in Terms of Computational Effort for Cryptanalysis" compares various algorithms by showing comparable key sizes in terms of the computational effort for cryptanalysis. As can be seen, a considerably smaller key size can be used for ECC compared to RSA. Furthermore, for equal key lengths, the computational effort required for ECC and RSA is comparable. Thus, there is a computational advantage to using ECC with a shorter key length than a comparably secure RSA.
Slide 33: Pseudorandom Number Generation (PRNG) based on Asymmetric Ciphers
- an asymmetric encryption algorithm produces apparently random output
- hence it can be used to build a pseudorandom number generator (PRNG)
- much slower than symmetric algorithms
- hence only used to generate a short pseudorandom bit sequence (e.g. a key)

Notes: We noted in Chapter 7 that, because a symmetric block cipher produces an apparently random output, it can serve as the basis of a pseudorandom number generator (PRNG). Similarly, an asymmetric encryption algorithm produces apparently random output and can be used to build a PRNG. Because asymmetric algorithms are typically much slower than symmetric algorithms, asymmetric algorithms are not used to generate open-ended PRNG bit streams. Rather, the asymmetric approach is useful for creating a pseudorandom function (PRF) for generating a short pseudorandom bit sequence. In this section, we examine two PRNG designs based on pseudorandom functions.
Slide 34: PRNG based on RSA
- have the Micali-Schnorr PRNG using RSA
- in ANSI X9.82 and ISO 18031

Notes: For a sufficient key length, the RSA algorithm is considered secure and is a good candidate to form the basis of a PRNG. Such a PRNG, known as the Micali-Schnorr PRNG, is recommended in the ANSI standard X9.82 (Random Number Generation) and in the ISO standard (Random Bit Generation). The PRNG is illustrated in a figure in Stallings. This PRNG has much the same structure as the output feedback (OFB) mode used as a PRNG, but using RSA instead of a block cipher. We can define the PRNG as follows:
SETUP: select parameters per normal RSA key setup, with r + k = bit length of n.
SEED: select a random seed x of bit length the same as n.
GENERATE a pseudorandom sequence of length k × m using the loop:
  for i from 1 to m do the following:
    y_i = x_{i-1}^e mod n
    x_i = r most significant bits of y_i
    z_i = k least significant bits of y_i
OUTPUT: the output sequence is z_1 || z_2 || … || z_m.
The parameters n, r, e, and k are selected to satisfy the six conditions detailed in the text. There is clearly a tradeoff between r and k. Because RSA is computationally intensive, we would like to generate as many pseudorandom bits per iteration as possible, and therefore would like a large value of k. However, for cryptographic strength, we would like r to be as large as possible.
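The GENERATE loop above in working form, as an added example that is not code from the slides, the textbook or ANSI X9.82. The parameters n = 61·53 = 3233 (12 bits, so r + k = 12), e = 17, r = 8, k = 4 and seed 2023 are constructed so that the MSB/LSB split is visible; they do not satisfy the six conditions the notes refer to, and a real generator takes n, e, r and k from the standard.

```python
# Added example (not from the slides, the textbook or the standards): the
# Micali-Schnorr loop y = x^e mod n, x <- r MSBs of y, z <- k LSBs of y,
# on a toy RSA modulus. Parameters below are constructed, not standard values.


def micali_schnorr(n, e, r, k, seed, m):
    """Return z_1 || z_2 || ... || z_m as a string of k*m bits.

    Each iteration exponentiates the r-bit state x with the RSA public exponent;
    the r most significant bits of the result feed the next iteration (like OFB
    feedback), the k least significant bits are emitted. r + k must equal the
    bit length of n so that "most" and "least" significant bits partition y."""
    nbits = n.bit_length()
    if r + k != nbits:
        raise ValueError("r + k must equal the bit length of n")
    if not 0 < seed < n:
        raise ValueError("seed must be a positive integer below n")
    x, out = seed, []
    for _ in range(m):
        y = pow(x, e, n)
        ybits = format(y, "0%db" % nbits)   # fixed width, so the MSB/LSB split is defined
        x = int(ybits[:r], 2)               # feedback: the r most significant bits
        out.append(ybits[nbits - k:])       # output: the k least significant bits
    return "".join(out)


if __name__ == "__main__":
    # Constructed toy parameters: n = 61 * 53 = 3233 (12 bits), e = 17, r = 8, k = 4.
    print(micali_schnorr(3233, 17, 8, 4, 2023, 10))   # 40 pseudorandom bits
```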
35
PRNG based on ECC
dual elliptic curve PRNG
NIST SP 800-9, ANSI X9.82 and ISO 18031
some controversy on security / inefficiency
algorithm:
  for i = 1 to k do
    set s_i = x(s_{i-1} P)
    set r_i = lsb_240(x(s_i Q))
  end for
  return r_1, …, r_k
only use if you just have ECC

In this subsection, we briefly summarize a technique developed by the U.S. National Security Agency known as dual elliptic curve PRNG (DEC PRNG). This technique is recommended in NIST SP, the ANSI standard X9.82 and in the ISO standard. There has been some controversy regarding both the security and inefficiency of this algorithm compared to other alternatives. We can summarize the algorithm as follows: Let P and Q be two known points on a given elliptic curve. The seed of the DEC PRNG is a random integer s_0. Let x denote a function that gives the x-coordinate of a point of the curve. Let lsb_i(s) denote the i least significant bits of an integer s. The DEC PRNG transforms the seed into the pseudorandom sequence of length 240k, k > 0, as follows.

  for i = 1 to k do
    set s_i = x(s_{i-1} P)
    set r_i = lsb_240(x(s_i Q))
  end for
  return r_1, …, r_k

Given the security concerns expressed for this PRNG, the only motivation for its use would be that it is used in a system that already implements ECC but does not implement any other symmetric, asymmetric, or hash cryptographic algorithm that could be used to build a PRNG.
36
Roadmap
Diffie-Hellman key exchange
ElGamal cryptography
Elliptic Curve cryptography
Pseudorandom Number Generation (PRNG) based on Asymmetric Ciphers (RSA & ECC)
Attacks and Standards

Chapter 10 summary.
37
Attacks on Public Key Crypto
RSA – progress in factoring
Any – side channel attacks (timing, power)
Any – quantum computing – gimme qubits
  Key length for factoring (RSA)
  Twice key length for ECC
Limited plaintext attacks (any)
  Need to randomize
Other protocol attacks
38
Attacks on Public Key Crypto
Limited plaintext attacks (any)
  If only a few plaintexts are possible, encrypt all of them and look for a match!
  Require random “confounder” in plaintext
Cube-root attack (RSA) – when e = 3
  Message “small” – m^3 < n
  Then just take the cube root of c to get m!
  Require e > 3 or make m “big”
39
Public Key Standards
RSA Labs – de facto standards
  PKCS series (also for other crypto)
NIST – FIPS
IETF – numerous standards
ITU-T/PKX – X.509v3 certificates
ISO/IEC – certs, authentication protocols
Many others
40
PKCS Standards

Standard   Title                            Description
PKCS#1     RSA Cryptography                 Algorithms and encoding/padding schemes for performing RSA encryption, decryption, and producing and verifying signatures.
PKCS#3     Diffie–Hellman Key Agreement     Algorithms, encoding, and protocol for public secret sharing based on Diffie-Hellman.
PKCS#5     Password-based Encryption        Standard and secure way to derive a secret key from a text password.
PKCS#7     Cryptographic Message Syntax     Formats for signing or encrypting messages and for certificate distribution.
PKCS#8     Private-Key Information Syntax   Formats for carrying private certificate key pairs (encrypted or unencrypted).
PKCS#11    Cryptographic Token Interface    Generic interface to cryptographic tokens for single sign-on, public key encryption, disk
PKCS#12    Personal Information Exchange Syntax   File format to store private keys and public key certificates, protected by a symmetric key.
41
PKCS#1
Has subsumed PKCS#2 and #4
Defines syntax and coding for RSA signatures and RSA-encrypted data
Prevents many of the possible attacks:
  Forces m to be “big”
  Inserts “confounder”
  Makes it clear what the message is intended to be (at least at the cryptographic level) to avoid confusion
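The two weaknesses from the attacks slide (limited plaintext matching and the e = 3 cube-root case) next to the "big m plus confounder" padding this slide describes, as an added example that is not code from the slides or from PKCS#1 itself. The toy modulus n = 53 × 59, the 4-bit message space and the simple "1 || confounder || m" layout are all constructed assumptions; real PKCS#1 encodings use a byte-level format and a much larger modulus.

```python
import secrets

# Added example (not from the slides): textbook RSA with e = 3 on a constructed
# toy modulus, showing the slides' two weaknesses and the padding that fixes them.
P, Q = 53, 59                          # both 2 mod 3, so gcd(3, phi(n)) = 1
N = P * Q                              # 3127, a 12-bit modulus (toy size only)
E = 3
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
MSG_BITS = 4                           # plaintexts 0..15: "only a few are possible"
LEAD_BIT = N.bit_length() - 2          # fixed 1 bit keeps the padded value big but < N
CONF_BITS = LEAD_BIT - MSG_BITS        # random "confounder" bits in between

def icbrt(c):
    """Exact integer cube root by binary search, or None if c is not a cube."""
    lo, hi = 0, 1 << (c.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        lo, hi = (mid + 1, hi) if mid ** 3 < c else (lo, mid)
    return lo if lo ** 3 == c else None

def textbook_encrypt(m):
    """No padding: when m^3 < N the modular reduction never takes effect."""
    return pow(m, E, N)

def dictionary_match(c):
    """Limited-plaintext check from the slide: encrypt every candidate, compare."""
    return next((m for m in range(1 << MSG_BITS) if textbook_encrypt(m) == c), None)

def pad(m, confounder=None):
    """1 || confounder || m: the value is 'big' (>= 2^LEAD_BIT) and randomized."""
    if confounder is None:
        confounder = secrets.randbits(CONF_BITS)
    return (1 << LEAD_BIT) | (confounder << MSG_BITS) | m

def unpad(padded):
    """Recover the short message from the low MSG_BITS bits."""
    return padded & ((1 << MSG_BITS) - 1)

def padded_encrypt(m, confounder=None):
    """Padded value cubed wraps mod N, so icbrt() no longer recovers anything."""
    return pow(pad(m, confounder), E, N)

def decrypt(c):
    return pow(c, D, N)

if __name__ == "__main__":
    c = textbook_encrypt(7)
    print("textbook: cube root gives", icbrt(c), "dictionary gives", dictionary_match(c))
    c2 = padded_encrypt(7)
    print("padded: cube root gives", icbrt(c2), "decrypt+unpad gives", unpad(decrypt(c2)))
```

Because exponentiation by e is a permutation of the residues mod N, a padded value (at least 2^LEAD_BIT) can never collide with a textbook ciphertext of a small m, which is why the dictionary comparison also fails once the confounder is in place.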
42
Summary
have considered:
Diffie-Hellman key exchange
ElGamal cryptography
Elliptic Curve cryptography
Pseudorandom Number Generation (PRNG) based on Asymmetric Ciphers (RSA & ECC)
Attacks and Standards

Chapter 10 summary.