
Applications to Public Key Cryptography

Chapter in: Algebra for Cryptologists

Abstract

In this chapter we describe, at an elementary level, some of the applications of the Group Theory and Number Theory we have developed so far to Cryptology. We emphasise that these “textbook versions” of the applications do not do justice to the complexities that arise in practice, and warn the reader that implementing the mechanisms that we discuss in the form given here would lead to severe vulnerabilities of the schemes. The reader is encouraged to start by reading the paper on Why textbook ElGamal and RSA encryption are insecure.



Notes

  1. And if those sentences read like just another of those painful “Disclaimers” one finds everywhere, I apologise.

  2. Boneh, D., Joux, A. and Nguyen, P.: Why textbook ElGamal and RSA encryption are insecure, Proc. Asiacrypt 2000, LNCS 1976, Springer-Verlag.

  3. Diffie, W. and Hellman, M.E.: New Directions in Cryptography, IEEE Trans. on Information Theory 22 (1976), 644–654.

  4. I used the words “of course” in this sentence, but it is perhaps not all that obvious: the British cryptologists at GCHQ, who anticipated what later became the RSA scheme, but whose work was only declassified in 1997, seem to have missed this point.

  5. Rivest, R.L., Shamir, A. and Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM 21 (1978), 120–126. Prior to that, the system had already appeared in Martin Gardner’s “Mathematical Games” column in Scientific American, August 1977.

  6. For most a, anyway. Of course, there will be values of a for which there is no problem. D(1) = 1, for example!

  7. Bear in mind that we can only speak of computational security, since an attacker with “infinite” computing power can, of course, factor the modulus.

  8. Lenstra, A.K. et al.: Ron was wrong, Whit is right, IACR ePrint archive, https://eprint.iacr.org/2012/064.pdf.

  9. Wiener, M.: Cryptanalysis of short RSA secret exponents, IEEE Trans. Info. Th. 36 (1990), 553–558.

  10. The (Hamming) weight of an integer is just the number of 1s in its binary representation. The relevance of this is that in exponentiation of an integer, a squaring and a multiplication are required whenever a 1 appears in the exponent, whereas a 0 requires only a squaring. This is the same as exponentiation in a finite field, and we return to this matter in Sect. 6.4.4, where a complete explanation is more appropriate than here.

  11. Boneh, D.: Twenty years of attacks on the RSA cryptosystem, Notices of the Am. Math. Soc. 46 (1999), 203–213.

  12. Current (2015) recommendations from such bodies as eCrypt and the German Bundesamt für Sicherheit in der Informationstechnik are that the length of n should be at least 3072 bits. This kind of requirement needs updating regularly as factoring techniques improve and as the computing power of the adversary grows.

  13. Some kind of definition is required. A cryptographic hash function is a function defined on the set of binary strings (of all finite, but unbounded, lengths) whose output is a string of fixed length. The minimum cryptographic requirement is one-wayness: while it should be easy to compute Y = h(X) when given X, it should be computationally infeasible to find X when given Y. Moreover, for most purposes it is also necessary that it should be computationally infeasible to find two distinct strings \(X_1\) and \(X_2\) such that \(h(X_1) = h(X_2)\). This property is called collision resistance. From the definition it is clear that collisions must exist; it must merely be computationally infeasible to find them.

  14. Bellare, M. and Rogaway, P.: Optimal Asymmetric Encryption: How to encrypt with RSA. Extended abstract in Proc. Eurocrypt ’94, LNCS 950, Springer-Verlag, 1995.

  15. Or “signature verification exponent e′”, of course. Alice, and everyone else, needs at least two certificates.

  16. “If you ever hear anyone talk of the cyclic group of order n, beware!” (Carl Pomerance).

  17. Running ahead of our development: some attacks work better for prime fields (GF(p)) while others are better if the field is of characteristic 2 (GF(\(2^n\))).

  18. In the case of elliptic curves, discussed in Sect. 6.6, the group under consideration is a cyclic subgroup of an additively written Abelian group. So the notation changes, but the principle remains the same.

  19. Though we have used the word “protocol” before, it may by now need a bit of an explanation. Van Tilborg’s Encyclopedia of Cryptography and Security gives, in an article by Berry Schoenmakers, the following description:

    A cryptographic protocol is a distributed algorithm describing precisely the interaction of two or more entities to achieve certain security objectives. The entities interact with each other by exchanging messages over private and/or public communication channels.

  20. Sadly, things go wrong in their relationship: in Sect. 10.9.3 they are going through a divorce.

  21. But an expert would point out that the problem of finding \(g^{x_{A}x_{B}}\) when \(g^{x_{A}}\) and \(g^{x_{B}}\) are known is not the same as that of finding \(x_A\) or \(x_B\). See also some comments in Sect. 4.4.1.

  22. In the case we described, it looks more like a “woman-in-the-middle” attack. Let’s try to be serious about this!

  23. Or worse, as one developed “in-house” by one of their experts. Even if the “expert” has an international reputation.

  24. This was originally written before it became known, through Wikileaks, that the National Security Agency had succeeded in getting a weak pseudo-random generator approved by ISO/IEC and included in one of its standards. Which goes to show that in applied cryptology suffering from paranoia is a distinct advantage. We refer the reader to the article by Thomas C. Hales: The NSA back door to NIST, which appeared in the Notices of the American Mathematical Society (volume 61 (2014), pp. 190–192) for some of the history and the nature of this embarrassing episode. Also read the resulting correspondence in subsequent issues of the Notices.

  25. In a more theoretical approach, we should also have mentioned the Decisional Diffie–Hellman (DDH) assumption. This is the assumption that, for a given group, it is not possible to determine with a probability of success significantly better than 50 % which of two arbitrarily chosen triples \((g^a, g^b, g^{ab})\) and \((g^a, g^b, g^c)\) (with \(c \neq ab\)) is a Diffie–Hellman triple. It is currently not known whether DDH and CDH are equivalent assumptions in general.

  26. Failing to verify this first can be quite catastrophic.

    For suppose the adversary has a genuine message m with a valid signature \(\langle r, s\rangle\). He wishes to forge a signature on a message M of his own. He puts

    $$\displaystyle\begin{array}{rcl} & u = H(M) \cdot (H(m))^{-1}\ \mathrm{mod}\ (\,p - 1),& {}\\ & S = su\ \mathrm{mod}\ (\,p - 1) & {}\\ \end{array}$$

    and chooses (using the CRT) R such that \(R \equiv ru \pmod{p-1}\) and \(R \equiv r \pmod{p}\). Then, as is easily verified, \(y^{R}R^{S} = g^{H(m)\cdot u} = g^{H(M)}\), so \(\langle M, R, S\rangle\) will be accepted as genuine.

    It may also be useful to use \(H(m\,\|\,r)\) (where “\(\|\)” denotes concatenation) in place of simply H(m), as this makes it very hard for the adversary to find a suitable R.
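As an added example (not from the book), a toy ElGamal signature verifier with and without the range check \(0 < r < p\) that the footnote insists on; the footnote's construction is reproduced only to confirm that it is this check, and nothing else, that rejects the forged triple. The parameters p = 23, g = 5, the private key and the integer hash values are constructed, and Python 3.8+ is assumed for modular inverses via pow.

```python
# Added example: ElGamal signature verification with and without the range
# check 0 < r < p, on constructed toy parameters (p = 23, g = 5).
# Hash values are passed in as integers already reduced mod (p - 1); a real
# implementation would derive them from a cryptographic hash of the message.

def verify_unchecked(p, g, y, h, r, s):
    """Textbook congruence only: g^h == y^r * r^s (mod p). Omits 0 < r < p."""
    return pow(g, h, p) == (pow(y, r, p) * pow(r, s, p)) % p

def verify(p, g, y, h, r, s):
    """Correct verification: reject r outside (0, p) before the congruence."""
    if not (0 < r < p):
        return False
    return verify_unchecked(p, g, y, h, r, s)

def sign(p, g, x, h, k):
    """Sign hash value h with private key x and ephemeral k, gcd(k, p-1) = 1."""
    r = pow(g, k, p)
    s = (pow(k, -1, p - 1) * (h - x * r)) % (p - 1)
    return r, s

def forge_from_footnote(p, h_m, h_M, r, s):
    """The footnote's construction: from a valid (r, s) on h_m, build (R, S)
    satisfying the congruence for h_M. Needs gcd(h_m, p-1) = 1. R is fixed
    by the CRT with R = ru (mod p-1) and R = r (mod p), so R >= p whenever
    ru != r (mod p-1), and the range check rejects it."""
    u = (h_M * pow(h_m, -1, p - 1)) % (p - 1)
    S = (s * u) % (p - 1)
    # CRT for the coprime moduli p and p-1: R = r + p*t with R = ru (mod p-1)
    t = ((r * u - r) * pow(p, -1, p - 1)) % (p - 1)
    R = r + p * t
    return R, S

if __name__ == "__main__":
    p, g, x = 23, 5, 7          # constructed toy parameters
    y = pow(g, x, p)            # public key y = 17
    r, s = sign(p, g, x, 9, 3)  # genuine signature (10, 9) on hash value 9
    R, S = forge_from_footnote(p, 9, 15, r, s)  # (332, 15) for hash value 15
    print(verify(p, g, y, 9, r, s))              # True
    print(verify_unchecked(p, g, y, 15, R, S))   # True: the congruence holds
    print(verify(p, g, y, 15, R, S))             # False: R >= p is rejected
```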

  27. Strictly speaking, the Decisional D.–H. assumption, as in footnote 23 above. But it is not hard to see that if DDH holds, then so does CDH, and certainly DLP will be intractable.

  28. Boneh, D.: The Decision Diffie–Hellman Problem, Proceedings of the Third Algorithmic Number Theory Symposium, LNCS 1423, Springer-Verlag, pp. 48–63, 1998.


© 2016 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Meijer, A.R. (2016). Applications to Public Key Cryptography. In: Algebra for Cryptologists. Springer Undergraduate Texts in Mathematics and Technology. Springer, Cham. https://doi.org/10.1007/978-3-319-30396-3_4
