
3.4 Cryptography

3.4.2 Asymmetric (Public-Private) Key Cryptography

One of the major drawbacks of the private key encryption method is how to give both parties exclusive access to the private key. If they are at the same location, it is not a problem, but that is not always the case. A message may need to be sent to people who are far from each other. A solution to this problem was introduced in 1976 with the advent of asymmetric or public key encryption.

Public key encryption works by using two keys, a public and a private key. The key pair is selected such that deriving the private key from the public key is equivalent to solving a computational problem that is believed to be intractable.

If the sender wants to send a message, as in Figure 3.4, the receiver must first supply the sender with a public key $PK_{rec}$ over an unsecured channel. The sender then uses the receiver’s public key $PK_{rec}$ and their own private key $p_{sen}$ to calculate a common secret $S$. An encrypted message can be created with $S$, the plain text message and the encryption function. The encrypted message is sent to the receiver, where they first calculate the common secret $S$ using their private key $p_{rec}$ and the public key from the sender $PK_{sen}$. The common secret is used again with the symmetric encryption algorithm (in decrypt mode) and the encrypted message to recreate the plain text message.

[Figure 3.4: Asymmetric encryption. Block diagram: the sender's and receiver's random number generators produce the private keys $p_{sen}$ and $p_{rec}$; each side calculates its public key ($PK_{sen} = p_{sen} \cdot Q$, $PK_{rec} = p_{rec} \cdot Q$) and passes it over the open channel; the sender calculates the common secret $S(PK_{rec}, p_{sen})$ and the receiver calculates $S(PK_{sen}, p_{rec})$; $S$ keys the symmetric encryption algorithm that turns the plain text message into the encrypted text message, and the same algorithm in decrypt mode recovers the plain text message.]

The public key system has the benefit of being more robust than the private key system; however, this comes at the cost of higher computation and algorithm complexity. Table 3.1 shows a comparison of the key lengths for various private and public key systems. It is evident that the private key algorithm requires a smaller key length to achieve the equivalent security to a public key system. Also included in Table 3.1 is the newer elliptic curve cryptosystem.

The public key architecture is moving away from the older RSA/DSA systems (see [Lab02] and [18600] for further details on these algorithms) towards Elliptic Curve Cryptography (ECC). Currently, ECC algorithms are more complex than the RSA equivalent; however, ongoing research is allowing ECC technology to be used in small devices such as smart cards. The major benefit of ECC is in future expandability of the algorithm. Whereas the RSA algorithm requires an extremely large key of 15360 bits for an equivalent 256 bit symmetric key, the ECC system only needs a key size of 512 bits. The smaller key size requires less memory and processor power.

| Symmetric algorithm key length (bits) | ECC algorithm key length (bits) | DSA/RSA algorithm key length (bits) |
|---|---|---|
| 80 | 160 | 1024 |
| 112 | 224 | 2048 |
| 128 | 256 | 3072 |
| 192 | 384 | 7680 |
| 256 | 512 | 15360 |

Table 3.1: Comparison of key lengths for symmetric, ECC and RSA/DSA cryptographic algorithms.

Example 3.4.1. An example of an ECC algorithm is the Elliptic Curve Authentication Encryption Scheme (EC-AES) algorithm [LeR00, Han04]. To send a message using EC-AES it is assumed that the sender has the receiver’s public key $K_{pub2}$ and the domain $D = (q, F, a, b, BP, n, \#E(F))$, where $q$ is the prime power ($q = p$ or $q = 2^m$), $F$ is the field representation, $a, b \in F_q$ specify the curve over $F_q$ (i.e. $y^2 = x^3 + ax + b$ for $p > 3$), $BP$ is the base point $BP = (x_{BP}, y_{BP})$, $n$ is the order of $BP$, and the curve order $\#E(F)$ is the number of points on the curve. The EC-AES uses elliptic curve cryptography and a Key Derivation Function (KDF), such as the ANSI X9.42 [Kel00], to transport the key from sender to receiver while the actual encryption of the message is done by a symmetric encryption scheme, for example the AES standard [19701]. The authentication is performed by a Message Authentication Code (MAC) such as the HMAC [oST02].

To encrypt a message $m$ the sender needs to perform the following:

1. Select a random number in the range $[1, n-1]$.
2. Calculate the sender's public key pair $(K_{pub1}, k_{priv1})$ with $K_{pub1} = k_{priv1} \cdot BP$.
3. Calculate the shared secret on the curve $S = \frac{\#E(F)}{n} \cdot k_{priv1} \cdot K_{pub2} = (S_x, S_y)$.
4. Verify that $S \neq O$.
5. Use the key derivation function to calculate the signature and encryption keys $k_{sign} \,\|\, k_{enc} = KDF(S_x)$.
6. Encrypt the message using the symmetric encryption algorithm $c = E_{k_{enc}}(m)$.
7. Sign the message using the MAC algorithm $v = MAC_{k_{sign}}(c)$.
8. Send $(K_{pub1}, c, v)$.

On the other end of the communication line, the receiver gets $(K_{pub1}, c, v)$ and has the domain $D$. They proceed to calculate the following to retrieve the message:

1. Check that $K_{pub1} \neq O$.
2. Verify that the points $x_{K_{pub1}}$ and $y_{K_{pub1}}$ are elements of $F_q$.
3. Confirm that $K_{pub1}$ is on the curve defined by $a$ and $b$.
4. Derive the shared secret $S = CO \cdot k_{priv2} \cdot K_{pub1} = (S_x, S_y)$.
5. Verify that $S \neq O$.
6. Calculate the keys for authentication and decryption from the curve $k_{auth} \,\|\, k_{dec} = KDF(S_x)$.
7. Check $v = MAC_{k_{auth}}(c)$.
8. Decrypt the message $m = DEC_{k_{dec}}(c)$.
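The sender and receiver procedures of Example 3.4.1, written out as an added example that is not part of the original text. It assumes the secp256k1 curve (cofactor 1) as the domain $D$, and swaps in SHA-512 for the ANSI X9.42 KDF and a SHAKE-256 keystream XOR for AES so that it runs on the Python standard library alone; all function names are illustrative.

```python
import hashlib, hmac, secrets

P = 2**256 - 2**32 - 977  # secp256k1 (assumed curve): y^2 = x^3 + 7 over F_p
A, B, H, O = 0, 7, 1, None  # a, b, cofactor #E(F)/n, point at infinity
BP = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
      0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of BP

def add(p, q):  # affine addition; not constant time, for illustration only
    if p is O or q is O:
        return q if p is O else p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return O
    num, den = (3 * p[0] ** 2 + A, 2 * p[1]) if p == q else (q[1] - p[1], q[0] - p[0])
    lam = num * pow(den % P, -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P

def mul(k, pt):  # double-and-add scalar multiplication
    acc = O
    while k:
        acc, pt, k = (add(acc, pt) if k & 1 else acc), add(pt, pt), k >> 1
    return acc

def on_curve(pt):  # coordinates lie in F_q and satisfy the curve equation
    return all(0 <= v < P for v in pt) and (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0

def shared_keys(k_priv, k_pub):  # S = h * k_priv * K_pub, reject S = O, then KDF(S_x)
    s = mul(H * k_priv, k_pub)
    if s is O:
        raise ValueError("shared secret is the point at infinity")
    d = hashlib.sha512(s[0].to_bytes(32, "big")).digest()  # stand-in KDF, not X9.42
    return d[:32], d[32:]

def stream(key, data):  # stand-in for AES: XOR with a SHAKE-256 keystream
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))

def encrypt(k_pub2, m):  # sender steps 1-8
    k_priv1 = secrets.randbelow(N - 1) + 1  # uniform in [1, n-1]
    k_sign, k_enc = shared_keys(k_priv1, k_pub2)
    c = stream(k_enc, m)
    return mul(k_priv1, BP), c, hmac.new(k_sign, c, hashlib.sha256).digest()

def decrypt(k_priv2, k_pub1, c, v):  # receiver steps 1-8
    if k_pub1 is O or not on_curve(k_pub1):
        raise ValueError("invalid sender public key")
    k_auth, k_dec = shared_keys(k_priv2, k_pub1)
    if not hmac.compare_digest(v, hmac.new(k_auth, c, hashlib.sha256).digest()):
        raise ValueError("MAC check failed")
    return stream(k_dec, c)
```

The receiver validates $K_{pub1}$ and checks the MAC before any decryption, so a modified ciphertext or an off-curve point is rejected without producing plaintext.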


Chapter 4

Random Numbers, Generation and Testing

4.1 Definition of a random sequence

What exactly are random numbers? Is number “5” random? In this section we closely follow the exposition of [Lub]. Let $\Sigma = \{0,1\}$ and $\Sigma$ be the set of sequences of countable infinite¹ length with coefficients in the alphabet $\Sigma$. An element $u \in \Sigma$ can be written as a sequence of 0 and 1:

$$u = u_0 u_1 u_2 u_3 u_4 u_5 \ldots,$$

with $u_i \in \{0,1\}$. For $n \in \mathbb{N}$, the set of finite binary sequences of length $n$ is denoted by $\Sigma^n$. An element $u \in \Sigma^n$ can be written as:

$$u = u_0 u_1 u_2 \ldots u_{n-1}.$$

The objective of this paragraph is to define among all the elements of $\Sigma$ those that are random.

Let $W_k$ be the map from $\Sigma$ to the set of sequences with coefficients in $\Sigma^k$, which associates to $u \in \Sigma$ the unique sequence such that:

$$u = w_0 | w_1 | \ldots | w_q | \ldots$$

with $|$ the concatenation and $w_i \in \Sigma^k$.

In the following, a sequence of events is defined as a sequence $(u_n)_{n \in \mathbb{N}}$ with values in a set $\Omega$ which will always be finite. The probability denoted by

$$P_e[(u_n) = x]$$

is the empirical probability that an event is equal to $x$ if the following limit exists

$$\lim_{k \to \infty} \frac{S_k(x)}{k}, \tag{4.1}$$

with $S_k = |\{n \le k \mid u_n = x\}|$. If $(w_n)$ is a sequence of words of $\Sigma^k$ then $E((w_n))$ denotes the Shannon entropy function of $(w_n)$, defined by

$$E((w_n)) = -\sum_{x \in \Sigma^k} P_e[(w_n) = x] \log \frac{1}{P_e[(w_n) = x]}.$$

¹ A countable infinite set is any set which, in spite of its boundlessness, can be shown equivalent to the natural numbers [Wei].

The definition from [Knu97] can now be stated.

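Definition 4.1.1. A sequence $(u_n) \in \Sigma$ is $l$-distributed for $l \in \mathbb{N}$, if $E\big(W_l((u_n))\big) = l$ or that for all $x \in \Sigma^l$, $P_e[W_l((u_n)) = x] = \left(\frac{1}{2}\right)^l$. A sequence $u_n \in \Sigma$ is then $\infty$-distributed if it is $l$-distributed for all $l \in \mathbb{N}$.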

Temporarily, it can be stated that a sequence is random if it is $\infty$-distributed. In particular, if $(u_n)$ is a random sequence then $W_k((u_n))$ is an equidistributed sequence of words of $\Sigma^k$. If a random subsequence of length $k$ is picked from a random sequence, then the probability of selecting a given subsequence is the same for all words in $\Sigma^k$. This illustrates well the intuitive idea of a random phenomenon. A consequence of this is that it is impossible to precisely define what is a finite random sequence.
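Definition 4.1.1 evaluated on finite prefixes, as an added example that is not part of the original text. A finite prefix only estimates the limit in (4.1), the entropy is taken in bits so that an $l$-distributed sequence scores $l$, and the function names and both sample sequences are constructed for illustration.

```python
import math
from collections import Counter

def words(bits, k):
    """W_k: split a bit string into consecutive k-bit words, dropping a partial tail."""
    return [bits[i:i + k] for i in range(0, len(bits) - k + 1, k)]

def empirical(bits, k):
    """Relative frequency of each k-bit word over the finite prefix."""
    ws = words(bits, k)
    return {w: c / len(ws) for w, c in Counter(ws).items()}

def entropy(bits, k):
    """Shannon entropy, in bits, of the empirical distribution of k-bit words."""
    return sum(p * math.log2(1 / p) for p in empirical(bits, k).values())

def is_l_distributed(bits, l, tol=1e-9):
    """True if every one of the 2^l words occurs with frequency (1/2)^l within tol."""
    freq = empirical(bits, l)
    return len(freq) == 2 ** l and all(abs(p - 0.5 ** l) <= tol for p in freq.values())

def first_failing_l(bits, limit):
    """Smallest l <= limit at which the prefix is not l-distributed, else None."""
    return next((l for l in range(1, limit + 1) if not is_l_distributed(bits, l)), None)

# Constructed samples: both have exactly as many zeros as ones.
ALTERNATING = "01" * 384      # 1-distributed, but every 2-bit word is "01"
COUNTER = "00011011" * 96     # 1- and 2-distributed, but skewed over 3-bit words

if __name__ == "__main__":
    for name, seq in (("alternating", ALTERNATING), ("counter", COUNTER)):
        scores = [round(entropy(seq, l), 3) for l in (1, 2, 3)]
        print(name, "entropy for l=1,2,3:", scores, "fails at l =", first_failing_l(seq, 4))
```

Both samples are perfectly balanced in single bits and are still exposed at a larger word length, which is why the definition demands $l$-distribution for every $l$; for real generator output `tol` has to be chosen from the sample size, since exact equality is not expected on a finite prefix.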

The link between the statistical tests and the preceding definition of a random sequence can be shown by rewriting the preceding definition in the terms of probability theory. For that, let $(\Omega, A, P)$ be a probability space, which is defined by $\Omega$, a set that is finite, endowed by the discrete sigma-algebra, i.e. the one generated by all the elements of $\Omega$ and a positive measure $P$ on $A$ equidistributed and of total weight 1. For this paragraph, $\Omega$ will be $\Sigma^n$, the set of binary sequences of length $n$. The probability space is then denoted by $(\Omega_n, A_n, P_n)$.

A random variable is a map $X : \Omega \to \mathbb{R}$. This endows $\mathbb{R}$ with a structure of measured space, and the induced measure is indicated by the abuse of notation $P_X$. The function which maps $x \in \mathbb{R}$ to $P[X = x] = P(X^{-1}(x))$ is called the law of $X$. This gives the following alternative definition of a random sequence, which is just a reformulation of Definition 4.1.1.

Definition 4.1.2. A sequence $(u_n) \in \Sigma$ is random if and only if for all random variables from $\Sigma^k$ endowed with the equidistributed law of probability to $\mathbb{R}$ and for all $x \in \mathbb{R}$ there is

$$P_e[X(W_k((u_n))) = x] = P[X = x].$$

In other words, the empiric law determined by the sequence X(u) follows the theoretical law induced by the random variable on R by the equidistributed probability law of Σk. This definition gives a general principle that underlies statistical tests in order to assess if a sequence
