Handbook of Applied Cryptography PDF

789 Pages·1997·6.348 MB·English

Preview Handbook of Applied Cryptography

Chapter 1: Overview of Cryptography

Contents in Brief
1.1 Introduction
1.2 Information security and cryptography
1.3 Background on functions
1.4 Basic terminology and concepts
1.5 Symmetric-key encryption
1.6 Digital signatures
1.7 Authentication and identification
1.8 Public-key cryptography
1.9 Hash functions
1.10 Protocols and mechanisms
1.11 Key establishment, management, and certification
1.12 Pseudorandom numbers and sequences
1.13 Classes of attacks and security models
1.14 Notes and further references

1.1 Introduction

Cryptography has a long and fascinating history. The most complete non-technical account of the subject is Kahn's The Codebreakers. This book traces cryptography from its initial and limited use by the Egyptians some 4000 years ago, to the twentieth century where it played a crucial role in the outcome of both world wars. Completed in 1963, Kahn's book covers those aspects of the history which were most significant (up to that time) to the development of the subject. The predominant practitioners of the art were those associated with the military, the diplomatic service and government in general. Cryptography was used as a tool to protect national secrets and strategies.

The proliferation of computers and communications systems in the 1960s brought with it a demand from the private sector for means to protect information in digital form and to provide security services. Beginning with the work of Feistel at IBM in the early 1970s and culminating in 1977 with the adoption as a U.S. Federal Information Processing Standard for encrypting unclassified information, DES, the Data Encryption Standard, is the most well-known cryptographic mechanism in history. It remains the standard means for securing electronic commerce for many financial institutions around the world.

The most striking development in the history of cryptography came in 1976 when Diffie and Hellman published New Directions in Cryptography. This paper introduced the revolutionary concept of public-key cryptography and also provided a new and ingenious method for key exchange, the security of which is based on the intractability of the discrete logarithm problem. Although the authors had no practical realization of a public-key encryption scheme at the time, the idea was clear and it generated extensive interest and activity in the cryptographic community. In 1978 Rivest, Shamir, and Adleman discovered the first practical public-key encryption and signature scheme, now referred to as RSA. The RSA scheme is based on another hard mathematical problem, the intractability of factoring large integers. This application of a hard mathematical problem to cryptography revitalized efforts to find more efficient methods to factor. The 1980s saw major advances in this area but none which rendered the RSA system insecure. Another class of powerful and practical public-key schemes was found by ElGamal in 1985. These are also based on the discrete logarithm problem.

One of the most significant contributions provided by public-key cryptography is the digital signature. In 1991 the first international standard for digital signatures (ISO/IEC 9796) was adopted. It is based on the RSA public-key scheme. In 1994 the U.S. Government adopted the Digital Signature Standard, a mechanism based on the ElGamal public-key scheme.

The search for new public-key schemes, improvements to existing cryptographic mechanisms, and proofs of security continues at a rapid pace. Various standards and infrastructures involving cryptography are being put in place. Security products are being developed to address the security needs of an information intensive society.

The purpose of this book is to give an up-to-date treatise of the principles, techniques, and algorithms of interest in cryptographic practice. Emphasis has been placed on those aspects which are most practical and applied. The reader will be made aware of the basic issues and pointed to specific related research in the literature where more in-depth discussions can be found. Due to the volume of material which is covered, most results will be stated without proofs. This also serves the purpose of not obscuring the very applied nature of the subject. This book is intended for both implementers and researchers. It describes algorithms, systems, and their interactions.

Chapter 1 is a tutorial on the many and various aspects of cryptography. It does not attempt to convey all of the details and subtleties inherent to the subject. Its purpose is to introduce the basic issues and principles and to point the reader to appropriate chapters in the book for more comprehensive treatments. Specific techniques are avoided in this chapter.

1.2 Information security and cryptography

The concept of information will be taken to be an understood quantity. To introduce cryptography, an understanding of issues related to information security in general is necessary. Information security manifests itself in many ways according to the situation and requirement. Regardless of who is involved, to one degree or another, all parties to a transaction must have confidence that certain objectives associated with information security have been met. Some of these objectives are listed in Table 1.1.

Over the centuries, an elaborate set of protocols and mechanisms has been created to deal with information security issues when the information is conveyed by physical documents.
Often the objectives of information security cannot solely be achieved through mathematical algorithms and protocols alone, but require procedural techniques and abidance of laws to achieve the desired result. For example, privacy of letters is provided by sealed envelopes delivered by an accepted mail service. The physical security of the envelope is, for practical necessity, limited and so laws are enacted which make it a criminal offense to open mail for which one is not authorized. It is sometimes the case that security is achieved not through the information itself but through the physical document recording it.

Table 1.1: Some information security objectives.
privacy or confidentiality: keeping information secret from all but those who are authorized to see it.
data integrity: ensuring information has not been altered by unauthorized or unknown means.
entity authentication or identification: corroboration of the identity of an entity (e.g., a person, a computer terminal, a credit card, etc.).
message authentication: corroborating the source of information; also known as data origin authentication.
signature: a means to bind information to an entity.
authorization: conveyance, to another entity, of official sanction to do or be something.
validation: a means to provide timeliness of authorization to use or manipulate information or resources.
access control: restricting access to resources to privileged entities.
certification: endorsement of information by a trusted entity.
timestamping: recording the time of creation or existence of information.
witnessing: verifying the creation or existence of information by an entity other than the creator.
receipt: acknowledgement that information has been received.
confirmation: acknowledgement that services have been provided.
ownership: a means to provide an entity with the legal right to use or transfer a resource to others.
anonymity: concealing the identity of an entity involved in some process.
non-repudiation: preventing the denial of previous commitments or actions.
revocation: retraction of certification or authorization.

© 1997 by CRC Press, Inc. — See accompanying notice at front of chapter.
Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

For example, paper currency requires special inks and material to prevent counterfeiting.

Conceptually, the way information is recorded has not changed dramatically over time. Whereas information was typically stored and transmitted on paper, much of it now resides on magnetic media and is transmitted via telecommunications systems, some wireless. What has changed dramatically is the ability to copy and alter information. One can make thousands of identical copies of a piece of information stored electronically and each is indistinguishable from the original. With information on paper, this is much more difficult. What is needed then for a society where information is mostly stored and transmitted in electronic form is a means to ensure information security which is independent of the physical medium recording or conveying it and such that the objectives of information security rely solely on digital information itself.

One of the fundamental tools used in information security is the signature. It is a building block for many other services such as non-repudiation, data origin authentication, identification, and witnessing, to mention a few. Having learned the basics in writing, an individual is taught how to produce a handwritten signature for the purpose of identification. At contract age the signature evolves to take on a very integral part of the person's identity. This signature is intended to be unique to the individual and serve as a means to identify, authorize, and validate. With electronic information the concept of a signature needs to be redressed; it cannot simply be something unique to the signer and independent of the information signed. Electronic replication of it is so simple that appending a signature to a document not signed by the originator of the signature is almost a triviality.

Analogues of the "paper protocols" currently in use are required. Hopefully these new electronic based protocols are at least as good as those they replace. There is a unique opportunity for society to introduce new and more efficient ways of ensuring information security. Much can be learned from the evolution of the paper based system, mimicking those aspects which have served us well and removing the inefficiencies.

Achieving information security in an electronic society requires a vast array of technical and legal skills. There is, however, no guarantee that all of the information security objectives deemed necessary can be adequately met. The technical means is provided through cryptography.

1.1 Definition Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication.

Cryptography is not the only means of providing information security, but rather one set of techniques.

Cryptographic goals

Of all the information security objectives listed in Table 1.1, the following four form a framework upon which the others will be derived: (1) privacy or confidentiality (§1.5, §1.8); (2) data integrity (§1.9); (3) authentication (§1.7); and (4) non-repudiation (§1.6).

1. Confidentiality is a service used to keep the content of information from all but those authorized to have it. Secrecy is a term synonymous with confidentiality and privacy. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible.

2. Data integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes such things as insertion, deletion, and substitution.

3. Authentication is a service related to identification. This function applies to both entities and information itself. Two parties entering into a communication should identify each other. Information delivered over a channel should be authenticated as to origin, date of origin, data content, time sent, etc. For these reasons this aspect of cryptography is usually subdivided into two major classes: entity authentication and data origin authentication.
Data origin authentication implicitly provides data integrity (for if a message is modified, the source has changed).

4. Non-repudiation is a service which prevents an entity from denying previous commitments or actions. When disputes arise due to an entity denying that certain actions were taken, a means to resolve the situation is necessary. For example, one entity may authorize the purchase of property by another entity and later deny such authorization was granted. A procedure involving a trusted third party is needed to resolve the dispute.

A fundamental goal of cryptography is to adequately address these four areas in both theory and practice. Cryptography is about the prevention and detection of cheating and other malicious activities.

This book describes a number of basic cryptographic tools (primitives) used to provide information security. Examples of primitives include encryption schemes (§1.5 and §1.8), hash functions (§1.9), and digital signature schemes (§1.6). Figure 1.1 provides a schematic listing of the primitives considered and how they relate. Many of these will be briefly introduced in this chapter, with detailed discussion left to later chapters.

[Figure 1.1: A taxonomy of cryptographic primitives. Security primitives are grouped into unkeyed primitives (arbitrary length hash functions, one-way permutations, random sequences); symmetric-key primitives (symmetric-key ciphers: block ciphers and stream ciphers; arbitrary length hash functions (MACs); signatures; pseudorandom sequences; identification primitives); and public-key primitives (public-key ciphers, signatures, identification primitives).]

These primitives should be evaluated with respect to various criteria such as:

1. level of security. This is usually difficult to quantify. Often it is given in terms of the number of operations required (using the best methods currently known) to defeat the intended objective. Typically the level of security is defined by an upper bound on the amount of work necessary to defeat the objective. This is sometimes called the work factor (see §1.13.4).

2. functionality. Primitives will need to be combined to meet various information security objectives. Which primitives are most effective for a given objective will be determined by the basic properties of the primitives.

3. methods of operation. Primitives, when applied in various ways and with various inputs, will typically exhibit different characteristics; thus, one primitive could provide very different functionality depending on its mode of operation or usage.

4. performance. This refers to the efficiency of a primitive in a particular mode of operation. (For example, an encryption algorithm may be rated by the number of bits per second which it can encrypt.)

5. ease of implementation. This refers to the difficulty of realizing the primitive in a practical instantiation. This might include the complexity of implementing the primitive in either a software or hardware environment.

The relative importance of various criteria is very much dependent on the application and resources available. For example, in an environment where computing power is limited one may have to trade off a very high level of security for better performance of the system as a whole.

Cryptography, over the ages, has been an art practised by many who have devised ad hoc techniques to meet some of the information security requirements. The last twenty years have been a period of transition as the discipline moved from an art to a science. There are now several international scientific conferences devoted exclusively to cryptography and also an international scientific organization, the International Association for Cryptologic Research (IACR), aimed at fostering research in the area.

This book is about cryptography: the theory, the practice, and the standards.

1.3 Background on functions

While this book is not a treatise on abstract mathematics, a familiarity with basic mathematical concepts will prove to be useful. One concept which is absolutely fundamental to cryptography is that of a function in the mathematical sense. A function is alternately referred to as a mapping or a transformation.
1.3.1 Functions (1-1, one-way, trapdoor one-way)

A set consists of distinct objects which are called elements of the set. For example, a set $X$ might consist of the elements $a$, $b$, $c$, and this is denoted $X = \{a, b, c\}$.

1.2 Definition A function is defined by two sets $X$ and $Y$ and a rule $f$ which assigns to each element in $X$ precisely one element in $Y$. The set $X$ is called the domain of the function and $Y$ the codomain. If $x$ is an element of $X$ (usually written $x \in X$) the image of $x$ is the element in $Y$ which the rule $f$ associates with $x$; the image $y$ of $x$ is denoted by $y = f(x)$. Standard notation for a function $f$ from set $X$ to set $Y$ is $f: X \to Y$. If $y \in Y$, then a preimage of $y$ is an element $x \in X$ for which $f(x) = y$. The set of all elements in $Y$ which have at least one preimage is called the image of $f$, denoted $\mathrm{Im}(f)$.

1.3 Example (function) Consider the sets $X = \{a, b, c\}$, $Y = \{1, 2, 3, 4\}$, and the rule $f$ from $X$ to $Y$ defined as $f(a) = 2$, $f(b) = 4$, $f(c) = 1$. Figure 1.2 shows a schematic of the sets $X$, $Y$ and the function $f$. The preimage of the element $2$ is $a$. The image of $f$ is $\{1, 2, 4\}$.

Thinking of a function in terms of the schematic (sometimes called a functional diagram) given in Figure 1.2, each element in the domain $X$ has precisely one arrowed line originating from it. Each element in the codomain $Y$ can have any number of arrowed lines incident to it (including zero lines).

[Figure 1.2: A function $f$ from a set $X$ of three elements to a set $Y$ of four elements.]

Often only the domain $X$ and the rule $f$ are given and the codomain is assumed to be the image of $f$. This point is illustrated with two examples.

1.4 Example (function) Take $X = \{1, 2, 3, \ldots, 10\}$ and let $f$ be the rule that for each $x \in X$, $f(x) = r_x$, where $r_x$ is the remainder when $x^2$ is divided by $11$. Explicitly then

$f(1) = 1$, $f(2) = 4$, $f(3) = 9$, $f(4) = 5$, $f(5) = 3$, $f(6) = 3$, $f(7) = 5$, $f(8) = 9$, $f(9) = 4$, $f(10) = 1$.

The image of $f$ is the set $Y = \{1, 3, 4, 5, 9\}$.

1.5 Example (function) Take $X = \{1, 2, 3, \ldots, 10^{50}\}$ and let $f$ be the rule $f(x) = r_x$, where $r_x$ is the remainder when $x^2$ is divided by $10^{50} + 1$ for all $x \in X$. Here it is not feasible to write down $f$ explicitly as in Example 1.4, but nonetheless the function is completely specified by the domain and the mathematical description of the rule $f$.

(i) 1-1 functions

1.6 Definition A function (or transformation) is 1-1 (one-to-one) if each element in the codomain $Y$ is the image of at most one element in the domain $X$.

1.7 Definition A function (or transformation) is onto if each element in the codomain $Y$ is the image of at least one element in the domain. Equivalently, a function $f: X \to Y$ is onto if $\mathrm{Im}(f) = Y$.

1.8 Definition If a function $f: X \to Y$ is 1-1 and $\mathrm{Im}(f) = Y$, then $f$ is called a bijection.

1.9 Fact If $f: X \to Y$ is 1-1 then $f: X \to \mathrm{Im}(f)$ is a bijection. In particular, if $f: X \to Y$ is 1-1, and $X$ and $Y$ are finite sets of the same size, then $f$ is a bijection.

In terms of the schematic representation, if $f$ is a bijection, then each element in $Y$ has exactly one arrowed line incident with it. The functions described in Examples 1.3 and 1.4 are not bijections. In Example 1.3 the element $3$ is not the image of any element in the domain. In Example 1.4 each element in the codomain has two preimages.

1.10 Definition If $f$ is a bijection from $X$ to $Y$ then it is a simple matter to define a bijection $g$ from $Y$ to $X$ as follows: for each $y \in Y$ define $g(y) = x$ where $x \in X$ and $f(x) = y$. This function $g$ obtained from $f$ is called the inverse function of $f$ and is denoted by $g = f^{-1}$.

[Figure 1.3: A bijection $f$ and its inverse $g = f^{-1}$.]
1.11 Example (inverse function) Let $X = \{a, b, c, d, e\}$, and $Y = \{1, 2, 3, 4, 5\}$, and consider the rule $f$ given by the arrowed edges in Figure 1.3. $f$ is a bijection and its inverse $g$ is formed simply by reversing the arrows on the edges. The domain of $g$ is $Y$ and the codomain is $X$.

Note that if $f$ is a bijection, then so is $f^{-1}$. In cryptography bijections are used as the tool for encrypting messages and the inverse transformations are used to decrypt. This will be made clearer in §1.4 when some basic terminology is introduced. Notice that if the transformations were not bijections then it would not be possible to always decrypt to a unique message.

(ii) One-way functions

There are certain types of functions which play significant roles in cryptography. At the expense of rigor, an intuitive definition of a one-way function is given.

1.12 Definition A function $f$ from a set $X$ to a set $Y$ is called a one-way function if $f(x)$ is "easy" to compute for all $x \in X$ but for "essentially all" elements $y \in \mathrm{Im}(f)$ it is "computationally infeasible" to find any $x \in X$ such that $f(x) = y$.

1.13 Note (clarification of terms in Definition 1.12)
(i) A rigorous definition of the terms "easy" and "computationally infeasible" is necessary but would detract from the simple idea that is being conveyed. For the purpose of this chapter, the intuitive meaning will suffice.
(ii) The phrase "for essentially all elements in $Y$" refers to the fact that there are a few values $y \in Y$ for which it is easy to find an $x \in X$ such that $y = f(x)$. For example, one may compute $y = f(x)$ for a small number of $x$ values and then for these, the inverse is known by table look-up. An alternate way to describe this property of a one-way function is the following: for a random $y \in \mathrm{Im}(f)$ it is computationally infeasible to find any $x \in X$ such that $f(x) = y$.

The concept of a one-way function is illustrated through the following examples.

1.14 Example (one-way function) Take $X = \{1, 2, 3, \ldots, 16\}$ and define $f(x) = r_x$ for all $x \in X$ where $r_x$ is the remainder when $3^x$ is divided by $17$. Explicitly,

x:     1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
f(x):  3  9 10 13  5 15 11 16 14  8  7  4 12  2  6  1

Given a number between $1$ and $16$, it is relatively easy to find the image of it under $f$. However, given a number such as $7$, without having the table in front of you, it is harder to find $x$ given that $f(x) = 7$. Of course, if the number you are given is $3$ then it is clear that $x = 1$ is what you need; but for most of the elements in the codomain it is not that easy.

One must keep in mind that this is an example which uses very small numbers; the important point here is that there is a difference in the amount of work to compute $f(x)$ and the amount of work to find $x$ given $f(x)$. Even for very large numbers, $f(x)$ can be computed efficiently using the repeated square-and-multiply algorithm (Algorithm 2.143), whereas the process of finding $x$ from $f(x)$ is much harder.

1.15 Example (one-way function) A prime number is a positive integer greater than 1 whose only positive integer divisors are 1 and itself. Select primes $p = 48611$, $q = 53993$, form $n = pq = 2624653723$, and let $X = \{1, 2, 3, \ldots, n - 1\}$. Define a function $f$ on $X$ by $f(x) = r_x$ for each $x \in X$, where $r_x$ is the remainder when $x^3$ is divided by $n$. For instance, $f(2489991) = 1981394214$ since $2489991^3 = 5881949859 \cdot n + 1981394214$. Computing $f(x)$ is a relatively simple thing to do, but to reverse the procedure is much more difficult; that is, given a remainder to find the value $x$ which was originally cubed (raised to the third power). This procedure is referred to as the computation of a modular cube root with modulus $n$. If the factors of $n$ are unknown and large, this is a difficult problem; however, if the factors $p$ and $q$ of $n$ are known then there is an efficient algorithm for computing modular cube roots. (See §8.2.2(i) for details.)

Example 1.15 leads one to consider another type of function which will prove to be fundamental in later developments.

(iii) Trapdoor one-way functions

1.16 Definition A trapdoor one-way function is a one-way function $f: X \to Y$ with the additional property that given some extra information (called the trapdoor information) it becomes feasible to find for any given $y \in \mathrm{Im}(f)$, an $x \in X$ such that $f(x) = y$.

Example 1.15 illustrates the concept of a trapdoor one-way function. With the additional information of the factors of $n = 2624653723$ (namely, $p = 48611$ and $q = 53993$, each of which is five decimal digits long) it becomes much easier to invert the function. The factors of $2624653723$ are large enough that finding them by hand computation would be difficult. Of course, any reasonable computer program could find the factors relatively quickly. If, on the other hand, one selects $p$ and $q$ to be very large distinct prime numbers (each having about 100 decimal digits) then, by today's standards, it is a difficult problem, even with the most powerful computers, to deduce $p$ and $q$ simply from $n$. This is the well-known integer factorization problem (see §3.2) and a source of many trapdoor one-way functions.

It remains to be rigorously established whether there actually are any (true) one-way functions. That is to say, no one has yet definitively proved the existence of such functions under reasonable (and rigorous) definitions of "easy" and "computationally infeasible". Since the existence of one-way functions is still unknown, the existence of trapdoor one-way functions is also unknown. However, there are a number of good candidates for one-way and trapdoor one-way functions. Many of these are discussed in this book, with emphasis given to those which are practical.

One-way and trapdoor one-way functions are the basis for public-key cryptography (discussed in §1.8).
The importance of these concepts will become clearer when their application to cryptographic techniques is considered. It will be worthwhile to keep the abstract concepts of this section in mind as concrete methods are presented.

1.3.2 Permutations

Permutations are functions which are often used in various cryptographic constructs.

1.17 Definition Let $S$ be a finite set of elements. A permutation $p$ on $S$ is a bijection (Definition 1.8) from $S$ to itself (i.e., $p: S \to S$).

1.18 Example (permutation) Let $S = \{1, 2, 3, 4, 5\}$. A permutation $p: S \to S$ is defined as follows:

$p(1) = 3$, $p(2) = 5$, $p(3) = 4$, $p(4) = 2$, $p(5) = 1$.

A permutation can be described in various ways. It can be displayed as above or as an array:

$$p = \begin{pmatrix} 1 & 2 & 3 & 4 & 5 \\ 3 & 5 & 4 & 2 & 1 \end{pmatrix} \qquad (1.1)$$

where the top row in the array is the domain and the bottom row is the image under the mapping $p$. Of course, other representations are possible.

Since permutations are bijections, they have inverses. If a permutation is written as an array (see 1.1), its inverse is easily found by interchanging the rows in the array and reordering the elements in the new top row if desired (the bottom row would have to be reordered correspondingly). The inverse of $p$ in Example 1.18 is

$$p^{-1} = \begin{pmatrix} 1 & 2 & 3 & 4 & 5 \\ 5 & 4 & 1 & 3 & 2 \end{pmatrix}.$$

1.19 Example (permutation) Let $X$ be the set of integers $\{0, 1, 2, \ldots, pq - 1\}$ where $p$ and $q$ are distinct large primes (for example, $p$ and $q$ are each about 100 decimal digits long), and suppose that neither $p - 1$ nor $q - 1$ is divisible by 3. Then the function $p(x) = r_x$, where $r_x$ is the remainder when $x^3$ is divided by $pq$, can be shown to be a permutation. Determining the inverse permutation is computationally infeasible by today's standards unless $p$ and $q$ are known (cf. Example 1.15).

1.3.3 Involutions

Another type of function which will be referred to in §1.5.3 is an involution. Involutions have the property that they are their own inverses.

1.20 Definition Let $S$ be a finite set and let $f$ be a bijection from $S$ to $S$ (i.e., $f: S \to S$). The function $f$ is called an involution if $f = f^{-1}$. An equivalent way of stating this is $f(f(x)) = x$ for all $x \in S$.

1.21 Example (involution) Figure 1.4 is an example of an involution. In the diagram of an involution, note that if $i$ is the image of $j$ then $j$ is the image of $i$.
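The following worked example is added here and is not code from the Handbook. It puts Examples 1.15, 1.16 and 1.19 (the modular cube map as a trapdoor one-way permutation) and Example 1.18 (a permutation in array form and its inverse) into runnable form, using the book's values p = 48611, q = 53993 and n = pq. The trapdoor inversion uses the standard e = 3 RSA-style exponent d = 3^{-1} mod (p-1)(q-1), which the chapter only points to (§8.2.2(i)); it is assumed here, not quoted from the page.

```python
# Added worked example (not from the Handbook of Applied Cryptography):
# the cube map x -> x^3 mod n of Examples 1.15/1.16/1.19, its trapdoor
# inverse, and the array form of permutations from Example 1.18.

# Values from Example 1.15 of the book.
P, Q = 48611, 53993
N = P * Q  # 2624653723


def cube_mod(x, n):
    """Forward direction f(x) = x^3 mod n.  Cheap even for huge n thanks to
    square-and-multiply (Algorithm 2.143 in the book); Python's pow does it."""
    return pow(x, 3, n)


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def mod_inverse(a, m):
    g, s, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    return s % m


def cube_root_with_trapdoor(y, p, q):
    """Trapdoor direction (assumed standard technique, cf. the book's
    §8.2.2(i)): knowing p and q, set d = 3^-1 mod (p-1)(q-1); then
    (y^d)^3 = y mod pq, so one exponentiation recovers x.  The inverse d
    exists exactly when neither p-1 nor q-1 is divisible by 3, which is the
    condition Example 1.19 imposes for x^3 mod pq to be a permutation."""
    phi = (p - 1) * (q - 1)
    d = mod_inverse(3, phi)
    return pow(y, d, p * q)


def cube_root_brute_force(y, n):
    """Without the trapdoor, the only generic route in this chapter is trying
    candidate preimages one by one (Note 1.13(ii) table look-up, in the limit).
    Returns the smallest preimage, or None if y is not in Im(f)."""
    for x in range(n):
        if cube_mod(x, n) == y:
            return x
    return None


def is_permutation(f, domain):
    """Definition 1.17: f is a permutation of `domain` iff it maps the finite
    set onto itself with no two elements sharing an image."""
    images = {f(x) for x in domain}
    return len(images) == len(domain) and images == set(domain)


def as_array(perm, domain):
    """Array form (1.1): top row is the domain, bottom row the images."""
    return [list(domain), [perm[x] for x in domain]]


def inverse_array(array):
    """Inverse as described in §1.3.2: interchange the two rows, then sort the
    new top row, carrying the new bottom row along correspondingly."""
    top, bottom = array
    pairs = sorted(zip(bottom, top))
    return [[a for a, _ in pairs], [b for _, b in pairs]]


def is_involution(perm):
    """Definition 1.20: f(f(x)) = x for every x in the domain."""
    return all(perm[perm[x]] == x for x in perm)


if __name__ == "__main__":
    y = cube_mod(2489991, N)  # 1981394214, as stated in Example 1.15
    print("f(2489991) =", y)
    print("recovered with trapdoor:", cube_root_with_trapdoor(y, P, Q))
    # Example 1.19's condition: p=5, q=11 satisfy it (4 and 10 are not
    # divisible by 3); p=7 does not (7-1 = 6), and the map stops being 1-1.
    for p, q in ((5, 11), (7, 11)):
        ok = is_permutation(lambda x: cube_mod(x, p * q), range(p * q))
        print(f"x^3 mod {p * q}: permutation? {ok}")
    p18 = {1: 3, 2: 5, 3: 4, 4: 2, 5: 1}  # Example 1.18
    arr = as_array(p18, range(1, 6))
    print("p =", arr, " p^-1 =", inverse_array(arr))
    print("involution?", is_involution(p18))
```

Calling `cube_root_with_trapdoor` with p = 7 raises `ValueError`, since 3 has no inverse modulo (7-1)(q-1): the same divisibility condition decides both whether the cube map is a permutation and whether the trapdoor works.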
