Professional Documents
Culture Documents
PUBLIC-KEY CRYPTOGRAPHY :
THE RSA AND THE RABIN CRYPTOSYSTEMS
LUCRARE DE DIPLOM
Coordonator tiinific:
Conf. Dr. Septimiu Crivei
Student:
Mihnea Rdulescu
2008
PUBLIC-KEY CRYPTOGRAPHY :
THE RSA AND THE RABIN CRYPTOSYSTEMS
Scientific Coordinator:
Assoc. Prof. Dr. Septimiu Crivei
Student:
Mihnea Rdulescu
2008
To my fiance
ABSTRACT
Starting in the 50s, there has been a growing interest in securing sensitive digital data, for the
purpose of storing it safely, as well as transmitting it securely over unsecured communication
channels. To address some the drawbacks of symmetric-key cryptography (mainly the key
distribution and authentication issues), Diffie and Hellman set the stage in 1976 for what became
the standard entitled public-key cryptography. From the 90s on, the interest in digital data
security has drifted also to the realm of non-governmental computing, that is companies and
common computer users.
This papers main goal is to deliver an accurate image on the concepts of data security and
cryptography, by presenting the theory and applications of two of the fundamental public-key
cryptosystems used nowadays, namely the RSA and the Rabin cryptosystems. To prove the
usefulness and power of public-key cryptography from a practical standpoint, two software
applications have been designed, one for each cryptosystem, that implement every algorithm
inherent to the process of securing data (primes generation, key generation, encryption and
decryption). Also, the paper promotes public-key cryptography as an efficient means of testing
the speed of today's computer processors, due to the computational intensiveness of its
underlying operations.
ii
TABLE OF CONTENTS
Chapter 1 - Introduction to Cryptography.................................................................................3
1.1 Preliminaries..................................................................................................................3
1.2 Symmetric-key cryptosystems......................................................................................9
Chapter 2 - Mathematical Foundations of Public-key Cryptography....................................18
2.1 One-way and trapdoor functions.................................................................................18
2.2 The Euclidean algorithms............................................................................................21
2.3 Modular arithmetic......................................................................................................24
2.4 Primality testing methods............................................................................................45
Chapter 3 - Public-key Cryptosystems......................................................................................54
3.1 The RSA cryptosystem................................................................................................54
3.2 The Rabin cryptosystem..............................................................................................63
3.3 Applications of the RSA and the Rabin cryptosystems...............................................73
Chapter 4 - Implementing the RSA and the Rabin Cryptosystems.......................................81
4.1 Use cases......................................................................................................................83
4.2 Subsystem model.........................................................................................................84
4.3 Package diagram..........................................................................................................85
4.4 Class diagram...............................................................................................................87
4.5 Sequence diagram........................................................................................................98
4.6 Explaining the implementation..................................................................................100
4.7 Revealing the applications functionality..................................................................106
Chapter 5 Processor Core Benchmarking...........................................................................132
5.1 The concept of benchmarking....................................................................................132
5.2 Benchmark development fundamentals.....................................................................133
5.3 Implementing the benchmark.....................................................................................141
Conclusions.................................................................................................................................151
References...................................................................................................................................153
1
sends a message
communication channel
Alice
sends a message
receives a message
eavesdrops
Oscar
Bob
The story of Alice and Bob expresses the basic principles, foundations and challenges of
cryptography using allegory and abstraction to set the framework for a formal, rigorous and
systematic approach to the domain.
Alice and Bob are apparently ordinary people, which have some interesting twists to their
personalities: Bob is a stockbroker illicitly selling stock shares to speculators, while Alice is a
speculator herself, this being her primary reason for talking to Bob. Besides being concerned on
eavesdropping because of the illegality of their stock operations, Alice is worried about her
husband not knowing her involvement in the stock scheme, while Bob is preoccupied on his other
subversive enterprises not being discovered.
Alice communicates with Bob either by telephone or by e-mail. As they talk very often on the
phone, the telephone service becomes increasingly expensive, coupled with Alice being overly
miserly, one of Alices immediate goals is minimizing the cost of the phone call.
The telephone line connecting Alice to Bob is very noisy and prone to interferences as well as
communication failure. Due to these difficulties, at some times, Alice and Bob can hardly
communicate with each other. So Alice has to deal with network noise and failures.
It seems the pursuits of Alice and Bob are well-known to the Tax Authority and Secret Police,
governmental organizations which both have almost limitless resources and always listen to the
conversations between Alice and Bob. Because some of the favorite subjects of Alice and Bob
involve tax fraud and the overthrowing of the government, Alice has to ensure the confidentiality
of the conversation with Bob.
To further complicate matters, there is also a trust issue between Alice and Bob, because of some
previous deceitful behavior of Bob. As such, Alice has an extra authentication issue. [net01]
4
To summarize, for allowing Alice to successfully communicate with Bob, while taking into
account the inherent communication protocols, cryptography must be powerful enough to:
1.1.2 Terminology
Plaintext ( ) = a sequence of characters (either letters from the alphabet, numbers or bytes of
data) that is in a form at which no effort has been made to render the information unreadable and
thus, that can be easily read from and understood. [wiki]
Ciphertext ( ) = a sequence of characters (either letters from the alphabet, numbers or bytes of
data) that is encrypted using an encryption algorithm. Plaintext cannot be deduced from properly
encrypted ciphertext.
Key ( ) = a piece of information (or parameter) that controls the execution of a cryptography
algorithm. A key can be used either for encryption (obtaining the ciphertext out of the plaintext),
or decryption (obtaining the plaintext out of the ciphertext). In many cryptographic systems (see
Public-Key Cryptography), the key for encryption and the one for decryption are not the same.
plaintext
key
key
encryption
decryption
ciphertext
plaintext
Cryptanalysis = (derived from the Greek krypts, "hidden", and analein, "to loosen" or "to
untie") the studying and devising of methods and strategies to allow obtaining the meaning of
encrypted data, without having access to the secret information used to generate the encryption.
[wiki] In more formal terms, it means trying to compute the key that generated the encryption,
having access to only the ciphertext. [Cri06]
Cryptology = the science encompassing both cryptography and cryptanalysis, which studies the
security and safety behind data communication and storage.
an encryption rule
: P C,
a decryption rule
: C P,
a fundamental constraint:
and
should be efficiently
computable
Notes on cryptosystems:
In order to satisfy the fundamental constraint previously stated, the encryption function
P C must always be injective.
If P = C, each encryption rule
are permutations.
The following example uses the Caesar cipher, supposedly employed by the Romans during the
time of Julius Caesar to send orders from Rome to military commanders on the field and back. It
is a simple rotation cipher, in which each plaintext character is replaced by the
character to
Example:
English alphabet enriched with character space
shift to the right of 3 positions
English alphabet enriched with character space to
correspondence:
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Encryption:
Plaintext: julius caesar
Numerical correspondence:
Encryption (using
):
Ciphertext: MXOLXVCFDHVDU
Decryption:
Ciphertext: MXOLXVCFDHVDU
Numerical correspondence:
Decryption (using
):
Steganography uses a supposedly harmless message cover (for instance, a digital picture) inside
which it adds its message, overwriting the least-significant bit(s) of (some of) the bytes of the
cover message. Therefore, the maximum length the hidden message can have, without spoiling its
concealment, is directly proportional to the length of the cover message. [wiki]
The main drawback of steganography against cryptography is that the discovery of the
information-hiding system used leads to steganography being utterly useless, while for
cryptography the information regarding the encryption system used is already assumed to be
known by an intruder.
Steganography might hold a significant advantage over cryptography in cases where even the
acknowledged existence of the communication between parties poses a problem. [Sta05]
8
K,
E and
D the encryption
and decryption rules, respectively. The given cryptosystem is said to be symmetric-key, if for
each key K
knowing only
depending on K, it is computationally
and
knowing only
. [Men96] Symmetric-
Since most of the symmetric-key cryptosystems employ the same plaintext and ciphertext spaces
(P = C) and many the same function for both encryption and decryption (
(P = C),
key K
function
: P P, where
: (P = C)
(1 byte = 8 bits)
and
Example:
is a 1-byte key,
= (125)10 = (01111101)2
Encryption:
Plaintext:
Base 2 correspondence:
Encryption using XOR:
Ciphertext:
Decryption:
Ciphertext:
Base 2 correspondence:
Decryption using XOR:
10
Plaintext:
Speed - of the two main types of cryptosystems in use today (symmetric-key and
asymmetric-key), the symmetric-key is the fastest by a large margin. In terms of the
practical computational intensiveness of its underlying operations, symmetric-key
cryptography is considered hundreds of times less intensive than its asymmetrical-key
counterpart. [wiki]
Small key size - the key size for symmetric-key cryptosystems is several orders of
magnitude smaller than the key size of asymmetric-key cryptosystems. [Cri06]
Disadvantages:
Key distribution problem - requires a communication channel that is both confidential and
authentic to exchange the symmetric-key securely between parties. [Men96] To reduce
the impact of being discovered by an opponent, the shared secret key should be changed
regularly and kept secure during distribution and when in service. Also, it is to be noted
that the number of keys required for communicating between parties increases
dramatically with each new party being added to the communication network. As such,
for a network of n users, the number of private keys required is
11
. [wiki]
key source
secured channel
unsecured channel
K
encryption
decryption
plaintext
source
Opponent
plaintext
destination
Alice
Oscar
Bob
A block cipher is a symmetric-key cryptographic scheme, in which the message (either plaintext
or ciphertext) is split into blocks (groups) of equally-sized data. The operations to be applied on
the message as a whole entity, are, in fact, reduced to the successive manipulation (for encryption
or decryption purposes) of the blocks of data composing the message.
Most of the remarkable symmetric-key cryptosystems in use today utilize block ciphers (our two
previous cryptosystem examples, namely the Caesar cipher and the XOR function, both operate
on block ciphers). The flagship of block-cipher cryptosystems today is the AES (Advanced
12
Encryption Standard), embraced in 2001 by the National Institute of Standards and Technology
(NIST) as the de-facto standard for protecting classified information in non-governmental
systems. [wiki]
AES works with a block size of 128 bits and three candidate key sizes (of 128, 192 or 256 bits,
respectively). Benefiting from a scalable key-size design, AES can be promoted as a
cryptosystem appropriate for diverse security needs (128-bit key size for secret-level data, while
196 and 256-bit key sizes for top secret data).
Key K
Plaintext
block
encryption
...
Plaintext
block
Ciphertext
block
encryption
Ciphertext
block
Key K
Ciphertext
block
decryption
...
Ciphertext
block
Plaintext
block
decryption
Plaintext
block
13
A stream cipher is a symmetric-key cryptographic scheme, in which the message stream (either
plaintext or ciphertext) is processed byte-by-byte (or bit-by-bit). [wiki] What sets stream ciphers
apart from block ciphers, is that the encryption (and, consequently, decryption) rules are not
restricted to using the same key for each iteration. Unlike in the case of block ciphers, where the
key space K was, in fact, composed out of one-element key sets, for stream ciphers a key
is made out of several (distinct) keys
, forming a keystream.
The most widespread stream-cipher cryptosystem of today (including its variations) is RC4,
employed in communication protocols such as SSL (Secure Socket Layer) and WEP (Wireless
Encryption Protocol). Because of its age (since 1987), it no longer represents a good informationsecurity choice for modern needs, although some systems still using it are adequately secure for
practical purposes. [wiki]
Working with stream ciphers can become a very profitable enterprise when the data buffer pool
of the system is severely limited, plaintext comes in quantities of unknowable length, the amount
of computations required to manipulate the data (for encryption or decryption) increases
exponentially with the amount of data processed at once, or when error propagation issues are of
concern to the system.
Key
Plaintext
byte
encryption
Key
...
Plaintext
byte
Ciphertext byte
encryption
Ciphertext byte
...
Key
Ciphertext
byte
decryption
Key
...
Ciphertext
byte
decryption
Plaintext byte
...
Plaintext byte
,K=
K,
Example:
English alphabet enriched with character space
English alphabet enriched with character space to
15
correspondence:
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
and
Encryption:
Plaintext: vigenere
Numerical correspondence:
Encryption (using
):
Ciphertext: BRV_OSYN
Decryption:
Ciphertext: BRV_OSYN
Numerical correspondence:
Decryption (using
):
Plaintext: vigenere
The objective of an attack against a cryptosystem is deducing the plaintext from the ciphertext,
or, even more dramatically, to recover the encryption-decryption key itself. Careful searching and
identification of potentially secure cryptographic functions greatly reduces the chance of
success of such attacks.
ciphertext-only attack - the opponent has access only to some ciphertext and is trying to
deduce the encryption-decryption key or the plaintext solely by observing the ciphertext.
This is the least efficient type of attack, and, should it succeed, the underlying
cryptosystem is proven to be completely insecure. [Men96]
16
known plaintext attack - the intruder has a quantity of plaintext along with its
corresponding ciphertext and tries to detect the encryption-decryption protocol employed.
Such an attack is one step ahead in terms of efficiency to the ciphertext-only attack,
although not by a significant margin. [Men96]
chosen plaintext attack - the opponent has the opportunity to chose its own plaintexts
and be given their corresponding ciphertexts in return. [wiki]
chosen ciphertext attack - the adversary has access to the decryption equipment (but not
to the decryption key) for a limited amount of time as is able to decrypt any ciphertext of
its choosing. The goal of such an attack is to be able to determine the plaintext from
ciphertexts after the access to the decryption equipment has been terminated. [Men96]
17
K,
E and
D the encryption
and decryption rules, respectively. The given cryptosystem is said to be public-key (or
asymmetric-key), if for each key
depending on
and
such
. [Men96]
for any
such that
. [Men96]
Although there are many contenders for the status of one-way function, the existence of one-way
mappings has neither been proven nor dismissed, remaining as an open conjecture in
cryptography theory. [wiki] The security of each of the public-key cryptosystems is based on the
presumption of ininvertibility of the one-way function the cryptosystem is built upon.
18
to compute
be a
, it is reasonably easy
natural number
is a hard
Example:
Let
and
distinct primes,
. Compute
, such that
. Let
, such that
the number
and
, the
, given
and
as
not yet proven) that the computational difficulty of determining an inverse modulo
, for
and
Example:
Let
and
both primes,
Then,
and
. Given such a
number
, such that
distinct primes,
. Let
and a large
, the computation of
given
is rather
, such that
20
, for
Example:
Let
and
both primes,
and
. Then,
, such that
, it also finds
, such that
Example:
Compute
We have:
Therefore,
Computational algorithm:
Prototype: function Gcd(a, b) : result
Input: a, b
Output:
N, result =
Pseudocode:
if (a < b) then
temp := a
a := b
b := temp
endif
while (b > 0) do
r := a mod b
a := b
b:=r
endwhile
return a
22
, such that
. Then,
Example:
Determine u, v
, such that
Using a bottom-up approach to the solution of the example from the Euclidean algorithm, we
obtain:
Therefore,
and
Output:
and
, such that
Pseudocode:
if (a < b) then
temp := a
a := b
b := temp
endif
u2 := 1; u1 := 0; v2 := 0; v1 := 1
23
while (b > 0) do
endwhile
d := a; u := u2; v := v2
return (d, u, v)
. Then,
A partition of a set
is a set of subsets of
, having the
following properties:
For convenience, we may use the standard notation , rather than , to denote the equivalence
class
of
Also, since
, we have
, we have
24
Let
. Then, a number
, satisfying
Properties: [Cri06]
is invertible in
such that
which case
is a field every
is invertible
is prime
. Then,
such that:
Example:
Determine the inverse of
Output:
25
, in
Pseudocode:
(d, u, v) := ExtendedEuclid(a, n)
if (u < 0) then
u := u + n
endif
return u
, where
. Then:
if
if
if
if
equation
Example:
Solve the modular congruence equations:
1)
, therefore the solution to the equation is:
2)
, but, since
26
, for
3)
, and, since
Computational algorithm:
Prototype: function ModularCongruence(a, b, n) : x
Input:
Output: either one of the following:
to the equation
(no solution)
the solution vector , with
, to the equation
Pseudocode:
d := gcd(a, n)
if (d = 1) then
x := (ModularInverse(a,n) * b) mod n
else if (b mod d
0) then
x :=
else
y := ModularCongruence
for k := 1 to d 1 do
:=
endfor
endif
return x
27
,
,
,
,
, where:
,
,
Example:
Solve the modular congruences equations system:
and
,
, for
28
Computational algorithm:
Prototype: function ChineseRemainder(r, a, n) : (x, N)
Input:
Output:
(no solution)
Pseudocode:
existsSolution := true
for i := 1 to r - 1 do
for j := i + 1 to r do
if (Gcd(
1) then
existsSolution := false
x :=
endif
endfor
endfor
if (existsSolution = true) then
N := 1
for i := 1 to r do
N := N *
endfor
x := 0
for i := 1 to r do
:=
:= ModularInverse( ,
x :=
mod N
endfor
endif
return (x, N)
29
, can be very
and
compute
Example:
Let
. Compute
Steps:
1)
2)
3)
30
4)
,n
Output: result
2, b < n
, result =
mod n
Pseudocode:
if (b = 0) then
result := 0
else if (e = 0) then
result := 1
else
while e > 0
if (e mod 2 = 1) then
result := (result * b) mod n
endif
e := e / 2
b := (b * b) mod n
endwhile
endif
return result
31
modulo ,
is a number ,
.
satisfying it), then
is called a quadratic
residue modulo
if the equations lacks any solutions (
is called a
primes.
1) Eulers criterion:
, thus:
2)
, hence
3)
4) Law of quadratic reciprocity:
32
Note: In order to decisively speed up the Legendre symbol calculation, instead of factoring the
number
into primes to be able to apply the law of quadratic reciprocity until the symbol
evaluates to
or
one could use Eulers criterion to determine the symbols value, relying
Example:
1) Let
. Compute
Therefore,
modular equation
2) Let
. Compute
Therefore,
modular equation
33
Computational algorithm:
Prototype: function ComputeLegendreSymbol(a, p) : result
N, p
Input: a, p
3, p prime
Output: result
, result =
Pseudocode:
if (a
p) then
a := a mod p
endif
expr := ModularExponentiation(a, (p - 1) / 2, p)
if (expr = p - 1)
result := -1
else
result := expr
endif
return result
Problem
Solve the following modular equation:
,
where
prime
has a solution
we have
,
, because
,
. Also, because
is odd, it becomes
34
The solution depends on the choosing of the prime , allowing the next
cases:
1)
2)
3)
odd
such that
residue modulo .
3) Compute
4) Compute
5) Determine
6) Compute
.
,
until
One solution is
Case 2) [wiki]
One solution is
Case 3) [Cri06]
One solution is
Examples:
Solve the following modular equations:
35
is a quadratic non-
a)
At first, we notice that the corresponding Legendre symbol
, therefore the
3) Computing
4) Computing
5) Computing
6) Computing
b)
We begin by noticing that the corresponding Legendre symbol
, hence the
36
c)
We start by computing the corresponding Legendre symbol
, consequently the
Computational algorithm:
Prototype: function SolveCase1(a, p) : x
Input: a, p
, p
3, p prime,
, the equation
solutions
Output: one solution
to the equation
Pseudocode:
t := p - 1
s := 0
while (t mod 2 = 0) do
t := t / 2
s := s + 1
endwhile
d := 2
37
has
dFound := false
while ( (d < p) and (dFound = false) ) do
if (ComputeLegendreSymbol(d, p) = -1) then
dFound := true
else
d := d + 1
endif
endwhile
A := ModularExponentiation(a, t, p)
D := ModularExponentiation(d, t, p)
DInverse := ModularInverse(D, p)
k := 0
powerFound := false
while ( (k < Power(2, s - 1)) and (powerFound = false) ) do
if (ModularExponentiation(DInverse, 2 * k, p) = A) then
powerFound := true
else
k := k + 1
endif
endwhile
Dk := ModularExponentiation(D, k, p)
x := (ModularExponentiation(a, (t + 1) / 2, p) * Dk) mod p
return x
Computational algorithm:
Prototype: function SolveEquationModP(a, p) : x
Input: a, p
, p
38
has solutions
, x1, x2
if (p mod 8 = 1) then
x1 := SolveCase1(a, p)
else
if ( (p mod 8 = 3) or (p mod 8 = 7) ) then
x1 := ModularExponentiation(a, (p + 1) / 4, p)
else
if (ModularExponentiation(a, (p - 1) / 4, p) = 1) then
x1 := ModularExponentiation(a, (p + 3) / 8, p)
else
x1 := ( (2 * a) * ModularExponentiation((4 * a), (p - 5) / 8, p) ) mod p
endif
endif
endif
x2 := p - x1
return x = (x1, x2)
prime,
The starting point for solving such an equation is knowing the solution to the equation
. Consider
one solution is
one solution is
chosen such that
(depending on
one solution is
,
(depending on
39
for
, is:
Example:
Solve the modular equation
We know from the preceding examples that one solution to the equation
is
are:
Computational algorithm:
Prototype: function SolveEquationModPT(a, t, p) : x
Input: a, t, p
,t
2, p
Output: the solution vector (x[t, 1], x[t, 2]) to the equation
x[t, 1], x[t, 2]
Pseudocode:
40
has solutions
),
t) do
k := 0
kFound := false
while ( (k < p) and (kFound = false) ) do
possibleValue := x[index - 1, 1] + k * currentPower
if (ModularExponentiation(possibleValue, 2, modularPower) = a) then
x[index, 1] := possibleValue
kFound := true
else
k := k + 1
endif
endwhile
x[index, 2] := modularPower - x[index, 1]
currentPower := modularPower
modularPower := modularPower * p
index := index + 1
endwhile
return (x[t,1], x[t,2])
composite
is a quadratic residue
41
to each equation
where
4) Obtaining the final solution modulo
previous solutions
to the equations
Example:
Find the solution to the modular equation
, the
, the
(solved
at a previous example)
. Since
is
4) There are
Theorem, each having one solution. The solution to our main equation is the union of
these
separate solutions.
43
and
Computational algorithm:
Prototype: procedure BackTrackSolutionsModN(m, n, x, equationIndex, solutionIndex,
xFinal)
Input:
, x[i,1], x[i,2]
, xFinal[j]
, xFinal[j] < n,
Pseudocode:
if (equationIndex > m) then
xFinal[solutionIndex] := ChineseRemainder(m, solution, n);
solutionIndex := solutionIndex + 1
else
for i := 1 to 2 do
solution[equationIndex] := x[equationIndex, i]
call BackTrackSolutionsModN(m, n, x, equationIndex + 1, solutionIndex, xFinal)
endfor
endif
44
,x
Computational algorithm:
Prototype: function SolveEquationModN(m, n, x) : xFinal
Input:
, x[i,1], x[i,2]
,x
, xFinal[j]
, xFinal[j] < n,
Pseudocode:
solutionIndex := 1
call BackTrackSolutionsModN(m, n, x, 1, solutionIndex, xFinal)
return xFinal
For cryptography purposes, the fastest and most efficient primality tests are the probabilistic ones
(with the Miller-Rabin test being the most effective), their downside residing in the fact that,
regardless of the number of test iterations applied on the candidate prime, the candidate number
45
cannot be proven to be prime with 100% confidence, although its compositeness (if any) can be
established with absolute certainty.
and
. The map
2) if p is prime,
3) if
4) if
, p prime,
,
46
is called
, then
prime and
. Then,
Let
. If
, then
is prime.
. Then,
passing the Fermat test for a given base . The probability of a composite number
Fermats tests for
different bases
is at most
passing
Fermats tests, the probability that the tested number is prime is at least
A defining weakness of Fermats test are the Carmichael numbers. A natural composite number
is called a Carmichael number, if it passes Fermats test for any base . It has been proven that,
for a large-enough , the number of Carmichael numbers less than
is greater than
, and, as a
consequence to this fact, that the set of Carmichael numbers is infinite [Men96].
.
if
, for some
if
and
, then
, for every
47
, then
is a Carmichael number
. Let
, such that
and
. Also,
. Therefore,
is a Carmichael number.
Let
1)
failed Fermats primality test for the base
The number
conclude that
, therefore we can
N, n
3, k
Output: res
, corresponding to
if (result
1) then
return COMPOSITE
endif
endfor
return PRIME
be a prime number,
,
. Uniquely write
as
odd. Let
odd. Let
. Then, either:
or
, for some
[Men96]
be an odd number,
,
. Uniquely express
as
. If either:
or
, for some
then
is prime.
, if either
or
different bases
is
different Miller-Rabin tests, the probability that the tested number is prime is at least
.
49
Let
1)
1.
2.
3.
4.
5.
2)
1.
2.
3.
4.
5.
6.
3)
1.
2.
3.
4.
5.
Let
1)
1.
50
2.
Seeing that our number
can claim that
, we
N, n
3, k
Output: res
, corresponding to
, r,s
, r odd
for i :=1 to k do
Randomly choose a, 1 < a < n - 1
result := ModularExponentiation(a, r, n)
if ( (result
1) and (result
n - 1) ) then
j :=1
while ( (j
s - 1) and (result
n - 1) ) do
1) then
return COMPOSITE
endif
j := j + 1
endwhile
if (result
n - 1) then
return COMPOSITE
endif
endif
endfor
return PRIME
51
The algorithms for both tests employ operations of the same computational
complexity.
Both tests can determine composite numbers with absolute certainty. Since the set
of strong liars (bases for which a given composite number
Rabin test) is a narrow subset of the set of Fermat liars (bases for which a given
composite number
Fig. 2.4 Relationship between the Fermat and the strong liars for any composite
number
52
[Men96]
requires only half of the bases Fermats test would need in order to achieve the
same confidence on the primality of .
53
generates the keys required for the encryption and decryption processes.
2) Compute:
, where
function.
3) Select a random number
4) Determine
, such that
, such that
.
5) The keys are:
the public key:
the private key:
54
.
, that is
Encryption
Summary: Entity
encrypts a message
from .
to .
Decryption
Summary: Entity
from .
. Since
and
are primes,
, it is
.
Because
such that
cases:
if
is a multiple of , therefore
and, consequently,
if
55
, K=
Example:
English alphabet enriched with character space
English alphabet enriched with character space to
correspondence:
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
The plaintext
is split into blocks of length , while the ciphertext is divided into blocks
Encryption:
Plaintext: rsa
Splitting: rs / a_
Numerical correspondence:
rs
a_
Encryption (using
):
56
Ciphertext: _MBAQG
_MB
AQG
Decryption:
Ciphertext: _MBAQG
Splitting: _MB / AQG
Numerical correspondence:
_MB
AQG
Decryption (using
):
Plaintext: rsa
rs
a_
in order to determine
as follows:
because
57
, for certain
since
have
then,
,
,
, such that
odd
and
, a proper factor of
is revealed as
until
the conditions above are fulfilled. The expected number of trials until
is
factored is .
[Men96]
In order to speed up the encryption process (by reducing the amount of operations
involved), one can select a small encryption exponent
However, let us consider the case in which the same plaintext message
sent to
. An eavesdropper intercepting
is encrypted is
distinct moduli
sent messages is
and, as such,
, with
58
, in favor of larger
, until
[Cri06]
If
is less than
and
,
of the
, such that
, that is
that
. We know
having access to the decryption equipment for a timespan and being able to decrypt any
chosen ciphertext, other than
as
, out of
as
To prevent such attacks, some structural constraints should be placed upon the plaintext
messages. If a decrypted plaintext
encryption
for
in the network
sent to at least two different entities has a change to decrypt the message as
follows:
If
we get
, for some
. Hence, we have:
, an eavesdropper is almost
keys
Both of the previously presented situations can be avoided by providing each entity in the
network with a unique modulus .
60
message space
,
. As such, finding a
private key
such that
and, consequently,
for which
and, as any factorization algorithm to this day, needs exponential time to succeed.
Therefore, for a sufficiently large modulo , this type of attack does not push a problem
to RSA.
. Regardless of the
unconcealed messages (
). If
and
is either
these unconcealed messages is negligibly small, so they do not pose a threat to the
security of RSA.
The primes
and , whose product is the modulus , should be of roughly the same size,
61
could be factored by
. Random choosing of
and
and
used to factor
the modulus , the random prime generation should be intractable. The best solution to
this would be using a true random generator (such as a device to measure the radioactive
decay of uranium atoms).
To avoid salting the message
), one could use a somewhat larger, but still computation-wise efficient encryption
exponent (like
modular multiplication).
If, due to the choosing of the encryption exponent
has the size less than
selection of
computed as
, that is:
Although speed in not quite the concern for RSA as it is for symmetric-key
cryptosystems, efficient polynomial-time algorithms should be used for all the operations
involved in the process:
modulo
) (see 2.3.1)
62
encryption
and
decryption
the
repeated
squaring
modular
or
(see 2.3.4)
generates the keys required for the encryption and decryption processes.
2) Compute
3) The keys are:
the public key:
the private key:
Encryption
Summary: Entity
encrypts a message
from .
to .
63
Decryption
Summary: Entity
received from
.
1) Receive the ciphertext
from .
satisfying
, K=
, such that
Example:
English alphabet enriched with character space
English alphabet enriched with character space to
correspondence:
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
The plaintext
is split into blocks of length , while the ciphertext is divided into blocks
Encryption:
Plaintext: rabin
Splitting: rab / in_
Numerical correspondence:
64
rab
in_
Encryption (using
):
Ciphertext: _QAE_LFN
_QAE
_LFN
Decryption:
Ciphertext: _QAE_LFN
Splitting: _QAE / _LFN
Numerical correspondence:
_QAE
_LFN
Decryption (using
):
4 possible roots:
4 possible roots:
Plaintext: rabin
rab
in_
65
are the
, one adds ,
as follows:
digits of
in the base
as
. To add a
before replication:
after replicating the last digits of
Put differently, one observes that replicating the last digits of the representation of
(adding a
digits were
replicated.
. When the decryption is performed, the user can easily distinguish which of the four
messages
is the message
matching redundancy. After the solution has been found, the redundancy is removed as follows:
,
where
is the message
Note:
1) To ensure that only one of the messages
added redundancy should be long enough to avoid ambiguity. Todays standards impose a
redundancy of at least 64 bits.
2) To allow the use of redundancy, the initial message
is too long for such a purpose, it can be split into two messages
66
, K=
the message
, such that
Example:
English alphabet enriched with character space
English alphabet enriched with character space to
correspondence:
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
redundancy of
decimal digits
Encryption:
Plaintext: rabin
Splitting: ra / bi / n_
Numerical correspondence:
ra
bi
n_
Encryption (using
):
Ciphertext: EOYPBFZMETJH
EOYP
BFZM
ETJH
Decryption:
Ciphertext: EOYPBFZMETJH
Splitting: EOYP / BFZM / ETJH
Numerical correspondence:
EOYP
BFZM
ETJH
Decryption (using
):
4 possible roots:
is
4 possible roots:
is the
is the
4 possible roots:
only value to match the replication
Plaintext: rabin
ra
bi
n_
68
knowing only the public key , is faced with the modular square root problem. The
only known efficient algorithm to determine
requires s decomposition into primes and, as such, the modular square root problem is
equivalent in terms of difficulty to the integer factorization problem.
is encrypted is sent to
. An eavesdropper intercepting
entities, using
distinct
sent
. By applying the
, with
. Since
simply by
There is but a single workaround to this situation, namely salting the message
, that is
, until
is obtained. Such an attack is generally not an issue to the Rabin cryptosystem, as the
salting of messages prior to their encryption is mandatory (see also 2)).
69
as
to the decryption machine. Two situations may arise, following the previous
assumption:
The decryption machine returns all of the four possible plaintexts
. The opponent searches for a plaintext
having the property
message
is obtained as
The decryption machine returns only one (probably the smallest root) of the four
possible plaintexts, namely the plaintext
property
determined as
. If
can be
can be factored.
To deter such attacks from being successful, it is enough for the decryption machine to
request the existence of a redundancy in any plaintext
that
70
. It is known
Assuming that an opponent who has access to the decryption equipment for a period of
time desires to decrypt the cyphertext
chosen ciphertext, other than
random number
as
and forward it
to the decryption machine. In return, the decryption machine gives the opponent the
decryption of , that is
plaintext message
as
redundancy to distinguish between the four roots of the modular squaring equation is
necessary.
To avoid such attacks, some structural constraints should be placed upon the plaintext
messages. If a decrypted plaintext
encryption
6) Message concealing
A message
. Regardless of the
). If
insignificantly small, posing no real threat to the security of the Rabin cryptosystem.
factorization of large integers, the constraints regarding the size of the modulus are the
same as in the case of RSA.
As in the case of RSA, some care must be taken when choosing the primes
whose product is the modulus .
should not be very small, otherwise
and
and ,
71
numbers close to
. Random choosing of
and
the situations.
Considering the significant amount of extra decryption computations (the Tonelli-Shanks
algorithm - see 2.3.5.2) when using a modulus
, the
random prime generation algorithm should eliminate primes having such a form.
and
factoring the
modulus , the random prime generation should be intractable. The best answer to this
issue would be relying on a true random generator (such as a device to measure the
atmospheric noise at a given time).
Any message plaintext that is to be encrypted using the Rabin cryptosystem should have a
redundancy of at least 64 bits in order to be able to easily discern between the four
message plaintexts obtained at decryption, so that no more than one message has the
expected redundancy.
Although not a general issue to the RSA, salting any message (regardless of its initial
length) is of the utmost importance to the security of the Rabin cryptosystem, since, more
often than not, the same message
using different moduli
added) should be large enough, in order to make attempts to extract the integer square
root of
required length.
72
Even if speed might be regarded as a second-rate concern to the Rabin cryptosystem (as
public-key cryptography is much slower than symmetric-key cryptography, anyway),
efficient polynomial-time algorithms ought to be used for all the operations involved in
the process:
(see 2.3.5)
key distribution issue - Prior to being able to communicate securely over insecure
channels (by using data encryption), the participants were forced to rely on the exchange
of the encryption-decryption keys using secure channels, other than the ones used for the
actual communication.
encryption of small amounts of data - The large disparity in terms of speed between the
public-key cryptography and its symmetric-key counterpart becomes non-essential when
small amounts of data are to be encrypted and decrypted. If such data is subjected to
transmission over an unsecured connection, then public-key cryptography (like RSA or
Rabin) becomes the only reasonable choice. Such situations mainly involve banking
transactions over the Internet, when the user provides the transactions front-end (the
website) with his/her confidential banking account (or credit card) credentials.
to be used
for any secure data exchange between the parties of the network.
Every participant
unsecured channel.
(the symmetric-key
cryptosystem key) using every available public key received from the parties,
obtaining the distinct ciphertexts ,
74
to its corresponding
Each participant
key sent).
At this point all the parties involved are in possession of the symmetric-key
cryptosystem key (whose security remains intact, due to the use of public-key
cryptography for its transmission) and are able to rely on it to secure each future
data exchange over the network.
digital signatures - Signatures are used for two purposes: the authentication beyond any
doubt of the parties involved in the communication (also the non-repudiation of any
messages sent) and the integrity check of the corresponding messages.
: P A,
a verification function
: (P
S
A)
a fundamental constraint:
,
75
P,
Due to the time constraints involved in message encryption and decryption as well as bandwidth
limitations, the signing function
, that is
that is to be
, such that
Hash functions, of which the most used today are MD5 and SHA-1, are employed to ensure
message integrity in areas such as cryptography, web downloads integrity and peer-to-peer
networking.
76
authentication - ensuring that the received message came indeed from Alice and not
from an intruder
integrity - certifying that the message has neither been damaged, nor forged, during its
transmission over the channel
had already been sent by Alice and received by Bob and whose
secure transmission was achieved using a cryptosystem of the protagonists choice (public-key or
symmetric-key). The following template chronologically details the steps required for a
successful digital signing and signature verification of the message involved in the
aforementioned transmission:
1) Alice generates her public-key cryptosystem key to be used for the message signing.
2) Alice sends the public key part of the generated key to Bob.
3) Alice uses a hash function
of the message
to Bob.
4) Alice encrypts the hash
.
8) Bob compares the hash
(that he previously
decrypted). If there is a match, than Bob becomes certain that the message
came
indeed from Alice and that it has not been damaged or forged. If not, then either the
message did not come from Alice, but from an opponent, or the message came from
Alice, but was damaged or forged during the transmission, or a mixture of these
situations. Either way, if there has been no match, Bob clearly knows that the message he
obtained is not reliable.
77
generates the keys required for the digital signing and signature verification
processes.
1) Generate two random and distinct prime numbers,
2) Compute:
, where
function.
3) Select a random number
4) Determine
, such that
, such that
, that is
.
5) The keys are:
the public key:
the private key:
Digital signing
Summary: Entity
1) Compute
message
, where
, obtained by applying a hash function (like MD5 or SHA-1) agreed upon with
entity .
2) Compute the signature
Signature verification
Summary: Entity
of the message
function as entity .
4) Verify if
message
unreliable.
generates the keys required for the digital signing and signature verification
processes.
1) Generate two random and distinct prime numbers,
2) Compute
3) The keys are:
the public key:
the private key:
Digital signing
Summary: Entity
1) Compute
message
, where
, obtained by applying a hash function (like MD5 or SHA-1) agreed upon with
entity .
2) Compute the signature
, where
79
(see 2.3.5.4).
Signature verification
Summary: Entity
received from
of the message
function as entity .
4) Verify if
message
unreliable.
Note:
1) When trying to compute the signature , one might apparently reach a dead end, if
not a quadratic residue modulo
is
, until
becomes a quadratic
80
Rabin cryptosystems, respectively. Both software products have been developed in the C#
programming language and utilize the .NET Framework 2.0.
In terms of the graphical user interface, both applications are made out of four sections (GUI
tabs), each section expressing a part of the fundamental functionality of a public-key
cryptosystem. The sections (tabs) and their functionalities are:
Primes Generation the random prime generation component, using a powerful true
random generator implementation.
Key Generation the public and private key generation component, using the primes
obtained in the Primes Generation section.
Encryption the content encryption section, which encrypts the data (any file) chosen by
the user, according to a public key obtained in the Key Generation section, corresponding
to a public-key cryptosystem (RSA or Rabin).
Decryption the content decryption section, whose purpose is to decrypt the data (any
file encrypted in the Encryption section), with respect to its corresponding private key,
received from the Key Generation section and corresponding to one of the public-key
cryptosystems (RSA or Rabin).
the software is (virtually) bug-free while, at the same time, favoring only the most efficient and
fast algorithms of the day, in order to distinguish it from other public-key cryptography solutions.
These two programs (the implementation of the RSA and Rabin cryptosystems, respectively)
present all the qualities expected in a software product, perhaps not quite up to the standards of
81
commercial software, but surely up to the demands of free and open-source solutions. Those
features could be succinctly summarized as:
General purpose software (security being a widespread concern)
Simple and intuitive GUI (able to present a variable amount of information, depending on
the users level of knowledge and interest in the matter, while, at the same time, hiding
any obscure and insignificant details)
Support for the serializing of data (primes and keys), to be able to successfully reuse it.
True randomness for the generated primes, as well as state-of-the-art
-bit encryption,
Taking into account the disparity in terms of speed between public-key and private-key
cryptography (see 3.3), the utility of the application can be expressed as follows:
Encryption of small amounts of data (any file up to
KB in size)
Both applications are identical in terms of architecture, design and graphical user interface,
the differences residing in the specific key generation, encryption and decryption algorithms
and their implementations, as defined by the cryptosystem each application is built upon.
Documenting the analysis and design of the application is done in conformity with the UML 2.1
standard and extra emphasis is being put on the implementation choices made.
82
Generate a random
prime number
<<extend>>
Use atmospheric
noise sensors
Generate a key
<<include>>
Select two distinct
prime numbers
<<include>>
Encrypt data
<<include>>
Select any public key
<<include>>
Select an encrypted
file
Decrypt data
<<extend>>
83
Select the
corresponding private
key
3rd Layer
2nd Layer
1 Layer
Data Model & Technical
Layer
84
Notes:
This architecture uses a relaxed layer interaction model, allowing the upper layer (UI) to
access the Data Model & Technical Layer for some of the operations.
Method calls from one subsystem (layer) to another can only be made by higher order
layers to lower order layers.
<<application>>
RSA_Cryptosystem_Application
<<import>>
PrimesGeneratorImplementation
<<import>>
<<import>>
RSAEncryptionDecryptionImple
mentation
<<import>>
<<import>>
<<technical>>
BigIntegerImplementation
85
<<application>>
Rabin_Cryptosystem_Application
<<import>>
PrimesGeneratorImplementation
<<import>>
<<import>>
RabinEncryptionDecryptionImple
mentation
<<import>>
<<import>>
<<technical>>
BigIntegerImplementation
86
Package RSA_Cryptosystem_Application:
87
88
89
Package PrimesGeneratorImplementation:
90
Package RSAEncryptionDecryptionImplementation:
Package BigIntegerImplementation:
91
92
Package Rabin_Cryptosystem_Application:
93
94
95
Package PrimesGeneratorImplementation:
identical to the package having the same name from the RSA Cryptosystem
Application
96
Package RabinEncryptionDecryptionImplementation:
97
Package BigIntegerImplementation:
identical to the package having the same name from the RSA Cryptosystem
Application
: RSA (Rabin)
Encryption
Decryption
: Primes
Generator
User
Generate a
random prime
number
Generate a random
BigInteger
Response : a random
BigInteger
If the BigInteger is
composite, increase it by 1
Response : a prime
BigInteger
Select two
primes
98
Encrypt the
BigInteger
Decrypt the
BigInteger
99
Primes Generation
Encryption
Decryption
For the generation of random primes, the GUI provides two methods:
Random strings input, for which the user is required to type two random
strings of his/her choice, each having a length of at least 50 characters.
Each random prime found can be saved as a binary file (*.RSAPrime or *.RabinPrime).
With respect to the key generation, the user must select two different primes (two
*.RSAPrime or *.RabinPrime files) to compute the public and the private keys. The
public and the private keys can then be saved as binary files, *.RSAPublicKey or
*.RabinPublicKey for public keys and *.RSAPrivateKey or *.RabinPrivateKey for
private keys. For the RSA cryptosystem, the public exponent is chosen to be
, unless
, in which case
is increased, until
(see 3.1.1).
For the encryption of data, the user should select a public key (*.RSAPublicKey or
*.RabinPublicKey), the file to be encrypted (having any format and length of less than or
equal to
Regarding the decryption of data, the user can choose an encrypted file (*.RSA or
*.Rabin) and the corresponding private key file (*.RSAPrivateKey or *.RabinPrivateKey).
To avoid selecting the wrong private key file, the application allows the option to
automatically determine the suitable private key file, as long as such a file exists in the
default private key folder.
All of the large integers and their inherent mathematical operations are handled by the
BigInteger class, from the package BigIntegerImplementation. As the class BigInteger
may work with large numbers of virtually any size as well as any numeration bases
, the following decisions have been made, regarding the representation of the
BigIntegers:
digits assigned to a BigInteger becomes small, resulting in fast execution speed for
the algorithms employing BigIntegers. This arrangement benefits the application
in terms of effectiveness, since each digit of a BigInteger occupies half of a
-bit
( byte) processor registry, the extra half being used for efficiently controlling
some of the overflow resulting from mathematical operations (such as addition,
subtraction, multiplication, division). For the visual representation of BigIntegers
-bit (
-bit (
-byte), which is
digits and
accommodate for squaring and for repeated squaring modular exponentiation (see
2.3.4) of a BigInteger.
101
Every possible inconsistency or error in the user input or accessed data is flagged as
such, the user being presented with an appropriate warning or error message and the task
execution being terminated.
Package PrimesGeneratorImplementation:
The two methods for generating a random prime, selectable at the GUI-level, are:
Random strings input, for which the random content taken into account of the
input is:
-
the total amount of time needed by the user to type each string
102
aforementioned website, of length equal to the size of the prime to be built, which
determines the digits of the random number.
After a random number has been found, using any of the two methods, the process of
primality testing commences. If the number is deemed to be prime, the algorithm
terminates, otherwise the current number is increased by 1, and the primality test is
repeated for the new numerical value. The primality test is two-phased, employing the
following steps:
-
Phase 2 If the candidate prime has passed the trial division test, it is subjected
to the most efficient primality test of today, namely the probabilistic Miller-Rabin
primality test.
For both cryptosystems, the Encryption class reads blocks of fixed size from the file to
be encrypted, converts the read data to BigInteger representation, encrypts the BigInteger
to another BigInteger and serializes the obtained BigInteger along with some information
regarding the binary block to a binary form in the output (encrypted) file. The encryption
must take into account special cases, such as reading a full block of data containing only
the
(null) byte, as well as salting the read BigInteger to reach its desired length, if the
block of read data is of a smaller size than the standard (fixed) size. The latter special case
may only occur when the last block of the file to be encrypted has been reached.
For both cryptosystems, the Decryption class reads each information regarding the
blocks of data of the plain (non-encrypted) file and deserializes (reads) each of the
103
BigInteger numbers from the encrypted file. Each BigInteger is then decrypted to another
BigInteger, whose binary form is then written to a file, taking into account the
representation constraints provided by the information block in the encrypted file.
The Encryption class for the RSA cryptosystem encrypts blocks of size of
(equivalent to a
bytes
The Encryption class for the Rabin cryptosystem encrypts blocks of size of
also, but those correspond to an
bytes
after which the BigInteger is extended further with 5 digits of salt, to render small
encryption exponent attacks useless (see 3.2.5.2)). Like in the case of RSA, the obtained
BigInteger has 95 digits. The Decryption reverses the process by decrypting each
BigInteger, removing the salt digits and then deleting the replication digits from the
decrypted number.
Package BigIntegerImplementation:
The BigInteger class of the package is intended to store large integers and execute any
usual mathematical operation on them. The BigInteger class represents the numbers digitby-digit, in a numeration basis of choice
(+, , *, /, %, <, >,
uses the BigInteger class is offered the typical and natural way of manipulating the
arithmetical operations on BigIntegers. The following specific arithmetic, abstract
algebra and computational operations have also been loaded into the BigInteger class, in
order to enhance its usefulness:
-
The greatest common divisor (gcd), using the standard Euclidean algorithm and
the extended Euclidean algorithm (see 2.2)
The modular exponentiation method, using the repeated squaring algorithm (see
2.3.4)
Great care has been taken to define the best data structures for storing large integers as
well as for every algorithm utilized in the BigInteger class to employ the best polynomialtime algorithms to date, without containing any inefficient exponential-time algorithms.
105
106
107
108
Key-generation log:
The public key modulus (as the product of the two primes) is
255235215826284313701798101197088601458103469857854153667313200621769019
034221179709130622772504141821993539384892128946799478964241416396175847
597984907761060421239911340101318473177772123618496745232599210571711148
220961035361794751559129467619043682206576507534384302934926283990822636
597719086248249285300093913414479817916338231367095648791450152194912786
908023115305787650130268343387129312098496936132254802175302234645565437
521635844989264520868278957369
657547388731086452922994090303139191230209796050550473023979376845624558
403188374875220330742798872158573712302185037107120361298162411169021481
292094267320945373035107119663429555638657821588686737972624959985908075
998760669982107758429172449433
3) Encryption testing:
Note: For the encryption, we will be using the public key component of the key obtained
at the key generation testing and the file boot.ini as the file to be encrypted.
110
Encryption log:
Plain number
141305629585215394297284896929800272417991205552816284875666447182661453
161116985349854143892016671389226678962179699568173336712184569076541493
348705053655859218493311673363755297217494528883951763210257924204930637
969070640194269254646737821267753519234533509574974028891148482127579281
610019182454203267334357957803765284573920613164905992474595171988770077
734062542559983430075786146837987066201123294957708853863888513943428394
02256579078158691755979893
111
Encrypted to number
180132248109472323179898199642301275053105278397677036155540903754731980
119744362566580985137346035916935951462542467301366456664714289600630823
147253592852261578321038960682890501958159035885179122391428962767452607
206227219463530557518116951211440075489308988828207915711942844994763163
272292027495314997973095208213137571129032247163076657321897220550777844
616983284744408804499362556759834210603383252264020940475275826456339431
870765833322420691890943460501
Plain number
882054190690688674192782416964482838912803791157796974758732467409211876
762669059660819403360239436951761334305710080268298109517276634338359028
629418378160961163408673545032119968673186121353501347854820327822144108
449051602056484494815225159865450685580339715227449142728997363170535801
924713159873398211075294032790310450907045584987250222253191206130195551
004924555860039011696944456005994386224565838136615514222386244013038154
6642249730146152812118016
Encrypted to number
206239766399106536113864063571159966113147547936046020546142808222160976
781259636935036131604251248139513789871232587211352041768453030730741037
648070349381353778748165493584122644317436741439547473818522409167285839
451148406815747274246269335397902752096765213215258757719073891929799798
676675460841039694090166743012384692764348342465381884320797550502479470
266186656065097843768323718238581992271124361945688692453199415189641856
551491941320568383709359340351
112
4) Decryption testing:
Note: For the decryption, we will be using the private key component of the key obtained
at the key generation testing and the file boot.ini.RSA as the file to be decrypted.
113
Decryption log:
Encrypted number
180132248109472323179898199642301275053105278397677036155540903754731980
119744362566580985137346035916935951462542467301366456664714289600630823
147253592852261578321038960682890501958159035885179122391428962767452607
206227219463530557518116951211440075489308988828207915711942844994763163
272292027495314997973095208213137571129032247163076657321897220550777844
616983284744408804499362556759834210603383252264020940475275826456339431
870765833322420691890943460501
Decrypted to number
141305629585215394297284896929800272417991205552816284875666447182661453
161116985349854143892016671389226678962179699568173336712184569076541493
348705053655859218493311673363755297217494528883951763210257924204930637
969070640194269254646737821267753519234533509574974028891148482127579281
610019182454203267334357957803765284573920613164905992474595171988770077
734062542559983430075786146837987066201123294957708853863888513943428394
02256579078158691755979893
Encrypted number
206239766399106536113864063571159966113147547936046020546142808222160976
781259636935036131604251248139513789871232587211352041768453030730741037
648070349381353778748165493584122644317436741439547473818522409167285839
451148406815747274246269335397902752096765213215258757719073891929799798
676675460841039694090166743012384692764348342465381884320797550502479470
114
266186656065097843768323718238581992271124361945688692453199415189641856
551491941320568383709359340351
Decrypted to number
882054190690688674192782416964482838912803791157796974758732467409211876
762669059660819403360239436951761334305710080268298109517276634338359028
629418378160961163408673545032119968673186121353501347854820327822144108
449051602056484494815225159865450685580339715227449142728997363170535801
924713159873398211075294032790310450907045584987250222253191206130195551
004924555860039011696944456005994386224565838136615514222386244013038154
6642249730146152812118016
115
The RSA Cryptosystem Application testing allowed us to reach the following conclusions:
The whole process, starting from the prime generation, continuing with the key
generation, the encryption of data and, finally, the data decryption, is reliable,
since the file boot.ini was encrypted and then successfully decrypted to an
identical file.
116
117
118
119
Key-generation log:
3) Encryption testing:
Note: For the encryption, we will be using the public key component of the key obtained
at the key generation testing and the file encode.exe as the file to be encrypted.
120
121
Encryption log:
Plain number
887658009923512448177096566588506019064245397302061357464554980517301230
501083117573284658643528768282678498107503927824127235870288471841368372
986121431983864472492008051894603767851531545041588192953142083489182898
906609595065623853475733434531683587007456901263341675445407795301195760
547458590866704498577243175204207700633870438957261246233626251814238897
5289682983965164931988763214155776334805988278272
Encrypted to number
483007008228219873829899902238964584096637539588939663034491964352581738
875779088776622083769657924381436022803847978975528424704029935631922654
248139130654725166182334586363829001586042213279161485934445145285576744
162475259037850601680212460132458134713859373176992884028677105551503082
481802914809884884173156786398698723006316477556873999451631208818927218
490832883528850149848749954112280150791538108532109062521013573284790204
52315223284000005621467822995
122
Plain number
230390953837795621315864343260983594345582788881673324457087403921245597
235810833293187178601804887311499926973162860281984111832428818227346073
140140336080188486235311967474345041855361639416655870061769439345740570
998171783013895075709415641092744334893537931356778231644369465625584911
936676213101431486706995380701995926797698863243512208755080604819862260
31906194843650665794185518543470704657430740992
Encrypted to number
533382393346692702758090740845315513464857018030991256133778712670547680
795516065716717989716619858015085064055102356008386301416258181898487994
099858668541786050694377794809210444068923856984512521786895432912077905
635319900801224904189238210870692206259230175682729180119044149998649770
053620003240030500563308537136288782703673067860731858568411773373994337
513308442514190985397453958319502706326566372644885192028137263588487876
29073061744736467271053340490
Plain number
698447937459492709496472146340593186526839584508897574948364862873968365
657588004375751039266457251771335887618443797557812416080561222116560752
843125738339389863131759698423295210708305875658480804067053331225581395
719985164789948207111982798902740033156889891191749355209812435806923046
381647288854748933130880402595010254432273065406032320507922143156865023
5132982777853313830253155438209705500906768650253
123
Encrypted to number
341858195308298897885932766092714144216681897348725524119544788544167048
244632056906099366629396552615431308927776248404865669690764747366697759
825559846461358498096078552651753523157634390818217877578630463990882977
449697273312440912703768463371541632791207746148727092710315203894956103
197092313052140613636871632814349429595725772035010242850201437591288465
386956546772124147996253581962911369414455941013635146439124908754850387
10789748610318163140636259807
Plain number
109552614542685840451852158253083577554052712894843129168598074645684106
636256151152338774689517723521703706336634661582764331707894644937005936
354926523974447473277279448614237031917010197277476103403324247038280408
517110742936331013562879433908389324969495920190155998428106322139126651
623888667148349395813630596920257048585385392591867976742020030442117103
17320606889253405956766828167688341494419738017716
Encrypted to number
399631374475041066810052133866542700536592745312399777654835088822049805
917984256474461757402884263309408624677749494115860120651794437619098634
971730085576182606743815886134890378899068473403393493359928396055250919
438031428223041256338359393041440364527172103605707078013978586657525600
805749843854722228418785554162425462508276147542370614994802415775088643
889379916183938376156686843973335625250144744137872055005458531172305340
39427478216552637359540850272
Plain number
300237884000300490070773100969335466675007838027364735247876320195086972
875714300531415998413068073458567456623426341475873989613618121430258660
124
912967507670673972106571728149082080326313496595670779672734162679511272
007775171541526010323932477289464733594222101524985960062168250650411979
351619670302071981716340134614369895226224641039231124420252808271799079
0747710872732357619471186914755302870252861259776
Encrypted to number
215898514742984573715272132863436335925968218793635803622397638814182429
519799553689782684321187235597664801813217722041074934725111580987773931
352215908391473339644754719759303754656437308761861927668058322578102999
605340471871933460450179110633144681372147482461792341685253500355574870
505801512889524022995253211366825570295323717179411808150941195228005216
195081752219113018269063660737458027197944661923576479553881646234724560
66729052163378758297286290201
125
4) Decryption testing:
Note: For the decryption, we will be using the private key component of the key obtained
at the key generation testing and the file encode.exe.Rabin as the file to be decrypted.
126
Decryption log:
Encrypted number
483007008228219873829899902238964584096637539588939663034491964352581738
875779088776622083769657924381436022803847978975528424704029935631922654
248139130654725166182334586363829001586042213279161485934445145285576744
162475259037850601680212460132458134713859373176992884028677105551503082
481802914809884884173156786398698723006316477556873999451631208818927218
490832883528850149848749954112280150791538108532109062521013573284790204
52315223284000005621467822995
Decrypted to number
887658009923512448177096566588506019064245397302061357464554980517301230
501083117573284658643528768282678498107503927824127235870288471841368372
986121431983864472492008051894603767851531545041588192953142083489182898
906609595065623853475733434531683587007456901263341675445407795301195760
547458590866704498577243175204207700633870438957261246233626251814238897
5289682983965164931988763214155776334805988278272
Encrypted number
533382393346692702758090740845315513464857018030991256133778712670547680
127
795516065716717989716619858015085064055102356008386301416258181898487994
099858668541786050694377794809210444068923856984512521786895432912077905
635319900801224904189238210870692206259230175682729180119044149998649770
053620003240030500563308537136288782703673067860731858568411773373994337
513308442514190985397453958319502706326566372644885192028137263588487876
29073061744736467271053340490
Decrypted to number
230390953837795621315864343260983594345582788881673324457087403921245597
235810833293187178601804887311499926973162860281984111832428818227346073
140140336080188486235311967474345041855361639416655870061769439345740570
998171783013895075709415641092744334893537931356778231644369465625584911
936676213101431486706995380701995926797698863243512208755080604819862260
31906194843650665794185518543470704657430740992
Encrypted number
341858195308298897885932766092714144216681897348725524119544788544167048
244632056906099366629396552615431308927776248404865669690764747366697759
825559846461358498096078552651753523157634390818217877578630463990882977
449697273312440912703768463371541632791207746148727092710315203894956103
197092313052140613636871632814349429595725772035010242850201437591288465
386956546772124147996253581962911369414455941013635146439124908754850387
10789748610318163140636259807
Decrypted to number
698447937459492709496472146340593186526839584508897574948364862873968365
657588004375751039266457251771335887618443797557812416080561222116560752
843125738339389863131759698423295210708305875658480804067053331225581395
719985164789948207111982798902740033156889891191749355209812435806923046
128
381647288854748933130880402595010254432273065406032320507922143156865023
5132982777853313830253155438209705500906768650253
Encrypted number
399631374475041066810052133866542700536592745312399777654835088822049805
917984256474461757402884263309408624677749494115860120651794437619098634
971730085576182606743815886134890378899068473403393493359928396055250919
438031428223041256338359393041440364527172103605707078013978586657525600
805749843854722228418785554162425462508276147542370614994802415775088643
889379916183938376156686843973335625250144744137872055005458531172305340
39427478216552637359540850272
Decrypted to number
109552614542685840451852158253083577554052712894843129168598074645684106
636256151152338774689517723521703706336634661582764331707894644937005936
354926523974447473277279448614237031917010197277476103403324247038280408
517110742936331013562879433908389324969495920190155998428106322139126651
623888667148349395813630596920257048585385392591867976742020030442117103
17320606889253405956766828167688341494419738017716
Encrypted number
215898514742984573715272132863436335925968218793635803622397638814182429
519799553689782684321187235597664801813217722041074934725111580987773931
352215908391473339644754719759303754656437308761861927668058322578102999
605340471871933460450179110633144681372147482461792341685253500355574870
505801512889524022995253211366825570295323717179411808150941195228005216
195081752219113018269063660737458027197944661923576479553881646234724560
66729052163378758297286290201
129
Decrypted to number
300237884000300490070773100969335466675007838027364735247876320195086972
875714300531415998413068073458567456623426341475873989613618121430258660
912967507670673972106571728149082080326313496595670779672734162679511272
007775171541526010323932477289464733594222101524985960062168250650411979
351619670302071981716340134614369895226224641039231124420252808271799079
0747710872732357619471186914755302870252861259776
130
The whole process, starting from the prime generation, continuing with the key
generation, the encryption of data and, finally, the data decryption, is reliable,
since the file encode.exe was encrypted and then successfully decrypted to an
identical file.
131
The diverse needs in quantifying computer behavior have led to the appearance of many types of
benchmarks, each measuring a particular quality or set of qualities of a system.
Based on the generality of the properties they quantify, benchmarks are split into [Hen07]:
component-level benchmarks, which measure the quality of certain hardware or
software components taken in particular, such as:
-
132
software components: operating system, database management system (TPCC), compiler, virtual machine
5.2.1 Justification
While not a goal all by itself, the development of a benchmark based on the computational profile
of public-key cryptography can be envisioned as a collateral benefit to implementing an
asymmetric-key cryptosystem.
Such a benchmark would be a processor core integer benchmark, belonging to the class of
hardware component-level synthetic benchmarks due to the following reasons:
133
Three out of the four operations (key generation, encryption and decryption) are fully
deterministic, therefore they require the same amount of computations for a given test
data, regardless of any external factors.
-bit
integer processor registers, ignores the eight double floating point registers and has a very
small (under 1 MB) memory footprint (not counting the GUI and the managed
environment). As the data required can be loaded from the disc prior to the tests
inception, the benchmark has no interference with the hard disc, nor with any devices
whose access to is controlled by the OS kernel. As such, the benchmark isolates the
desired processor core for a reliable testing experience.
Being by far the most demanding in terms of resource usage of the cryptographic operations,
while also belonging to the class of fully deterministic algorithms, the decryption protocol is the
operation of choice to be used by the benchmark, since, due to its lengthy execution, it
emphasizes the potential differences between processor cores speed, while, at the same time,
nullifying the possible inconsistencies caused by application overhead.
the benchmark, as most of the contemporary PCs are having a Microsoft Windows OS installed
and are capable of executing the .NET Framework 2.0.
Although the .NET Framework has been unofficially ported to some extent to other platforms
(the Mono Project on Linux), these conversions are not 100% compatible with the original
version, mostly because they are running on completely different operating system kernels.
Therefore, such platforms are not targeted by the application, since, in order to ensure a
consistent testing experience, a benchmark cannot hope to test a processor core speed in itself,
but, more likely, a processor core speed when running on a certain operating system architecture.
Benchmarking applications have traditionally been considered heavy-duty applications that need
to run as closely to the machine-level as possible. According to the aforementioned ideology, it
would seem rather strange to choose an intermediate language programming paradigm (.NET)
over native code-generating languages in a domain as demanding and needing extreme accuracy
as benchmarking. However, as it will be pointed out in the subsequent section, the .NET
Framework is not only a good choice, but the best choice for this purpose on the MS Windows
platform.
Aiming at the CPU ensures the best optimization (machine code generated specifically) for the
architecture the processor is based on, while addressing the Windows version ensures a smooth,
consistent experience of the application when running on different versions of the OS. This is
something that a native-code compiled application cannot hope to achieve.
135
As an example to illustrating the previously-stated theoretical point, the case of the GNU family
of native-code compilers (GCC, G++, GCJ, etc.) is exposed below, which is one of the most
remarkable portable compilers to date.
Moreover, specifying
athlon, athlon-tbird - AMD Athlon CPU with MMX, 3dNOW!, enhanced 3dNOW! and
SSE prefetch instructions support.
athlon-4, athlon-xp, athlon-mp - Improved AMD Athlon CPU with MMX, 3dNOW!,
enhanced 3dNOW! and full SSE instruction set support.
k8, opteron, athlon64, athlon-fx - AMD K8 core based CPUs with x86-64 instruction set
support. (This supersets MMX, SSE, SSE2, 3dNOW!, enhanced 3dNOW! and 64-bit
instruction set extensions.)
Observing these optimizations options, one can easily notice the broad range of processor
families supported. One the other hand, the developer of the applications targeting the GCC
compiler cannot know in advance which type of processor the user would possess. It has, thusly,
three choices in distributing his application, none of which are fully satisfactory, at least
compared to the .NET solution of on-the-spot fully-optimized compilation of intermediate code:
1) use the least common denominator of the optimizations (that is use the i686 processor
with the -march flag) and optimize for no CPU in particular. This way no processor gets
an advantage over the other, but, on the other hand, no processor executes at its full
potential. This solution seems equitable to all CPU architectures, but, in fact, it is limiting
to all.
2) use the i686 platform, but perform tuning settings for a particular processor family (such
as mtune=pentium4) that is expected to be prevalent among the users. This would allow
the Intel Pentium 4 architecture to obtain an unfair advantage over other CPUs, since, not
only would these run unoptimized, but would also have to overcome an improper
optimization.
3) supply the application in source code format and let the user compile it for its specific
configuration. While this is an acceptable solution for the Linux world, it is inadequate to
be used with the Microsoft Windows OS, where users expect binaries and may not even
have a compiler installed.
137
That is not to say that public-key cryptography (more specifically, the decryption protocol)
cannot be put to good use in testing multi-core processor systems by employing a certain degree
of concurrency (many threads running simultaneously), but reliably testing a single processor
core is a lengthy process (taking up to tens of seconds) and, obviously, accurate parallelization
testing would visibly increase this duration.
Since modern operating system kernels (including the Microsoft Windows NT-based OSs, the
officially supported hosts for the .NET Framework) are running tens of processes containing
hundreds of threads overall, it becomes clear that true parallel execution is all but impossible on
most of the systems in use nowadays. Thus, systems must employ at least a certain degree of
concurrency, regardless of the amount of processors (or processor cores) existing in their
underlying architectures.
The solution that most OSs have chosen to implement is the priority-based and Round-Robin
preemptive scheduling, which utilizes both external and internal means of establishing and
adjusting process and thread priorities. The granularity of this operation is at thread level, rather
than at process level, but process priority does contribute at defining the priority of its contained
threads.
As the benchmark is created for the Microsoft Windows platform it behooves us to expose the
process and thread scheduling mechanisms of MS Windows, although many concepts are
implemented similarly in the other contemporary operating systems of today, such as Linux, Sun
Solaris and Apple MacOS.
138
In the MS Windows OS, each process is given a priority at creation-time, that will influence the
priorities of its threads. These priorities, as made available through the Win32 API, are: [MSDN]
idle referring to processes whose threads run only when the system is in idle state. The
threads of these processes are preempted by any thread of a process having a higher
priority. An example of such a process would be the screen saver.
normal for processes with no special requirements in terms of scheduling.
high designed for processes that perform time-critical tasks and must be executed
without delay. The threads of these processes preempt the threads of other processes
belonging to a normal or idle priority class. Extra attention must be paid when assigning a
process high priority, because a high-priority class application can use almost all of the
available CPU time, leading to the starvation of other processes. A user desiring to run a
process with the high priority must possess administrative rights. A typical high-priority
process is the Windows Task Manager, which must allow for a quick response time,
irrespective of the overall load of the system.
real-time designated for processes that need the highest possible priority. The threads of
these processes preempt the threads of all other processes, including also system services.
Real-time processes must be used only as a last resort solution, because, when run for
more than a few milliseconds, they cause the whole system to become unresponsive. A
user wanting to run a process with the real-time priority must have administrative rights.
139
We need our benchmark application to run at the highest possible priority to ensure very reliable
results, without interfering with system services and other essential processes. As such, the
priority of the choice for the benchmark is the high process priority. A small drawback to this
decision is that the user of the application must be granted administrative privileges on the
system.
MS Windows lets the user define a priority value for any thread, through the Win32 API. This
value, together with the priority class of the thread's process, determines the thread's base
priority level. The operating system scheduler (dispatcher) may alter the thread priority within a
certain range of the base priority level. The priority values for threads are listed below: [Sol00]
idle - No CPU time slices will be assigned to this thread, unless all the other threads of the
process are in an idle state (waiting or blocked).
lowest significantly diminished priority
below normal reduced priority
normal Unless specific priority values are specified, any thread is given this priority
value at creation-time.
above normal slightly elevated priority
highest Such a thread receives the highest priority allowed, considering the priority
class of its containing process.
time-critical A thread belonging to this category monopolizes the processor time-slices
assigned to its parent process. This priority value is not made available through the .NET
Framework.
Considering that we require our benchmarking thread to run virtually uninterrupted (without
being subject to the Windows dispatcher), we must assign it the highest priority value. In
conjunction with the high process priority class, this should amount for minimal thread
preemption and, therefore, a reliable and consistent testing experience. However, since the .NET
Framework involves a managed execution environment, one must not make any assumptions as
to the bijective binding of managed threads to operating system threads. This correspondence
must be enforced explicitly.
140
Benchmark System
Start the benchmark
<<include>>
User
<<include>>
Request all the benchmark
results
141
Web
application
3rd Layer
2nd Layer
1 Layer
Data Model & Technical
Layer
142
Notes:
This architecture uses a relaxed layer interaction model, allowing the upper layer (UI) to
access the Data Model & Technical Layer for some of the operations.
Method calls from one subsystem (layer) to another can only be made by higher order
layers to lower order layers.
This is the package diagram for the processor benchmark desktop application.
<<application>>
ProcessorBenchmark
<<import>>
ResultsHandler
<<import>>
<<import>>
<<technical>>
BigIntegerImplementation
SystemInformation
143
144
Package ResultsHandler:
Package SystemInformation:
145
Package BigIntegerImplementation:
identical to the package having the same name from the RSA (Rabin) Cryptosystem
Application
: Results
Manager
: System
Information
User
Start
benchmark
Generate system
information
Get system
information
Decrypt data
146
<<device>>
Apache Web Server
<<device>>
Desktop PC
<<web application>>
ProcessorCoreBenchmarkR
esults.cgi
<<HTTP>>
<<desktop application>>
ProcessorBenchmark.exe
<<text file>>
ProcessorCoreBenchmarkR
esults.txt
147
1) Desktop application
start the processor core benchmark, which will test the performance of the first
CPU core, submit the result (using a POST request) to the web application and
also display the benchmark result inside the desktop applications GUI
view the overall benchmark results provided by the web application, while also
highlighting the current test result inside the web page (using a GET request), if
such a test has been performed during the applications execution
148
2) Web application
149
simply accessing the web page displays the results of all the benchmarks to date
sending a GET request to the web application, containing a particular test result
information, will signal the web application to render all the benchmarks results,
while highlighting the supplied result
sending a POST request to the web application, containing a new test result, will
trigger the web application to add it to its external benchmark results file
150
Conclusions
CONCLUSIONS
In the past 10 years, computer data security has become an ever-increasing concern to
governments, as well as companies and even end-users, since almost any information nowadays
is processed and stored in its electronic form, rather than using classical (traditional) means such
as pen & paper, dossiers, file cabinets, typewriters, etc. Even if sometimes information is
presented on traditional support (paper), it is still developed and maintained using electronic
devices.
In this context, it is the duty of cryptography not only to secure data for (indefinite) safekeeping,
but also to safely transmit important (sensitive) digital content over unsecured communication
channels. In an era of computer networks (physical or virtual) and the Internet, symmetric-key
cryptography cannot cope all-by-itself with the demands of secure digital systems. Therefore, in
modern-day data security systems, symmetric-key cryptosystems are coupled with public-key
cryptosystems, in an effort to solve the issues of safe symmetric-key exchange and for devising
of authentication (and non-repudiation) protocols.
The two computer applications (RSA Cryptosystem Application and Rabin Cryptosystem
Application) present a successful approach to securing limited amounts of data, as well as
providing a safe container for symmetric-key cryptosystem keys, that are about to be distributed
over unsecured communication channels. The power of the application resides in the strength of
its algorithms, the efficiency of its implementation and its large key size of 1536 bits, while its
accessibility is enhanced by the use of intuitive graphical user interface, suitable for users having
different levels of knowledge (or even no knowledge) of cryptography and its inherent protocols.
The processor core benchmark, which provides both the desktop benchmarking application
actually fulfilling the performance evaluation and the web application storing and revealing the
cumulated results of individual tests, has proven to be very reliable, allowing only minimal
fluctuations between the results of successive tests involving the same computer processor, as
well as establishing a processor core speed hierarchy that is in concordance with that of
prestigious computer hardware magazines.
151
152
References
REFERENCES
[Agr04] M. Agrawal, N. Kayal, N. Saxena, PRIMES is in P, Annals of Mathematics 160, 781793, 2004
[Bis03] D. Bishop, Cryptography with Java Applets, Jones and Bartlett Publishers Inc., 2003
[Cri06] S. Crivei, Computational Algebra: Lecture Notes, unpublished, 2006
[Elk07] R. El-Khalil, A. D. Keromytis, Hydan: Hiding Information in Program Binaries, The 9th
International Conference on Information and Communications Security (ICICS 2007),
Zhengzhou, China, 2007
[Han94] P. B. Hansen, Multiple-length Division Revisited: a Tour of the Minefield, Software Practice and Experience, vol. 24(6), 579601, 1994
[Hen07] J. L. Hennesy, D. A. Patterson, Computer Architecture: A Quantitative Approach,
Morgan Kaufmann Publishers, 2007
[Kob94] N. Koblitz, A Course in Number Theory and Cryptography Second Edition, SpringerVerlag, 1994
[Men96] A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC
Press, 1996
[Pan99] J. Pan, Software Testing, 18-849b Dependable Embedded Systems, Spring 1999
[Sch96] B. Schneier, Applied Cryptography, Second Edition: Protocols, Algorthms, and Source
Code in C, John Wiley & Sons, Inc., 1996
[Sol00] D. A. Solomon, M. E. Russinovich, Inside Microsoft Windows 2000, Microsoft Press,
2000
[Sta05] W. Stallings, Cryptography and Network Security Principles and Practices, Fourth
Edition, Prentice Hall, 2005
[Sti95] D. Stinson, Cryptography: Theory and Practice, CRC Press, 1995
153
References
154