UNIT III
In the RSA algorithm, we saw how the difficulty of factoring yields useful cryptosystems. There is
another number theory problem, namely discrete logarithms, that has similar applications. Fix a prime
p. Let α and β be nonzero integers mod p and suppose
β ≡ α^x (mod p).
The problem of finding x is called the discrete logarithm problem. If n is the smallest positive integer
such that α^n ≡ 1 (mod p), we may assume 0 ≤ x < n, and then we denote
x = L_α(β)
and call it the discrete log of β with respect to α (the prime p is omitted from the notation).
For example, let p = 11 and let α = 2. Since 2^6 ≡ 9 (mod 11), we have L_2(9) = 6. Of course, 2^6 ≡ 2^16 ≡
2^26 ≡ 9 (mod 11), so we could consider taking any one of 6, 16, 26 as the discrete logarithm. But we fix
the value by taking the smallest nonnegative value, namely 6. Note that we could have defined the
discrete logarithm in this case to be the congruence class 6 mod 10. In some ways, this would be more
natural, but there are applications where it is convenient to have a number, not just a congruence
class.
Assume that
β ≡ α^x (mod p), 0 ≤ x < p − 1,
where α is a primitive root mod p, so that p − 1 is the smallest positive exponent with α^(p−1) ≡ 1 (mod p).
We want to find x.
First, it is easy to determine x (mod 2). Note that
(α^((p−1)/2))^2 = α^(p−1) ≡ 1 (mod p),
so α^((p−1)/2) ≡ ±1 (mod p). However, p − 1 is assumed to be the smallest exponent to yield +1, so we must
have
α^((p−1)/2) ≡ −1 (mod p).
Prepared by P.Vasantha Kumari 51
Starting with β ≡ α^x (mod p), raise both sides to the (p − 1)/2 power to obtain
β^((p−1)/2) ≡ α^(x(p−1)/2) ≡ (−1)^x (mod p),
which determines x (mod 2): the result is +1 when x is even and −1 when x is odd.
More generally, suppose p − 1 = q_1^{r_1} q_2^{r_2} ··· q_k^{r_k} is the factorization of p − 1 into primes.
Let q^r be one of the factors. We'll compute L_α(β) (mod q^r). If this can be done for each q_i^{r_i},
the answers can be recombined using the Chinese remainder theorem to find the discrete logarithm. Write
x ≡ x_0 + x_1 q + x_2 q^2 + ··· + x_{r−1} q^{r−1} (mod q^r), with 0 ≤ x_i ≤ q − 1.
We'll determine the coefficients x_0, x_1, …, x_{r−1} successively, and thus obtain x mod q^r. Note that
x(p − 1)/q = x_0 (p − 1)/q + (p − 1)n,
where n is an integer. Starting with β ≡ α^x, raise both sides to the (p − 1)/q power to obtain
β^((p−1)/q) ≡ α^(x(p−1)/q) ≡ α^(x_0 (p−1)/q) (mod p).
The last congruence is a consequence of Fermat's theorem: α^(p−1) ≡ 1 (mod p). To find x_0, simply look at
the powers α^(k(p−1)/q) (mod p) for k = 0, 1, …, q − 1 and take the k whose power matches β^((p−1)/q).
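The procedure above can be run end to end. The following Python is an added example, not part of these notes: it implements the parity test, the digit-by-digit computation of x mod q^r, and the Chinese remainder recombination, under the same assumption the notes make (α is a primitive root mod p, so its order is p − 1). The function names and the trial-division factorization of p − 1 are my own choices; the check value uses the p = 11, α = 2, β = 9 case from above.

```python
# Added example: Pohlig-Hellman discrete log, following the digit-by-digit
# derivation in the notes. Assumes alpha is a primitive root mod p (order p-1).


def factor(n):
    """Trial-division factorization of n as {prime: exponent}; fine for small p-1."""
    f = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def crt(residues, moduli):
    """Combine x ≡ r_i (mod m_i), pairwise coprime m_i, into x mod prod(m_i)."""
    x, m = 0, 1
    for r, mi in zip(residues, moduli):
        t = ((r - x) * pow(m, -1, mi)) % mi  # pick t so x + m*t ≡ r (mod mi)
        x += m * t
        m *= mi
    return x % m


def dlog_parity(alpha, beta, p):
    """x mod 2: beta^((p-1)/2) ≡ (-1)^x (mod p), so +1 means even, -1 means odd."""
    return 0 if pow(beta, (p - 1) // 2, p) == 1 else 1


def dlog_mod_prime_power(alpha, beta, p, q, r):
    """Return x mod q^r where beta ≡ alpha^x (mod p), one base-q digit at a time."""
    n = p - 1
    gamma = pow(alpha, n // q, p)                        # alpha^((p-1)/q), of order q
    digit_of = {pow(gamma, j, p): j for j in range(q)}  # the table of powers for x_k
    x = 0
    for k in range(r):
        # Strip off the digits already known, then raise to (p-1)/q^(k+1):
        # every higher digit collapses to 1 by Fermat, leaving gamma^(x_k).
        beta_k = (beta * pow(alpha, -x, p)) % p
        x_k = digit_of[pow(beta_k, n // q ** (k + 1), p)]
        x += x_k * q ** k
    return x


def discrete_log(alpha, beta, p):
    """L_alpha(beta): the least x >= 0 with alpha^x ≡ beta (mod p)."""
    residues, moduli = [], []
    for q, r in factor(p - 1).items():
        residues.append(dlog_mod_prime_power(alpha, beta, p, q, r))
        moduli.append(q ** r)
    return crt(residues, moduli)


if __name__ == "__main__":
    print(discrete_log(2, 9, 11))  # 6, matching L_2(9) = 6 in the notes
```

The work is dominated by the largest prime factor q of p − 1 (the table has q entries), which is why a safe prime p = 2q' + 1 defeats this method and forces a generic algorithm.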
Example. Let p = 131 and α = 2. Let B = 10, so we are working with the primes 2, 3, 5, 7. A calculation
yields the following:
A simple public-key algorithm is Diffie-Hellman key exchange. This protocol enables two users to
establish a secret key using a public-key scheme based on discrete logarithms. The protocol is secure
only if the authenticity of the two participants can be established. Figure shows a simple protocol that
makes use of the Diffie-Hellman calculation. Suppose that user A wishes to set up a connection with
user B and use a secret key to encrypt messages on that connection. User A can generate a one-time
private key, calculate the corresponding public value, and send that to user B. User B responds by
generating a private value, calculating its public value, and sending it to user A. Both users can now
calculate the key. The necessary public values (the prime and the base α used for the exponentiations)
would need to be known ahead of time. Alternatively, user A could pick those values and include them in
the first message.
Man-in-the-Middle Attack
The protocol depicted in Figure is insecure against a man-in-the-middle attack. Suppose Alice and Bob
wish to exchange keys, and Darth is the adversary. The attack proceeds as follows.
At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth share one
secret key and Alice and Darth share another. All future communication between Bob and Alice is
compromised in the following way.
1. Alice sends an encrypted message to Bob.
2. Darth intercepts the encrypted message and decrypts it, with the key he shares with Alice, to recover
the plaintext.
3. Darth re-encrypts under the key he shares with Bob and sends Bob either the original message or any
message of his choosing. In the first case, Darth simply wants to eavesdrop on the communication
without altering it. In the second case, Darth wants to modify the message going to
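Both the honest exchange and Darth's interception, as an added example that is not part of the notes. The group (p = 23, base 5) and all private exponents are constructed toy values chosen so the arithmetic can be checked by hand; the XOR keystream cipher is a stand-in for the encryption function in steps 1 to 3, not a real cipher, and the function names are my own.

```python
# Added example: Diffie-Hellman key agreement and the man-in-the-middle attack
# from the notes. Parameters and private values are constructed toy numbers.
import hashlib

P, G = 23, 5  # constructed toy group: prime p = 23, base 5 (a primitive root mod 23)


def public_value(priv, p=P, g=G):
    """Y = g^x mod p, the value a party sends over the wire."""
    return pow(g, priv, p)


def shared_key(their_public, my_priv, p=P):
    """K = Y_other^x_me mod p; both honest parties arrive at g^(ab)."""
    return pow(their_public, my_priv, p)


def honest_exchange(a, b):
    """Alice (private a) and Bob (private b) exchange public values directly."""
    ya, yb = public_value(a), public_value(b)
    return shared_key(yb, a), shared_key(ya, b)


def mitm_exchange(a, b, d1, d2):
    """Darth (privates d1, d2) intercepts both messages and substitutes his own.

    Returns (key Alice holds, key Bob holds, key Darth shares with Alice,
    key Darth shares with Bob).
    """
    ya = public_value(a)          # Alice -> Darth; Bob never sees it
    yd1 = public_value(d1)        # Darth -> Bob, in place of Alice's value
    yb = public_value(b)          # Bob -> Darth
    yd2 = public_value(d2)        # Darth -> Alice, in place of Bob's value
    k_alice = shared_key(yd2, a)  # Alice believes this is shared with Bob
    k_bob = shared_key(yd1, b)    # Bob believes this is shared with Alice
    k_darth_alice = shared_key(ya, d2)
    k_darth_bob = shared_key(yb, d1)
    return k_alice, k_bob, k_darth_alice, k_darth_bob


def xor_crypt(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 keystream derived from the DH key.
    Stand-in for E(K, M) in the notes; not a real cipher."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(f"{key}:{counter}".encode()).digest()
        counter += 1
    return bytes(x ^ y for x, y in zip(data, stream))


def relay(a, b, d1, d2, message, substitute=None):
    """Steps 1-3 from the notes. Returns (what Darth read, what Bob decrypted)."""
    k_alice, k_bob, k_da, k_db = mitm_exchange(a, b, d1, d2)
    ciphertext = xor_crypt(k_alice, message)     # 1. Alice sends E(K_alice, M)
    recovered = xor_crypt(k_da, ciphertext)      # 2. Darth decrypts and recovers M
    forwarded = substitute if substitute is not None else recovered
    to_bob = xor_crypt(k_db, forwarded)          # 3. Darth sends E(K_bob, M or M')
    bob_reads = xor_crypt(k_bob, to_bob)
    return recovered, bob_reads


if __name__ == "__main__":
    print(honest_exchange(6, 15))                # (2, 2): both sides agree
    print(mitm_exchange(6, 15, 3, 10))           # Alice's and Bob's keys differ
    print(relay(6, 15, 3, 10, b"pay carol 10", b"pay darth 10"))
```

Nothing in the exchange lets Alice or Bob notice the substitution, which is the point of the "secure only if the authenticity of the two participants can be established" remark above: the public values have to be signed or otherwise authenticated.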
Alice generates a public/private key pair; Bob encrypts using Alice’s public key; and Alice decrypts
using her private key. Let us demonstrate why the ElGamal scheme works. First, we show how is
recovered by the decryption process:
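The mechanics of the scheme, as an added example not taken from the notes. The parameters (q = 19, primitive root 10, private key 5, one-time exponent 6) are constructed toy values and the function names are my own. The last function goes one step beyond the notes: it shows why the one-time exponent k must never be reused, since two ciphertexts made with the same k share the same one-time key K.

```python
# Added example: ElGamal encryption over Z_q with constructed toy parameters.
# Decryption works because C1^x = (g^k)^x = (g^x)^k = y^k = K, so
# C2 * K^-1 = (K * M) * K^-1 = M (mod q).

Q, G = 19, 10  # constructed: prime q = 19, 10 is a primitive root mod 19


def keygen(x, q=Q, g=G):
    """Alice: private x in [1, q-2], public y = g^x mod q. Returns (x, y)."""
    return x, pow(g, x, q)


def encrypt(y, m, k, q=Q, g=G):
    """Bob: one-time key K = y^k mod q; ciphertext (C1, C2) = (g^k, K*M mod q)."""
    assert 0 <= m < q, "message must be an element of Z_q"
    K = pow(y, k, q)
    return pow(g, k, q), (K * m) % q


def recover_key(c1, x, q=Q):
    """Alice recovers K without knowing k: C1^x = (g^k)^x = (g^x)^k = y^k."""
    return pow(c1, x, q)


def decrypt(x, c1, c2, q=Q):
    K = recover_key(c1, x, q)
    return (c2 * pow(K, -1, q)) % q  # K is invertible: q is prime and K != 0


def roundtrip(x, m, k):
    """Return (C1, C2, K, decrypted message) so each step can be inspected."""
    x, y = keygen(x)
    c1, c2 = encrypt(y, m, k)
    return c1, c2, recover_key(c1, x), decrypt(x, c1, c2)


def key_reuse_attack(c2_known, m_known, c2_other, q=Q):
    """If two messages were encrypted with the same k, both C2 values carry the
    same K, so knowing one plaintext gives the other: M2 = C2' * M1 * C2^-1."""
    return (c2_other * m_known * pow(c2_known, -1, q)) % q


if __name__ == "__main__":
    print(roundtrip(5, 17, 6))  # (11, 5, 7, 17)
```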
Message authentication is a mechanism or service used to verify the integrity of a message. Message
authentication assures that data received are exactly as sent (i.e., contain no modification, insertion,
deletion, or replay). In many cases, there is a requirement that the authentication mechanism assures
that the purported identity of the sender is valid. When a hash function is used to provide message
authentication, the hash function value is often referred to as a message digest. Figure illustrates a
variety of ways in which a hash code can be used to provide message authentication, as follows.
Figure illustrates, in a simplified fashion, how a hash code is used to provide a digital signature.
a. The hash code is encrypted, using public-key encryption with the sender’s private key. As with
Figure b, this provides authentication. It also provides a digital signature, because only the sender
could have produced the encrypted hash code. In fact, this is the essence of the digital signature
technique.
SHA-512 Logic
The algorithm takes as input a message with a maximum length of less than bits and produces as
output a 512-bit message digest. The input is processed in 1024-bit blocks. Figure depicts the overall
processing of a message to produce a digest. This follows the general structure depicted in Figure. The
processing consists of the following steps.
Step 1 Append padding bits. The message is padded so that its length is congruent to 896 modulo
1024 . Padding is always added, even if the message is already of the desired length. Thus, the number
of padding bits is in the range of 1 to 1024. The padding consists of a single 1 bit followed by the
necessary number of 0 bits.
Step 2 Append length. A block of 128 bits is appended to the message. This block is treated as an
unsigned 128-bit integer (most significant byte first) and contains the length of the original message
(before the padding). The outcome of the first two steps yields a message that is an integer multiple of
1024 bits in length. In Figure, the expanded message is represented as the sequence of 1024-bit
blocks, so that the total length of the expanded message is .
Step 3 Initialize hash buffer. A 512-bit buffer is used to hold intermediate and final results of the
hash function. The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).These
registers are initialized to the following 64-bit
integers (hexadecimal values):
a = 6A09E667F3BCC908 e = 510E527FADE682D1
b = BB67AE8584CAA73B f = 9B05688C2B3E6C1F
c = 3C6EF372FE94F82B g = 1F83D9ABFB41BD6B
d = A54FF53A5F1D36F1 h = 5BE0CD19137E2179
These values are stored in big-endian format, in which the most significant byte of a word occupies the
low-address (leftmost) byte position. These words were obtained by taking the first sixty-four bits of the
fractional parts of the square roots of the first eight prime numbers.
The probability that the same holds conjunctively for all members of the set {c1, c2, . . . , ck} would
therefore be
This is the probability that there will NOT exist any hash code matches between the two sets of
contracts {c1, c2, . . . , ck} and {f1, f2, . . . , fk}. Therefore the probability that there will exist at least one
match in hash code values between the set of correct contracts and the set of fraudulent contracts is
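An added illustration, not from the notes, of how such a match is actually found. Each contract is expanded into 2^14 variants that differ only in an invisible trailing space/tab pattern, hashed with the first 24 bits of SHA-512 (standing in for a short hash code), and searched for a cross-set match. The contract texts, the variant scheme, the choice of 24 bits, and the closed-form probability function are my own constructions.

```python
# Added example: the birthday attack on a signed contract with a short hash.
# With k = 2^(n/2) variants of each contract roughly 63% of attempts find a
# match; with k = 2^(n/2 + 2), as below, it is practically certain.
import hashlib

CORRECT = "I agree to pay Alice 100 units for consulting services."    # constructed
FRAUD = "I agree to pay Alice 10000 units for consulting services."    # constructed


def variant(text, i, bits):
    """Variant i of a contract: trailing whitespace whose space/tab pattern is the bits of i."""
    tail = "".join(" " if (i >> j) & 1 else "\t" for j in range(bits))
    return text + tail


def truncated_hash(text, n_bits):
    """First n_bits of SHA-512(text) as an int, standing in for an n-bit hash code."""
    h = int.from_bytes(hashlib.sha512(text.encode()).digest(), "big")
    return h >> (512 - n_bits)


def p_at_least_one_match(k, n_bits):
    """Two sets of k messages, n-bit hash: 1 - (1 - 2^-n)^(k^2)."""
    return 1 - (1 - 2.0 ** -n_bits) ** (k * k)


def find_collision(n_bits, variant_bits):
    """Return (correct variant, fraudulent variant) with equal n-bit hash, or None."""
    k = 1 << variant_bits
    table = {}
    for i in range(k):                                   # hash all correct variants once
        c = variant(CORRECT, i, variant_bits)
        table.setdefault(truncated_hash(c, n_bits), c)
    for i in range(k):                                   # look each fraudulent one up
        f = variant(FRAUD, i, variant_bits)
        hit = table.get(truncated_hash(f, n_bits))
        if hit is not None:
            return hit, f
    return None


if __name__ == "__main__":
    print(p_at_least_one_match(2 ** 12, 24))  # about 0.63
    print(find_collision(24, 14))
```

The search costs 2·2^14 hash evaluations and a dictionary, not 2^24 comparisons: this is why an m-bit hash only offers about m/2 bits of collision resistance.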
3.8 MD5
The algorithm accepts an input message of arbitrary length and produces a 128-bit “message digest".
Figure depicts the way the input message is turned into a 128-bit message digest. The actual
processing of the MD5 algorithm consists of the following 5 steps:
Step 1: Append padding bits
During this step, the message is extended or padded in such a way that its total length in bits is
congruent to 448 modulo 512. This operation is always performed, even if the message's length in bits is
originally congruent to 448 modulo 512. We notice that 448 + 64 = 512, so the message is padded such
that its length is now 64 bits less than an integer multiple of 512. Padding is done by appending to the
message a single 1 bit followed by the necessary number of 0 bits so that the length in bits of the
padded message becomes congruent to 448 modulo 512.
Step 2: Append length
A 64-bit representation of the length in bits of the original message M (before the padding bits were
added) is appended to the result of step 1. The result of steps 1 and 2 is a message with a length in
bits that is an integer multiple of 512. Consequently, the result has a length that is also a multiple
of sixteen 32-bit words.
Step 3: Initialize MD buffer
A 128-bit buffer (A, B, C, D) is used to hold intermediate and final results of the MD5 hash algorithm.
These registers are initialized to the following 32-bit values in hexadecimal:
A = 67 45 23 01
B = ef cd ab 89
C = 98 ba dc fe
D = 10 32 54 76
Step 4: Process message in 512-bit blocks
This step consists of sixty-four (64) operations divided into four (4) rounds of processing. The four
rounds are almost identical, with the main difference being that each round uses a different primitive
logical function, denoted by F, G, H, and I in the specification. Let us first define the four functions.
Step 5: Output
The output from the very last round is the 128-bit hash result or message digest we obtain after we
have incrementally processed all t 512-bit blocks of the message.
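The preprocessing in the SHA-512 steps above and in steps 1 and 2 of MD5 is the same construction at two sizes: 1024-bit blocks with a 128-bit length field versus 512-bit blocks with a 64-bit length field. The following Python, added here and not part of the notes, implements that padding generically, derives the SHA-512 initial values a..h from the square roots of the first eight primes exactly as described in the SHA-512 section (and the 80 round constants from cube roots of the first 80 primes, which the notes do not list), runs the SHA-512 compression function, and checks the result against hashlib. Function names are my own; the little-endian length field for MD5 comes from RFC 1321, not from the notes.

```python
# Added example (not from the notes): the padding/length preprocessing shared
# by MD5 and SHA-512, SHA-512's constants derived from prime roots, and the
# full SHA-512 compression loop, cross-checked against hashlib.
import hashlib
from math import isqrt

MASK64 = (1 << 64) - 1


def md_pad(msg: bytes, block_bytes: int, len_bytes: int, byteorder: str) -> bytes:
    """Steps 1 and 2: a single 1 bit, 0 bits up to len_bytes short of a block
    boundary, then the original length in bits. Padding is added even when the
    message already has the right length, so 1..block_bytes bytes are added."""
    out = msg + b"\x80"                                                # the 1 bit, then 7 zeros
    out += b"\x00" * ((block_bytes - len_bytes - len(out)) % block_bytes)
    return out + (len(msg) * 8).to_bytes(len_bytes, byteorder)


def sha512_pad(msg: bytes) -> bytes:
    return md_pad(msg, 128, 16, "big")      # length ≡ 896 mod 1024 bits, 128-bit big-endian length


def md5_pad(msg: bytes) -> bytes:
    return md_pad(msg, 64, 8, "little")     # length ≡ 448 mod 512 bits; RFC 1321 stores it little-endian


def first_primes(n):
    primes, cand = [], 2
    while len(primes) < n:
        if all(cand % p for p in primes):
            primes.append(cand)
        cand += 1
    return primes


def icbrt(n: int) -> int:
    """Largest r with r**3 <= n, by exact integer binary search."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


# Step 3: floor(sqrt(p) * 2^64) == isqrt(p * 2^128), so masking to 64 bits gives
# the first 64 fractional bits exactly (the a..h table in the notes). The same
# idea with cube roots gives the 80 round constants K.
IV = [isqrt(p << 128) & MASK64 for p in first_primes(8)]
K = [icbrt(p << 192) & MASK64 for p in first_primes(80)]


def rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (64 - n))) & MASK64


def sha512(msg: bytes) -> bytes:
    """Step 4 (compression over 1024-bit blocks) and Step 5 (512-bit output)."""
    H = list(IV)
    data = sha512_pad(msg)
    for off in range(0, len(data), 128):
        W = [int.from_bytes(data[off + i:off + i + 8], "big") for i in range(0, 128, 8)]
        for t in range(16, 80):                       # message schedule
            s0 = rotr(W[t - 15], 1) ^ rotr(W[t - 15], 8) ^ (W[t - 15] >> 7)
            s1 = rotr(W[t - 2], 19) ^ rotr(W[t - 2], 61) ^ (W[t - 2] >> 6)
            W.append((W[t - 16] + s0 + W[t - 7] + s1) & MASK64)
        a, b, c, d, e, f, g, h = H
        for t in range(80):
            S1 = rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)
            ch = (e & f) ^ (~e & g)
            T1 = (h + S1 + ch + K[t] + W[t]) & MASK64
            S0 = rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)
            maj = (a & b) ^ (a & c) ^ (b & c)
            T2 = (S0 + maj) & MASK64
            h, g, f, e, d, c, b, a = g, f, e, (d + T1) & MASK64, c, b, a, (T1 + T2) & MASK64
        H = [(x + y) & MASK64 for x, y in zip(H, (a, b, c, d, e, f, g, h))]  # chain into next block
    return b"".join(x.to_bytes(8, "big") for x in H)


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check against the platform implementation."""
    return sha512(msg) == hashlib.sha512(msg).digest()


if __name__ == "__main__":
    print(hex(IV[0]), sha512(b"abc").hex(), matches_hashlib(b"abc"))
```

Because the length field sits inside the padded input, the 111-byte and 112-byte boundary cases (one block versus two) are the ones worth testing in any hand-written padding routine; off-by-one errors there produce a digest that disagrees with every other implementation only for certain lengths.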
In situations where there is not complete trust between sender and receiver, something more than
authentication is needed. The most attractive solution to this problem is the digital signature. The
digital signature must have the following properties:
• It must verify the author and the date and time of the signature.
• It must authenticate the contents at the time of the signature.
• It must be verifiable by third parties, to resolve disputes.
Thus, the digital signature function includes the authentication function.
Attacks and Forgeries
A denotes the user whose signature method is being attacked, and C denotes the attacker.
• Key-only attack: C only knows A’s public key.