Chapter 1 Overview of Cryptography
Contents in Brief
1.1 Introduction . . . 1
1.2 Information security and cryptography . . . 2
1.3 Background on functions . . . 6
1.4 Basic terminology and concepts . . . 11
1.5 Symmetric-key encryption . . . 15
1.6 Digital signatures . . . 22
1.7 Authentication and identification . . . 24
1.8 Public-key cryptography . . . 25
1.9 Hash functions . . . 33
1.10 Protocols and mechanisms . . . 33
1.11 Key establishment, management, and certification . . . 35
1.12 Pseudorandom numbers and sequences . . . 39
1.13 Classes of attacks and security models . . . 41
1.14 Notes and further references . . . 45
1.1 Introduction
Cryptography has a long and fascinating history. The most complete non-technical account of the subject is Kahn’s The Codebreakers. This book traces cryptography from its initial and limited use by the Egyptians some 4000 years ago, to the twentieth century where it played a crucial role in the outcome of both world wars. Completed in 1963, Kahn’s book covers those aspects of the history which were most significant (up to that time) to the development of the subject. The predominant practitioners of the art were those associated with the military, the diplomatic service and government in general. Cryptography was used as a tool to protect national secrets and strategies.

The proliferation of computers and communications systems in the 1960s brought with it a demand from the private sector for means to protect information in digital form and to provide security services. Beginning with the work of Feistel at IBM in the early 1970s and culminating in 1977 with the adoption as a U.S. Federal Information Processing Standard for encrypting unclassified information, DES, the Data Encryption Standard, is the most well-known cryptographic mechanism in history. It remains the standard means for securing electronic commerce for many financial institutions around the world.

The most striking development in the history of cryptography came in 1976 when Diffie and Hellman published New Directions in Cryptography. This paper introduced the revolutionary concept of public-key cryptography and also provided a new and ingenious method for key exchange, the security of which is based on the intractability of the discrete logarithm problem. Although the authors had no practical realization of a public-key encryption scheme at the time, the idea was clear and it generated extensive interest and activity in the cryptographic community. In 1978 Rivest, Shamir, and Adleman discovered the first practical public-key encryption and signature scheme, now referred to as RSA. The RSA scheme is based on another hard mathematical problem, the intractability of factoring large integers. This application of a hard mathematical problem to cryptography revitalized efforts to find more efficient methods to factor. The 1980s saw major advances in this area but none which rendered the RSA system insecure. Another class of powerful and practical public-key schemes was found by ElGamal in 1985. These are also based on the discrete logarithm problem.

One of the most significant contributions provided by public-key cryptography is the digital signature. In 1991 the first international standard for digital signatures (ISO/IEC 9796) was adopted. It is based on the RSA public-key scheme. In 1994 the U.S. Government adopted the Digital Signature Standard, a mechanism based on the ElGamal public-key scheme.

The search for new public-key schemes, improvements to existing cryptographic mechanisms, and proofs of security continues at a rapid pace. Various standards and infrastructures involving cryptography are being put in place. Security products are being developed to address the security needs of an information intensive society.

The purpose of this book is to give an up-to-date treatise of the principles, techniques, and algorithms of interest in cryptographic practice. Emphasis has been placed on those aspects which are most practical and applied. The reader will be made aware of the basic issues and pointed to specific related research in the literature where more in-depth discussions can be found. Due to the volume of material which is covered, most results will be stated without proofs. This also serves the purpose of not obscuring the very applied nature of the subject. This book is intended for both implementers and researchers. It describes algorithms, systems, and their interactions.

Chapter 1 is a tutorial on the many and various aspects of cryptography. It does not attempt to convey all of the details and subtleties inherent to the subject. Its purpose is to introduce the basic issues and principles and to point the reader to appropriate chapters in the book for more comprehensive treatments. Specific techniques are avoided in this chapter.
1.2 Information security and cryptography
The concept of information will be taken to be an understood quantity. To introduce cryptography, an understanding of issues related to information security in general is necessary. Information security manifests itself in many ways according to the situation and requirement. Regardless of who is involved, to one degree or another, all parties to a transaction must have confidence that certain objectives associated with information security have been met. Some of these objectives are listed in Table 1.1.

Over the centuries, an elaborate set of protocols and mechanisms has been created to deal with information security issues when the information is conveyed by physical documents. Often the objectives of information security cannot solely be achieved through mathematical algorithms and protocols alone, but require procedural techniques and abidance of laws to achieve the desired result. For example, privacy of letters is provided by sealed envelopes delivered by an accepted mail service. The physical security of the envelope is, for practical necessity, limited and so laws are enacted which make it a criminal offense to open mail for which one is not authorized. It is sometimes the case that security is achieved not through the information itself but through the physical document recording it. For example, paper currency requires special inks and material to prevent counterfeiting.

Table 1.1: Some information security objectives.

privacy or confidentiality               keeping information secret from all but those who are authorized to see it.
data integrity                           ensuring information has not been altered by unauthorized or unknown means.
entity authentication or identification  corroboration of the identity of an entity (e.g., a person, a computer terminal, a credit card, etc.).
message authentication                   corroborating the source of information; also known as data origin authentication.
signature                                a means to bind information to an entity.
authorization                            conveyance, to another entity, of official sanction to do or be something.
validation                               a means to provide timeliness of authorization to use or manipulate information or resources.
access control                           restricting access to resources to privileged entities.
certification                            endorsement of information by a trusted entity.
timestamping                             recording the time of creation or existence of information.
witnessing                               verifying the creation or existence of information by an entity other than the creator.
receipt                                  acknowledgement that information has been received.
confirmation                             acknowledgement that services have been provided.
ownership                                a means to provide an entity with the legal right to use or transfer a resource to others.
anonymity                                concealing the identity of an entity involved in some process.
non-repudiation                          preventing the denial of previous commitments or actions.
revocation                               retraction of certification or authorization.

© 1997 by CRC Press, Inc. — See accompanying notice at front of chapter.
Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Conceptually, the way information is recorded has not changed dramatically over time. Whereas information was typically stored and transmitted on paper, much of it now resides on magnetic media and is transmitted via telecommunications systems, some wireless. What has changed dramatically is the ability to copy and alter information. One can make thousands of identical copies of a piece of information stored electronically and each is indistinguishable from the original. With information on paper, this is much more difficult. What is needed then for a society where information is mostly stored and transmitted in electronic form is a means to ensure information security which is independent of the physical medium recording or conveying it and such that the objectives of information security rely solely on digital information itself.

One of the fundamental tools used in information security is the signature. It is a building block for many other services such as non-repudiation, data origin authentication, identification, and witnessing, to mention a few. Having learned the basics in writing, an individual is taught how to produce a handwritten signature for the purpose of identification. At contract age the signature evolves to take on a very integral part of the person’s identity. This signature is intended to be unique to the individual and serve as a means to identify, authorize, and validate. With electronic information the concept of a signature needs to be redressed; it cannot simply be something unique to the signer and independent of the information signed. Electronic replication of it is so simple that appending a signature to a document not signed by the originator of the signature is almost a triviality.

Analogues of the “paper protocols” currently in use are required. Hopefully these new electronic based protocols are at least as good as those they replace. There is a unique opportunity for society to introduce new and more efficient ways of ensuring information security. Much can be learned from the evolution of the paper based system, mimicking those aspects which have served us well and removing the inefficiencies.

Achieving information security in an electronic society requires a vast array of technical and legal skills. There is, however, no guarantee that all of the information security objectives deemed necessary can be adequately met. The technical means is provided through cryptography.

1.1 Definition Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication.

Cryptography is not the only means of providing information security, but rather one set of techniques.

Cryptographic goals
Of all the information security objectives listed in Table 1.1, the following four form a framework upon which the others will be derived: (1) privacy or confidentiality (§1.5, §1.8); (2) data integrity (§1.9); (3) authentication (§1.7); and (4) non-repudiation (§1.6).
1. Confidentiality is a service used to keep the content of information from all but those authorized to have it. Secrecy is a term synonymous with confidentiality and privacy. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible.
2. Data integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes such things as insertion, deletion, and substitution.
3. Authentication is a service related to identification. This function applies to both entities and information itself. Two parties entering into a communication should identify each other. Information delivered over a channel should be authenticated as to origin, date of origin, data content, time sent, etc. For these reasons this aspect of cryptography is usually subdivided into two major classes: entity authentication and data origin authentication. Data origin authentication implicitly provides data integrity (for if a message is modified, the source has changed).
4. Non-repudiation is a service which prevents an entity from denying previous commitments or actions. When disputes arise due to an entity denying that certain actions were taken, a means to resolve the situation is necessary. For example, one entity may authorize the purchase of property by another entity and later deny such authorization was granted. A procedure involving a trusted third party is needed to resolve the dispute.

A fundamental goal of cryptography is to adequately address these four areas in both theory and practice. Cryptography is about the prevention and detection of cheating and other malicious activities.

This book describes a number of basic cryptographic tools (primitives) used to provide information security. Examples of primitives include encryption schemes (§1.5 and §1.8),
hash functions (§1.9), and digital signature schemes (§1.6). Figure 1.1 provides a schematic listing of the primitives considered and how they relate. Many of these will be briefly introduced in this chapter, with detailed discussion left to later chapters.

Figure 1.1: A taxonomy of cryptographic primitives. (Security Primitives are grouped into Unkeyed Primitives: arbitrary length hash functions, one-way permutations, random sequences; Symmetric-key Primitives: symmetric-key ciphers (block ciphers, stream ciphers), arbitrary length hash functions (MACs), signatures, pseudorandom sequences, identification primitives; and Public-key Primitives: public-key ciphers, signatures, identification primitives.)

These primitives should be evaluated with respect to various criteria such as:
1. level of security. This is usually difficult to quantify. Often it is given in terms of the number of operations required (using the best methods currently known) to defeat the intended objective. Typically the level of security is defined by an upper bound on the amount of work necessary to defeat the objective. This is sometimes called the work factor (see §1.13.4).
2. functionality. Primitives will need to be combined to meet various information security objectives. Which primitives are most effective for a given objective will be determined by the basic properties of the primitives.
3. methods of operation. Primitives, when applied in various ways and with various inputs, will typically exhibit different characteristics; thus, one primitive could provide very different functionality depending on its mode of operation or usage.
4. performance. This refers to the efficiency of a primitive in a particular mode of operation. (For example, an encryption algorithm may be rated by the number of bits per second which it can encrypt.)
5. ease of implementation. This refers to the difficulty of realizing the primitive in a practical instantiation. This might include the complexity of implementing the primitive in either a software or hardware environment.

The relative importance of various criteria is very much dependent on the application and resources available. For example, in an environment where computing power is limited one may have to trade off a very high level of security for better performance of the system as a whole.

Cryptography, over the ages, has been an art practised by many who have devised ad hoc techniques to meet some of the information security requirements. The last twenty years have been a period of transition as the discipline moved from an art to a science. There are now several international scientific conferences devoted exclusively to cryptography and also an international scientific organization, the International Association for Cryptologic Research (IACR), aimed at fostering research in the area.

This book is about cryptography: the theory, the practice, and the standards.
1.3 Background on functions
While this book is not a treatise on abstract mathematics, a familiarity with basic mathematical concepts will prove to be useful. One concept which is absolutely fundamental to cryptography is that of a function in the mathematical sense. A function is alternately referred to as a mapping or a transformation.
1.3.1 Functions (1-1, one-way, trapdoor one-way)
1.2 Definition A function is defined by two sets $X$ and $Y$ and a rule $f$ which assigns to each element in $X$ precisely one element in $Y$. The set $X$ is called the domain of the function and $Y$ the codomain. If $x$ is an element of $X$ (usually written $x \in X$) the image of $x$ is the element in $Y$ which the rule $f$ associates with $x$; the image $y$ of $x$ is denoted by $y = f(x)$. Standard notation for a function $f$ from set $X$ to set $Y$ is $f : X \to Y$. If $y \in Y$, then a preimage of $y$ is an element $x \in X$ for which $f(x) = y$. The set of all elements in $Y$ which have at least one preimage is called the image of $f$, denoted $\mathrm{Im}(f)$.

(A set consists of distinct objects which are called elements of the set. For example, a set might consist of the elements $a$, $b$, $c$, and this is denoted $\{a, b, c\}$.)

1.3 Example (function) Consider the sets $X = \{a, b, c\}$, $Y = \{1, 2, 3, 4\}$, and the rule $f$ from $X$ to $Y$ defined as $f(a) = 2$, $f(b) = 4$, $f(c) = 1$. Figure 1.2 shows a schematic of the sets $X$, $Y$ and the function $f$. The preimage of the element $2$ is $a$. The image of $f$ is $\{1, 2, 4\}$. □

Figure 1.2: A function $f$ from a set $X$ of three elements to a set $Y$ of four elements.

Thinking of a function in terms of the schematic (sometimes called a functional diagram) given in Figure 1.2, each element in the domain has precisely one arrowed line originating from it. Each element in the codomain can have any number of arrowed lines incident to it (including zero lines).

Often only the domain and the rule are given and the codomain is assumed to be the image of $f$. This point is illustrated with two examples.

1.4 Example (function) Take $X = \{1, 2, 3, \ldots, 10\}$ and let $f$ be the rule that for each $x \in X$, $f(x) = r_x$, where $r_x$ is the remainder when $x^2$ is divided by $11$. Explicitly then
$f(1) = 1$, $f(2) = 4$, $f(3) = 9$, $f(4) = 5$, $f(5) = 3$, $f(6) = 3$, $f(7) = 5$, $f(8) = 9$, $f(9) = 4$, $f(10) = 1$.
The image of $f$ is the set $Y = \{1, 3, 4, 5, 9\}$. □

1.5 Example (function) Take $X = \{1, 2, 3, \ldots, 10^{50}\}$ and let $f$ be the rule $f(x) = r_x$, where $r_x$ is the remainder when $x^2$ is divided by $10^{50} + 1$ for all $x \in X$. Here it is not feasible to write down $f$ explicitly as in Example 1.4, but nonetheless the function is completely specified by the domain and the mathematical description of the rule $f$. □

(i) 1-1 functions

1.6 Definition A function (or transformation) is $1$-$1$ (one-to-one) if each element in the codomain $Y$ is the image of at most one element in the domain $X$.
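The image, preimage and 1-1 notions of Definitions 1.2 and 1.6, run over the functions of Examples 1.3 to 1.5 (an added Python example, not code from the Handbook; the function and variable names are the example's own):

```python
# Added example: image, preimages and the 1-1 test for a function given as
# a domain plus a rule, as in Definitions 1.2 and 1.6 of the Handbook.


def image(domain, f):
    """Im(f): every element of the codomain that has at least one preimage."""
    return {f(x) for x in domain}


def preimages(domain, f, y):
    """All x in the domain with f(x) = y (empty if y is not in Im(f))."""
    return {x for x in domain if f(x) == y}


def is_one_to_one(domain, f):
    """1-1 (Definition 1.6): no element of the codomain has two preimages."""
    seen = set()
    for x in domain:
        y = f(x)
        if y in seen:
            return False
        seen.add(y)
    return True


# Example 1.3: X = {a, b, c}, f(a) = 2, f(b) = 4, f(c) = 1.
X3 = {"a", "b", "c"}
def f3(x):
    return {"a": 2, "b": 4, "c": 1}[x]


# Example 1.4: X = {1, ..., 10}, f(x) = remainder of x^2 divided by 11.
X4 = range(1, 11)
def f4(x):
    return (x * x) % 11


# Example 1.5: X = {1, ..., 10^50}, f(x) = remainder of x^2 divided by 10^50 + 1.
# The domain is far too large to tabulate, but the rule evaluates any point.
M5 = 10**50 + 1
def f5(x):
    return (x * x) % M5


if __name__ == "__main__":
    print("Example 1.3: Im(f) =", sorted(image(X3, f3)),
          "preimage of 2:", preimages(X3, f3, 2), "1-1?", is_one_to_one(X3, f3))
    print("Example 1.4: Im(f) =", sorted(image(X4, f4)), "1-1?", is_one_to_one(X4, f4))
    print("  preimages of 3:", preimages(X4, f4, 3))   # 5 and 6 both square to 3 mod 11
    print("Example 1.5: f(10**25) =", f5(10**25))       # one point of an untabulable function
```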
Figure 1.5: Schematic of a simple encryption scheme.

formation, say . To encrypt the message , Alice computes and sends to Bob. Bob decrypts by reversing the arrows on the diagram for and observing that points to .
¨ c 1997 by CRC Press, Inc. — See accompanying notice at front of chapter.
© 1.4 Basic terminology and concepts
13
When is a small set, the functional diagram is a simple visual means to describe the mapping. In cryptography, the set is typically of astronomical proportions and, as such, the visual description is infeasible. What is required, in these cases, is some other simple means to describe the encryption and decryption transformations, such as mathematical algorithms.
□

Figure 1.6 provides a simple model of a two-party communication using encryption.

[Figure 1.6; only the label "Adversary" survives in this copy.]

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Private key is a term also used in quite a different context (see §1.8). The term will be reserved for the latter usage in this book.

A message ¡¯\[^].À3_U7À3`8]CabÀ3_U^abc[dQ.À3eCf:XgeCh[^_iaU^jEbka is encrypted to ®N¯lV¹I»(¯nmpofWqgrsfd_o]CjtfTqurv]CjmpwEfdxhyS(xbzm{q|]CrvVCjE]Õ □
A two-party communication using symmetric-key encryption can be described by the block diagram of Figure 1.7, which is Figure 1.6 with the addition of the secure (both con-

[Figure 1.7; labels surviving in this copy: Adversary, key source, SECURE CHANNEL, Bob.]

Figure 1.12: Schematic use of public-key encryption.

tion transformations $\{E_e : e \in \mathcal{K}\}$ and $\{D_d : d \in \mathcal{K}\}$, respectively. The encryption method is said to be a public-key encryption scheme if for each associated encryption/decryption pair $(e, d)$, one key $e$ (the public key) is made publicly available, while the other $d$ (the private key) is kept secret. For the scheme to be secure, it must be computationally infeasible to compute $d$ from $e$.
1.51 Remark (private key vs. secret key) To avoid ambiguity, a common convention is to use the term private key in association with public-key cryptosystems, and secret key in association with symmetric-key cryptosystems. This may be motivated by the following line of thought: it takes two or more parties to share a secret, but a key is truly private only when one party alone knows it.

There are many schemes known which are widely believed to be secure public-key encryption methods, but none have been mathematically proven to be secure independent of qualifying assumptions. This is not unlike the symmetric-key case where the only system which has been proven secure is the one-time pad (§1.5.4).
1.8.2 The necessity of authentication in public-key systems
It would appear that public-key cryptography is an ideal system, not requiring a secure channel to pass the encryption key. This would imply that two entities could communicate over an unsecured channel without ever having met to exchange keys. Unfortunately, this is not the case. Figure 1.13 illustrates how an active adversary can defeat the system (decrypt messages intended for a second entity) without breaking the encryption system. This is a type of impersonation and is an example of protocol failure (see §1.10). In this scenario the adversary impersonates entity $B$ by sending entity $A$ a public key $e'$ which $A$ assumes (incorrectly) to be the public key of $B$. The adversary intercepts encrypted messages from $A$ to $B$, decrypts with its own private key $d'$, re-encrypts the message under $B$’s public key $e$, and sends it on to $B$. This highlights the necessity to authenticate public keys to achieve data origin authentication of the public keys themselves. $A$ must be convinced that she is encrypting under the legitimate public key of $B$. Fortunately, public-key techniques also allow an elegant solution to this problem (see §1.11).

[Figure 1.13; labels surviving in this copy: Adversary, key source, encryption, decryption.]
where the summation is over all and , then

2.29 Fact (model B) If the balls from both urns are drawn without replacement, then the probability of at least one coincidence is
$$P_2(n, m_1, m_2) = 1 - \frac{n^{(m_1 + m_2)}}{n^{(m_1)}\, n^{(m_2)}}.$$
If $m_1 = O(\sqrt{n})$, $m_2 = O(\sqrt{n})$, and $n \to \infty$, then
$$P_2(n, m_1, m_2) \to 1 - \exp\left(-\frac{m_1 m_2}{n}\left[1 + \frac{m_1 + m_2}{2n}\right] + O\!\left(\frac{1}{n}\right)\right).$$

2.30 Fact (model C) If the white balls are drawn one at a time, with replacement, and the red balls are drawn without replacement, then the probability of at least one coincidence is
$$P_3(n, m_1, m_2) = 1 - \left(1 - \frac{m_2}{n}\right)^{m_1}.$$
If $m_1 = O(\sqrt{n})$, $m_2 = O(\sqrt{n})$, and $n \to \infty$, then
$$P_3(n, m_1, m_2) \to 1 - \exp\left(-\frac{m_1 m_2}{n}\left[1 + O\!\left(\frac{1}{\sqrt{n}}\right)\right]\right) \approx 1 - \exp\left(-\frac{m_1 m_2}{n}\right).$$
2.1.6 Random mappings

2.31 Definition Let $\mathcal{F}_n$ denote the collection of all functions (mappings) from a finite domain of size $n$ to a finite codomain of size $n$.

Models where random elements of $\mathcal{F}_n$ are considered are called random mappings models. In this section the only random mappings model considered is where every function from $\mathcal{F}_n$ is equally likely to be chosen; such models arise frequently in cryptography and algorithmic number theory. Note that $|\mathcal{F}_n| = n^n$, whence the probability that a particular function from $\mathcal{F}_n$ is chosen is $1/n^n$.

2.32 Definition Let $f$ be a function in $\mathcal{F}_n$ with domain and codomain equal to $\{1, 2, \ldots, n\}$. The functional graph of $f$ is a directed graph whose points (or vertices) are the elements $\{1, 2, \ldots, n\}$ and whose edges are the ordered pairs $(x, f(x))$ for all $x \in \{1, 2, \ldots, n\}$.

2.33 Example (functional graph) Consider the function $f : \{1, 2, \ldots, 13\} \to \{1, 2, \ldots, 13\}$ defined by $f(1) = 4$, $f(2) = 11$, $f(3) = 1$, $f(4) = 6$, $f(5) = 3$, $f(6) = 9$, $f(7) = 3$, $f(8) = 11$, $f(9) = 1$, $f(10) = 2$, $f(11) = 10$, $f(12) = 4$, $f(13) = 7$. The functional graph of $f$ is shown in Figure 2.1. □

As Figure 2.1 illustrates, a functional graph may have several components (maximal connected subgraphs), each component consisting of a directed cycle and some directed trees attached to the cycle.

2.34 Fact As $n$ tends to infinity, the following statements regarding the functional digraph of a random function $f$ from $\mathcal{F}_n$ are true:
(i) The expected number of components is $\frac{1}{2} \ln n$.
Figure 2.1: A functional graph (see Example 2.33).
(ii) The expected number of points which are on the cycles is $\sqrt{\pi n / 2}$.
(iii) The expected number of terminal points (points which have no preimages) is $n / e$.
(iv) The expected number of $k$-th iterate image points ($x$ is a $k$-th iterate image point if $x = f(f(\cdots f(y) \cdots))$ with $f$ applied $k$ times, for some $y$) is $(1 - \tau_k)\, n$, where the $\tau_k$ satisfy the recurrence $\tau_0 = 0$, $\tau_{k+1} = e^{-1 + \tau_k}$ for $k \ge 0$.

2.35 Definition Let $f$ be a random function from $\{1, 2, \ldots, n\}$ to $\{1, 2, \ldots, n\}$ and let $u \in \{1, 2, \ldots, n\}$. Consider the sequence of points $u_0, u_1, u_2, \ldots$ defined by $u_0 = u$, $u_i = f(u_{i-1})$ for $i \ge 1$. In terms of the functional graph of $f$, this sequence describes a path that connects $u$ to a cycle.
(i) The number of edges in the path is called the tail length of $u$, denoted $\lambda(u)$.
(ii) The number of edges in the cycle is called the cycle length of $u$, denoted $\mu(u)$.
(iii) The rho-length of $u$ is the quantity $\rho(u) = \lambda(u) + \mu(u)$.
(iv) The tree size of $u$ is the number of edges in the maximal tree rooted on a cycle in the component that contains $u$.
(v) The component size of $u$ is the number of edges in the component that contains $u$.
(vi) The predecessors size of $u$ is the number of iterated preimages of $u$.

2.36 Example The functional graph in Figure 2.1 has $2$ components and $4$ terminal points. The point $u = 3$ has parameters $\lambda(u) = 1$, $\mu(u) = 4$, $\rho(u) = 5$. The tree, component, and predecessors sizes of $u = 3$ are $4$, $9$, and $3$, respectively. □

2.37 Fact As $n$ tends to infinity, the following are the expectations of some parameters associated with a random point in $\{1, 2, \ldots, n\}$ and a random function from $\mathcal{F}_n$: (i) tail length: $\sqrt{\pi n / 8}$; (ii) cycle length: $\sqrt{\pi n / 8}$; (iii) rho-length: $\sqrt{\pi n / 2}$; (iv) tree size: $n / 3$; (v) component size: $2n / 3$; (vi) predecessors size: $\sqrt{\pi n / 8}$.

2.38 Fact As $n$ tends to infinity, the expectations of the maximum tail, cycle, and rho lengths in a random function from $\mathcal{F}_n$ are $c_1 \sqrt{n}$, $c_2 \sqrt{n}$, and $c_3 \sqrt{n}$, respectively, where $c_1 \approx 0.78248$, $c_2 \approx 1.73746$, and $c_3 \approx 2.4149$.

Facts 2.37 and 2.38 indicate that in the functional graph of a random function, most points are grouped together in one giant component, and there is a small number of large trees. Also, almost unavoidably, a cycle of length about $\sqrt{n}$ arises after following a path of length $\sqrt{n}$ edges.
2.2 Information theory
2.2.1 Entropy
Let $X$ be a random variable which takes on a finite set of values $x_1, x_2, \ldots, x_n$, with probability $P(X = x_i) = p_i$, where $0 \le p_i \le 1$ for each $i$, $1 \le i \le n$, and where $\sum_{i=1}^{n} p_i = 1$. Also, let $Y$ and $Z$ be random variables which take on finite sets of values. The entropy of $X$ is a mathematical measure of the amount of information provided by an observation of $X$. Equivalently, it is the uncertainty about the outcome before an observation of $X$. Entropy is also useful for approximating the average number of bits required to encode the elements of $X$.

2.39 Definition The entropy or uncertainty of $X$ is defined to be
$$H(X) = -\sum_{i=1}^{n} p_i \lg p_i = \sum_{i=1}^{n} p_i \lg\left(\frac{1}{p_i}\right)$$
where, by convention, $p_i \cdot \lg p_i = p_i \cdot \lg \frac{1}{p_i} = 0$ if $p_i = 0$.

2.40 Fact (properties of entropy) Let $X$ be a random variable which takes on $n$ values.
(i) $0 \le H(X) \le \lg n$.
(ii) $H(X) = 0$ if and only if $p_i = 1$ for some $i$, and $p_j = 0$ for all $j \ne i$ (that is, there is no uncertainty of the outcome).
(iii) $H(X) = \lg n$ if and only if $p_i = 1/n$ for each $i$, $1 \le i \le n$ (that is, all outcomes are equally likely).

2.41 Definition The joint entropy of $X$ and $Y$ is defined to be $H(X, Y) =$
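Definitions 2.39 and 2.41 and the bounds of Fact 2.40 carried out in code, including the $0 \cdot \lg 0 = 0$ convention (an added Python example, not code from the Handbook; the joint table JOINT is constructed for illustration):

```python
import math


def entropy(p):
    """H(X) = -sum_i p_i lg p_i (Definition 2.39); a term with p_i = 0
    contributes 0 by convention, so zero probabilities are skipped."""
    if any(q < 0 for q in p) or abs(sum(p) - 1.0) > 1e-9:
        raise ValueError("p must be a probability distribution")
    return -sum(q * math.log2(q) for q in p if q > 0)


def entropy_bounds_hold(p):
    """Fact 2.40(i): 0 <= H(X) <= lg n for a variable taking n values."""
    h = entropy(p)
    return -1e-12 <= h <= math.log2(len(p)) + 1e-12


def joint_entropy(joint):
    """H(X, Y) from a joint table {(x, y): P(X = x, Y = y)} (Definition 2.41):
    the entropy of the pair (X, Y) treated as a single random variable."""
    return entropy(list(joint.values()))


def marginals(joint):
    """P(X = x) and P(Y = y) obtained by summing the joint table."""
    px, py = {}, {}
    for (x, y), q in joint.items():
        px[x] = px.get(x, 0.0) + q
        py[y] = py.get(y, 0.0) + q
    return px, py


# Constructed example: X is a four-symbol source; Y is X with the symbols
# 'a' and 'b' merged, so Y is a function of X and H(X, Y) = H(X).
JOINT = {("a", "ab"): 0.5, ("b", "ab"): 0.25, ("c", "c"): 0.125, ("d", "d"): 0.125}


if __name__ == "__main__":
    px, py = marginals(JOINT)
    print("H(X) =", entropy(list(px.values())))            # 1.75 bits
    print("H(Y) =", entropy(list(py.values())))            # less than H(X): merging loses information
    print("H(X,Y) =", joint_entropy(JOINT))                # 1.75 bits, equal to H(X)
    print("uniform on 4 symbols:", entropy([0.25] * 4))    # lg 4 = 2, Fact 2.40(iii)
    print("certain outcome:", entropy([1.0, 0.0, 0.0]))    # 0, Fact 2.40(ii)
```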
ý.e ¾ ³ ² Ï;> 9;=.>;< A;A/B;=.@ .?;:;=.8 (Note 3.72). Later, Odlyzko [940] gave several refinements to Coppersmith’s algorithm, and a detailed practical analysis; this paper provides the most extensive account to date of the discrete logarithm problem in gG d h . A similar practical analysis was also given by van Oorschot [1203]. Most recently in 1992, Gordon and McCurley [511] reported on their massively parallel implementation of Coppersmith’s algorithm, combined with their own improvements. Using primarily a 1024 processor nCUBE-2 machine with 4 megabytes of memory per processor, they completed the precomputation of logarithms of factor base elements (which is the dominant step of the algorithm) required to compute logarithms in gGd x/xDy , glG'd w! , and gGLd Dw . The calculations for gG d Dw were estimated to take 5 days. Gordon and McCurley also completed most of the precomputations required for computing logarithms in g G'd
/D ; the amount of time to complete this task on the 1024 processor nCUBE-2 was estimated to be 44 days. They concluded that computing logarithms in the multiplicative groups of fields as large as g G'
D/ still seems to be out of their reach, but might be possible in the near future with a concerted effort. It was not until 1992 that a subexponential-time algorithm for computing discrete logarithms over all finite fields g- was discovered by Adleman and DeMarrais [11]. The expected running time of the algorithm is conjectured to be )?, G . 1AjD< for some constant j . Adleman [9] generalized the number field sieve from algebraic number fields to algebraic function fields which resulted in an algorithm, called the function field sieve, for computing discrete logarithms in gf d h ; the algorithm has a heuristic expected running time of ) f'h ,D0 . 1LjD< for some constant j8 when ^a;`IbY , and where is any function such that 8| 2X!b\ |894=6;p and ^=a Xub\ k8 . The practicality of the function field sieve has e not yet been determined. It remains an open problem to find an algorithm with a heuristic expected running time of ) ,/0 . 1Aj< for all finite fields g . The algorithms mentioned in the previous three paragraphs have heuristic (or conjectured) rather than proven running times because the analyses make some (reasonable) assumptions about the proportion of integers or polynomials generated that are smooth, and also because it is not clear when the system of linear equations generated has full rank, i.e., yields a unique solution. The best rigorously analyzed algorithms known for the discrete logarithm problem in c f d and g G d h are due to Pomerance [991] with expected running times of ) f ,/G . 1 Z :< and ) G h ,DG . 1 Z :< , respectively. Lovorn [773] obtained rigorously analyzed algorithms for the fields g f x and g fLh with ^=9`I | b¡ ;¢ £¤ , having expected running times of 0 x ) f , G . 1 G¥< and ) f'h , G . 1 Z :< , respectively. The linear system of equations collected in the quadratic sieve and number field sieve factoring algorithms, and the index-calculus algorithms for computing discrete logarithms in c f d and g G d h , are very large. 
For the problem sizes currently under consideration, these systems cannot be solved using ordinary linear algebra techniques, due to both time and space constraints. However, the equations generated are extremely sparse, typically with at most 50 non-zero coefficients per equation. The technique of structured or so-called intelligent Gaussian elimination (see Odlyzko [940]) can be used to reduce the original sparse system to a much smaller system that is still fairly sparse. The resulting system can be solved using either ordinary Gaussian elimination, or one of the conjugate gradient, Lanczos (Coppersmith, Odlyzko, and Schroeppel [280]), or Wiedemann [1239] algorithms, which were also designed to handle sparse systems. LaMacchia and Odlyzko [737] have implemented some of these algorithms and concluded that the linear algebra stages arising in both integer factorization and the discrete logarithm problem are not running-time bottlenecks in practice. Recently, Coppersmith [272] proposed a modification of the Wiedemann algorithm which allows parallelization of the algorithm; for an analysis of Coppersmith's algorithm, see Kaltofen [657]. Coppersmith [270] (see also Montgomery [896]) presented a modification of the Lanczos algorithm for solving sparse linear equations over $\mathbb{F}_2$; this variant appears to be the most efficient in practice.
Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.
Ch. 3 Number-Theoretic Reference Problems

As an example of the numbers involved, Gordon and McCurley's [511] implementation for computing logarithms in $\mathbb{F}_{2^{401}}$ produced a total of 117164 equations from a factor base consisting of the 58636 irreducible polynomials in $\mathbb{F}_2[x]$ of degree at most 19. The system of equations had 2068707 non-zero entries. Structured Gaussian elimination was then applied to this system, the result being a $16139 \times 16139$ system of equations having 1203414 non-zero entries, which was then solved using the conjugate gradient method. Another example is from the recent factorization of the RSA-129 number (see Atkins et al. [59]). The sieving step produced a sparse matrix of 569466 rows and 524339 columns. Structured Gaussian elimination was used to reduce this to a dense $188614 \times 188160$ system, which was then solved using ordinary Gaussian elimination.

There are many ways of representing a finite field, although any two finite fields of the same order are isomorphic (see also Note 3.55). Lenstra [757] showed how to compute an isomorphism between any two explicitly given representations of a finite field in deterministic polynomial time. Thus, it is sufficient to find an algorithm for computing discrete logarithms in one representation of a given field; this algorithm can then be used, together with the isomorphism obtained by Lenstra's algorithm, to compute logarithms in any other representation of the same field.

Menezes, Okamoto, and Vanstone [843] showed how the discrete logarithm problem for an elliptic curve over a finite field $\mathbb{F}_q$ can be reduced to the discrete logarithm problem in some extension field $\mathbb{F}_{q^k}$. For the special class of supersingular curves, $k$ is at most 6, thus providing a subexponential-time algorithm for the former problem. This work was extended by Frey and Rück [422].
No subexponential-time algorithm is known for the discrete logarithm problem in the more general class of non-supersingular elliptic curves. Adleman, DeMarrais, and Huang [12] presented a subexponential-time algorithm for finding logarithms in the jacobian of large genus hyperelliptic curves over finite fields. More precisely, there exists a number $c$, $0 < c \le 2.181$, such that for all sufficiently large $g \ge 1$ and all odd primes $p$ with $\log p \le (2g+1)^{0.98}$, the expected running time of the algorithm for computing logarithms in the jacobian of a genus $g$ hyperelliptic curve over $\mathbb{Z}_p$ is conjectured to be $L_{p^{2g+1}}[\tfrac12, c]$.

McCurley [826] invented a subexponential-time algorithm for the discrete logarithm problem in the class group of an imaginary quadratic number field. See also Hafner and McCurley [537] for further details, and Buchmann and Düllmann [216] for an implementation report.

In 1994, Shor [1128] conceived randomized polynomial-time algorithms for computing discrete logarithms and factoring integers on a quantum computer, a computational device based on quantum mechanical principles; presently it is not known how to build a quantum computer, nor if this is even possible. Also recently, Adleman [10] demonstrated the feasibility of using tools from molecular biology to solve an instance of the directed Hamiltonian path problem, which is NP-complete. The problem instance was encoded in molecules of DNA, and the steps of the computation were performed with standard protocols and enzymes. Adleman notes that while the currently available fastest supercomputers can execute approximately $10^{12}$ operations per second, it is plausible for a DNA computer to execute $10^{20}$ or more operations per second. Moreover, such a DNA computer would be far more energy-efficient than existing supercomputers. It is not clear at present whether it is feasible to build a DNA computer with such performance. However, should either quantum computers or DNA computers ever become practical, they would have a very significant impact on public-key cryptography.
© 1997 by CRC Press, Inc. — See accompanying notice at front of chapter.
3.12 Notes and further references
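Returning to the linear-algebra stage discussed earlier in these notes (structured Gaussian elimination that shrinks a sparse relation system, followed by ordinary elimination on the reduced system), the following added example, which is not code from the Handbook or from any implementation it cites, runs that pipeline over $\mathbb{F}_2$ at toy scale. It implements only the singleton rule of structured elimination (an unknown occurring in exactly one equation is set aside together with that equation, and the step is repeated as weights drop), solves what remains by ordinary Gaussian elimination, and back-substitutes. The sparse system is constructed inline from a hidden solution; the sizes, seeds and helper names are assumptions for illustration.

```python
"""Sparse linear algebra over GF(2) of the kind needed for the relation
systems produced by index-calculus and sieve factoring algorithms: a
structured-elimination step that peels off singleton columns, ordinary
Gaussian elimination on the much smaller remaining system, then
back-substitution.  Added example, not the Handbook's code; only the
singleton rule of Odlyzko's structured elimination is implemented."""
import random


def make_rng(seed):
    """Seeded generator so the constructed sample system is reproducible."""
    return random.Random(seed)


def parity(v):
    """XOR of the bits of v: the GF(2) dot product once v = mask & x."""
    return bin(v).count("1") & 1


def column_weights(rows):
    """Map column bit -> number of equations in which that unknown occurs."""
    weight = {}
    for mask, _ in rows:
        while mask:
            low = mask & -mask
            weight[low] = weight.get(low, 0) + 1
            mask ^= low
    return weight


def structured_reduce(rows):
    """rows: list of (mask, rhs); bit j of mask is the coefficient of x_j.
    An unknown occurring in exactly one equation can be solved for once the
    others are known, so that equation and column are set aside.  Dropping
    the equation lowers other column weights, so repeat until no singleton
    column remains.  Returns (remaining_rows, deferred=[(mask, rhs, col)])."""
    rows = list(rows)
    deferred = []
    while True:
        singles = [bit for bit, w in column_weights(rows).items() if w == 1]
        if not singles:
            return rows, deferred
        bit = min(singles)
        idx = next(i for i, (mask, _) in enumerate(rows) if mask & bit)
        mask, rhs = rows.pop(idx)
        deferred.append((mask, rhs, bit.bit_length() - 1))


def gauss_solve(rows):
    """Ordinary Gaussian elimination over GF(2).  Each stored pivot row has
    its pivot as its highest set bit, so reducing a new row from the top bit
    downward suffices.  Returns one solution as an int (free unknowns 0), or
    None if the system is inconsistent."""
    pivots = {}
    for mask, rhs in rows:
        while mask:
            top = mask.bit_length() - 1
            if top not in pivots:
                pivots[top] = (mask, rhs)
                break
            pmask, prhs = pivots[top]
            mask ^= pmask
            rhs ^= prhs
        else:
            if rhs:                       # reduced to 0 = 1: no solution
                return None
    x = 0
    for col in sorted(pivots):            # lower unknowns already fixed
        mask, rhs = pivots[col]
        if parity(mask & x) != rhs:
            x |= 1 << col
    return x


def back_substitute(x, deferred):
    """Recover the unknowns set aside by structured_reduce, last one first:
    every other unknown in a deferred row is known by then."""
    for mask, rhs, col in reversed(deferred):
        if parity((mask & ~(1 << col)) & x) != rhs:
            x |= 1 << col
    return x


def solve_sparse(rows):
    """Full pipeline: structured reduction, dense solve, back-substitution."""
    remaining, deferred = structured_reduce(rows)
    x = gauss_solve(remaining)
    return None if x is None else back_substitute(x, deferred)


def verify(rows, x):
    """Check that every equation of the original system holds for x."""
    return all(parity(mask & x) == rhs for mask, rhs in rows)


def random_sparse_system(n, m, weight, rng):
    """Constructed sample input: m equations in n unknowns with `weight`
    nonzero coefficients each; right-hand sides come from a hidden solution
    so the system is consistent, as relation systems are in practice."""
    hidden = rng.getrandbits(n)
    rows = []
    for _ in range(m):
        mask = 0
        for col in rng.sample(range(n), weight):
            mask |= 1 << col
        rows.append((mask, parity(mask & hidden)))
    return rows, hidden


if __name__ == "__main__":
    system, _ = random_sparse_system(60, 70, 3, make_rng(5))
    small, held = structured_reduce(system)
    print(f"{len(system)} equations -> {len(small)} after deferring {len(held)}")
    print("solution verifies:", verify(system, solve_sparse(system)))
```

Run as a script it reports how many equations the singleton step peeled off before the dense solve. The merging of heavy and light columns that Odlyzko's full method adds on top of the singleton rule, and the iterative solvers (conjugate gradient, Lanczos, Wiedemann) mentioned above, are not shown.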
§3.7 Fact 3.77(i) is due to den Boer [323]. Fact 3.77(iii) was proven by Maurer [817], who also proved more generally that the GDHP and GDLP in a group $G$ of order $n$ are computationally equivalent when certain extra information of length $O(\lg n)$ bits is given. The extra information depends only on $n$ and not on the definition of $G$, and consists of parameters that define cyclic elliptic curves of smooth order over the fields $\mathbb{Z}_{p_i}$, where the $p_i$ are the prime divisors of $n$. Waldvogel and Massey [1228] proved that if $a$ and $b$ are chosen uniformly and randomly from the interval $\{0, 1, \ldots, p-1\}$, the values $\alpha^{ab} \bmod p$ are roughly uniformly distributed (see page 537).

§3.8 Facts 3.78 and 3.79 are due to Bach [62]. Fact 3.80 is due to Shmuely [1127]. McCurley [825] refined this result to prove that for specially chosen composite $n$, the ability to solve the Diffie-Hellman problem in $\mathbb{Z}_n^*$ for the fixed base $\alpha = 16$ implies the ability to factor $n$.

§3.9 The notion of a hard Boolean predicate (Definition 3.81) was introduced by Blum and Micali [166], who also proved Fact 3.84. The notion of a hard $k$-bit predicate (Definition 3.82) was introduced by Long and Wigderson [772], who also proved Fact 3.85; see also Peralta [968]. Fact 3.83 is due to Peralta [968]. The results on hard predicates and $k$-bit predicates for the RSA functions (Facts 3.86 and 3.87) are due to Alexi et al. [23]. Facts 3.88 and 3.89 are due to Vazirani and Vazirani [1218]. Yao [1258] showed how any one-way length-preserving permutation can be transformed into a more complicated one-way length-preserving permutation which has a hard predicate. Subsequently, Goldreich and Levin [471] showed how any one-way function $f$ can be transformed into a one-way function $g$ which has a hard predicate. Their construction is as follows. Define the function $g$ by $g(p, x) = (p, f(x))$, where $p$ is a binary string of the same length as $x$, say $n$. Then $g$ is also a one-way function and $B(p, x) = \sum_{i=1}^{n} p_i x_i \bmod 2$ is a hard predicate for $g$.

Håstad, Schrift, and Shamir [543] considered the one-way function $f(x) = \alpha^x \bmod n$, where $n$ is a Blum integer and $\alpha \in \mathbb{Z}_n^*$. Under the assumption that factoring Blum integers is intractable, they proved that all the bits of this function are individually hard. Moreover, the lower half as well as the upper half of the bits are simultaneously secure.

§3.10 The subset sum problem (Definition 3.90) is sometimes confused with the knapsack problem, which is the following: given two sets $\{a_1, a_2, \ldots, a_n\}$ and $\{b_1, b_2, \ldots, b_n\}$ of positive integers, and given two positive integers $s$ and $t$, determine whether or not there is a subset $S$ of $\{1, 2, \ldots, n\}$ such that $\sum_{i \in S} a_i \le s$ and $\sum_{i \in S} b_i \ge t$. The subset sum problem is actually a special case of the knapsack problem when $a_i = b_i$ for $i = 1, 2, \ldots, n$ and $s = t$. Algorithm 3.94 is described by Odlyzko [941].
The $L^3$-lattice basis reduction algorithm (Algorithm 3.101) and Fact 3.103 are both due to Lenstra, Lenstra, and Lovász [750]. Improved algorithms have been given for lattice basis reduction, for example, by Schnorr and Euchner [1099]; consult also Section 2.6 of Cohen [263]. Algorithm 3.105 for solving the subset sum problem involving knapsack sets of low density is from Coster et al. [283]. Unusually good simultaneous diophantine approximations were first introduced and studied by Lagarias [723]; Fact 3.107 and Algorithm 3.108 are from this paper.
§3.11 A readable introduction to polynomial factorization algorithms is given by Lidl and Niederreiter [764, Chapter 4]. Algorithm 3.110 for square-free factorization is from Geddes, Czapor, and Labahn [445]. Yun [1261] presented an algorithm that is more efficient than Algorithm 3.110 for finding the square-free factorization of a polynomial. The running time of the algorithm is only $O(n^2)$ $\mathbb{Z}_p$-operations when $f(x)$ is a polynomial of degree $n$ in $\mathbb{Z}_p[x]$. A lucid presentation of Yun's algorithm is provided by Bach and Shallit [70]. Berlekamp's $Q$-matrix algorithm (Algorithm 3.111) was first discovered by Prange [999] for the purpose of factoring polynomials of the form $x^n - 1$ over finite fields. The algorithm was later and independently discovered by Berlekamp [117], who improved it for factoring general polynomials over finite fields. There is no deterministic polynomial-time algorithm known for the problem of factoring polynomials over finite fields. There are, however, many efficient randomized algorithms that work well even when the underlying field is very large, such as the algorithms given by Ben-Or [109], Berlekamp [119], Cantor and Zassenhaus [232], and Rabin [1025]. For recent work along these lines, see von zur Gathen and Shoup [1224], as well as Kaltofen and Shoup [658].
Chapter 4  Public-Key Parameters

Contents in Brief
4.1 Introduction . . . . . 133
4.2 Probabilistic primality tests . . . . . 135
4.3 (True) Primality tests . . . . . 142
4.4 Prime number generation . . . . . 145
4.5 Irreducible polynomials over $\mathbb{Z}_p$ . . . . . 154
4.6 Generators and elements of high order . . . . . 160
4.7 Notes and further references . . . . . 165
4.1 Introduction

The efficient generation of public-key parameters is a prerequisite in public-key systems. A specific example is the requirement of a prime number to define a finite field for use in the Diffie-Hellman key agreement protocol and its derivatives (§12.6). In this case, an element of high order in the multiplicative group of that field is also required. Another example is the requirement of two primes for an RSA modulus (§8.2). In this case, each prime must be of sufficient size, and be "random" in the sense that the probability of any particular prime being selected must be sufficiently small to preclude an adversary from gaining advantage through optimizing a search strategy based on such probability. Prime numbers may be required to have certain additional properties, in order that they do not make the associated cryptosystems susceptible to specialized attacks. A third example is the requirement of an irreducible polynomial of prescribed degree over a finite field, for constructing an extension field of that degree. In this case, an element of high order in the multiplicative group of the extension field is also required.
Chapter outline
The remainder of §4.1 introduces basic concepts relevant to prime number generation and summarizes some results on the distribution of prime numbers. Probabilistic primality tests, the most important of which is the Miller-Rabin test, are presented in §4.2. True primality tests, by which arbitrary integers can be proven to be prime, are the topic of §4.3; since these tests are generally more computationally intensive than probabilistic primality tests, they are not described in detail. §4.4 presents four algorithms for generating prime numbers, strong primes, and provable primes. §4.5 describes techniques for constructing irreducible and primitive polynomials, while §4.6 considers the production of generators and elements of high order in groups. §4.7 concludes with chapter notes and references.
4.1.1 Approaches to generating large prime numbers

To motivate the organization of this chapter and introduce many of the relevant concepts, the problem of generating large prime numbers is first considered. The most natural method is to generate a random number $n$ of appropriate size, and check if it is prime. This can be done by checking whether $n$ is divisible by any of the prime numbers not exceeding $\sqrt{n}$. While more efficient methods are required in practice, to motivate further discussion consider the following approach:
1. Generate as candidate a random odd number $n$ of appropriate size.
2. Test $n$ for primality.
3. If $n$ is composite, return to the first step.

A slight modification is to consider candidates restricted to some search sequence starting from $n$; a trivial search sequence which may be used is $n, n+2, n+4, n+6, \ldots$. Using specific search sequences may allow one to increase the expectation that a candidate is prime, and to find primes possessing certain additional desirable properties a priori.

In step 2, the test for primality might be either a test which proves that the candidate is prime (in which case the outcome of the generator is called a provable prime), or a test which establishes a weaker result, such as that $n$ is "probably prime" (in which case the outcome of the generator is called a probable prime). In the latter case, careful consideration must be given to the exact meaning of this expression. Most so-called probabilistic primality tests are absolutely correct when they declare candidates $n$ to be composite, but do not provide a mathematical proof that $n$ is prime in the case when such a number is declared to be "probably" so. In the latter case, however, when used properly one may often be able to draw conclusions more than adequate for the purpose at hand. For this reason, such tests are more properly called compositeness tests than probabilistic primality tests. True primality tests, which allow one to conclude with mathematical certainty that a number is prime, also exist, but generally require considerably greater computational resources.

While (true) primality tests can determine (with mathematical certainty) whether a typically random candidate number is prime, other techniques exist whereby candidates are specially constructed such that it can be established by mathematical reasoning whether a candidate actually is prime. These are called constructive prime generation techniques.

A final distinction between different techniques for prime number generation is the use of randomness. Candidates are typically generated as a function of a random input. The technique used to judge the primality of the candidate, however, may or may not itself use random numbers. If it does not, the technique is deterministic, and the result is reproducible; if it does, the technique is said to be randomized. Both deterministic and randomized probabilistic primality tests exist.

In some cases, prime numbers are required which have additional properties. For example, to make the extraction of discrete logarithms in $\mathbb{Z}_p^*$ resistant to an algorithm due to Pohlig and Hellman (§3.6.4), it is a requirement that $p-1$ have a large prime divisor. Thus techniques for generating public-key parameters, such as prime numbers, of special form need to be considered.
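The three-step procedure above, the search sequence $n, n+2, n+4, \ldots$, the compositeness-test caveat, and the requirement that $p-1$ have a large prime divisor, gathered into one added example (illustrative code, not the Handbook's own): a sieve of small primes as a cheap pre-test, the Miller-Rabin test of §4.2 used as a compositeness test, an incremental search from a random odd starting point, and a safe-prime variant $p = 2q+1$ that satisfies the Pohlig-Hellman condition. The sieve bound, bit sizes, round count and fixed seeds are assumptions chosen so the example runs quickly.

```python
"""Prime generation along the lines of §4.1.1: draw a random odd candidate,
walk the search sequence n, n+2, n+4, ..., discard candidates with a small
prime factor, then run a Miller-Rabin compositeness test.  Added example,
not the Handbook's code.  Sieve bound, bit sizes and seeds are assumptions."""
import random

TRIAL_DIVISION_BOUND = 2000   # assumption: limit of the small-prime sieve


def make_rng(seed):
    """Seeded generator: reproducible demonstration only, not for production."""
    return random.Random(seed)


def small_primes(bound):
    """All primes below `bound`, by the sieve of Eratosthenes."""
    flags = bytearray([1]) * bound
    flags[0] = flags[1] = 0
    for i in range(2, int(bound ** 0.5) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(range(i * i, bound, i)))
    return [i for i, f in enumerate(flags) if f]


SMALL_PRIMES = small_primes(TRIAL_DIVISION_BOUND)


def trial_division(n):
    """False if a small prime other than n itself divides n, else True."""
    for p in SMALL_PRIMES:
        if p * p > n:
            break
        if n % p == 0:
            return False
    return True


def miller_rabin(n, rounds, rng):
    """Compositeness test.  False means n is certainly composite (a witness
    was found); True means only that no witness turned up in `rounds`
    random bases, i.e. n is 'probably prime'."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    d, s = n - 1, 0                 # write n - 1 = 2^s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False            # a is a witness: n is composite
    return True


def is_probable_prime(n, rng, rounds=40):
    """Cheap trial division first, then Miller-Rabin."""
    return n >= 2 and trial_division(n) and miller_rabin(n, rounds, rng)


def generate_prime(bits, rng, rounds=40):
    """Steps 1-3 of §4.1.1 with the search sequence n, n+2, n+4, ...: one
    random odd candidate with the top bit set, then walk upward in steps of
    two, redrawing if the walk leaves the requested bit length."""
    n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    while True:
        if n.bit_length() > bits:
            n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n, rng, rounds):
            return n
        n += 2


def generate_safe_prime(bits, rng, rounds=40):
    """A prime p with p - 1 = 2q, q prime, so that p - 1 has a large prime
    divisor (the Pohlig-Hellman condition of §3.6.4 mentioned above)."""
    while True:
        q = generate_prime(bits - 1, rng, rounds)
        p = 2 * q + 1
        if trial_division(p) and miller_rabin(p, rounds, rng):
            return p


if __name__ == "__main__":
    rng = make_rng(2024)
    print("64-bit probable prime:", generate_prime(64, rng))
    print("48-bit safe prime:    ", generate_safe_prime(48, rng))
```

A `False` from `miller_rabin` is a proof of compositeness; a `True` is only the absence of a witness in the chosen rounds, which is why the code never calls a candidate "prime" without that qualifier. The fixed seed exists so the demonstration is reproducible; a real generator takes its randomness from the operating system's cryptographic source, and the sizes used here are far below anything a deployed system would accept.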
4.1.2 Distribution of prime numbers

Let $\pi(x)$ denote the number of primes in the interval $[2, x]$. The prime number theorem (Fact 2.95) states that $\pi(x) \sim x/\ln x$. In other words, the number of primes in the interval
Î If Ïis odd. Let ç be any integer ç hÿĵæ±(· or ç