Cryptology - I: Public-Key Cryptosystem Applications

Cryptology-I: § 3.3: Applications of Public-Key Cryptosystems

Instructors: R.E. Newman-Wolfe and M.S. Schmalz

We begin our discussion of public-key cryptography (PKC) applications by reviewing several topics that were mentioned in the introduction to Section 3.2. We then progress to a discussion of authentication, digital signatures, and message digests (Section 3.3.2).

3.3.1. Overview of Implementational Issues

Recall that a goal of cryptography is integrity, which can be realized through methods such as message digest and authentication protocols. For example, integrity can be implemented in terms of Message Integrity Codes (MICs), whose goals are to:

Prevent generation of false messages;
Ensure message origin is correct as stated (authentication);
Ensure message integrity by disallowing (a) modification or (b) cut-and-paste attacks; and
Detect or avoid replay attacks by using a timestamp.

The topic of message integrity leads naturally into a discussion of digital signatures (DSs, Section 3.3.2). It is desirable that DSs have the following attributes:

Unforgeable -- protects the sender from responsibility for false messages
Verifiable -- protects the receiver from false claims
Unalterable -- supports message integrity
Not reusable -- protects against replay attacks
Irrefutable -- protects the receiver from false message refutation by the sender

A method of implementing the preceding protocols is to encrypt the message using symmetric keys. That is, given a message a and key k, Alice sends c = e_k(a) to Bob. Unfortunately, while Bob may reliably believe Alice sent a, he cannot reliably prove this to a third party, since Bob also has k, and could thus have forged c. In contrast, PKC does not utilize symmetric keys and can achieve some degree of irrefutability.

Additionally, it is useful for hash functions (where the hash size is smaller than the message) to have collision freedom, which can be specified as follows:

Weak Sense: Given a hash function h, if y = h(x), then it should be hard to find x^' such that y = h(x^'). This property is especially desirable in systems where a hash is sent instead of sending the actual message.
Strong Sense: It should be hard to find x or x^' such that h(x) = h(x^') .
"One-Way": Given y, it should be hard to find x such that h(x) = y.

We next progress to the description of digital signatures and message digests.

3.3.2. MICs, Digital Signatures, and Message Digests.

We begin by advancing the following observations concerning

MICs

sender authentication

message

Message Digests (MDs)

Digital Signatures must authenticate the sender and are customarily bound to the associated message.

Note: We especially want to obviate cut-and-paste attacks, which can be done with chaining or reduction. With chaining, messages that the sender signs are joined and sent as one message. Reduction hashes a long message into blocks that the sender signs. This achieves integrity and authentication of the sender.

One approach to achieve integrity via chaining is to use DES with a Cipher Block Chaining (CBC) residue. Recall (from Section 3.1) that there are three modes of DES usage, namely, Electronic Code Book (ECB), Cipher Feedback Mode (CFM, which facilitates stream ciphers), and CBC.

Algorithm. CBC partitions a message a into blocks (a₁, a₂, ..., a_n), and uses DES blockwise as shown in Figure 3.3.1. The terminal ciphertext block c_n is sent.

Figure 3.3.1. DES cipher-block chaining mode.
Advantages. DES/CBC works if the receiver knows the secret key k. Integrity is supported, since if a is altered, then c_n will be significantly altered, due to DES' properties of confusion and diffusion.
Disadvantages. The sender(s) and receiver(s) share a secret key. This leads to quadratic complexity of key distribution over a network, which we discussed in Section 3.2.

Thus, it is preferable to employ an PKC/RSA based solution. An instance of this method is called Public Signatures, which we discuss as follows.

Assumption. Let k_A denote Alice's public key and let k_A^-1 denote Alice's private key.
Algorithm. If the preceding assumption holds, then
e(a,k_A) yields an encryption that only Alice can read; and

e(a,k_A^-1) yields an encryption that anyone can read, but only Alice can produce.

Advantages. Since only Alice can read e(a,k_A), we have secrecy. Since only Alice can produce e(a,k_A^-1), some degree of authenticity can be implemented.
Disadvantages. Unfortunately, if one encrypts with a public key, one does not have verifiability via examination of the encryption by a third party.
Observation. For two-party RSA (e.g., Alice and Bob), we have keys (k_A,k_A^-1) and (k_B,k_B^-1). The order of encryption is important. That is, if Bob is sending a message a to Alice, should we encrypt with k_B then k_A^-1, or vice versa? The latter method is preferred (i.e., {{a}_{k_A^-1}}_{k_B}), since
Bob has a signature k_B on the message a, which can be verified by anyone; and
Bob doesn't have to reveal his decryption key.

In general, a method for digital signing of messages is called a Signature Scheme, and may be described as follows:

Definition. Let the signature scheme S = (P, A, K, S, V), where

P denotes a finite plaintext space;

A denotes a finite signature space;

K denotes a finite key space; and

for all k K,
(i) there exists a function sig_k S such that sig_k : P -> A, and
(ii) there exists a function ver_k V such that ver_k : P × A -> {0,1},
where ver_k is given by

Observation. The following implementational requirements pertain to signature schemes:

The complexity of sig and ver should be polynomial in the message size |domain(a)|.
The function ver must be publically available.

Remark. Signature schemes have the following desirable properties, which are symmetric to those enumerated at the end of Section 3.3.1. Namely, it should be hard to

compute sig_k(x) if x is unknown.
find x^' for any given x, such that sig_k(x^') = sig_k(x). This helps avoid forgery.
find x and x^' such that sig_k(x^') = sig_k(x).

We next overview Lamport's One-time Signature Scheme (LSS), a variation of the preceding signature scheme.
Assumption. Let P = {0,1}ⁿ denote the space of n-bit messages. Let X and Y denote sets that contain elements of form x_i,j and y_i,j, respectively, and let a one-way function f : X -> Y. Note that f is quite difficult to derive (no one-way functions have been proven to exist) and thus remains unspecified at a lower level. The remaining entities in LSS are as specified in the preceding signature scheme.
Algorithm. Given the foregoing assumption, Lamport's signature scheme involves the following steps:

Step 1. Pick 2n elements of X chosen randomly, which we denote as x_i,j, where i = 1..n, and j {0,1} and keep them secret.
Step 2. Compute 2n elements y_i,j = f(x_i,j), for i = 1..n, and j {0,1}.
Step 3. Let a message a P be partitioned bitwise as (a₁, a₂, ..., a_n). The sig function is given by
sig_k(a₁, a₂, ..., a_n) = (x_1,a₁, x_2,a₂, ..., x_{n,a_n}) .
Step 4. Given a signature s A = P partitioned bitwise as (s₁, s₂, ..., s_n), the ver function is given by
ver_k(a₁, a₂, ..., a_n, s₁, s₂, ..., s_n) = 1 ,
if and only if for all i {1,2,...,n}, f(s_i) = y_{i,a_i} .
Observation. The spaces X and Y must be large, such that guessing the function f incurs a prohibitively large search cost.
A different method is used in the generation of UNIX passwords.
Algorithm. Given a finite text password k F^N,

Step 1. The first eight characters k(1:8) are hashed into a 7-bit ASCII code with one parity bit, and are also used to form a 64-bit DES key k_DES.
Step 2. A DES-like encryption scheme is applied to text input and k_DES, where the expansion permutation is modified by a 12-bit mask. The modified expansion permutation converts 32 bits into 48 bits. Additionally, the mask is randomly reset whenever the user's password is changed.
Step 3. The DES output is an encrypted password that is assigned to storage as the user's password.
The El-Gamal Scheme is another method for signing messages and determining message authenticity.
Definition. A primitive element x Z_p^* exists if and only if all y Z_p^* are nontrivial powers of x.
Assumption. Let p be a prime number such that log(p) Z_p is hard to compute. Additionally, let Z_p^* be a primitive element. Using the cryptosystem formalism developed in the preceding section, let plaintext P = Z_p^* and let authentication codes
A = Z_p^* × Z_p-1.
Observation. Given the preceding assumption, let the keyspace
K = {(, , a, ) : = ^a mod p }.
Since a is secret and the discrete logarithm is a hard problem, it is hard to guess a.
Definition. Let k (Z_p-1)^* and let = ^k mod p. Denote the plaintext xP and let
= (x - ) · k^-1 mod (p - 1).
Definition. Given the preceding definition, let
sig_k(x,k) = (, )
and
ver_k(x, , ) = 1 <=> · ~ ^x mod p. (I)
Remark. The preceding definition is valid because
^a · ^k = (^a)(^k) ~ ^x mod p
= ^a · ^{k(x - ) · k^-1 mod (p-1)} ~ ^x mod p
= ^{a + x-} = ^x .
Here, k and k^-1 cancel, since they belong to an Abelian group Z_p-1.
Observation. Possible attacks on the El Gamal cryptosystem include:

Solving an equation of form ^-1 · (x - k) = , which is hard because an adversary must simultaneously choose correct values for a, k, and .

Alternatively, one can find a message for which a given signature will work. But this is also hard, since an adversary must find a value of x for which Equation (I) holds.

Another possible attack is to choose , , and x simultaneously. For example, let
i,j Z such that 0 i,j p-2 and gcd(j, p-1) = 1. Additionally let:

= ⁱ^j mod p
= -j^-1 mod p-1
x = - i j^-1 mod p-1,

where j^-1 is taken modulo p-1. Now, observe that
~ (ⁱ^j)
~ (ⁱ^j)
~ ^{i(- j^-1) mod p-1}^{j(- j^-1}) mod p-1
~ ^{- i j^-1}^- ~ ^{- i j^-1} ~ ^x .

Remark. It is hard to choose a message, then given x, to perform the decomposition into , , i, j, etc. This is a weakness of the El Gamal cryptosystem, but not an implementationally significant one.
Observation. If the unique, randomly-chosen k = (, , , ) is compromised, it is possible that knowledge of k will reveal the secret value a. If k is revealed for (x, , ), then
a = (x - k) ^-1 mod (p-1)
and
= (x - a) k^-1 mod (p-1) .
Because k = x - a,
a = (x - k) ^-1 mod (p-1) .
Since there is no exponentiation, it is easy to decode a from k.
Remark. Implementationally, every reuse of k reinforces an adversary's trial of previous attacks. When Oscar finds two messages that yield to the same attack, he can compute k and then obtain the desired signature.
The Digital Signature System (DSS) is another method of digitally signing messages that features small signatures and a large modulus (to make the discrete key hard to guess). DSS has reduction in the exponent that allows (for example) a 160-bit message, which implies a 320-bit signature by a 512-bit modulus.
The following changes to the El Gamal cryptosystem are encountered in DSS:
= (x + a) k^-1 mod (p-1).

^x = mod p .
Note: If gcd(x + a, p-1) = 1, then ^-1 mod p-1 exists and the preceding equation becomes
^{x^-1} ^{^-1} = mod p .

3.3.3. Computation of Message Digests, with Applications.
With message digests (MDs), one hashes a long message to yield a short "digest". In practice, a one-way function is employed to significantly reduce violation of collisions and security concerns.
A key implementational issue is the probability of successful attack. We begin by discussing the Birthday Attack, which provides information about a lower bound on digest size.

Observation. The probability that a person's birthday occurs on a prespecified day of the year is clearly 1/365 (neglecting leap years). Given N values, of which M are chosen, the expected number of matches Q is given by:
Q = N(N-1)/2M ,
and hence is of order N².
Example. For a birthday attack where M = 365, we have that
Q = N(N-1)/730 and 730 N(N-1) < N² .
As a result, N > (730)^1/2. Thus, if you use N bits, you need an average of 2^N/2 attempts to compromise the hash.
Remark. Finding one-way functions that perform the appropriate reduction is a difficult goal, since there are many unresolved questions associated with hash functions. For example, the use of trapdoors, trick constants, etc. that permit Government agencies to access encrypted data.

An early message digest implementation called MD2 employed (a) 8-bit arithmetic; (b) few intermediate values, thereby yielding low space complexity; and (c) one-pass computation.
Algorithm. A high-level description of the MD2 algorithm is comprised of the following steps:

Step 1. Partition the original message into 8-bit bytes.
Step 2. Pad the concatenation of the partitions obtained in Step 1 to the nearest multiple of 16 bytes.
Step 3. Add a 16-byte checksum.
Step 4. Perform digest computation on 16-byte blocks.

We examine Steps 2 through 4 in detail, as follows:

Step 2 - Padding: If you have to add r bytes, the value r is appended r times, as shown below:

Step 3 - Checksum: Assume that there exists a -substitution, which is customarily based on digits of taken in 8-bit partitions, where repeated results are discarded. The -substitution is employed as shown in the following schematic diagram:

The following equation presents the formulation associated with Step 3:
checksum(a[n mod 16]) =
checksum(a[n mod 16]) XOR (checksum(a[n-1 mod 16], msk[n]) ,
where msk denotes a mask vector that is the initial value of the checksum (which we assume to be zero, per the preceding illustration).
Step 4 - Digest Computation: The message digest is computed via the following architecture:

Notes on the MD-2 digest computation:

Each iteration of the outer loop recursively propagates MD-temp information to each successive 16-byte partition of the input.

MD-temp will be affected by every bit in the input as well as by the iteration numbers. This implies that the property of diffusion is implemented, with the inclusion of iteration number information as a type of confusion.

As time progressed, the development of integrated-circuit CPUs soon rendered MD2's byte-oriented algorithm obsolete. Thus, MD4 was introduced, which implemented the following advances:

Designed to accomodate a 32-bit word length

Message could be an arbitrary number of bits, instead of a multiple of 16 bytes.

Algorithm. We begin by padding the message to a multiple of 512 bits (i.e., sixteen 32 bit words), as shown below:

A schematic block diagram of the message digest computation follows:

Similar to MD2, the MD4 digest computation implements diffusion through application of the output of DF_i to DF_i+1, where i = 1..n-1.

Note that the message digest is a one-way mapping in the sense that it is difficult to obtain a message a from MD(a). Furthermore, the hash is small and has fixed size.

3.3.3.1. Application: Conversion of MDs to MICs.
A given message digest is not, of itself, a Message Integrity Code, since anyone can generate a valid MD. Thus, we need to convert the MD into a MIC. The following alternative procedures are employed:
Encrypt the MD (vulnerable to plaintext attack).

Encrypt the message, then make the encrypted message into an MD.

Shared Secret - Concatenate message with a key known only to the sending and receiving parties prior to generating an MD.

For example, secret sharing between two parties (Alice and Bob) employs the following procedure:
Concatenate the key K_AB with the plaintext a and apply the message digest (MD) to yield
MIC = MD(K_AB · a) ,
where the digest function DF is applied recursively as follows:

and the end-of-message (EOM) code is appended to define the message end.

Alternatively, one can use MIC = DF(a · K_AB) .

However, neither of these methods help in third-party authentication. Thus, we present an additional MD-to-MIC conversion technique that uses an initialization vector (IV) to set the digest to an initial value. Since the IV can vary with time, it is possible to use a timestamp as the IV, thereby avoiding replay attacks.
In practice, one partitions a message as a = (a₁, a₂, ..., a_n) and employs keys k₁, k₂, ..., k_n. The encryption function e is then applied as:

If the key is made public (private), then a MD (MIC) is produced.

3.3.3.2. Application: Encryption with MDs.
One can use the MD as a pseudo-random number generator, with implementation as a one-time pad. For example, if plaintext is partitioned as a = (a₁, a₂, ..., a_n) and n = 3, then one can chain message digest computations (MDCs) as follows:

Here, x_i, i = 1..3, denote the stream keys. The preceding method has several features of interest:
Advantage: Perfect secrecy is achieved in the Shannon sense provided that the stream keys are not discovered.
Disadvantages: This system is vulnerable for at least two reasons:

The same one-time pad is produced each time; and

Interception of x_i yields information about successive keys (i.e., x_i+1, x_i+2,...).

Alternatively, one can assume the existence of an initial vector v and partition a message a as before. A secret key K_AB is concatenated with v and the stream keys are produced as in the preceding method. The following diagram illustrates this method:

Here, the initial vector ensures a different stream each time that v is changed. Additional features are:
Advantage: Concatenation of K with the stream keys implements confusion, so interception of a stream key yields no useful information about successive keys.
Disadvantage: Cut-and-paste attacks are possible, but can be avoided by concatenating K with ciphertext partition c_i instead of x_i.

3.3.3.3. Application: Authentication using Message Digest.
Given an encryption function e that accepts a key and a message, as well as two parties (Alice and Bob), we have the following challenge scenario:

By replacing the encryption with a message digest computation, we obtain the following symmetric scenario:

Unfortunately, replay attacks are still possible, but could be obviated by appending timestamps to the challenge texts (e.g., K_AB · r_A). Additional prevention against replay attacks can be obtained by naming of principals, i.e., appending Alice's or Bob's name or signature to the messages they respectively send.
This concludes our overview of public-key cryptosystem applications. We next dicuss implementational aspects of PKC.

References