
IT2352 CRYPTOGRAPHY AND NETWORK SECURITY

UNIT III

3.1 Discrete Logarithms

In the RSA algorithm, we saw how the difficulty of factoring yields useful cryptosystems. There is
another number theory problem, namely discrete logarithms, that has similar applications. Fix a prime
p. Let α and β be nonzero integers mod p and suppose
β ≡ α^x (mod p).
The problem of finding x is called the discrete logarithm problem. If n is the smallest positive integer
such that α^n ≡ 1 (mod p), we may assume 0 < x < n, and then we denote
x = L_α(β)
and call it the discrete log of β with respect to α (the prime p is omitted from the notation).
For example, let p = 11 and let α = 2. Since 2^6 ≡ 9 (mod 11), we have L_2(9) = 6. Of course, 2^6 ≡ 2^16 ≡
2^26 ≡ 9 (mod 11), so we could consider taking any one of 6, 16, 26 as the discrete logarithm. But we fix
the value by taking the smallest nonnegative value, namely 6. Note that we could have defined the
discrete logarithm in this case to be the congruence class 6 mod 10. In some ways this would be more
natural, but there are applications where it is convenient to have a number, not just a congruence
class.

3.2 Computing discrete logs


For simplicity, take α to be a primitive root mod p, so p - 1 is the smallest positive exponent n such
that α^n ≡ 1 (mod p). This implies that

Assume that
β ≡ α^x (mod p), 0 < x < p - 1.
We want to find x.
First, it's easy to determine x (mod 2). Note that

so α^((p-1)/2) ≡ ±1 (mod p). However, p - 1 is assumed to be the smallest exponent to yield +1, so we must
have
α^((p-1)/2) ≡ -1 (mod p).
Prepared by P.Vasantha Kumari 51
Starting with β ≡ α^x (mod p), raise both sides to the (p-1)/2 power to obtain

Therefore, if β^((p-1)/2) ≡ +1 (mod p), then x is even; otherwise, x is odd.

(i) The Pohlig-Hellman Algorithm


The preceding idea was extended by Pohlig and Hellman to give an algorithm to compute discrete logs
when p - 1 has only small prime factors. Suppose

is the factorization of p - 1 into primes. Let q^r be one of the factors. We'll compute L_α(β) (mod q^r). If
this can be done for each q_i^(r_i), the answers can be recombined using the Chinese remainder theorem to
find the discrete logarithm. Write

We'll determine the coefficients x_0, x_1, ..., x_(r-1) successively, and thus obtain x mod q^r. Note that

where n is an integer. Starting with β ≡ α^x, raise both sides to the (p-1)/q power to obtain

The last congruence is a consequence of Fermat's theorem: α^(p-1) ≡ 1 (mod p). To find x_0, simply look at
the powers
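
The following Python program is an added worked example; it is not part of these notes. It implements the parity test of 3.2 (β^((p-1)/2) decides x mod 2) and the Pohlig-Hellman computation of x mod q^r digit by digit, recombines the residues with the Chinese remainder theorem, and checks the answer against exhaustive search. The notes' case p = 11, α = 2, β = 9 is included; p = 8101, α = 6, β = 7531 is a constructed larger input with a smooth p - 1 = 2^2 · 3^4 · 5^2.

```python
# Added example (not from the lecture notes): parity test and Pohlig-Hellman.

def factor_trial(n):
    """Factor n by trial division into {prime: exponent}; n is small here."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def parity_of_log(alpha, beta, p):
    """x mod 2 for beta = alpha^x (mod p), alpha a primitive root:
    beta^((p-1)/2) is +1 when x is even and -1 when x is odd."""
    return 0 if pow(beta, (p - 1) // 2, p) == 1 else 1

def log_mod_prime_power(alpha, beta, p, q, r):
    """x mod q^r, one digit at a time: x = x_0 + x_1*q + ... + x_(r-1)*q^(r-1)."""
    gamma = pow(alpha, (p - 1) // q, p)          # an element of order q
    x = 0
    for j in range(r):
        # strip off the digits already known, then raise to (p-1)/q^(j+1)
        h = pow(beta * pow(alpha, -x, p) % p, (p - 1) // q ** (j + 1), p)
        # the digit is the d in 0..q-1 with gamma^d == h; q is small, so search
        digit = next(d for d in range(q) if pow(gamma, d, p) == h)
        x += digit * q ** j
    return x

def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    x, m = 0, 1
    for r, n in zip(residues, moduli):
        t = ((r - x) * pow(m, -1, n)) % n
        x, m = x + m * t, m * n
    return x % m

def pohlig_hellman(alpha, beta, p):
    """L_alpha(beta) mod p when p - 1 has only small prime factors."""
    residues, moduli = [], []
    for q, r in factor_trial(p - 1).items():
        residues.append(log_mod_prime_power(alpha, beta, p, q, r))
        moduli.append(q ** r)
    return crt(residues, moduli)

def brute_force_log(alpha, beta, p):
    """Exhaustive search, used only to check the result on small p."""
    return next(x for x in range(p - 1) if pow(alpha, x, p) == beta)

if __name__ == "__main__":
    print(parity_of_log(2, 9, 11), pohlig_hellman(2, 9, 11))     # 0 6
    x = pohlig_hellman(6, 7531, 8101)                              # constructed case
    print(x, pow(6, x, 8101) == 7531)
```

The digit search inside `log_mod_prime_power` costs at most q steps per digit, which is exactly why the algorithm is only useful when every prime factor q of p - 1 is small; a prime p with a large prime factor in p - 1 defeats it.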

(ii) Baby Step, Giant Step

(iii) The Index Calculus


The idea is similar to the quadratic sieve method of factoring. Again, we are trying to solve β ≡ α^x
(mod p), where p is a large prime and α is a primitive root. First, there is a precomputation step. Let B
be a bound and let p_1, p_2, ..., p_m be the primes less than B. This set of primes is called our factor base.
Compute α^k (mod p) for several values of k. For each such number, try to write it as a product of the
primes less than B. If this is not the case, discard α^k. However,

Example. Let p = 131 and α = 2. Let B = 10, so we are working with the primes 2, 3, 5, 7. A calculation
yields the following:

The second congruence yields L_2(5) ≡ 46 (mod 130). Substituting this into the third congruence yields
L_2(7) ≡ -34 ≡ 96 (mod 130). The fourth congruence only yields the value of L_2(3) (mod 65), since
gcd(2, 130) ≠ 1. This gives two choices for L_2(3) (mod 130). Of course, we could try them and see which
works. Or we could use the fifth congruence to obtain L_2(3) ≡ 72 (mod 130). This finishes the
precomputation step. Suppose now that we want to find L_2(37). Trying a few randomly chosen exponents
yields 37 · 2^43 ≡ 3 · 5 · 7 (mod 131), so
L_2(37) ≡ -43 + L_2(3) + L_2(5) + L_2(7) ≡ 41 (mod 130). Therefore, L_2(37) = 41. Of course, once
the precomputation has been done, it can be reused for computing several discrete logs for the same
prime p.
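
The Python program below is an added example, not part of the notes, that works through the p = 131, α = 2, B = 10 computation above. The factor-base logarithms L_2(2), L_2(3), L_2(5), L_2(7) are taken from the notes' precomputation and verified by exponentiation rather than solved by linear algebra; the program does implement the relation collection (finding smooth powers α^k) and the second phase, in which an exponent s with β · α^s smooth yields L_α(β).

```python
# Added example (not from the notes): index calculus for p = 131, alpha = 2.
P, ALPHA = 131, 2
FACTOR_BASE = [2, 3, 5, 7]          # primes below B = 10

# Factor-base logs as obtained in the notes' precomputation (taken from the
# page and checked below, not solved here by Gaussian elimination mod 130).
BASE_LOGS = {2: 1, 3: 72, 5: 46, 7: 96}

def factor_over_base(n, base):
    """Write n as a product of factor-base primes. Return the exponent
    vector {prime: exponent}, or None if n has a prime factor outside the base."""
    exps = {}
    for q in base:
        while n % q == 0:
            exps[q] = exps.get(q, 0) + 1
            n //= q
    return exps if n == 1 else None

def collect_relations(alpha, p, base, k_max):
    """Precomputation: every smooth alpha^k gives the congruence
    k = sum e_i * L(p_i) (mod p-1) between the unknown factor-base logs."""
    relations = []
    for k in range(1, k_max + 1):
        exps = factor_over_base(pow(alpha, k, p), base)
        if exps is not None:
            relations.append((k, exps))
    return relations

def relation_holds(relation, logs, p):
    """Check one congruence k = sum e_i * L(p_i) (mod p-1) against known logs."""
    k, exps = relation
    return sum(e * logs[q] for q, e in exps.items()) % (p - 1) == k % (p - 1)

def index_calculus_log(beta, alpha, p, base, logs):
    """Second phase: find s with beta * alpha^s (mod p) smooth; then
    L(beta) = sum e_i * L(p_i) - s (mod p-1). Returns (log, s used)."""
    for s in range(p - 1):
        exps = factor_over_base(beta * pow(alpha, s, p) % p, base)
        if exps is not None:
            return (sum(e * logs[q] for q, e in exps.items()) - s) % (p - 1), s
    raise ValueError("no smooth relation found")

if __name__ == "__main__":
    for k, exps in collect_relations(ALPHA, P, FACTOR_BASE, 20):
        print(f"2^{k} = " + " * ".join(f"{q}^{e}" for q, e in exps.items()) + " (mod 131)")
    print(index_calculus_log(37, ALPHA, P, FACTOR_BASE, BASE_LOGS))   # (41, s)
```

The search for s in the second phase may stop at a smaller exponent than the 43 used in the notes; any smooth β · α^s gives the same L_2(37) because the logarithm mod 130 is unique.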

3.3 Diffie-Hellman key exchange

A simple public-key algorithm is Diffie-Hellman key exchange. This protocol enables two users to
establish a secret key using a public-key scheme based on discrete logarithms. The protocol is secure
only if the authenticity of the two participants can be established. Figure shows a simple protocol that
makes use of the Diffie-Hellman calculation. Suppose that user A wishes to set up a connection with
user B and use a secret key to encrypt messages on that connection. User A can generate a one-time
private key , calculate , and send that to user B. User B responds by generating a private value ,
calculating , and sending to user A. Both users can now calculate the key. The necessary public values
and would need to be known ahead of time. Alternatively, user A could pick values for and and include
those in the first message.

Key Exchange Protocols

Man-in-the-Middle Attack
The protocol depicted in Figure is insecure against a man-in-the-middle attack. Suppose Alice and Bob
wish to exchange keys, and Darth is the adversary. The attack proceeds as follows.

At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth share secret
key and Alice and Darth share secret key . All future communication between Bob and Alice is
compromised in the following way.
1. Alice sends an encrypted message .
2. Darth intercepts the encrypted message and decrypts it to recover .
3. Darth sends Bob , where is any message. In the first case, Darth simply wants to eavesdrop on the
communication without altering it. In the second case, Darth wants to modify the message going to
Bob. The key exchange protocol is vulnerable to such an attack because it does not authenticate the
participants.
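
As an added illustration (not code from the notes), the Python program below runs the Diffie-Hellman calculation honestly and then replays the man-in-the-middle exchange above, in which Darth substitutes his own public values in both directions. The group p = 23, g = 5 and all private exponents are constructed for the example and are far too small for real use; the point is that, with no authentication of the public values, Alice and Bob each end up sharing a key with Darth and never notice.

```python
# Added example (not part of the notes): Diffie-Hellman and the MITM exchange.
P, G = 23, 5     # constructed toy group: prime p and primitive root g

def public_value(private, p=P, g=G):
    """Y = g^X mod p, the value a party sends over the channel."""
    return pow(g, private, p)

def shared_key(private, other_public, p=P):
    """K = Y_other^X mod p."""
    return pow(other_public, private, p)

def honest_exchange(x_alice, x_bob):
    """Both sides see the genuine public values and derive the same key."""
    ya, yb = public_value(x_alice), public_value(x_bob)
    return shared_key(x_alice, yb), shared_key(x_bob, ya)

def mitm_exchange(x_alice, x_bob, x_darth1, x_darth2):
    """Darth intercepts Y_A and forwards Y_D1 to Bob, intercepts Y_B and
    forwards Y_D2 to Alice. Returns (Alice's key, Bob's key,
    Darth's key with Alice, Darth's key with Bob)."""
    ya, yb = public_value(x_alice), public_value(x_bob)
    yd1, yd2 = public_value(x_darth1), public_value(x_darth2)
    k_alice = shared_key(x_alice, yd2)          # Alice received Y_D2, not Y_B
    k_bob = shared_key(x_bob, yd1)              # Bob received Y_D1, not Y_A
    k_darth_alice = shared_key(x_darth2, ya)    # Darth: K2 = Y_A^X_D2
    k_darth_bob = shared_key(x_darth1, yb)      # Darth: K1 = Y_B^X_D1
    return k_alice, k_bob, k_darth_alice, k_darth_bob

if __name__ == "__main__":
    print(honest_exchange(6, 15))            # (2, 2): one key for both
    print(mitm_exchange(6, 15, 7, 3))        # (6, 15, 6, 15): two keys, both Darth's
```

Nothing in the arithmetic distinguishes the two runs from Alice's or Bob's point of view, which is why deployed protocols sign or otherwise authenticate the exchanged public values (for example with certificates) before the derived key is trusted.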

3.4 ElGamal Public key cryptosystems


The ElGamal cryptosystem is used in some form in a number of standards, including the digital
signature standard (DSS), which is covered in Chapter 13, and the S/MIME e-mail standard.

Alice generates a public/private key pair; Bob encrypts using Alice’s public key; and Alice decrypts
using her private key. Let us demonstrate why the ElGamal scheme works. First, we show how is
recovered by the decryption process:

Thus, functions as a one-time key, used to encrypt and decrypt the message. For example, let us start
with the prime field GF(19); that is, q = 19. It has primitive roots {2, 3, 10, 13, 14, 15}, as shown in Table.
We choose . Alice generates a key pair as follows:

If a message must be broken up into blocks and sent as a sequence of encrypted blocks, a unique value
of should be used for each block. If is used for more than one block, knowledge of one block m1 of the
message enables the user to compute other blocks as follows. Let
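
The Python program below is an added example, not the notes' own code. It runs ElGamal over GF(19) with the primitive root α = 10 from the list above, and then shows the failure mode just described: when the same k is reused for two blocks, the one-time key K is the same for both, so anyone who knows the first plaintext block recovers the second from the two ciphertexts alone. The private key X_A = 5, the value k = 6 and the message blocks are constructed for the illustration.

```python
# Added example (not from the notes): ElGamal over GF(19), alpha = 10.
Q, ALPHA = 19, 10

def keygen(x_private, q=Q, alpha=ALPHA):
    """Alice: choose X_A (here a constructed 5); publish Y_A = alpha^X_A mod q."""
    return pow(alpha, x_private, q)

def encrypt(m, y_public, k, q=Q, alpha=ALPHA):
    """Bob: C1 = alpha^k, one-time key K = Y_A^k, C2 = K * M mod q (1 <= M < q)."""
    c1 = pow(alpha, k, q)
    one_time_key = pow(y_public, k, q)
    return c1, (one_time_key * m) % q

def decrypt(c1, c2, x_private, q=Q):
    """Alice: recover K = C1^X_A, then M = C2 * K^-1 mod q."""
    one_time_key = pow(c1, x_private, q)
    return (c2 * pow(one_time_key, -1, q)) % q

def recover_second_block(m1, c2_first, c2_second, q=Q):
    """Why k must be unique per block: with the same k both blocks share K,
    so C2 / C2' = M1 / M2 and M2 = M1 * C2' * C2^-1 mod q needs no private key."""
    return (m1 * c2_second * pow(c2_first, -1, q)) % q

if __name__ == "__main__":
    y_a = keygen(5)                     # Y_A = 3
    c1, c2 = encrypt(17, y_a, 6)        # (11, 5)
    print(y_a, (c1, c2), decrypt(c1, c2, 5))
    _, c2_again = encrypt(4, y_a, 6)    # second block 4 encrypted with the same k
    print(recover_second_block(17, c2, c2_again))   # 4, without X_A
```

The `pow(x, -1, q)` calls compute modular inverses, which exist because q is prime and the values are nonzero.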

3.5 Hash functions


• A hash function maps a variable-length message into a fixed-length hash value, or message
digest.
• Virtually all cryptographic hash functions involve the iterative use of a compression function.
• The compression function used in secure hash algorithms falls into one of two categories: a
function specifically designed for the hash function or an algorithm based on a symmetric block
cipher.
A hash function H accepts a variable-length block of data as input and produces a fixed-size
hash value. A "good" hash function has the property that the results of applying the function to a large
set of inputs will produce outputs that are evenly distributed and apparently random. In general
terms, the principal object of a hash function is data integrity. A change to any bit or bits in the input results, with
high probability, in a change to the hash code.
A cryptographic hash function is an algorithm for which it is computationally infeasible
(because no attack is significantly more efficient than brute force) to find either (a) a data object that
maps to a pre-specified hash result (the one-way property) or (b) two data objects that map to the
same hash result (the collision-free property). Because of these characteristics, hash functions are
often used to determine whether or not data has changed.
Figure depicts the general operation of a cryptographic hash function. Typically, the input is
padded out to an integer multiple of some fixed length (e.g., 1024 bits), and the padding includes the
value of the length of the original message in bits. The length field is a security measure to increase the
difficulty for an attacker to produce an alternative message with the same hash value.

3.5.1. Applications of Cryptographic Hash Functions

3.5.1.1 Message Authentication

Message authentication is a mechanism or service used to verify the integrity of a message. Message
authentication assures that data received are exactly as sent (i.e., contain no modification, insertion,
deletion, or replay). In many cases, there is a requirement that the authentication mechanism assures
that the purported identity of the sender is valid. When a hash function is used to provide message
authentication, the hash function value is often referred to as a message digest. Figure illustrates a
variety of ways in which a hash code can be used to provide message authentication, as follows.

a. The message plus concatenated hash code is encrypted using symmetric encryption. Because only A
and B share the secret key, the message must have come from A and has not been altered. The hash
code provides the structure or redundancy required to achieve authentication. Because encryption is
applied to the entire message plus hash code, confidentiality is also provided.
b. Only the hash code is encrypted, using symmetric encryption. This reduces the processing burden
for those applications that do not require confidentiality.
c. It is possible to use a hash function but no encryption for message authentication. The technique
assumes that the two communicating parties share a common secret value S. A computes the hash
value over the concatenation of M and S and appends the resulting hash value to . Because B possesses ,
it can recompute the hash value to verify. Because the secret value itself is not sent, an opponent
cannot modify an intercepted message and cannot generate a false message.
d. Confidentiality can be added to the approach of method (c) by encrypting the entire message plus
the hash code. When confidentiality is not required, method (b) has an advantage over methods (a)
and (d), which encrypt the entire message, in that less computation is required.
• Encryption hardware costs are not negligible. Low-cost chip implementations of DES are available,
but the cost adds up if all nodes in a network must have this capability.
• Encryption hardware is optimized toward large data sizes. For small blocks of data, a high
proportion of the time is spent in initialization/invocation overhead.
• Encryption algorithms may be covered by patents, and there is a cost associated with licensing their
use.
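
The following Python program is an added example of method (c), not code from the notes: A appends H(M || S) to M, B recomputes it with the secret S it holds, and an opponent who lacks S cannot produce a valid value for a modified message. The message and the shared secret are constructed sample values.

```python
# Added example (not from the notes): message authentication with a hash and
# a shared secret S, no encryption (method (c) above).
import hashlib
import hmac

SHARED_SECRET = b"constructed-shared-secret-S"     # known only to A and B

def make_tag(message: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    """A's side: the hash over the concatenation of M and S, sent along with M."""
    return hashlib.sha256(message + secret).digest()

def verify_tag(message: bytes, tag: bytes, secret: bytes = SHARED_SECRET) -> bool:
    """B's side: recompute the hash from M and its own copy of S, and compare
    in constant time so the comparison leaks nothing about the expected tag."""
    return hmac.compare_digest(make_tag(message, secret), tag)

def tag_without_secret(message: bytes) -> bytes:
    """What an opponent without S can compute for a modified message: a plain
    hash of M, which B rejects because S was not part of the input."""
    return hashlib.sha256(message).digest()

def hmac_tag(message: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    """The keyed construction used in practice for the same job (HMAC)."""
    return hmac.new(secret, message, hashlib.sha256).digest()

if __name__ == "__main__":
    m = b"transfer 100 to account 42"                 # constructed message
    tag = make_tag(m)
    print(verify_tag(m, tag))                           # True
    altered = b"transfer 900 to account 42"
    print(verify_tag(altered, tag))                     # False: message changed
    print(verify_tag(altered, tag_without_secret(altered)))   # False: no S
```

One caveat a practitioner should know: with an iterated hash such as SHA-256, the plain H(M || S) form is the secure orientation only because S is appended; the variant H(S || M) is subject to length-extension, which is one reason HMAC (the `hmac_tag` function) is the standard choice.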
3.5.1.2. Digital Signatures

Another important application, which is similar to the message authentication application, is
the digital signature. The operation of the digital signature is similar to that of the MAC. In the case of
the digital signature, the hash value of a message is encrypted with a user's private key. Anyone who
knows the user's public key can verify the integrity of the message that is associated with the digital
signature. In this case, an attacker who wishes to alter the message would need to know the user's
private key.

Figure illustrates, in a simplified fashion, how a hash code is used to provide a digital signature.
a. The hash code is encrypted, using public-key encryption with the sender's private key. As with
Figure b, this provides authentication. It also provides a digital signature, because only the sender
could have produced the encrypted hash code. In fact, this is the essence of the digital signature
technique.
b. If confidentiality as well as a digital signature is desired, then the message plus the private-key-
encrypted hash code can be encrypted using a symmetric secret key. This is a common technique.
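
The Python program below is an added example of case (a), not code from the notes: the hash of the message is "encrypted" with the sender's RSA private key and anyone holding the public key checks it. It uses textbook RSA with the small constructed primes 10007 and 10009, and reduces the SHA-256 digest modulo n so that it fits the toy modulus; a real signature scheme uses a modulus of thousands of bits and a padding standard instead of that reduction.

```python
# Added example (not from the notes): hash-then-sign with toy textbook RSA.
import hashlib

def rsa_keygen(p, q, e=65537):
    """Return (public key, private key) for the constructed primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def message_hash(message: bytes, n: int) -> int:
    """SHA-256 of the message as an integer, reduced mod n (toy-sized n only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    """Sender: signature = hash^d mod n, i.e. the hash encrypted with the private key."""
    n, d = private_key
    return pow(message_hash(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver: recover the hash with the public key and compare with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == message_hash(message, n)

PUBLIC_KEY, PRIVATE_KEY = rsa_keygen(10007, 10009)   # constructed toy key pair

if __name__ == "__main__":
    m = b"transfer 100 to account 42"                 # constructed message
    s = sign(m, PRIVATE_KEY)
    print(verify(m, s, PUBLIC_KEY))                   # True
    print(verify(b"transfer 900 to account 42", s, PUBLIC_KEY))   # False
```

Because only the private exponent d produces a value whose e-th power equals the message hash, a valid signature shows both who signed and that the message is unchanged, which is the point made in (a).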

3.6 Secure Hash Algorithms


The most widely used hash function has been the Secure Hash Algorithm (SHA).

SHA-512 Logic

The algorithm takes as input a message with a maximum length of less than bits and produces as
output a 512-bit message digest. The input is processed in 1024-bit blocks. Figure depicts the overall
processing of a message to produce a digest. This follows the general structure depicted in Figure. The
processing consists of the following steps.
Step 1 Append padding bits. The message is padded so that its length is congruent to 896 modulo
1024. Padding is always added, even if the message is already of the desired length. Thus, the number
of padding bits is in the range of 1 to 1024. The padding consists of a single 1 bit followed by the
necessary number of 0 bits.
Step 2 Append length. A block of 128 bits is appended to the message. This block is treated as an
unsigned 128-bit integer (most significant byte first) and contains the length of the original message
(before the padding). The outcome of the first two steps yields a message that is an integer multiple of
1024 bits in length. In Figure, the expanded message is represented as the sequence of 1024-bit
blocks, so that the total length of the expanded message is .
Step 3 Initialize hash buffer. A 512-bit buffer is used to hold intermediate and final results of the
hash function. The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).These
registers are initialized to the following 64-bit
integers (hexadecimal values):
a = 6A09E667F3BCC908 e = 510E527FADE682D1
b = BB67AE8584CAA73B f = 9B05688C2B3E6C1F
c = 3C6EF372FE94F82B g = 1F83D9ABFB41BD6B
d = A54FF53A5F1D36F1 h = 5BE0CD19137E2179

These values are stored in big-endian format, which is the most significant byte of a word in the low-
address (leftmost) byte position. These words were obtained by taking the first sixty-four bits of the
fractional parts of the square roots of the first eight prime numbers.

Step 4 Process message in 1024-bit (128-word) blocks. The heart of the algorithm is a module that
consists of 80 rounds; this module is labeled F. Each round takes as input the 512-bit buffer value,
abcdefgh, and updates the contents of the buffer. At input to the first round, the buffer has the value of
the intermediate hash value, . Each round makes use of a 64-bit value , derived from the current 1024-
bit block being processed. These values are derived using a message schedule described subsequently.
Each round also makes use of an additive constant , where indicates one of the 80 rounds. These words
represent the first 64 bits of the fractional parts of the cube roots of the first 80 prime numbers. The
constants provide a "randomized" set of 64-bit patterns, which should eliminate any regularities in the
input data. The output of the eightieth round is added to the input to the first round (H_(i-1)) to produce
H_i. The addition is done independently for each of the eight words in the buffer with each of the
corresponding words in , using addition modulo .
Step 5 Output. After all 1024-bit blocks have been processed, the output from the stage is the 512-bit
message digest. We can summarize the behavior of SHA-512 as follows:
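
The Python program below is an added example, not part of the notes, covering Steps 1 to 3 concretely: it builds the SHA-512 padding (a 1 bit, 0 bits up to 896 mod 1024, then the 128-bit big-endian length) and derives the eight initial buffer values exactly as described, as the first 64 bits of the fractional parts of the square roots of the first eight primes, so the table of hexadecimal constants above can be checked rather than taken on trust. Computing the 80 round constants from cube roots and the round function itself are left out here.

```python
# Added example (not from the notes): SHA-512 padding and initial hash values.
from math import isqrt

BLOCK_BYTES = 128          # 1024-bit blocks
LENGTH_FIELD_BYTES = 16    # 128-bit length appended in Step 2

def sha512_pad(message: bytes) -> bytes:
    """Steps 1 and 2: append 0x80 (the single 1 bit), then 0x00 bytes until the
    length is 896 mod 1024 bits, then the original bit length, big-endian, in
    128 bits. Padding is added even when the message already has that length."""
    bit_length = 8 * len(message)
    padded = message + b"\x80"
    padded += b"\x00" * ((BLOCK_BYTES - LENGTH_FIELD_BYTES - len(padded) % BLOCK_BYTES) % BLOCK_BYTES)
    return padded + bit_length.to_bytes(LENGTH_FIELD_BYTES, "big")

def block_count(message: bytes) -> int:
    """Number N of 1024-bit blocks in the expanded message."""
    return len(sha512_pad(message)) // BLOCK_BYTES

FIRST_EIGHT_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19]

def sha512_initial_values():
    """Step 3: floor(sqrt(p) * 2^64) mod 2^64 for each prime p, i.e. the first
    64 bits of the fractional part of sqrt(p), computed exactly with isqrt on
    p * 2^128 so no floating-point rounding is involved."""
    return [isqrt(p << 128) & (2**64 - 1) for p in FIRST_EIGHT_PRIMES]

if __name__ == "__main__":
    for name, value in zip("abcdefgh", sha512_initial_values()):
        print(f"{name} = {value:016X}")      # a = 6A09E667F3BCC908, ...
    padded = sha512_pad(b"abc")
    print(len(padded), padded[3], int.from_bytes(padded[-16:], "big"))   # 128 128 24
```

The edge case from Step 1 shows up in `block_count`: a message of exactly 896 bits (112 bytes) still receives the 1 bit and therefore spills into a second block, giving 256 padded bytes rather than 128.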

SHA-512 Round Function


Let us look in more detail at the logic in each of the 80 steps of the processing of one 512-bit block
(Figure 11.10). Each round is defined by the following set of equations:

3.7 Birthday attacks
A birthday attack is a name used to refer to a class of brute-force attacks. It gets its name from the
surprising result that the probability that two or more people in a group of 23 share the same birthday
is greater than 1/2; such a result is called a birthday paradox. If some function, when supplied with a
random input, returns one of k equally likely values, then by repeatedly evaluating the function for
different inputs, we expect to obtain the same output after about 1.2·k^(1/2) evaluations. For the above birthday
paradox, replace k with 365. Birthday attacks are often used to find collisions of hash functions. Let
the set of variations on the correct form of the contract be denoted {c_1, c_2, ..., c_k} and the set of
variations on the fraudulent contract by {f_1, f_2, ..., f_k}.

We need to figure out the probability that there exists at least one pair (c_i, f_j) so that h(c_i) = h(f_j). If we
assume (a very questionable assumption indeed) that all the fraudulent contracts are truly random
vis-a-vis the correct versions of the contract, then the probability of f_1's hash code being any one of N
permissible values is 1/N. Therefore, the probability that the hash code h(c_1) matches the hash code
h(f_1) is 1/N. Hence the probability that the hash code h(c_1) does not match the hash code h(f_1) is
1 - (1/N). Extending the above reasoning to joint events, the probability that h(c_1) does not match
h(f_1) and h(f_2) and ..., h(f_k) is

The probability that the same holds conjunctively for all members of the set {c_1, c_2, ..., c_k} would
therefore be

This is the probability that there will NOT exist any hash code matches between the two sets of
contracts {c_1, c_2, ..., c_k} and {f_1, f_2, ..., f_k}. Therefore the probability that there will exist at least one
match in hash code values between the set of correct contracts and the set of fraudulent contracts is
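
The Python program below is an added example, not part of the notes. It evaluates the three quantities the section reasons about: the birthday-paradox probability for a group of n people, the 1.2·k^(1/2) estimate of evaluations needed before a repeat, and the two-set match probability 1 - (1 - 1/N)^(k·k) derived above. It then demonstrates the effect by searching for a collision in a hash deliberately truncated to 24 bits (N = 2^24), where a repeat is expected after only a few thousand evaluations; the inputs are constructed counter strings.

```python
# Added example (not from the notes): birthday probabilities and a collision
# search on a hash truncated to a small number of bits.
import hashlib
import math

def birthday_probability(n, k=365):
    """P(at least two of n independent draws from k equally likely values agree)."""
    p_no_match = 1.0
    for i in range(n):
        p_no_match *= (k - i) / k
    return 1 - p_no_match

def expected_trials_for_collision(k):
    """Estimate from the notes: about 1.2 * sqrt(k) evaluations before a repeat."""
    return 1.2 * math.sqrt(k)

def two_set_match_probability(N, k):
    """1 - (1 - 1/N)^(k*k): some h(c_i) equals some h(f_j), assuming the
    fraudulent hashes are independent and uniform. log1p keeps the tiny 1/N exact."""
    return 1 - math.exp(k * k * math.log1p(-1.0 / N))

def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 output cut down to its first `bits` bits, so N = 2^bits."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def find_collision(bits=24, prefix=b"msg-"):
    """Evaluate the truncated hash on distinct constructed inputs until two
    agree. Returns (first input, second input, evaluations used)."""
    seen = {}
    for i in range(1 << bits):
        data = prefix + str(i).encode()
        h = truncated_hash(data, bits)
        if h in seen:
            return seen[h], data, i + 1
        seen[h] = data
    return None

if __name__ == "__main__":
    print(round(birthday_probability(23), 3))                 # about 0.507
    print(round(expected_trials_for_collision(2**24)))         # about 4915
    print(round(two_set_match_probability(2**32, 2**16), 3))   # about 0.632
    m1, m2, trials = find_collision(24)
    print(m1, m2, trials, hex(truncated_hash(m1, 24)))
```

The same search against the full 256-bit output would need on the order of 2^128 evaluations, which is the reason hash outputs are sized at twice the intended security level against collision attacks.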

3.8 MD5
The algorithm accepts an input message of arbitrary length and produces a 128-bit "message digest".
Figure depicts the way the input message is turned into a 128-bit message digest. The actual
processing of the MD5 algorithm consists of the following 5 steps:
Step 1: Append padding bits

During this step, the message is extended or padded in such a way that its total length in bits is
congruent to 448 modulo 512. This operation is always performed even if the message's length in bits is
originally congruent to 448 modulo 512. We notice that 448 + 64 = 512, so the message is padded such
that its length is now 64 bits less than an integer multiple of 512. Padding is done by appending to the
message a single 1 bit followed by the necessary number of 0 bits so that the length in bits of the
padded message becomes congruent to 448 modulo 512.

Step 2: Append length

A 64-bit representation of the length in bits of the original message M (before the padding bits were
added) is appended to the result of step 1. The result of steps 1 and 2 is a message with a length in
bits that is an integer multiple of 512 bits. Consequently, the result has a length that is also a multiple
of sixteen 32-bit words.

Step 3: Initialize MD buffer

A 128-bit buffer (A, B, C, D) is used to hold the intermediate and final results of the MD5 hash algorithm. These
registers are initialized to the following 32-bit values in hexadecimal:
A = 67 45 23 01
B = ef cd ab 89
C = 98 ba dc fe
D = 10 32 54 76

These values are stored in little-endian format, meaning that the low-order byte of a word is placed
in the low-address byte position. The initialization values then appear as follows:
word A = 01 23 45 67
word B = 89 ab cd ef
word C = fe dc ba 98
word D = 76 54 32 10
These four variables (they are indeed variables since they change value) are copied into different
variables: A is saved as AA, B as BB, C as CC and D is saved as DD.
Step 4: Define four auxiliary functions and process message

This step consists of sixty-four (64) steps divided into four (4) rounds of processing. The four rounds
are almost identical, with the main difference being that each round uses a different primitive logical
function, denoted by F, G, H, and I in the specification. Let us first define the four functions.

Step 5: Output
The output from the very last round is the 128-bit hash result or message digest we obtain after we
have incrementally processed all t 512-bit blocks of the message.
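
The Python program below is an added example, not code from the notes: a complete MD5 built from the five steps above and checked against the standard library. It shows the padding and little-endian length of Steps 1 and 2, the buffer initialization and byte order of Step 3 (the `buffer_bytes` function reproduces the "01 23 45 67 ..." layout), the four auxiliary functions F, G, H, I and the 64-step rounds of Step 4, and the little-endian output of Step 5. The per-step rotation amounts and the sine-derived additive constants are the ones from the MD5 specification (RFC 1321); they are not printed in the notes.

```python
# Added example (not from the notes): MD5 implemented from the five steps.
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
# Step 3 initial buffer words A, B, C, D.
INITIAL = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
# Per-step left-rotation amounts and T[i] = floor(|sin(i+1)| * 2^32) (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]

def md5_pad(message: bytes) -> bytes:
    """Steps 1 and 2: a 1 bit, 0 bits up to 448 mod 512, then the 64-bit
    little-endian bit length. Always applied, even at 448 mod 512 already."""
    bit_length = (8 * len(message)) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_length)

def buffer_bytes() -> str:
    """Step 3 buffer as stored in memory, little-endian: 01 23 45 67 89 ab ..."""
    return struct.pack("<4I", *INITIAL).hex()

def rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK

# Step 4: the four auxiliary functions, one per round of sixteen steps.
def F(b, c, d): return (b & c) | (~b & d)
def G(b, c, d): return (b & d) | (c & ~d)
def H(b, c, d): return b ^ c ^ d
def I(b, c, d): return c ^ (b | ~d)

def md5(message: bytes) -> str:
    """Process every 512-bit block (Step 4), then emit the digest (Step 5)."""
    a0, b0, c0, d0 = INITIAL
    padded = md5_pad(message)
    for off in range(0, len(padded), 64):
        M = struct.unpack("<16I", padded[off:off + 64])   # sixteen 32-bit words
        A, B, C, D = a0, b0, c0, d0       # a0..d0 play the role of AA, BB, CC, DD
        for i in range(64):
            if i < 16:
                f, g = F(B, C, D), i
            elif i < 32:
                f, g = G(B, C, D), (5 * i + 1) % 16
            elif i < 48:
                f, g = H(B, C, D), (3 * i + 5) % 16
            else:
                f, g = I(B, C, D), (7 * i) % 16
            f = (f + A + K[i] + M[g]) & MASK
            A, D, C, B = D, C, B, (B + rotl(f, S[i])) & MASK
        a0, b0, c0, d0 = (a0 + A) & MASK, (b0 + B) & MASK, (c0 + C) & MASK, (d0 + D) & MASK
    return struct.pack("<4I", a0, b0, c0, d0).hex()

if __name__ == "__main__":
    print(buffer_bytes())                  # 0123456789abcdeffedcba9876543210
    print(md5(b"abc"))                     # 900150983cd24fb0d6963f7d28e17f72
    print(md5(b"abc") == hashlib.md5(b"abc").hexdigest())
```

Note that `~b` on a Python int yields a negative number; the `& MASK` applied after each addition brings the result back into 32 bits, which is what the bitwise NOT in F, G and I means in the specification.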

3.9 Digital signatures


A digital signature is an authentication mechanism that enables the creator of a message to attach a
code that acts as a signature. Typically the signature is formed by taking the hash of the message and
encrypting the message with the creator's private key. The signature guarantees the source and
integrity of the message.
Properties
Message authentication protects two parties who exchange messages from any third party. However, it
does not protect the two parties against each other. Several forms of dispute between the two are
possible.

Consider the following disputes that could arise.


1. Mary may forge a different message and claim that it came from John. Mary would simply have to
create a message and append an authentication code using the key that John and Mary share.
2. John can deny sending the message. Because it is possible for Mary to forge a message, there is no
way to prove that John did in fact send the message.
Both scenarios are of legitimate concern. Here is an example of the first scenario: An electronic funds
transfer takes place, and the receiver increases the amount of funds transferred and claims that the
larger amount had arrived from the sender. An example of the second scenario is that an electronic
mail message contains instructions to a stockbroker for a transaction that subsequently turns out
badly. The sender pretends that the message was never sent.

In situations where there is not complete trust between sender and receiver, something more than
authentication is needed. The most attractive solution to this problem is the digital signature. The
digital signature must have the following properties:
• It must verify the author and the date and time of the signature.
• It must authenticate the contents at the time of the signature.
• It must be verifiable by third parties, to resolve disputes.
Thus, the digital signature function includes the authentication function.
Attacks and Forgeries
A denotes the user whose signature method is being attacked, and C denotes the attacker.
• Key-only attack: C only knows A's public key.
• Known message attack: C is given access to a set of messages and their signatures.
• Generic chosen message attack: C chooses a list of messages before attempting to break A's
signature scheme, independent of A's public key. C then obtains from A valid signatures for the chosen
messages. The attack is generic, because it does not depend on A's public key; the same attack is used
against everyone.
• Directed chosen message attack: Similar to the generic attack, except that the list of messages to be
signed is chosen after C knows A's public key but before any signatures are seen.
• Adaptive chosen message attack: C is allowed to use A as an "oracle." This means that C may
request signatures of messages that depend on previously obtained message-signature pairs.
• Total break: C determines A’s private key.
• Universal forgery: C finds an efficient signing algorithm that provides an equivalent way of
constructing signatures on arbitrary messages.
• Selective forgery: C forges a signature for a particular message chosen by C.
• Existential forgery: C forges a signature for at least one message. C has no control over the message.
Consequently, this forgery may only be a minor nuisance to A.

Digital Signature Requirements


On the basis of the properties and attacks just discussed, we can formulate the following requirements
for a digital signature.
• The signature must be a bit pattern that depends on the message being signed.
• The signature must use some information unique to the sender to prevent both forgery and denial.
• It must be relatively easy to produce the digital signature.
• It must be relatively easy to recognize and verify the digital signature.
• It must be computationally infeasible to forge a digital signature, either by constructing a new
message for an existing digital signature or by constructing a fraudulent digital signature for a given
message.
• It must be practical to retain a copy of the digital signature in storage.
A secure hash function, embedded in a suitable scheme, provides a basis for satisfying these
requirements. However, care must be taken in the design of the details of the scheme.
Direct Digital Signature
The term direct digital signature refers to a digital signature scheme that involves only the
communicating parties (source, destination). It is assumed that the destination knows the public key
of the source. Confidentiality can be provided by encrypting the entire message plus signature with a
shared secret key (symmetric encryption). Note that it is important to perform the signature function
first and then an outer confidentiality function. In case of dispute, some third party must view the
message and its signature. If the signature is calculated on an encrypted message, then the third party
also needs access to the decryption key to read the original message. However, if the signature is the
inner operation, then the recipient can store the plaintext message and its signature for later use in
dispute resolution.

3.10 ElGamal – DSA.


The ElGamal encryption scheme is designed to enable encryption by a user's public key with decryption by
the user's private key. The ElGamal signature scheme involves the use of the private key for encryption
and the public key for decryption. Before proceeding, we need a result from number theory. If is a
primitive root of , then
