Chapter 1  Overview of Cryptography

Contents in Brief
1.1  Introduction
1.2  Information security and cryptography
1.3  Background on functions
1.4  Basic terminology and concepts
1.5  Symmetric-key encryption
1.6  Digital signatures
1.7  Authentication and identification
1.8  Public-key cryptography
1.9  Hash functions
1.10 Protocols and mechanisms
1.11 Key establishment, management, and certification
1.12 Pseudorandom numbers and sequences
1.13 Classes of attacks and security models
1.14 Notes and further references

1.1 Introduction

Cryptography has a long and fascinating history. The most complete non-technical account of the subject is Kahn's The Codebreakers. This book traces cryptography from its initial and limited use by the Egyptians some 4000 years ago, to the twentieth century where it played a crucial role in the outcome of both world wars. Completed in 1963, Kahn's book covers those aspects of the history which were most significant (up to that time) to the development of the subject. The predominant practitioners of the art were those associated with the military, the diplomatic service and government in general. Cryptography was used as a tool to protect national secrets and strategies.

The proliferation of computers and communications systems in the 1960s brought with it a demand from the private sector for means to protect information in digital form and to provide security services.
Beginning with the work of Feistel at IBM in the early 1970s and culminating in 1977 with the adoption as a U.S. Federal Information Processing Standard for encrypting unclassified information, DES, the Data Encryption Standard, is the most well-known cryptographic mechanism in history. It remains the standard means for securing electronic commerce for many financial institutions around the world.

The most striking development in the history of cryptography came in 1976 when Diffie and Hellman published New Directions in Cryptography. This paper introduced the revolutionary concept of public-key cryptography and also provided a new and ingenious method for key exchange, the security of which is based on the intractability of the discrete logarithm problem. Although the authors had no practical realization of a public-key encryption scheme at the time, the idea was clear and it generated extensive interest and activity in the cryptographic community. In 1978 Rivest, Shamir, and Adleman discovered the first practical public-key encryption and signature scheme, now referred to as RSA. The RSA scheme is based on another hard mathematical problem, the intractability of factoring large integers. This application of a hard mathematical problem to cryptography revitalized efforts to find more efficient methods to factor. The 1980s saw major advances in this area but none which rendered the RSA system insecure. Another class of powerful and practical public-key schemes was found by ElGamal in 1985. These are also based on the discrete logarithm problem.

One of the most significant contributions provided by public-key cryptography is the digital signature. In 1991 the first international standard for digital signatures (ISO/IEC 9796) was adopted. It is based on the RSA public-key scheme. In 1994 the U.S. Government adopted the Digital Signature Standard, a mechanism based on the ElGamal public-key scheme.

The search for new public-key schemes, improvements to existing cryptographic mechanisms, and proofs of security continues at a rapid pace. Various standards and infrastructures involving cryptography are being put in place.
Security products are being developed to address the security needs of an information intensive society.

The purpose of this book is to give an up-to-date treatise of the principles, techniques, and algorithms of interest in cryptographic practice. Emphasis has been placed on those aspects which are most practical and applied. The reader will be made aware of the basic issues and pointed to specific related research in the literature where more in-depth discussions can be found. Due to the volume of material which is covered, most results will be stated without proofs. This also serves the purpose of not obscuring the very applied nature of the subject. This book is intended for both implementers and researchers. It describes algorithms, systems, and their interactions.

Chapter 1 is a tutorial on the many and various aspects of cryptography. It does not attempt to convey all of the details and subtleties inherent to the subject. Its purpose is to introduce the basic issues and principles and to point the reader to appropriate chapters in the book for more comprehensive treatments. Specific techniques are avoided in this chapter.

1.2 Information security and cryptography

The concept of information will be taken to be an understood quantity. To introduce cryptography, an understanding of issues related to information security in general is necessary. Information security manifests itself in many ways according to the situation and requirement. Regardless of who is involved, to one degree or another, all parties to a transaction must have confidence that certain objectives associated with information security have been met. Some of these objectives are listed in Table 1.1.

Over the centuries, an elaborate set of protocols and mechanisms has been created to deal with information security issues when the information is conveyed by physical documents. Often the objectives of information security cannot be achieved through mathematical algorithms and protocols alone, but require procedural techniques and abidance of laws to achieve the desired result. For example, privacy of letters is provided by sealed envelopes delivered by an accepted mail service.
The physical security of the envelope is, for practical necessity, limited and so laws are enacted which make it a criminal offense to open mail for which one is not authorized. It is sometimes the case that security is achieved not through the information itself but through the physical document recording it. For example, paper currency requires special inks and material to prevent counterfeiting.

Table 1.1: Some information security objectives.

privacy or confidentiality                 keeping information secret from all but those who are authorized to see it.
data integrity                             ensuring information has not been altered by unauthorized or unknown means.
entity authentication or identification    corroboration of the identity of an entity (e.g., a person, a computer terminal, a credit card, etc.).
message authentication                     corroborating the source of information; also known as data origin authentication.
signature                                  a means to bind information to an entity.
authorization                              conveyance, to another entity, of official sanction to do or be something.
validation                                 a means to provide timeliness of authorization to use or manipulate information or resources.
access control                             restricting access to resources to privileged entities.
certification                              endorsement of information by a trusted entity.
timestamping                               recording the time of creation or existence of information.
witnessing                                 verifying the creation or existence of information by an entity other than the creator.
receipt                                    acknowledgement that information has been received.
confirmation                               acknowledgement that services have been provided.
ownership                                  a means to provide an entity with the legal right to use or transfer a resource to others.
anonymity                                  concealing the identity of an entity involved in some process.
non-repudiation                            preventing the denial of previous commitments or actions.
revocation                                 retraction of certification or authorization.

© 1997 by CRC Press, Inc. See accompanying notice at front of chapter.

Conceptually, the way information is recorded has not changed dramatically over time.
Whereas information was typically stored and transmitted on paper, much of it now resides on magnetic media and is transmitted via telecommunications systems, some wireless. What has changed dramatically is the ability to copy and alter information. One can make thousands of identical copies of a piece of information stored electronically and each is indistinguishable from the original. With information on paper, this is much more difficult. What is needed then for a society where information is mostly stored and transmitted in electronic form is a means to ensure information security which is independent of the physical medium recording or conveying it and such that the objectives of information security rely solely on digital information itself.

One of the fundamental tools used in information security is the signature. It is a building block for many other services such as non-repudiation, data origin authentication, identification, and witnessing, to mention a few. Having learned the basics in writing, an individual is taught how to produce a handwritten signature for the purpose of identification. At contract age the signature evolves to take on a very integral part of the person's identity. This signature is intended to be unique to the individual and serve as a means to identify, authorize, and validate. With electronic information the concept of a signature needs to be redressed; it cannot simply be something unique to the signer and independent of the information signed. Electronic replication of it is so simple that appending a signature to a document not signed by the originator of the signature is almost a triviality.

Analogues of the "paper protocols" currently in use are required. Hopefully these new electronic based protocols are at least as good as those they replace. There is a unique opportunity for society to introduce new and more efficient ways of ensuring information security. Much can be learned from the evolution of the paper based system, mimicking those aspects which have served us well and removing the inefficiencies.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.
Achieving information security in an electronic society requires a vast array of technical and legal skills. There is, however, no guarantee that all of the information security objectives deemed necessary can be adequately met. The technical means is provided through cryptography.

1.1 Definition  Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication.

Cryptography is not the only means of providing information security, but rather one set of techniques.

Cryptographic goals

Of all the information security objectives listed in Table 1.1, the following four form a framework upon which the others will be derived: (1) privacy or confidentiality (§1.5, §1.8); (2) data integrity (§1.9); (3) authentication (§1.7); and (4) non-repudiation (§1.6).

1. Confidentiality is a service used to keep the content of information from all but those authorized to have it. Secrecy is a term synonymous with confidentiality and privacy. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible.
2. Data integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes such things as insertion, deletion, and substitution.
3. Authentication is a service related to identification. This function applies to both entities and information itself. Two parties entering into a communication should identify each other. Information delivered over a channel should be authenticated as to origin, date of origin, data content, time sent, etc. For these reasons this aspect of cryptography is usually subdivided into two major classes: entity authentication and data origin authentication. Data origin authentication implicitly provides data integrity (for if a message is modified, the source has changed).
4. Non-repudiation is a service which prevents an entity from denying previous commitments or actions.
When disputes arise due to an entity denying that certain actions were taken, a means to resolve the situation is necessary. For example, one entity may authorize the purchase of property by another entity and later deny such authorization was granted. A procedure involving a trusted third party is needed to resolve the dispute.

A fundamental goal of cryptography is to adequately address these four areas in both theory and practice. Cryptography is about the prevention and detection of cheating and other malicious activities.

This book describes a number of basic cryptographic tools (primitives) used to provide information security. Examples of primitives include encryption schemes (§1.5 and §1.8), hash functions (§1.9), and digital signature schemes (§1.6). Figure 1.1 provides a schematic listing of the primitives considered and how they relate. Many of these will be briefly introduced in this chapter, with detailed discussion left to later chapters.

Figure 1.1: A taxonomy of cryptographic primitives.
  Security primitives
    Unkeyed primitives: arbitrary length hash functions; one-way permutations; random sequences.
    Symmetric-key primitives: symmetric-key ciphers (block ciphers, stream ciphers); arbitrary length hash functions (MACs); signatures; pseudorandom sequences; identification primitives.
    Public-key primitives: public-key ciphers; signatures; identification primitives.

These primitives should be evaluated with respect to various criteria such as:

1. level of security. This is usually difficult to quantify. Often it is given in terms of the number of operations required (using the best methods currently known) to defeat the intended objective. Typically the level of security is defined by an upper bound on the amount of work necessary to defeat the objective. This is sometimes called the work factor (see §1.13.4).
2. functionality. Primitives will need to be combined to meet various information security objectives. Which primitives are most effective for a given objective will be determined by the basic properties of the primitives.
3.
methods of operation. Primitives, when applied in various ways and with various inputs, will typically exhibit different characteristics; thus, one primitive could provide very different functionality depending on its mode of operation or usage.
4. performance. This refers to the efficiency of a primitive in a particular mode of operation. (For example, an encryption algorithm may be rated by the number of bits per second which it can encrypt.)
5. ease of implementation. This refers to the difficulty of realizing the primitive in a practical instantiation. This might include the complexity of implementing the primitive in either a software or hardware environment.

The relative importance of various criteria is very much dependent on the application and resources available. For example, in an environment where computing power is limited one may have to trade off a very high level of security for better performance of the system as a whole.

Cryptography, over the ages, has been an art practised by many who have devised ad hoc techniques to meet some of the information security requirements. The last twenty years have been a period of transition as the discipline moved from an art to a science. There are now several international scientific conferences devoted exclusively to cryptography and also an international scientific organization, the International Association for Cryptologic Research (IACR), aimed at fostering research in the area.

This book is about cryptography: the theory, the practice, and the standards.

1.3 Background on functions

While this book is not a treatise on abstract mathematics, a familiarity with basic mathematical concepts will prove to be useful. One concept which is absolutely fundamental to cryptography is that of a function in the mathematical sense. A function is alternately referred to as a mapping or a transformation.

1.3.1 Functions (1-1, one-way, trapdoor one-way)

A set consists of distinct objects which are called elements of the set. For example, a set $X$ might consist of the elements $a$, $b$, $c$, and this is denoted $X = \{a, b, c\}$.
1.2 Definition  A function is defined by two sets $X$ and $Y$ and a rule $f$ which assigns to each element in $X$ precisely one element in $Y$. The set $X$ is called the domain of the function and $Y$ the codomain. If $x$ is an element of $X$ (usually written $x \in X$) the image of $x$ is the element in $Y$ which the rule $f$ associates with $x$; the image $y$ of $x$ is denoted by $y = f(x)$. Standard notation for a function $f$ from set $X$ to set $Y$ is $f\colon X \to Y$. If $y \in Y$, then a preimage of $y$ is an element $x \in X$ for which $f(x) = y$. The set of all elements in $Y$ which have at least one preimage is called the image of $f$, denoted $\mathrm{Im}(f)$.

1.3 Example (function)  Consider the sets $X = \{a, b, c\}$, $Y = \{1, 2, 3, 4\}$, and the rule $f$ from $X$ to $Y$ defined as $f(a) = 2$, $f(b) = 4$, $f(c) = 1$. Figure 1.2 shows a schematic of the sets $X$, $Y$ and the function $f$. The preimage of the element 2 is $a$. The image of $f$ is $\{1, 2, 4\}$. □

Thinking of a function in terms of the schematic (sometimes called a functional diagram) given in Figure 1.2, each element in the domain $X$ has precisely one arrowed line originating from it. Each element in the codomain $Y$ can have any number of arrowed lines incident to it (including zero lines).

Figure 1.2: A function $f$ from a set $X$ of three elements to a set $Y$ of four elements.

Often only the domain $X$ and the rule $f$ are given and the codomain is assumed to be the image of $f$. This point is illustrated with two examples.

1.4 Example (function)  Take $X = \{1, 2, 3, \ldots, 10\}$ and let $f$ be the rule that for each $x \in X$, $f(x) = r_x$, where $r_x$ is the remainder when $x^2$ is divided by 11. Explicitly then
$f(1) = 1$, $f(2) = 4$, $f(3) = 9$, $f(4) = 5$, $f(5) = 3$, $f(6) = 3$, $f(7) = 5$, $f(8) = 9$, $f(9) = 4$, $f(10) = 1$.
The image of $f$ is the set $Y = \{1, 3, 4, 5, 9\}$. □

1.5 Example (function)  Take $X = \{1, 2, 3, \ldots, 10^{50}\}$ and let $f$ be the rule $f(x) = r_x$, where $r_x$ is the remainder when $x^2$ is divided by $10^{50} + 1$ for all $x \in X$. Here it is not feasible to write down $f$ explicitly as in Example 1.4, but nonetheless the function is completely specified by the domain and the mathematical description of the rule $f$.
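The definitions above (domain, codomain, image, preimage) and the 1-1, onto and bijection properties defined in the next subsection can all be checked mechanically for a function given as an explicit rule on a finite set. The following Python is an added example, not code from the Handbook: it encodes the rules of Examples 1.3 and 1.4, computes their images and preimage sets, and builds the inverse of a bijection as in Definition 1.10. The helper names (`image`, `preimages`, `is_one_to_one`, `inverse`, and the example functions) are our own; the data are the book's.

```python
"""Finite functions as explicit rules: image, preimages, and the 1-1 / onto /
bijection tests of Definitions 1.6 to 1.10, checked on Examples 1.3 and 1.4.
Added example, not from the Handbook; helper names are ours."""


def image(f, X):
    """Im(f): every element of the codomain that has at least one preimage."""
    return {f(x) for x in X}


def preimages(f, X, y):
    """All x in X with f(x) = y (empty set if y is not in Im(f))."""
    return {x for x in X if f(x) == y}


def is_one_to_one(f, X):
    """1-1: no element of the codomain is the image of two domain elements."""
    return len(image(f, X)) == len(set(X))


def is_onto(f, X, Y):
    """onto: Im(f) = Y."""
    return image(f, X) == set(Y)


def is_bijection(f, X, Y):
    return is_one_to_one(f, X) and is_onto(f, X, Y)


def inverse(f, X, Y):
    """Definition 1.10: for a bijection, g(y) is the unique x with f(x) = y.
    Returned as a dict so g is applied as g[y]."""
    if not is_bijection(f, X, Y):
        raise ValueError("inverse only exists for a bijection")
    return {f(x): x for x in X}


# Example 1.3: X = {a,b,c}, Y = {1,2,3,4}, f(a)=2, f(b)=4, f(c)=1.
X13 = {"a", "b", "c"}
Y13 = {1, 2, 3, 4}
RULE13 = {"a": 2, "b": 4, "c": 1}


def f13(x):
    return RULE13[x]


# Example 1.4: X = {1..10}, f(x) = x^2 mod 11, codomain taken to be Im(f).
X14 = range(1, 11)


def f14(x):
    return (x * x) % 11


def example_1_3():
    return {
        "image": image(f13, X13),                  # {1, 2, 4}
        "preimage_of_2": preimages(f13, X13, 2),   # {'a'}
        "one_to_one": is_one_to_one(f13, X13),     # True
        "onto": is_onto(f13, X13, Y13),            # False: 3 has no preimage
    }


def example_1_4():
    Y = image(f14, X14)                            # {1, 3, 4, 5, 9}
    return {
        "image": Y,
        "preimage_counts": {y: len(preimages(f14, X14, y)) for y in Y},  # each 2
        "one_to_one": is_one_to_one(f14, X14),     # False
        "onto_its_image": is_onto(f14, X14, Y),    # True by construction
    }


def example_bijection():
    """Fact 1.9: a 1-1 map onto its image is a bijection, so f of Example 1.3
    restricted to codomain {1,2,4} has an inverse that undoes it on all of X."""
    Y = image(f13, X13)
    g = inverse(f13, X13, Y)
    return all(g[f13(x)] == x for x in X13)        # True


if __name__ == "__main__":
    print(example_1_3())
    print(example_1_4())
    print(example_bijection())
```

The `inverse` function refuses a non-bijection rather than returning a partial table; that is the property the text relies on when it says decryption must always recover a unique message.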
□

(i) 1-1 functions

1.6 Definition  A function (or transformation) is $1$-$1$ (one-to-one) if each element in the codomain $Y$ is the image of at most one element in the domain $X$.

1.7 Definition  A function (or transformation) is onto if each element in the codomain $Y$ is the image of at least one element in the domain. Equivalently, a function $f\colon X \to Y$ is onto if $\mathrm{Im}(f) = Y$.

1.8 Definition  If a function $f\colon X \to Y$ is $1$-$1$ and $\mathrm{Im}(f) = Y$, then $f$ is called a bijection.

1.9 Fact  If $f\colon X \to Y$ is $1$-$1$ then $f\colon X \to \mathrm{Im}(f)$ is a bijection. In particular, if $f\colon X \to Y$ is $1$-$1$, and $X$ and $Y$ are finite sets of the same size, then $f$ is a bijection.

In terms of the schematic representation, if $f$ is a bijection, then each element in $Y$ has exactly one arrowed line incident with it. The functions described in Examples 1.3 and 1.4 are not bijections. In Example 1.3 the element 3 is not the image of any element in the domain. In Example 1.4 each element in the codomain has two preimages.

1.10 Definition  If $f$ is a bijection from $X$ to $Y$ then it is a simple matter to define a bijection $g$ from $Y$ to $X$ as follows: for each $y \in Y$ define $g(y) = x$ where $x \in X$ and $f(x) = y$. This function $g$ obtained from $f$ is called the inverse function of $f$ and is denoted by $g = f^{-1}$.

Figure 1.3: A bijection $f$ and its inverse $g = f^{-1}$.

1.11 Example (inverse function)  Let $X = \{a, b, c, d, e\}$, and $Y = \{1, 2, 3, 4, 5\}$, and consider the rule $f$ given by the arrowed edges in Figure 1.3. $f$ is a bijection and its inverse $g$ is formed simply by reversing the arrows on the edges. The domain of $g$ is $Y$ and the codomain is $X$. □

Note that if $f$ is a bijection, then so is $f^{-1}$. In cryptography bijections are used as the tool for encrypting messages and the inverse transformations are used to decrypt. This will be made clearer in §1.4 when some basic terminology is introduced. Notice that if the transformations were not bijections then it would not be possible to always decrypt to a unique message.

(ii) One-way functions

There are certain types of functions which play significant roles in cryptography.
At the expense of rigor, an intuitive definition of a one-way function is given.

1.12 Definition  A function $f$ from a set $X$ to a set $Y$ is called a one-way function if $f(x)$ is "easy" to compute for all $x \in X$ but for "essentially all" elements $y \in \mathrm{Im}(f)$ it is "computationally infeasible" to find any $x \in X$ such that $f(x) = y$.

1.13 Note (clarification of terms in Definition 1.12)
(i) A rigorous definition of the terms "easy" and "computationally infeasible" is necessary but would detract from the simple idea that is being conveyed. For the purpose of this chapter, the intuitive meaning will suffice.
(ii) The phrase "for essentially all elements in $Y$" refers to the fact that there are a few values $y \in Y$ for which it is easy to find an $x \in X$ such that $y = f(x)$. For example, one may compute $y = f(x)$ for a small number of $x$ values and then for these, the inverse is known by table look-up. An alternate way to describe this property of a one-way function is the following: for a random $y \in \mathrm{Im}(f)$ it is computationally infeasible to find any $x \in X$ such that $f(x) = y$.

The concept of a one-way function is illustrated through the following examples.

1.14 Example (one-way function)  Take $X = \{1, 2, 3, \ldots, 16\}$ and define $f(x) = r_x$ for all $x \in X$ where $r_x$ is the remainder when $3^x$ is divided by 17. Explicitly,

    x      1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16
    f(x)   3   9  10  13   5  15  11  16  14   8   7   4  12   2   6   1

Given a number between 1 and 16, it is relatively easy to find the image of it under $f$. However, given a number such as 7, without having the table in front of you, it is harder to find $x$ given that $f(x) = 7$. Of course, if the number you are given is 3 then it is clear that $x = 1$ is what you need; but for most of the elements in the codomain it is not that easy. □

One must keep in mind that this is an example which uses very small numbers; the important point here is that there is a difference in the amount of work to compute $f(x)$ and the amount of work to find $x$ given $f(x)$. Even for very large numbers, $f(x)$ can be computed efficiently using the repeated square-and-multiply algorithm (Algorithm 2.143), whereas the process of finding $x$ from $f(x)$ is much harder.
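Example 1.14 in code, as an added example that is not part of the Handbook: the forward direction $f(x) = 3^x \bmod 17$ is computed with an explicit repeated square-and-multiply loop (the method Algorithm 2.143 refers to), which costs a number of modular multiplications proportional to the bit length of $x$; the inverse direction is done the only way the text offers, by trying each $x$ in turn until the table entry matches. The code is written for general $g$ and $m$ so the same two routines run on larger parameters, where the gap between the two costs is the point of the example. Function names and the operation counters are ours.

```python
"""Example 1.14 in code: f(x) = 3^x mod 17. Forward direction by repeated
square-and-multiply (the method Algorithm 2.143 refers to); inverse direction
only by exhaustive search. Added example, not Handbook code; the operation
counters are ours, to make the cost asymmetry visible."""


def square_and_multiply(g, x, m):
    """Return (g^x mod m, number of modular multiplications performed).
    Scan the bits of x from most significant to least: square the running
    result each step, and multiply by g when the bit is 1. Cost O(log x)."""
    result, mults = 1, 0
    for bit in bin(x)[2:]:
        result = (result * result) % m
        mults += 1
        if bit == "1":
            result = (result * g) % m
            mults += 1
    return result, mults


def f(x, g=3, m=17):
    """The one-way candidate of Example 1.14 (domain {1, ..., m-1})."""
    return square_and_multiply(g, x, m)[0]


def table(g=3, m=17):
    """The explicit table printed in the example: x -> f(x) for x = 1..m-1."""
    return {x: f(x, g, m) for x in range(1, m)}


def invert_by_search(y, g=3, m=17):
    """Find x with g^x = y (mod m) by trying x = 1, 2, ... in turn.
    Returns (x, number of forward evaluations). For m = 17 this is instant;
    the work grows with the size of the group, which is the whole point."""
    for x in range(1, m):
        if f(x, g, m) == y:
            return x, x
    raise ValueError("y is not in Im(f)")


if __name__ == "__main__":
    print(table())                 # matches the table in Example 1.14
    print(invert_by_search(7))     # (11, 11): eleven forward evaluations
    print(square_and_multiply(3, 16, 17))  # (1, 6): six multiplications
```

Computing $3^{16} \bmod 17$ takes six modular multiplications, while recovering $x = 11$ from $f(x) = 7$ takes eleven full forward evaluations; for the 17-element group that is a trivial gap, but the forward cost stays logarithmic in $x$ as the modulus grows and the search cost does not.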
1.15 Example (one-way function)  A prime number is a positive integer greater than 1 whose only positive integer divisors are 1 and itself. Select primes $p = 48611$, $q = 53993$, form $n = pq = 2624653723$, and let $X = \{1, 2, 3, \ldots, n - 1\}$. Define a function $f$ on $X$ by $f(x) = r_x$ for each $x \in X$, where $r_x$ is the remainder when $x^3$ is divided by $n$. For instance, $f(2489991) = 1981394214$ since $2489991^3 = 5881949859 \cdot n + 1981394214$. Computing $f(x)$ is a relatively simple thing to do, but to reverse the procedure is much more difficult; that is, given a remainder to find the value $x$ which was originally cubed (raised to the third power). This procedure is referred to as the computation of a modular cube root with modulus $n$. If the factors of $n$ are unknown and large, this is a difficult problem; however, if the factors $p$ and $q$ of $n$ are known then there is an efficient algorithm for computing modular cube roots. (See §8.2.2(i) for details.) □

Example 1.15 leads one to consider another type of function which will prove to be fundamental in later developments.

(iii) Trapdoor one-way functions

1.16 Definition  A trapdoor one-way function is a one-way function $f\colon X \to Y$ with the additional property that given some extra information (called the trapdoor information) it becomes feasible to find for any given $y \in \mathrm{Im}(f)$, an $x \in X$ such that $f(x) = y$.

Example 1.15 illustrates the concept of a trapdoor one-way function. With the additional information of the factors of $n = 2624653723$ (namely, $p = 48611$ and $q = 53993$, each of which is five decimal digits long) it becomes much easier to invert the function. The factors of 2624653723 are large enough that finding them by hand computation would be difficult. Of course, any reasonable computer program could find the factors relatively quickly. If, on the other hand, one selects $p$ and $q$ to be very large distinct prime numbers (each having about 100 decimal digits) then, by today's standards, it is a difficult problem, even with the most powerful computers, to deduce $p$ and $q$ simply from $n$. This is the well-known integer factorization problem (see §3.2) and a source of many trapdoor one-way functions.

It remains to be rigorously established whether there actually are any (true) one-way functions.
That is to say, no one has yet definitively proved the existence of such functions under reasonable (and rigorous) definitions of "easy" and "computationally infeasible". Since the existence of one-way functions is still unknown, the existence of trapdoor one-way functions is also unknown. However, there are a number of good candidates for one-way and trapdoor one-way functions. Many of these are discussed in this book, with emphasis given to those which are practical.

One-way and trapdoor one-way functions are the basis for public-key cryptography (discussed in §1.8). The importance of these concepts will become clearer when their application to cryptographic techniques is considered. It will be worthwhile to keep the abstract concepts of this section in mind as concrete methods are presented.
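Example 1.15 and Definition 1.16 in code, as an added example that is not part of the Handbook. It computes $f(x) = x^3 \bmod n$ for the book's $p$, $q$ and $x = 2489991$, inverts it with the trapdoor information $(p, q)$ by the standard route for this function (the secret exponent $d$ with $3d \equiv 1 \pmod{\mathrm{lcm}(p-1, q-1)}$, so that $y^d \bmod n$ is the cube root; this is the method §8.2.2(i) describes and is our choice of realization), and also demonstrates the book's remark that a program finds these five-digit factors quickly, by recovering $p$ and $q$ from $n$ with trial division. Function names and the symbol $d$ are ours; the numbers are the book's.

```python
"""Example 1.15 and Definition 1.16 in code: f(x) = x^3 mod n with n = pq.
Forward: one modular cube. Inverse with the trapdoor (p, q): one modular
exponentiation by a secret exponent d. For this toy n the trapdoor can also
be recovered from n alone by trial division, which is the example's own remark
that any reasonable program finds these factors quickly. Added example, not
Handbook code; function names and the variable d are ours."""
from math import gcd, isqrt

P, Q = 48611, 53993
N = P * Q            # 2624653723, as in the example
E = 3                # the exponent that defines f


def f(x, n=N):
    """f(x) = x^3 mod n: the one-way candidate of Example 1.15."""
    return pow(x, E, n)


def trapdoor_exponent(p, q, e=E):
    """The secret d with e*d = 1 mod lcm(p-1, q-1); requires gcd(e, lcm) = 1
    (true for these p, q). With d in hand a cube root of y is y^d mod n."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if gcd(e, lam) != 1:
        raise ValueError("e must be invertible modulo lcm(p-1, q-1)")
    return pow(e, -1, lam)      # modular inverse, Python 3.8+


def cube_root_with_trapdoor(y, p, q):
    """Invert f using the trapdoor information (the factors of n)."""
    return pow(y, trapdoor_exponent(p, q), p * q)


def factor_by_trial_division(n):
    """Recover (p, q) from n by testing divisors up to sqrt(n). Feasible only
    because n is about 2.6e9 here; for a 200-digit n this loop never ends."""
    for d in range(2, isqrt(n) + 1):
        if n % d == 0:
            return d, n // d
    raise ValueError("n has no nontrivial factor")


def recover_x_from_n_alone(y, n):
    """The full attack on the toy instance: factor n, then use the trapdoor.
    Without the factors no efficient method for this step is known."""
    p, q = factor_by_trial_division(n)
    return cube_root_with_trapdoor(y, p, q)


if __name__ == "__main__":
    y = f(2489991)
    print(y)                                   # 1981394214
    print(cube_root_with_trapdoor(y, P, Q))    # 2489991
    print(recover_x_from_n_alone(y, N))        # 2489991, after factoring n
```

The three functions separate the three claims in the text: cubing is cheap, cube roots are cheap given the trapdoor, and for this size of $n$ the trapdoor itself is cheap to recover; only the last changes when $p$ and $q$ have about 100 digits each.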