
Commit

fixed problems with hash symbol
hi-im-buggy committed Oct 4, 2020
1 parent ad0dbee commit 52e0127
Showing 12 changed files with 382 additions and 12 deletions.
@@ -0,0 +1,61 @@
I"�<h2 id="elliptic-curves">Elliptic Curves</h2>
<p>These curves have the form $y^{2} = x^{3} + ax + b$.</p>

<p>For the purposes of cryptography, those elliptic curves are considered whose variables and coefficients are restricted to a finite field (either $Z_{p}$ or $GF(2^{n})$; we will consider only the former).</p>

<h2 id="elliptic-curves-over-z_p">Elliptic Curves over $Z_{p}$</h2>
<p>We consider the congruence $y^{2} \equiv x^{3} + ax + b$ (mod $p$), where $a$ and $b$ are constants in $Z_{p}$ such that $4a^{3} + 27b^{2} \not\equiv 0$ (mod $p$). This is equivalent to the set $E_{p}(a,b)$, consisting of solutions to the congruence together with the point at infinity $\mathfrak{O}$.</p>

<p>The number of points in $E_{p}(a,b)$ is denoted by $\mypound E$ and satisfies $p + 1 - 2\sqrt{p} \leq \mypound E \leq p + 1 + 2\sqrt{p}$.</p>

<p>A binary operation, called “addition” and denoted by $+$, is defined on $E_{p}(a,b)$. Under this operation, $E_{p}(a,b)$ forms an abelian group. Refer to slides (21 to 26) for details of addition, doubling, scalar multiplication and additive inverses of points.</p>

<h2 id="elliptic-curve-cryptography-ecc">Elliptic Curve Cryptography (ECC)</h2>
<p>ECC relies on the computational infeasibility of determining $k$ given $kP$ and $P$, even though it is relatively easy to determine $kP$ given $k$ and $P$. This is called the elliptic curve discrete logarithm problem (ECDLP).</p>

<h2 id="hierarchical-access-control-using-ecc">Hierarchical Access Control using ECC</h2>
<p>Refer to slides (32 to 34) for a general overview of hierarchical access control. In the system described by Chung et al., the security classes having higher clearance use publicly available information to determine the secret keys of any lower-clearance classes. Here and elsewhere, the terms “higher-clearance class” and “lower-clearance class” are equivalent to “predecessor class” and “successor class” respectively.</p>

<h3 id="relationship-building-phase">Relationship-building Phase</h3>
<p>The central authority or CA determines the hierarchical structure among the security classes and their relative clearances.</p>

<h3 id="key-generation-phase">Key Generation Phase</h3>
<p>First, a large prime $p$, an elliptic curve $E_{p}(a,b)$ and a function $m: E_{p}(a,b) \rightarrow \mathbb{Z}$ over $Z_{p}$ are selected.</p>

<p>For each security class $SC_{j}$, the CA now:</p>

<p><strong>Step 1.</strong> Assigns a base point $G_{j}$, a secret key $sk_{j}$ and a sub-secret key $s_{j}$.</p>

<p><strong>Step 2.</strong> Computes $s_{i}G_{j} = (a_{j,i},b_{j,i})$ for all predecessor classes $SC_{i}$ of $SC_{j}$. In other words, it computes the product of the base point with the sub-secret key of each of the higher-clearance classes. The resulting point is converted into a number $m(a_{j,i},b_{j,i})$ using the function $m(\cdot)$.</p>

<p><strong>Step 3.</strong> Computes a polynomial $f_{j}(x)$ using the above numbers as:</p>

<p>$f_{j}(x) \equiv \prod_{SC_{i} \geq SC_{j}} (x - m(a_{j,i},b_{j,i})) + sk_{j}$ (mod $p$). [*]</p>

<p><strong>Step 4.</strong> Sends $sk_{j}$ and $s_{j}$ through a secure channel and announces $p$, $m(\cdot)$, $G_{j}$ and $f_{j}(x)$ publicly.</p>

<p>[*] Note that the zeroes of $f_{j}(x) - sk_{j}$ are the numbers obtained from $s_{i}G_{j}$ using $m(\cdot)$.</p>

<h3 id="key-derivation-phase">Key Derivation Phase</h3>
<p>In this phase, a security class $SC_{i}$ finds the secret keys $sk_{j}$ of all successor classes $SC_{j} \geq SC_{i}$, i.e., all classes with lower clearance.</p>

<p>First it computes $s_{i}G_{j} = (a_{j,i},b_{j,i})$, i.e., multiplies its sub-secret key with the lower class’s base point. It converts this point to a number using $m(\cdot)$. This number is $m(a_{j,i},b_{j,i})$.</p>

<p>By the definiton of $f_{j}$, this number is a root of $f_{j}(x) - sk_{j}$, i.e., $f_{j}(m(a_{j,i},b_{j,i})) - sk_{j} \equiv 0$ (mod $p$). Therefore, $f_{j}(m(a_{j,i},b_{j,i})) \equiv sk_{j}$ (mod $p$), and $SC_{i}$ has found $sk_{j}$.</p>

<p><strong>Note.</strong> The function $m(x,y)$ is generally defined using a hash function as $m(x,y) = h(x \Vert y)$, where $\Vert$ is a bit concatenation operator. The intermediate $m(\cdot)$ was introduced in this description for convenience.</p>

<h3 id="an-example">An Example</h3>
<p>Let us assume that the CA has completed the relationship-building phase and the key generation phase. Further, suppose that $SC_{2}$ would like to find the secret key $sk_{5}$ of its successor class $SC_{5}$. Other predecessor classes of $SC_{5}$ are, say, $SC_{1}$ and $SC_{4}$.</p>

<p>Therefore, for $SC_{5}$, the CA has computed $s_{1}G_{5} = (a_{5,1},b_{5,1})$, $s_{2}G_{5} = (a_{5,2},b_{5,2})$ and $s_{4}G_{5} = (a_{5,4},b_{5,4})$. From these, the public polynomial $f_{5}$ is computed and announced: $f_{5} \equiv (x - m(a_{5,1},b_{5,1}))(x - m(a_{5,2},b_{5,2}))(x - m(a_{5,4},b_{5,4})) + sk_{5}$ (mod $p$).</p>

<p>Now, $SC_{2}$ needs to find $sk_{5}$. It does this using $s_{2}$ (which only it knows), $m(\cdot)$, $G_{5}$ and $f_{5}$ (which are public).</p>

<p>First, it computes $s_{2}G_{5} = (a_{5,2},b_{5,2})$. This is converted to a number using $m(\cdot)$ ( i.e., $m(a_{5,2},b_{5,2})$ is calculated) and substituted in $f_{5}(x)$.</p>

<p>By the definiton of $f_{5}$, this number is a root of $f_{5}(x) - sk_{5}$. Therefore, $f_{5}(m(a_{5,2},b_{5,2})) \equiv sk_{5}$ (mod $p$), and $SC_{2}$ has found $sk_{5}$.</p>

<p>It is clear the successor classes of $SC_{5}$ have no way to determine $sk_{5}$ using $f_{5}$.</p>

:ET
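Review bot: `\mypound` in "The number of points in $E_{p}(a,b)$ is denoted by $\mypound E$ ..." is not a standard LaTeX or MathJax macro, so unless the site's MathJax configuration defines it with `\newcommand`, the whole expression renders as an undefined-control-sequence error; the standard way to typeset a literal hash in math mode is `\#`, i.e. `$\#E$` and `$p + 1 - 2\sqrt{p} \leq \#E \leq p + 1 + 2\sqrt{p}$` (or `$|E|$`, which needs no special character at all). Two smaller points in the same hunk: "definiton" is misspelled twice (Key Derivation Phase and An Example), and the ordering notation is inconsistent: Step 3 takes the product over the predecessors of $SC_{j}$ written as $SC_{i} \geq SC_{j}$, but Key Derivation introduces the successor classes of $SC_{i}$ as $SC_{j} \geq SC_{i}$, which under the Step 3 convention would denote predecessors; the second should read $SC_{i} \geq SC_{j}$.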

This file was deleted.

@@ -0,0 +1,61 @@
I"�<h2 id="elliptic-curves">Elliptic Curves</h2>
<p>These curves have the form $y^{2} = x^{3} + ax + b$.</p>

<p>For the purposes of cryptography, those elliptic curves are considered whose variables and coefficients are restricted to a finite field (either $Z_{p}$ or $GF(2^{n})$; we will consider only the former).</p>

<h2 id="elliptic-curves-over-z_p">Elliptic Curves over $Z_{p}$</h2>
<p>We consider the congruence $y^{2} \equiv x^{3} + ax + b$ (mod $p$), where $a$ and $b$ are constants in $Z_{p}$ such that $4a^{3} + 27b^{2} \not\equiv 0$ (mod $p$). This is equivalent to the set $E_{p}(a,b)$, consisting of solutions to the congruence together with the point at infinity $\mathfrak{O}$.</p>

<p>The number of points in $E_{p}(a,b)$ is denoted by $# E$ and satisfies $p + 1 - 2\sqrt{p} \leq # E \leq p + 1 + 2\sqrt{p}$.</p>

<p>A binary operation, called “addition” and denoted by $+$, is defined on $E_{p}(a,b)$. Under this operation, $E_{p}(a,b)$ forms an abelian group. Refer to slides (21 to 26) for details of addition, doubling, scalar multiplication and additive inverses of points.</p>

<h2 id="elliptic-curve-cryptography-ecc">Elliptic Curve Cryptography (ECC)</h2>
<p>ECC relies on the computational infeasibility of determining $k$ given $kP$ and $P$, even though it is relatively easy to determine $kP$ given $k$ and $P$. This is called the elliptic curve discrete logarithm problem (ECDLP).</p>

<h2 id="hierarchical-access-control-using-ecc">Hierarchical Access Control using ECC</h2>
<p>Refer to slides (32 to 34) for a general overview of hierarchical access control. In the system described by Chung et al., the security classes having higher clearance use publicly available information to determine the secret keys of any lower-clearance classes. Here and elsewhere, the terms “higher-clearance class” and “lower-clearance class” are equivalent to “predecessor class” and “successor class” respectively.</p>

<h3 id="relationship-building-phase">Relationship-building Phase</h3>
<p>The central authority or CA determines the hierarchical structure among the security classes and their relative clearances.</p>

<h3 id="key-generation-phase">Key Generation Phase</h3>
<p>First, a large prime $p$, an elliptic curve $E_{p}(a,b)$ and a function $m: E_{p}(a,b) \rightarrow \mathbb{Z}$ over $Z_{p}$ are selected.</p>

<p>For each security class $SC_{j}$, the CA now:</p>

<p><strong>Step 1.</strong> Assigns a base point $G_{j}$, a secret key $sk_{j}$ and a sub-secret key $s_{j}$.</p>

<p><strong>Step 2.</strong> Computes $s_{i}G_{j} = (a_{j,i},b_{j,i})$ for all predecessor classes $SC_{i}$ of $SC_{j}$. In other words, it computes the product of the base point with the sub-secret key of each of the higher-clearance classes. The resulting point is converted into a number $m(a_{j,i},b_{j,i})$ using the function $m(\cdot)$.</p>

<p><strong>Step 3.</strong> Computes a polynomial $f_{j}(x)$ using the above numbers as:</p>

<p>$f_{j}(x) \equiv \prod_{SC_{i} \geq SC_{j}} (x - m(a_{j,i},b_{j,i})) + sk_{j}$ (mod $p$). [*]</p>

<p><strong>Step 4.</strong> Sends $sk_{j}$ and $s_{j}$ through a secure channel and announces $p$, $m(\cdot)$, $G_{j}$ and $f_{j}(x)$ publicly.</p>

<p>[*] Note that the zeroes of $f_{j}(x) - sk_{j}$ are the numbers obtained from $s_{i}G_{j}$ using $m(\cdot)$.</p>

<h3 id="key-derivation-phase">Key Derivation Phase</h3>
<p>In this phase, a security class $SC_{i}$ finds the secret keys $sk_{j}$ of all successor classes $SC_{j} \geq SC_{i}$, i.e., all classes with lower clearance.</p>

<p>First it computes $s_{i}G_{j} = (a_{j,i},b_{j,i})$, i.e., multiplies its sub-secret key with the lower class’s base point. It converts this point to a number using $m(\cdot)$. This number is $m(a_{j,i},b_{j,i})$.</p>

<p>By the definiton of $f_{j}$, this number is a root of $f_{j}(x) - sk_{j}$, i.e., $f_{j}(m(a_{j,i},b_{j,i})) - sk_{j} \equiv 0$ (mod $p$). Therefore, $f_{j}(m(a_{j,i},b_{j,i})) \equiv sk_{j}$ (mod $p$), and $SC_{i}$ has found $sk_{j}$.</p>

<p><strong>Note.</strong> The function $m(x,y)$ is generally defined using a hash function as $m(x,y) = h(x \Vert y)$, where $\Vert$ is a bit concatenation operator. The intermediate $m(\cdot)$ was introduced in this description for convenience.</p>

<h3 id="an-example">An Example</h3>
<p>Let us assume that the CA has completed the relationship-building phase and the key generation phase. Further, suppose that $SC_{2}$ would like to find the secret key $sk_{5}$ of its successor class $SC_{5}$. Other predecessor classes of $SC_{5}$ are, say, $SC_{1}$ and $SC_{4}$.</p>

<p>Therefore, for $SC_{5}$, the CA has computed $s_{1}G_{5} = (a_{5,1},b_{5,1})$, $s_{2}G_{5} = (a_{5,2},b_{5,2})$ and $s_{4}G_{5} = (a_{5,4},b_{5,4})$. From these, the public polynomial $f_{5}$ is computed and announced: $f_{5} \equiv (x - m(a_{5,1},b_{5,1}))(x - m(a_{5,2},b_{5,2}))(x - m(a_{5,4},b_{5,4})) + sk_{5}$ (mod $p$).</p>

<p>Now, $SC_{2}$ needs to find $sk_{5}$. It does this using $s_{2}$ (which only it knows), $m(\cdot)$, $G_{5}$ and $f_{5}$ (which are public).</p>

<p>First, it computes $s_{2}G_{5} = (a_{5,2},b_{5,2})$. This is converted to a number using $m(\cdot)$ ( i.e., $m(a_{5,2},b_{5,2})$ is calculated) and substituted in $f_{5}(x)$.</p>

<p>By the definiton of $f_{5}$, this number is a root of $f_{5}(x) - sk_{5}$. Therefore, $f_{5}(m(a_{5,2},b_{5,2})) \equiv sk_{5}$ (mod $p$), and $SC_{2}$ has found $sk_{5}$.</p>

<p>It is clear the successor classes of $SC_{5}$ have no way to determine $sk_{5}$ using $f_{5}$.</p>

:ET
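Review bot: replacing `\mypound E` with `$# E$` does not fix the rendering, so the commit message's "fixed problems with hash symbol" is only half true: in TeX and MathJax `#` is the macro-parameter character, and MathJax rejects it in math mode with "You can't use 'macro parameter character #' in math mode", so this version of the line fails just as the `\mypound` one does. Escape it as `\#E` (or write `$|E|$`). Everything else in this hunk duplicates the previous one, including the two "definiton" typos and the $SC_{j} \geq SC_{i}$ versus $SC_{i} \geq SC_{j}$ inconsistency, so those fixes need to be applied here as well.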
@@ -0,0 +1,69 @@
I"%<h2 id="introduction-to-cryptography">Introduction to Cryptography</h2>
<p>Cryptography is the study of mathematical techniques related to various aspects of information security.
Refer to slides for definitions of “adversary” (passive and active) and “channel” (secure and unsecure).</p>

<p>Encryption using the key $e$ and decryption using the key $d$ are represented as $E_{e}(\cdot)$ and $D_{d}(\cdot)$ respectively. The plaintext message is represented as $M$ and the ciphertext as $C$.</p>

<p>The aim in cryptography is for an encryption scheme to be unbreakable, i.e., for the problem of plaintext recovery (without prior knowledge of the key pair) to be computationally infeasible.</p>

<h2 id="symmetric-and-asymmetric-encryption">Symmetric and Asymmetric Encryption</h2>
<p>In symmetric-key encryption, the same key can be used for encryption as well as decryption. The key needs to be conveyed to the receiver via a secure channel for this form of communication.</p>

<p>In asymmetric-key encryption, however, there are two keys - a private and a public key. Each person has his or her own private key, known to no one else, and a public key, which is available to everyone. The private key can be used to decrypt a message encrypted using the public key, and vice versa. RSA is a common algorithm for asymmetric encryption.</p>

<h2 id="the-rsa-public-key-cryptosystem">The RSA Public-Key Cryptosystem</h2>
<p>This cryptosystem relies on modular arithmetic (specifically, Euler’s Theorem) and the computational infeasibility of factoring large numbers.
We will consider that Alice would like to send a message $M$ to her friend Bob.</p>

<p>The key includes a number $n$, which is the product of two large, distinct primes $p$ and $q$.
We know that $\phi(n) = (p-1)(q-1)$.</p>

<p>Both Alice and Bob have a private and a public key each. Their public keys are known to each other, while their private keys are not. Alice uses Bob’s public key $(e,n)$ to encrypt the message, and Bob decrypts it using his private key $(d,n)$.</p>

<p>$e$ and $d$ are numbers such that $d \equiv e^{-1}$ (mod $\phi(n)$), i.e., $ed \equiv 1$ (mod $\phi(n)$).</p>

<p>According to Euler’s Theorem,
if $gcd(a,n) = 1$, then $a^{\phi(n)} \equiv 1$ (mod n).</p>

<p>As $p$ and $q$ are both large primes, we take them both to be coprime to $M$, the plaintext message. Consequently, $gcd(M,n) = 1$.</p>

<h3 id="encryption">Encryption</h3>
<p>Alice raises the message $M$ to the power of Bob’s public key $e$ and takes the remainder modulo $n$ to obtain the ciphertext $C$, i.e.,</p>

<p>$C \equiv M^{e}$ (mod n).</p>

<h3 id="decryption">Decryption</h3>
<p>Bob receives the ciphertext $C$. To decrypt it, he raises it to the power of his private key $d$ and takes the remainder modulo $n$.</p>

<p>$C^{d} \equiv M^{ed}$ (mod n).</p>

<p>However, since $ed \equiv 1$ (mod $\phi(n)$), we know that $ed = k \phi(n) + 1$ for some $k$. Substituting this,</p>

<p>$M^{ed} = M^{k \phi(n) + 1}$</p>

<p>$= M^{k \phi(n)} \cdot M^{1}$</p>

<p>$= {(M^{\phi(n)})}^{k} \cdot M$</p>

<p>$\equiv 1^{k} \cdot M$ (mod n), by Euler’s Theorem and since $gcd(M,n) = 1$</p>

<p>$\equiv M$ (mod n).</p>

<p>Since $M &lt; n$, the above yields $M$ itself, and Bob has decrypted the message.</p>

<h3 id="an-example">An Example</h3>

<p>Let the message be encoded as a number, say $M = 6$.</p>

<p>Let $p = 13, q = 17$. Therefore $n = 221$ and $\phi(n) = 192$.</p>

<p>Suppose $e = 77$. Since $d = e^{-1}$ (mod $\phi(n)$), $d = 5$.</p>

<p><strong>Encryption.</strong> $C \equiv M^{e}$ (mod n) $\equiv 6^{77}$ (mod 221) $= 197$.</p>

<p>Hence $C = 197$ is the ciphertext.</p>

<p><strong>Decryption.</strong> $M \equiv C^{d}$ (mod n) $\equiv 197^{5}$ (mod 221) $\equiv 6$ (mod 221).</p>

<p>Hence the plaintext message $M = 6$ is retrieved and can be decoded to obtain the original message.</p>
:ET
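Review bot: the coprimality step ("As $p$ and $q$ are both large primes, we take them both to be coprime to $M$") is an assumption rather than an argument, and the decryption proof then leans on it through Euler's theorem. RSA decryption is correct for every $0 \leq M < n$: the congruence $M^{ed} \equiv M$ (mod $n$) can be checked modulo $p$ and modulo $q$ separately with Fermat's little theorem (trivially when $p \mid M$ or $q \mid M$) and combined with the Chinese Remainder Theorem, so the notes should either label the restriction as a simplifying assumption that fails only with probability about $1/p + 1/q$ for a random $M$, or give the CRT argument. Minor notation points in the same hunk: $n$ is left outside math in "(mod n)" on the Euler, encryption, decryption and example lines while "(mod $\phi(n)$)" is set in math, and "$d = e^{-1}$ (mod $\phi(n)$)" in the example should use $\equiv$ as the earlier definition does. The worked numbers check out: $5 \cdot 77 = 385 = 2 \cdot 192 + 1$, $6^{77} \bmod 221 = 197$ and $197^{5} \bmod 221 = 6$.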
@@ -0,0 +1,2 @@
I""<p>Prof. Ashok Kumar Das</p>
:ET
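Review bot: this two-line file, like the other hunks in the commit, carries the `I"…` header and `:ET` trailer of a Ruby Marshal-serialized string, which is what Jekyll writes into its default `.jekyll-cache/` directory for each converted Markdown fragment. Generated cache entries should not be committed: they are rebuilt on every `jekyll build`, and each content edit (such as this hash-symbol change) adds a new opaque file while leaving the stale one in place, which appears to be why the same Elliptic Curves notes occur twice in this commit. Suggest adding `.jekyll-cache/` to `.gitignore` and dropping the tracked copies with `git rm -r --cached .jekyll-cache`.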

0 comments on commit 52e0127
