Академический Документы
Профессиональный Документы
Культура Документы
2008
BABE-BOLYAI UNIVERSITY CLUJ-NAPOCA FACULTY OF MATHEMATICS AND COMPUTER SCIENCE DEPARTMENT OF COMPUTER SCIENCE
2008
To my fiance
ABSTRACT
Starting in the 50s, there has been a growing interest in securing sensitive digital data, for the purpose of storing it safely, as well as transmitting it securely over unsecured communication channels. To address some the drawbacks of symmetric-key cryptography (mainly the key distribution and authentication issues), Diffie and Hellman set the stage in 1976 for what became the standard entitled public-key cryptography. From the 90s on, the interest in digital data security has drifted also to the realm of non-governmental computing, that is companies and common computer users. This papers main goal is to deliver an accurate image on the concepts of data security and cryptography, by presenting the theory and applications of two of the fundamental public-key cryptosystems used nowadays, namely the RSA and the Rabin cryptosystems. To prove the usefulness and power of public-key cryptography from a practical standpoint, two software applications have been designed, one for each cryptosystem, that implement every algorithm inherent to the process of securing data (primes generation, key generation, encryption and decryption). Also, the paper promotes public-key cryptography as an efficient means of testing the speed of today's computer processors, due to the computational intensiveness of its underlying operations.
This work is organized into five chapters, as follows: Chapter 1 Introduction to Cryptography explains the basics of cryptography (terminology and the symmetric-key cryptography), in order to allow a smooth transition to the main topic of the paper, as well as provide the reader with an understanding of the reasons that made symmetric-key cryptography insufficient for modern-day data security tasks.
Chapter 2 Mathematical Foundations of Public-key Cryptography displays the mathematical background of public-key cryptosystems (Euclidean algorithms, modular arithmetic, modular equations and equation systems, primality testing), each mathematical model being tested against an example and then converted into a suitable computational algorithm. Chapter 3 Public-key Cryptosystems focuses on detailing the structure, algorithms and real-world applicability (encryption of small amounts of data, symmetric-key exchange and digital signatures) of two remarkable cryptosystems (RSA and Rabin), while relying on the mathematical background exposed in the previous chapter. Chapter 4 Implementing the RSA and the Rabin Cryptosystems covers the steps needed for developing a powerful and up-to-date public-key encryption software application for each cryptosystem (outline, analysis and design, implementation, testing), conforming strictly to the encryption security standards of today and even trying to surpass them in some respects. Chapter 5 Processor Core Benchmarking unlocks a rather innovative aspect of public-key cryptography, that of employing its underlying computationally-demanding algorithms as an effective way of assessing the relative performance of the processor cores of modern-day CPUs.
ii
TABLE OF CONTENTS
Chapter 1 - Introduction to Cryptography.................................................................................3 1.1 Preliminaries..................................................................................................................3 1.2 Symmetric-key cryptosystems......................................................................................9 Chapter 2 - Mathematical Foundations of Public-key Cryptography....................................18 2.1 One-way and trapdoor functions.................................................................................18 2.2 The Euclidean algorithms............................................................................................21 2.3 Modular arithmetic......................................................................................................24 2.4 Primality testing methods............................................................................................45 Chapter 3 - Public-key Cryptosystems......................................................................................54 3.1 The RSA cryptosystem................................................................................................54 3.2 The Rabin cryptosystem..............................................................................................63 3.3 Applications of the RSA and the Rabin cryptosystems...............................................73 Chapter 4 - Implementing the RSA and the Rabin Cryptosystems.......................................81 4.1 Use cases......................................................................................................................83 4.2 Subsystem model.........................................................................................................84 4.3 Package diagram..........................................................................................................85 4.4 Class diagram...............................................................................................................87 4.5 Sequence diagram........................................................................................................98 4.6 Explaining the implementation..................................................................................100 4.7 Revealing the applications functionality..................................................................106 Chapter 5 Processor Core Benchmarking...........................................................................132 5.1 The concept of benchmarking....................................................................................132 5.2 Benchmark development fundamentals.....................................................................133 5.3 Implementing the benchmark.....................................................................................141 Conclusions.................................................................................................................................151 References...................................................................................................................................153 1
communication channel
Alice
receives a message
Bob
Oscar
The story of Alice and Bob expresses the basic principles, foundations and challenges of cryptography using allegory and abstraction to set the framework for a formal, rigorous and systematic approach to the domain. Alice and Bob are apparently ordinary people, which have some interesting twists to their personalities: Bob is a stockbroker illicitly selling stock shares to speculators, while Alice is a speculator herself, this being her primary reason for talking to Bob. Besides being concerned on eavesdropping because of the illegality of their stock operations, Alice is worried about her husband not knowing her involvement in the stock scheme, while Bob is preoccupied on his other subversive enterprises not being discovered.
Alice communicates with Bob either by telephone or by e-mail. As they talk very often on the phone, the telephone service becomes increasingly expensive, coupled with Alice being overly miserly, one of Alices immediate goals is minimizing the cost of the phone call.
The telephone line connecting Alice to Bob is very noisy and prone to interferences as well as communication failure. Due to these difficulties, at some times, Alice and Bob can hardly communicate with each other. So Alice has to deal with network noise and failures.
It seems the pursuits of Alice and Bob are well-known to the Tax Authority and Secret Police, governmental organizations which both have almost limitless resources and always listen to the conversations between Alice and Bob. Because some of the favorite subjects of Alice and Bob involve tax fraud and the overthrowing of the government, Alice has to ensure the confidentiality of the conversation with Bob.
One of the tactics employed by the agents of the previously-mentioned organizations is to telephone Alice and pretend to be Bob. As Alice has never met Bob in person, another challenge arises for her, namely the identification problem.
To further complicate matters, there is also a trust issue between Alice and Bob, because of some previous deceitful behavior of Bob. As such, Alice has an extra authentication issue. [net01] 4
To summarize, for allowing Alice to successfully communicate with Bob, while taking into account the inherent communication protocols, cryptography must be powerful enough to:
maintain a minimal cost of equipment and active network connection retain information consistency even over a faulty connection ensure confidentiality of the information being passed across the channel securely identify and authenticate the protagonists
1.1.2 Terminology
Plaintext ( ) = a sequence of characters (either letters from the alphabet, numbers or bytes of data) that is in a form at which no effort has been made to render the information unreadable and thus, that can be easily read from and understood. [wiki]
Ciphertext ( ) = a sequence of characters (either letters from the alphabet, numbers or bytes of data) that is encrypted using an encryption algorithm. Plaintext cannot be deduced from properly encrypted ciphertext.
Key ( ) = a piece of information (or parameter) that controls the execution of a cryptography algorithm. A key can be used either for encryption (obtaining the ciphertext out of the plaintext), or decryption (obtaining the plaintext out of the ciphertext). In many cryptographic systems (see Public-Key Cryptography), the key for encryption and the one for decryption are not the same.
key
key
plaintext
encryption
ciphertext
decryption
plaintext
Cryptanalysis = (derived from the Greek krypts, "hidden", and analein, "to loosen" or "to untie") the studying and devising of methods and strategies to allow obtaining the meaning of encrypted data, without having access to the secret information used to generate the encryption. [wiki] In more formal terms, it means trying to compute the key that generated the encryption, having access to only the ciphertext. [Cri06]
Cryptology = the science encompassing both cryptography and cryptanalysis, which studies the security and safety behind data communication and storage.
Cryptosystem = a suite of notations and algorithms required to implement a particular form of encryption and decryption. [wiki] Formally, a cryptosystem can be defined as a 5-tuple (P, C, K, E, D): [Sti95] P is a finite set of possible plaintexts C is a finite set of possible ciphertexts K is a finite set of possible keys (the keyspace) E is a finite set of possible encryption functions (encryption rules) D is a finite set of possible decryption functions (decryption rules) K, there are: an encryption rule a decryption rule : P C, : C P, 6 E D
P should be efficiently
Notes on cryptosystems: In order to satisfy the fundamental constraint previously stated, the encryption function P C must always be injective. If P = C, each encryption rule and each decryption rule are permutations.
The following example uses the Caesar cipher, supposedly employed by the Romans during the time of Julius Caesar to send orders from Rome to military commanders on the field and back. It is a simple rotation cipher, in which each plaintext character is replaced by the the right, modulo the size of the alphabet. character to
Example: English alphabet enriched with character space shift to the right of 3 positions English alphabet enriched with character space to correspondence:
_
0
A
1
B
2
C
3
D
4
E
5
F
6
G
7
H
8
I
9
J
10
K
11
L
12
M
13
N
14
O
15
P
16
Q
17
R
18
S
19
T
20
U
21
V
22
W
23
X
24
Y
25
Z
26
Ciphertext: MXOLXVCFDHVDU
Steganography uses a supposedly harmless message cover (for instance, a digital picture) inside which it adds its message, overwriting the least-significant bit(s) of (some of) the bytes of the cover message. Therefore, the maximum length the hidden message can have, without spoiling its concealment, is directly proportional to the length of the cover message. [wiki]
The main drawback of steganography against cryptography is that the discovery of the information-hiding system used leads to steganography being utterly useless, while for cryptography the information regarding the encryption system used is already assumed to be known by an intruder.
Steganography might hold a significant advantage over cryptography in cases where even the acknowledged existence of the communication between parties poses a problem. [Sta05] 8
Modern steganographic techniques involve hiding the secret message inside: digital pictures (BMP, JPEG, TIF, PNG, PhotoCD file formats) digital music (WAV, MP3, OGG file formats) digital binary files (executables) [Elk07]
and decryption rules, respectively. The given cryptosystem is said to be symmetric-key, if for each key K depending on K, it is computationally knowing only . [Men96] Symmetric-
Since most of the symmetric-key cryptosystems employ the same plaintext and ciphertext spaces (P = C) and many the same function for both encryption and decryption ( (P = C), function , key K : (P = C)
K ), the term symmetric-key becomes completely justified. Such a is called an involution. [Men96] 9
: P P, where
Formalization of the XOR cryptosystem: P=C=K= , (1 byte = 8 bits) , and and , where the XOR, from the lowest to the
Example:
is a 1-byte key,
= (125)10 = (01111101)2
Plaintext:
Speed - of the two main types of cryptosystems in use today (symmetric-key and asymmetric-key), the symmetric-key is the fastest by a large margin. In terms of the practical computational intensiveness of its underlying operations, symmetric-key cryptography is considered hundreds of times less intensive than its asymmetrical-key counterpart. [wiki] Small key size - the key size for symmetric-key cryptosystems is several orders of magnitude smaller than the key size of asymmetric-key cryptosystems. [Cri06]
Disadvantages:
Key distribution problem - requires a communication channel that is both confidential and authentic to exchange the symmetric-key securely between parties. [Men96] To reduce the impact of being discovered by an opponent, the shared secret key should be changed regularly and kept secure during distribution and when in service. Also, it is to be noted that the number of keys required for communicating between parties increases dramatically with each new party being added to the communication network. As such, for a network of n users, the number of private keys required is . [wiki]
11
key source
secured channel
Opponent Oscar
A block cipher is a symmetric-key cryptographic scheme, in which the message (either plaintext or ciphertext) is split into blocks (groups) of equally-sized data. The operations to be applied on the message as a whole entity, are, in fact, reduced to the successive manipulation (for encryption or decryption purposes) of the blocks of data composing the message.
Most of the remarkable symmetric-key cryptosystems in use today utilize block ciphers (our two previous cryptosystem examples, namely the Caesar cipher and the XOR function, both operate on block ciphers). The flagship of block-cipher cryptosystems today is the AES (Advanced 12
Encryption Standard), embraced in 2001 by the National Institute of Standards and Technology (NIST) as the de-facto standard for protecting classified information in non-governmental systems. [wiki]
AES works with a block size of 128 bits and three candidate key sizes (of 128, 192 or 256 bits, respectively). Benefiting from a scalable key-size design, AES can be promoted as a cryptosystem appropriate for diverse security needs (128-bit key size for secret-level data, while 196 and 256-bit key sizes for top secret data).
...
Ciphertext block
Ciphertext block
...
Plaintext block
Plaintext block
13
A stream cipher is a symmetric-key cryptographic scheme, in which the message stream (either plaintext or ciphertext) is processed byte-by-byte (or bit-by-bit). [wiki] What sets stream ciphers apart from block ciphers, is that the encryption (and, consequently, decryption) rules are not restricted to using the same key for each iteration. Unlike in the case of block ciphers, where the key space K was, in fact, composed out of one-element key sets, for stream ciphers a key is made out of several (distinct) keys , , forming a keystream. K
The most widespread stream-cipher cryptosystem of today (including its variations) is RC4, employed in communication protocols such as SSL (Secure Socket Layer) and WEP (Wireless Encryption Protocol). Because of its age (since 1987), it no longer represents a good informationsecurity choice for modern needs, although some systems still using it are adequately secure for practical purposes. [wiki]
Working with stream ciphers can become a very profitable enterprise when the data buffer pool of the system is severely limited, plaintext comes in quantities of unknowable length, the amount of computations required to manipulate the data (for encryption or decryption) increases exponentially with the amount of data processed at once, or when error propagation issues are of concern to the system.
Key
Key
Plaintext byte
encryption
...
Plaintext byte
encryption
...
Ciphertext byte
Ciphertext byte
Key
Key
Ciphertext byte
decryption
...
Ciphertext byte
decryption
...
Plaintext byte
Plaintext byte
Fig.1.7 Stream cipher decryption diagram 1.2.4 A simple steam cipher encryption-decryption example
The following example uses the Vigenre cipher, a cryptosystem developed by the Italian mathematician Giovan Batista Belaso, published in the year 1553 A.D. and misattributed to Blaise de Vigenre. [wiki]
Example: English alphabet enriched with character space English alphabet enriched with character space to correspondence:
15
_
0
A
1
B
2
C
3
D
4
E
5
F
6
G
7
H
8
I
9
J
10
K
11
L
12
M
13
N
14
O
15
P
16
Q
17
R
18
S
19
T
20
U
21
V
22
W
23
X
24
Y
25
Z
26
and
Ciphertext: BRV_OSYN
The objective of an attack against a cryptosystem is deducing the plaintext from the ciphertext, or, even more dramatically, to recover the encryption-decryption key itself. Careful searching and identification of potentially secure cryptographic functions greatly reduces the chance of success of such attacks.
ciphertext-only attack - the opponent has access only to some ciphertext and is trying to deduce the encryption-decryption key or the plaintext solely by observing the ciphertext. This is the least efficient type of attack, and, should it succeed, the underlying cryptosystem is proven to be completely insecure. [Men96]
16
known plaintext attack - the intruder has a quantity of plaintext along with its corresponding ciphertext and tries to detect the encryption-decryption protocol employed. Such an attack is one step ahead in terms of efficiency to the ciphertext-only attack, although not by a significant margin. [Men96] chosen plaintext attack - the opponent has the opportunity to chose its own plaintexts and be given their corresponding ciphertexts in return. [wiki] chosen ciphertext attack - the adversary has access to the decryption equipment (but not to the decryption key) for a limited amount of time as is able to decrypt any ciphertext of its choosing. The goal of such an attack is to be able to determine the plaintext from ciphertexts after the access to the decryption equipment has been terminated. [Men96]
17
and decryption rules, respectively. The given cryptosystem is said to be public-key (or asymmetric-key), if for each key K and encryption-decryption pair depending on
K, it is computationally infeasible [Men96] (impossible for practical goals) to compute knowing only .
Although there are many contenders for the status of one-way function, the existence of one-way mappings has neither been proven nor dismissed, remaining as an open conjecture in cryptography theory. [wiki] The security of each of the public-key cryptosystems is based on the presumption of ininvertibility of the one-way function the cryptosystem is built upon.
18
Integer Multiplication function (revealing the Integer Factorization Problem) Let P be the set of all the prime numbers greater or equal to . Let map, where to compute natural number . Even for large primes be a
, it is reasonably easy
, but determing the unique decomposition of a large into the product of two distinct primes is a hard
computational problem. The Integer Factorization Problem is at the foundation of most of the one-way (trapdoor) functions utilized in public-key cryptography. Possible trapdoor (trivial): one of the primes factoring the number n.
. Such a number n is difficult to factor using pen-and-paper methods, although any contemporary computer would find its unique decomposition in negligible time. However, the computational cost required for factoring such a natural number increases exponentially with its size (number of digits). In 2005, a computer network employing 80 AMD Opteron processors needed several months to factorize a 663-bit (roughly 200 decimal digit) number [wiki].
RSA encryption function (revealing the RSA Problem) Let , , distinct primes, . Compute , such that . Let and , given , the and .
and (randomly) choose a natural odd number Determine , with the property that
. [Cri06] Even when choosing large numbers computation of , such that the number , then computing as is rather forthright, while finding an
not yet proven) that the computational difficulty of determining an inverse modulo
without knowing s decomposition into primes (the RSA Problem), is computationally equivalent to the Integer Factorization Problem. 19
, for
and
and
Rabin encryption function (revealing the Modular Square Root Problem) Let , , distinct primes, and a large given . Let , the computation of , such that is rather
is significantly more difficult. Possible trapdoor: one of the primes factoring the number , which leads to a computationally feasible solution. The Modular Square Root Problem is proven to be computationally equivalent to the Integer Factorization Problem [Cri06].
20
, for
and
. Then,
. Given such a number , it is remarkably difficult to determine the corresponding . , such that
Example: Compute .
We have: Therefore, .
Computational algorithm: Prototype: function Gcd(a, b) : result Input: a, b Output: Pseudocode: if (a < b) then temp := a a := b b := temp endif while (b > 0) do r := a mod b a := b b:=r endwhile return a 22
N N, result =
Using a bottom-up approach to the solution of the example from the Euclidean algorithm, we obtain: Therefore, , and .
Computational algorithm: [Cri06] Prototype: function ExtendedEuclid(a, b) : (d, u, v) Input: a, b Output: Pseudocode: if (a < b) then temp := a a := b b := temp endif u2 := 1; u1 := 0; v2 := 0; v1 := 1 23
N
and , such that
while (b > 0) do
is a set of subsets of
, having the
For convenience, we may use the standard notation , rather than , to denote the equivalence class of and the standard equality sign to denote the equivalence relation of , , we have , we can safely assume that .
24
Let
. Then, a number
, satisfying
is called the modular multiplicative inverse (or simply modular inverse) of modulo .
Properties: [Cri06] is invertible in which case is a field every is invertible is prime such that , in
Determining a modular inverse: Let Using the extended Euclidean algorithm, we can easily obtain . , , . Then, such that:
The problem is successively equivalent to: Applying the extended Euclidean algorithm, we get .
equation
Example: Solve the modular congruence equations: 1) , therefore the solution to the equation is:
26
3) , and, since whose general solution is: , thus, the final solution is: , the equation is equivalent to ,
Computational algorithm: Prototype: function ModularCongruence(a, b, n) : x Input: Output: either one of the following: the unique solution (no solution) the solution vector , with , to the equation to the equation
Pseudocode: d := gcd(a, n) if (d = 1) then x := (ModularInverse(a,n) * b) mod n else if (b mod d x := else y := ModularCongruence for k := 1 to d 1 do := endfor endif return x 0) then
27
, ,
and
, , for :
28
Computational algorithm: Prototype: function ChineseRemainder(r, a, n) : (x, N) Input: Output: (x, N), such that (x mod N) solves the system, or (no solution) vectors of size , with ,
existsSolution := false x := endif endfor endfor if (existsSolution = true) then N := 1 for i := 1 to r do N := N * endfor x := 0 for i := 1 to r do := := ModularInverse( , x := endfor endif return (x, N) mod N )
29
, can be very
time-consuming, using the traditional step-by-step multiplication (for e 1 multiplications) and applying the modulo after each multiplication (for e 1 modulo operations). A more powerful and time-conserving solution to this challenge is the repeated squaring modular exponentiation method.
Applying the repeated squaring modular exponentiation method: [wiki] 1) Convert the exponent e to binary notation, that is write the exponent as , 2) Using 1), write 3) , and
=
compute =
Steps: 1) 2)
3)
30
4)
Computational algorithm: [Sch96] Prototype: function ModularExponentiation(b, e, n) : result Input: b, e, n Output: result Pseudocode: if (b = 0) then result := 0 else if (e = 0) then result := 1 else while e > 0 if (e mod 2 = 1) then result := (result * b) mod n endif e := e / 2 b := (b * b) mod n endwhile endif return result ,n 2, b < n mod n
, result =
31
Legendre symbol: [Kob94] Let , , prime. We now introduce the Legendre symbol, denoted by ,
, thus:
32
Note: In order to decisively speed up the Legendre symbol calculation, instead of factoring the number into primes to be able to apply the law of quadratic reciprocity until the symbol , or one could use Eulers criterion to determine the symbols value, relying
evaluates to
2) Let
. Compute
33
N, p
3, p prime , result =
a := a mod p endif expr := ModularExponentiation(a, (p - 1) / 2, p) if (expr = p - 1) result := -1 else result := expr endif return result
Problem
Solve the following modular equation: , where quadratic residue modulo .
prime
has a solution we have , , . Also, because is odd, it becomes , because
34
The solution depends on the choosing of the prime , allowing the next 1) 2) 3)
cases:
Case 1) - using the Tonelli-Shanks algorithm [Cri06] 1) Uniquely write 2) Choose a random number residue modulo . 3) Compute 4) Compute 5) Determine 6) Compute One solution is . , until . . , , odd such that is a quadratic non-
35
a) At first, we notice that the corresponding Legendre symbol equation has a solution. Seeing that of the problem. 1) Writing 2) Testing for quadratic non-residues modulo is a quadratic non-residue modulo . . , therefore the
b) We begin by noticing that the corresponding Legendre symbol equation has a solution. Observing that , hence the
36
c)
We start by computing the corresponding Legendre symbol has a solution. Remarking that the problem. First, we compute solutions to the equation are: , consequently the , thus the equation
Computational algorithm: Prototype: function SolveCase1(a, p) : x Input: a, p solutions Output: one solution Pseudocode: t := p - 1 s := 0 while (t mod 2 = 0) do t := t / 2 s := s + 1 endwhile d := 2 37 to the equation , p 3, p prime, , the equation has
dFound := false while ( (d < p) and (dFound = false) ) do if (ComputeLegendreSymbol(d, p) = -1) then dFound := true else d := d + 1 endif endwhile A := ModularExponentiation(a, t, p) D := ModularExponentiation(d, t, p) DInverse := ModularInverse(D, p) k := 0 powerFound := false while ( (k < Power(2, s - 1)) and (powerFound = false) ) do if (ModularExponentiation(DInverse, 2 * k, p) = A) then powerFound := true else k := k + 1 endif endwhile Dk := ModularExponentiation(D, k, p) x := (ModularExponentiation(a, (t + 1) / 2, p) * Dk) mod p return x
Computational algorithm: Prototype: function SolveEquationModP(a, p) : x Input: a, p , p 3, p prime, the equation has solutions , x1, x2
38
if (p mod 8 = 1) then x1 := SolveCase1(a, p) else if ( (p mod 8 = 3) or (p mod 8 = 7) ) then x1 := ModularExponentiation(a, (p + 1) / 4, p) else if (ModularExponentiation(a, (p - 1) / 4, p) = 1) then x1 := ModularExponentiation(a, (p + 3) / 8, p) else x1 := ( (2 * a) * ModularExponentiation((4 * a), (p - 5) / 8, p) ) mod p endif endif endif x2 := p - x1 return x = (x1, x2)
prime,
The starting point for solving such an equation is knowing the solution to the equation . Consider apply the following algorithm: one of the solutions of the previous modular equation. We then
one solution is one solution is chosen such that (depending on ) satisfies the equation , , . ,
39
Therefore, the previously-stated algorithm has at most the equation solution and on ,
known from the beginning. The final solution, depending on the for , is:
We know from the preceding examples that one solution to the equation is . . Let us begin the algorithm to determine the solution to the equation
are:
Computational algorithm: Prototype: function SolveEquationModPT(a, t, p) : x Input: a, t, p ,t 2, p 3, p prime, the equation has solutions ),
Output: the solution vector (x[t, 1], x[t, 2]) to the equation x[t, 1], x[t, 2] Pseudocode: 40
(x[1,1], x[1,2]) := SolveEquationModP(a, p) currentPower := p modularPower := p * p index := 2 while (index k := 0 kFound := false while ( (k < p) and (kFound = false) ) do possibleValue := x[index - 1, 1] + k * currentPower if (ModularExponentiation(possibleValue, 2, modularPower) = a) then x[index, 1] := possibleValue kFound := true else k := k + 1 endif endwhile x[index, 2] := modularPower - x[index, 1] currentPower := modularPower modularPower := modularPower * p index := index + 1 endwhile return (x[t,1], x[t,2]) t) do
composite
. Then, solving this
type of equation is reduced to: 1) Verifying that, for each equation modulo , otherwise the equation , , is a quadratic residue
41
3) Determining the solution where 4) Obtaining the final solution modulo previous solutions (
to each equation
to the equations
1) We now check if the following equations are solvable: equation has a solution . Because equation admits a solution is a quadratic residue modulo , the . Since is a quadratic residue modulo , the
2) We now move on to solving the equations: at a previous example) is Hence, the solution to this equation is . Since , one solution of the equation . has the solution (solved
4) There are
Theorem, each having one solution. The solution to our main equation is the union of these separate solutions.
and
43
Computational algorithm: Prototype: procedure BackTrackSolutionsModN(m, n, x, equationIndex, solutionIndex, xFinal) Input: a set of primes such that vector of size (m, 2), with x[i,1], x[i,2] is the solution vector to the equations equationIndex is the index of the equation generating a solution solutionIndex is the index of the solution inside the vector xFinal , xFinal[j] , xFinal[j] < n, , x[i,1], x[i,2] , ,x
Output: the solution vector xFinal of size Pseudocode: if (equationIndex > m) then
xFinal[solutionIndex] := ChineseRemainder(m, solution, n); solutionIndex := solutionIndex + 1 else for i := 1 to 2 do solution[equationIndex] := x[equationIndex, i] call BackTrackSolutionsModN(m, n, x, equationIndex + 1, solutionIndex, xFinal) endfor endif
44
Computational algorithm: Prototype: function SolveEquationModN(m, n, x) : xFinal Input: a set of primes such that vector of size (m, 2), with x[i,1], x[i,2] is the solution vector to the equations Output: the solution vector xFinal of size Pseudocode: solutionIndex := 1 call BackTrackSolutionsModN(m, n, x, 1, solutionIndex, xFinal) return xFinal , xFinal[j] , xFinal[j] < n, , x[i,1], x[i,2] , ,x
is prime. It is important to distinguish between primality testing and integer factorization testing. Although in the case of nave primality tests, the integer factorization is implicit, competent primality tests do not involve the decomposition (if any) of the candidate prime into its proper factors.
Types of primality tests: [wiki] nave (inefficient deterministic methods) - trial division, Sieve of Eratosthenes slow deterministic methods (requiring exponential time) - cyclotomy test, elliptic curve primality test fast deterministic methods (requiring polynomial time) - AKS primality test [Agr04] probabilistic methods (requiring polynomial time) - Fermat, Solovay-Strassen, MillerRabin primality tests
For cryptography purposes, the fastest and most efficient primality tests are the probabilistic ones (with the Miller-Rabin test being the most effective), their downside residing in the fact that, regardless of the number of test iterations applied on the candidate prime, the candidate number 45
cannot be proven to be prime with 100% confidence, although its compositeness (if any) can be established with absolute certainty.
Eulers totient function. [Cri06] Eulers totient function properties: [Cri06] 1) if 2) if p is prime, 3) if 4) if , p prime, , ,
46
Fermats little theorem [Men96] Let , prime and . Then, . Fermats little theorem is a is a prime number, and, by applying the . particular case of Eulers totient theorem, in which property 2) of Eulers totient function, we obtain Fermats primality test Let , . If , then is prime.
Let
. Then,
passing the Fermat test for a given base . The probability of a composite number Fermats tests for different bases is at most
Fermats tests, the probability that the tested number is prime is at least
A defining weakness of Fermats test are the Carmichael numbers. A natural composite number is called a Carmichael number, if it passes Fermats test for any base . It has been proven that, for a large-enough , the number of Carmichael numbers less than is greater than
, and, as a
consequence to this fact, that the set of Carmichael numbers is infinite [Men96].
Distinguishing the Carmichael numbers Let , odd and composite. Let . if if , for some and , then is not a Carmichael number , then is a Carmichael number be a set of primes, such that
, for every
47
Carmichael number example: Let . Let and Fermats primality test example: Let 1) 2) 3) 4) 5) 6) Seeing that, for 6 bases of our choosing, the number primality test, we can conclude that . has passed Fermats , such that . Therefore, . Also, is a Carmichael number. ,
Let 1) The number conclude that failed Fermats primality test for the base is not a prime, with complete confidence. , therefore we can
N, n
3, k
Output: res complete certainty) or prime Pseudocode: for i :=1 to k do Randomly choose a, 1 < a < n - 1
, corresponding to
result := ModularExponentiation(a, n - 1, n) 48
if (result
1) then
Miller-Rabin primality test Let , be an odd number, . If either: . Uniquely express as , , odd. Let
, or
, if either
. Regarded from a distinct perspective, the Miller-Rabin test for a given base passing the Miller-Rabin test for
different bases
different Miller-Rabin tests, the probability that the tested number is prime is at least .
49
Miller-Rabin primality test example: Let 1) 1. 2. 3. 4. 5. 2) 1. 2. 3. 4. 5. 6. 3) 1. 2. 3. 4. 5. Observing that our number bases, we can infer that . 1) 1. has passed the Miller-Rabin test for 3 different is a prime, with a probability of at least
Let
50
2. Seeing that our number can claim that has failed the Miller-Rabin test for the base , we
Output: res complete certainty) or prime Pseudocode: Write for i :=1 to k do Randomly choose a, 1 < a < n - 1 , r,s
*
, corresponding to
, r odd
result := ModularExponentiation(a, r, n) if ( (result j :=1 while ( (j s - 1) and (result n - 1) ) do 1) and (result n - 1) ) then
51
Speed. The Miller-Rabin average-case amount of computations is much smaller than Fermats, becoming approximatively equal to Fermats amount of computations only for the worst-case.
The algorithms for both tests employ operations of the same computational complexity.
Both tests can determine composite numbers with absolute certainty. Since the set of strong liars (bases for which a given composite number passes the Miller-
Rabin test) is a narrow subset of the set of Fermat liars (bases for which a given composite number passes Fermats test), the Miller-Rabin test generally requires in order to prove its
a smaller amount of bases, to be tested against a number compositeness, than Fermats. Fermat liars for
Fig. 2.4 Relationship between the Fermat and the strong liars for any composite number [Men96]
52
is a prime, is, for both tests, directly . However, since the for the Miller-Rabin test
for Fermats test, it becomes clear that the Miller -Rabin test
requires only half of the bases Fermats test would need in order to achieve the same confidence on the primality of .
53
, function. 3) Select a random number 4) Determine , . 5) The keys are: the public key: the private key: ,
, where
54
Encryption Summary: Entity encrypts a message , using the public key received from entity .
from . , .
Decryption Summary: Entity decrypts the encrypted message from . . received from , using the private key .
Reliability of the decryption algorithm We need to prove that enough to prove that: . Since and are primes, , it is
is a multiple of , therefore .
and, consequently, if , we apply Fermats theorem and obtain . The same reasoning can be applied analogously for proving that
55
Example: English alphabet enriched with character space English alphabet enriched with character space to
_
0
correspondence:
Q
17
A
1
B
2
C
3
D
4
E
5
F
6
G
7
H
8
I
9
J
10
K
11
L
12
M
13
N
14
O
15
P
16
R
18
S
19
T
20
U
21
V
22
W
23
X
24
Y
25
Z
26
The plaintext
is split into blocks of length , while the ciphertext is divided into blocks
Encryption (using
Decryption: Ciphertext: _MBAQG Splitting: _MB / AQG Numerical correspondence: Plaintext: rsa rs a_ _MB AQG ):
Decryption (using
efficient algorithm for determining the proper factors of a given composite number. or if, as an extra acquired information, the opponent also knows the decryption exponent , he/she can easily factor because as follows: , for certain
57
since have
, such that
odd
after finding a number , satisfying the previous relations for a single chosen number , , a proper factor of is revealed as
until is
the conditions above are fulfilled. The expected number of trials until factored is .
[Men96]
In order to speed up the encryption process (by reducing the amount of operations involved), one can select a small encryption exponent to be used for each encryption.
However, let us consider the case in which the same plaintext message sent to , destinations using the same encryption exponent , but . An eavesdropper intercepting messages out of the
is encrypted is ,
distinct moduli
sent messages is
, , with
By applying the Chinese remainder theorem, one obtains a solution . Since and, as such,
58
There are two solutions to this issue: refraining from using small encryptions exponents, like ones, an usual choice being salting the message , that is appending a distinct and appropriately long , in favor of larger
3) Forward search attack If a ciphertext message is very short and/or predictable, an eavesdropper can decrypt it , until is obtained. Such an attack
[Cri06] is a small number (the most natural case) and is less than of the size of the modulus , there can be determined knowing
exists an algorithm through which the decryption exponent only the public key .
Such a situation can be avoided by choosing at first the decryption exponent , such that size of the modulus and s number of digits exceeds
, of the ,
, such that
5) Adaptive chosen ciphertext attack [Cri06] Let that be plaintext messages, whose correspondent ciphertexts are . . We know
having access to the decryption equipment for a timespan and being able to decrypt any chosen ciphertext, other than itself, without posessing the decryption key . This attack , conceal the ciphertext as
and present it to the decryption machine. In turn, the decryption machine provides the opponent with which the adversary determines the plaintext message as . , out of
To prevent such attacks, some structural constraints should be placed upon the plaintext messages. If a decrypted plaintext encryption violates any of the imposed constraints, its
6) Common modulus attack [Cri06] If a central trusted authority designates a single public key modulus encryption-decryption exponent pair situations may arise: any entity in the network can easily factor , since knowing the private key a public-key pair allows the user to easily factor in the network for and one distinct
sent to at least two different entities has a change to decrypt the message as follows:
If we get
, then, using the corollary to the extended Euclidean theorem, , for some . Hence, we have:
Because, with a high probability, always able to decrypt the plaintext keys .
Both of the previously presented situations can be avoided by providing each entity in the network with a unique modulus .
60
7) Cycling attacks [Cri06] Let message space be a ciphertext. Since an encryption is, in fact, a permutation on the , . As such, finding a private key . such that for which and, consequently, means obtaining the
and, as any factorization algorithm to this day, needs exponential time to succeed. Therefore, for a sufficiently large modulo , this type of attack does not push a problem to RSA.
8) Message concealing [Men96] A message may be considered unconcealed if and the encryption exponent ). If and . Regardless of the , there are always some is either
these unconcealed messages is negligibly small, so they do not pose a threat to the security of RSA.
factorization into primes. Considering the rapid improvement in computer technology, using even the previously-considered suitable 768 bit (96 bytes) modulus has become a rather risky enterprise.
The primes
and , whose product is the modulus , should be of roughly the same size, is not very small, otherwise could be factored by
61
trial division by all the natural numbers close to generally eliminates this problem.
. Random choosing of
and
and
used to factor
the modulus , the random prime generation should be intractable. The best solution to this would be using a true random generator (such as a device to measure the radioactive decay of uranium atoms). To avoid salting the message (required when using small encryption exponents like
), one could use a somewhat larger, but still computation-wise efficient encryption exponent (like modular multiplication). If, due to the choosing of the encryption exponent has the size less than selection of , the decryption exponent , then, either the is of , which only requires modular squarings and one
appropriate size, or a sufficiently large decryption exponent the encryption exponent The size of the message integer -th order root of computed as .
should be large enough, in order to foil attempts to extract the , that is:
The size of the message may be increased through salting to reach the required length.
Although speed in not quite the concern for RSA as it is for symmetric-key cryptosystems, efficient polynomial-time algorithms should be used for all the operations involved in the process: key generation - the Miller-Rabin primality test (to check if a randomly generated number is prime) (see 2.4.2), the extended Euclidean algorithm (to compute the decryption exponent exponent modulo ) (see 2.3.1) 62 as the inverse of the encryption
encryption
and
decryption
the
repeated
squaring or
modular )
1) Generate two random and distinct prime numbers, 2) Compute 3) The keys are: the public key: the private key:
Encryption Summary: Entity encrypts a message from . , . , using the public key received from entity .
63
Decryption Summary: Entity . 1) Receive the ciphertext from . , , , satisfying , decrypts the encrypted message received from , using the private key
, such that ,
Example: English alphabet enriched with character space English alphabet enriched with character space to
_
0
correspondence:
Q
17
A
1
B
2
C
3
D
4
E
5
F
6
G
7
H
8
I
9
J
10
K
11
L
12
M
13
N
14
O
15
P
16
R
18
S
19
T
20
U
21
V
22
W
23
X
24
Y
25
Z
26
The plaintext
is split into blocks of length , while the ciphertext is divided into blocks
rab in_ ):
Encryption (using
Decryption: Ciphertext: _QAE_LFN Splitting: _QAE / _LFN Numerical correspondence: _QAE _LFN ):
Decryption (using
Plaintext: rabin
65
More formally, let us consider the initial message , where redundancy to the message matching the last digits of before replication: after replicating the last digits of : , one adds , as follows: are the
as
. To add a ,
Put differently, one observes that replicating the last digits of the representation of -digit size redundancy) can be seen as: , where replicated. is the message before replication and is the message after its last
(adding a
digits were
. When the decryption is performed, the user can easily distinguish which of the four messages is the message , by selecting the only message of the four with
matching redundancy. After the solution has been found, the redundancy is removed as follows: , where is the initial message, prior to the applying of the redundancy, while is the message
Note: 1) To ensure that only one of the messages has matching redundancy, the added redundancy should be long enough to avoid ambiguity. Todays standards impose a redundancy of at least 64 bits. 2) To allow the use of redundancy, the initial message accommodate a -digit replication, that is: , where If the initial message and is the size of the modulus must be small enough to
is too long for such a purpose, it can be split into two messages
66
the message
Example: English alphabet enriched with character space English alphabet enriched with character space to
_
0
correspondence:
Q
17
A
1
B
2
C
3
D
4
E
5
F
6
G
7
H
8
I
9
J
10
K
11
L
12
M
13
N
14
O
15
P
16
R
18
S
19
T
20
U
21
V
22
W
23
X
24
Y
25
Z
26
redundancy of
decimal digits is split into blocks of length , while the ciphertext is divided into
):
Encryption (using
Decryption: Ciphertext: EOYPBFZMETJH Splitting: EOYP / BFZM / ETJH Numerical correspondence: EOYP BFZM ETJH ): is
Decryption (using
4 possible roots: the only value to match the replication 4 possible roots: only value to match the replication 4 possible roots: only value to match the replication
is the
is the
Plaintext: rabin ra bi n_
68
knowing only the public key , is faced with the modular square root problem. The only known efficient algorithm to determine out of the equation requires s decomposition into primes and, as such, the modular square root problem is equivalent in terms of difficulty to the integer factorization problem.
2) Small encryption exponent Let us consider the highly probable situation (much more so than in the case of RSA) in which the same plaintext message moduli , , is encrypted is sent to entities, using messages out of the distinct sent
. An eavesdropper intercepting
We can remark that, in most of the real-life situations, Chinese remainder theorem, one obtains a solution and, as such, , with
There is but a single workaround to this situation, namely salting the message
, that is
appending a distinct and appropriately long pseudorandom bitstream, prior to each encryption modulo .
3) Forward search attack As in the case of RSA, a ciphertext message that is very short and/or predictable can be , until
is obtained. Such an attack is generally not an issue to the Rabin cryptosystem, as the salting of messages prior to their encryption is mandatory (see also 2)). 69
4) Chosen ciphertext attack [Men96] To be able to mount such an attack, an opponent having access to the decryption machine (but not to the decryption key) encrypts a plaintext ciphertext assumption: The decryption machine returns all of the four possible plaintexts . The opponent searches for a plaintext having the property message , , , as and sends the
to the decryption machine. Two situations may arise, following the previous
The decryption machine returns only one (probably the smallest root) of the four possible plaintexts, namely the plaintext property determined as . If the received plaintext fulfills the can be
encrypting a chosen plaintext and sending it to the decryption machine to be decrypted is repeated, until can be factored.
To deter such attacks from being successful, it is enough for the decryption machine to request the existence of a redundancy in any plaintext , prior to its encryption. , the decryption of its
If the redundancy has indeed been added to the plaintext corresponding ciphertext
plaintext that he/she encrypted. If the redundancy has not been added by the adversary, the machine fails to distinguish the correct plaintext and disregards the ciphertext submitted as fraudulent or damaged.
5) Adaptive chosen ciphertext attack Let that be plaintext messages, whose correspondent ciphertexts are . . It is known
70
Assuming that an opponent who has access to the decryption equipment for a period of time desires to decrypt the cyphertext chosen ciphertext, other than random number , while being able to decrypt any
to the decryption machine. In return, the decryption machine gives the opponent the decryption of , that is plaintext message as , out of which the opponent computes the . For this type of attack to succeed, the use of
redundancy to distinguish between the four roots of the modular squaring equation is necessary.
To avoid such attacks, some structural constraints should be placed upon the plaintext messages. If a decrypted plaintext encryption violates any of the imposed constraints, its
choosing of the modulus , there are always some unconcealed messages ( and
insignificantly small, posing no real threat to the security of the Rabin cryptosystem.
factorization of large integers, the constraints regarding the size of the modulus are the same as in the case of RSA.
As in the case of RSA, some care must be taken when choosing the primes whose product is the modulus . should not be very small, otherwise and
and ,
71
. Random choosing of
and
Considering the significant amount of extra decryption computations (the Tonelli-Shanks algorithm - see 2.3.5.2) when using a modulus with a prime factor , the
random prime generation algorithm should eliminate primes having such a form.
and
factoring the
modulus , the random prime generation should be intractable. The best answer to this issue would be relying on a true random generator (such as a device to measure the atmospheric noise at a given time). Any message plaintext that is to be encrypted using the Rabin cryptosystem should have a redundancy of at least 64 bits in order to be able to easily discern between the four message plaintexts obtained at decryption, so that no more than one message has the expected redundancy. Although not a general issue to the RSA, salting any message (regardless of its initial length) is of the utmost importance to the security of the Rabin cryptosystem, since, more often than not, the same message using different moduli can be encrypted and sent to at least two destinations,
(see 3.2.5.2)). In this case the salt must not necessarily be . A good size for the mandatory salt of any Rabin-
random, but differ for each modulus encrypted message would be 64 bits. The size of the message
added) should be large enough, in order to make attempts to extract the integer square root of impossible, that is:
The size of the message required length. may be increased through extra salting, for it to reach the
72
Even if speed might be regarded as a second-rate concern to the Rabin cryptosystem (as public-key cryptography is much slower than symmetric-key cryptography, anyway), efficient polynomial-time algorithms ought to be used for all the operations involved in the process: key generation - the Miller-Rabin primality test (to check if a randomly generated number is prime) (see 2.4.2)
decryption - the algorithm for solving a modular squaring equation, depending on the decomposition of the modulus (see 2.3.5) into its proper factors
key distribution issue - Prior to being able to communicate securely over insecure channels (by using data encryption), the participants were forced to rely on the exchange of the encryption-decryption keys using secure channels, other than the ones used for the actual communication.
authentication problem - Symmetric-key cryptography did not provide any means of authenticating the parties involved in the communication, neither did it offer any insight as to the data integrity of the transmitted message. However, since the public-key cryptosystems are several orders of magnitude (hundreds of times, to be computationally precise) slower than symmetric-key cryptosystems, public-key cryptosystems cannot actually supersede the symmetric-key ones. As such, the role of public-key cryptography is restricted to providing auxiliary support to existing symmetric-key cryptosystems. Consequently, the real-life applications of public-key cryptography might be resumed as follows: 73
encryption of small amounts of data - The large disparity in terms of speed between the public-key cryptography and its symmetric-key counterpart becomes non-essential when small amounts of data are to be encrypted and decrypted. If such data is subjected to transmission over an unsecured connection, then public-key cryptography (like RSA or Rabin) becomes the only reasonable choice. Such situations mainly involve banking transactions over the Internet, when the user provides the transactions front-end (the website) with his/her confidential banking account (or credit card) credentials.
exchange of keys of symmetric-key cryptosystems - A central authority of a computer network, be it either a LAN (local area network) or a virtual network (built of computers connected over the Internet), might deem necessary to distribute a common symmetrickey cryptosystem key (like an AES key) to all of its subjects. Such a key would then be used for securing (by encrypting) any future communication between the parties in that network. Although in its later stages, such a scenarios success would only depend on the security of the symmetric-key cryptosystem involved, until the symmetric-key reaches each of its desired destinations, the scenarios security depends heavily on the public-key cryptosystem used. The steps required for such an undertaking are: The central authority generates a symmetric-key cryptography key for any secure data exchange between the parties of the network. Each protagonist (party) , in the network (other than the central to be used
authority itself) generates its own public-key cryptography key (containing a public-key and a private key), using a previously agreed-upon cryptosystem.
(the symmetric-key
cryptosystem key) using every available public key received from the parties, obtaining the distinct ciphertexts , .
74
The central authority then sends each ciphertext destination, again over the unsecured channel.
to its corresponding
Each participant
At this point all the parties involved are in possession of the symmetric-key cryptosystem key (whose security remains intact, due to the use of public-key cryptography for its transmission) and are able to rely on it to secure each future data exchange over the network.
digital signatures - Signatures are used for two purposes: the authentication beyond any doubt of the parties involved in the communication (also the non-repudiation of any messages sent) and the integrity check of the corresponding messages.
75
Due to the time constraints involved in message encryption and decryption as well as bandwidth limitations, the signing function is not applied to the whole message , that is . that is to be
Properties of the hash functions: [Cri06] the input message the output hash can be of any length is of fixed, predetermined length
is a one-way function, without any possible trapdoors (see 2.1) must be collision-free: weak collision-free - given a message , it is computationally infeasible to find a message , , such that
strong collision-free - it is computationally infeasible to find any two messages and , such that
Hash functions, of which the most used today are MD5 and SHA-1, are employed to ensure message integrity in areas such as cryptography, web downloads integrity and peer-to-peer networking.
76
authentication - ensuring that the received message came indeed from Alice and not from an intruder integrity - certifying that the message has neither been damaged, nor forged, during its transmission over the channel
had already been sent by Alice and received by Bob and whose
secure transmission was achieved using a cryptosystem of the protagonists choice (public -key or symmetric-key). The following template chronologically details the steps required for a successful digital signing and signature verification of the message involved in the aforementioned transmission:
1) Alice generates her public-key cryptosystem key to be used for the message signing. 2) Alice sends the public key part of the generated key to Bob. 3) Alice uses a hash function (like MD5), whose implementation is also available to Bob, of the message that she is willing to send
effectively obtaining the digital signature of the message 5) Alice sends the digital signature to Bob.
6) Bob decrypts the digital signature provided by Alice, using the public-key part of Alices message signing key, obtaining Alices hash of the message 7) Bob applies the same hash function . 8) Bob compares the hash (that he computed) with Alices hash (that he previously came . , obtaining his own hash
decrypted). If there is a match, than Bob becomes certain that the message
indeed from Alice and that it has not been damaged or forged. If not, then either the message did not come from Alice, but from an opponent, or the message came from Alice, but was damaged or forged during the transmission, or a mixture of these situations. Either way, if there has been no match, Bob clearly knows that the message he obtained is not reliable. 77
Key generation [Men96] Summary: Entity processes. 1) Generate two random and distinct prime numbers, 2) Compute: and , of roughly the same size. generates the keys required for the digital signing and signature verification
, function. 3) Select a random number 4) Determine , . 5) The keys are: the public key: the private key: ,
, where
Digital signing Summary: Entity 1) Compute message entity . 2) Compute the signature 3) Send the digital signature to . , . digitally signs the message , , using its own private key . is an integer representing the hash of the
, where
, obtained by applying a hash function (like MD5 or SHA-1) agreed upon with
Signature verification Summary: Entity verifies the digital signature received from , using the public key
1) Receive the digital signature from entity . 2) Obtain s hash 3) Compute its own hash function as entity . 4) Verify if message unreliable. , otherwise dismiss the signature as fraudulent and deem the , by decrypting the digital signature. of the message , using the same hash
Key generation [Men96] Summary: Entity processes. 1) Generate two random and distinct prime numbers, 2) Compute 3) The keys are: the public key: the private key: and , of roughly the same size. generates the keys required for the digital signing and signature verification
Digital signing Summary: Entity 1) Compute message entity . 2) Compute the signature 3) Send the digital signature to . , where , (see 2.3.5.4). digitally signs the message , , using its own private key .
, where
, obtained by applying a hash function (like MD5 or SHA-1) agreed upon with
79
Signature verification Summary: Entity verifies the digital signature received from , using the public key
received from entity . 1) Receive the digital signature from entity . 2) Obtain s hash as 3) Compute its own hash function as entity . 4) Verify if message unreliable. , otherwise dismiss the signature as fraudulent and deem the , by decrypting the digital signature. of the message , using the same hash
Note: 1) When trying to compute the signature , one might apparently reach a dead end, if not a quadratic residue modulo is
(see 2.3.5.1). Such an issue can easily be solved by , until becomes a quadratic
and, as such, its signature can be computed. , one might choose any of
2) After obtaining the four modular square roots of the hash these to become the signature .
80
Rabin cryptosystems, respectively. Both software products have been developed in the C# programming language and utilize the .NET Framework 2.0.
In terms of the graphical user interface, both applications are made out of four sections (GUI tabs), each section expressing a part of the fundamental functionality of a public-key cryptosystem. The sections (tabs) and their functionalities are: Primes Generation the random prime generation component, using a powerful true random generator implementation. Key Generation the public and private key generation component, using the primes obtained in the Primes Generation section. Encryption the content encryption section, which encrypts the data (any file) chosen by the user, according to a public key obtained in the Key Generation section, corresponding to a public-key cryptosystem (RSA or Rabin). Decryption the content decryption section, whose purpose is to decrypt the data (any file encrypted in the Encryption section), with respect to its corresponding private key, received from the Key Generation section and corresponding to one of the public-key cryptosystems (RSA or Rabin).
This software artifact has been overhauled (revisioned) up to the version cryptosystem) and
the software is (virtually) bug-free while, at the same time, favoring only the most efficient and fast algorithms of the day, in order to distinguish it from other public-key cryptography solutions.
These two programs (the implementation of the RSA and Rabin cryptosystems, respectively) present all the qualities expected in a software product, perhaps not quite up to the standards of 81
commercial software, but surely up to the demands of free and open-source solutions. Those features could be succinctly summarized as: General purpose software (security being a widespread concern) Simple and intuitive GUI (able to present a variable amount of information, depending on the users level of knowledge and interest in the matter, while, at the same time, hiding any obscure and insignificant details) Support for the serializing of data (primes and keys), to be able to successfully reuse it. True randomness for the generated primes, as well as state-of-the-art -bit encryption,
rendering the system as secure as possible (even for less-resourceful governmental agencies), an average PC of today being capable of breaking the security of the system through brute-force attacks in a matter of tens of years. Well chosen data structures (for representing large integers) and powerful polynomialtime algorithms (for large integer manipulation and underlying operations required by the cryptosystem involved), resulting in the best possible application execution speed.
Taking into account the disparity in terms of speed between public-key and private-key cryptography (see 3.3), the utility of the application can be expressed as follows: Encryption of small amounts of data (any file up to KB in size)
Exchange of keys employed in symmetric-key cryptosystems, that require to be securely transmitted to their destinations over unsecured communication channels
Both applications are identical in terms of architecture, design and graphical user interface, the differences residing in the specific key generation, encryption and decryption algorithms and their implementations, as defined by the cryptosystem each application is built upon. Documenting the analysis and design of the application is done in conformity with the UML 2.1 standard and extra emphasis is being put on the implementation choices made.
82
Select any file User Encrypt data <<include>> Select any public key <<include>>
83
3rd Layer
Random Prime Number Generation Key Generation Encryption and Decryption Business Layer
2nd Layer
1 Layer
Data Model & Technical Layer 84
st
Notes: This architecture uses a relaxed layer interaction model, allowing the upper layer (UI) to access the Data Model & Technical Layer for some of the operations. Method calls from one subsystem (layer) to another can only be made by higher order layers to lower order layers.
PrimesGeneratorImplementation <<import>>
<<import>>
<<import>> <<import>>
RSAEncryptionDecryptionImple mentation
<<technical>> BigIntegerImplementation
85
PrimesGeneratorImplementation <<import>>
<<import>>
<<import>> <<import>>
RabinEncryptionDecryptionImple mentation
<<technical>> BigIntegerImplementation
86
87
88
89
Package PrimesGeneratorImplementation:
90
Package RSAEncryptionDecryptionImplementation:
Package BigIntegerImplementation:
91
92
93
94
95
Package PrimesGeneratorImplementation: identical to the package having the same name from the RSA Cryptosystem Application
96
Package RabinEncryptionDecryptionImplementation:
97
Package BigIntegerImplementation: identical to the package having the same name from the RSA Cryptosystem Application
Response : a random BigInteger If the BigInteger is composite, increase it by 1 Test the BigInteger for primality
98
If the end-of-file has not been reached, continue Response: the encrypted file
If the end-of-file has not been reached, continue Response: the decrypted file
99
Every operation whose output is not obtained instantly is implemented as a thread, to prevent the graphical user interface from freezing while the operation is being performed. During the execution of a thread, most menus of the GUI are disabled, in order to preserve the processor power for the executing task. At its completion, every threaded operation displays the total amount of consumed time. The threaded tasks are: Primes Generation Encryption Decryption
For the generation of random primes, the GUI provides two methods: Random strings input, for which the user is required to type two random strings of his/her choice, each having a length of at least 50 characters. Real-time atmospheric noise, for which the application connects to the website http://www.random.org and retrieves the random content. Each random prime found can be saved as a binary file (*.RSAPrime or *.RabinPrime).
With respect to the key generation, the user must select two different primes (two *.RSAPrime or *.RabinPrime files) to compute the public and the private keys. The public and the private keys can then be saved as binary files, *.RSAPublicKey or *.RabinPublicKey for public keys and *.RSAPrivateKey or *.RabinPrivateKey for private keys. For the RSA cryptosystem, the public exponent is chosen to be , unless (see 3.1.1). , in which case is increased, until
For the encryption of data, the user should select a public key (*.RSAPublicKey or *.RabinPublicKey), the file to be encrypted (having any format and length of less than or equal to KB) and the target encrypted file (*.RSA or *.Rabin). 100
Regarding the decryption of data, the user can choose an encrypted file (*.RSA or *.Rabin) and the corresponding private key file (*.RSAPrivateKey or *.RabinPrivateKey). To avoid selecting the wrong private key file, the application allows the option to automatically determine the suitable private key file, as long as such a file exists in the default private key folder.
All of the large integers and their inherent mathematical operations are handled by the BigInteger class, from the package BigIntegerImplementation. As the class BigInteger may work with large numbers of virtually any size as well as any numeration bases , the following decisions have been made, regarding the representation of the BigIntegers:
digits assigned to a BigInteger becomes small, resulting in fast execution speed for the algorithms employing BigIntegers. This arrangement benefits the application in terms of effectiveness, since each digit of a BigInteger occupies half of a -bit
( byte) processor registry, the extra half being used for efficiently controlling some of the overflow resulting from mathematical operations (such as addition, subtraction, multiplication, division). For the visual representation of BigIntegers (GUI logs), they are converted to the numeration base .
Both of the cryptosystems utilize moduli of size rather ahead of todays standard of of the base -bit (
-bit (
-byte), which is
digits. As such, the maximum size of a digits and the maximum overflow digit, to
accommodate for squaring and for repeated squaring modular exponentiation (see 2.3.4) of a BigInteger. 101
Every possible inconsistency or error in the user input or accessed data is flagged as such, the user being presented with an appropriate warning or error message and the task execution being terminated.
Package PrimesGeneratorImplementation:
The two methods for generating a random prime, selectable at the GUI-level, are:
Random strings input, for which the random content taken into account of the input is: the characters of the strings the position of each character in the string the total amount of time needed by the user to type each string the current system time
By applying standard arithmetical operations (addition, multiplication, power) and controlled data type overflow (in fact, a modular operation) on the random content, the application computes: an array of random seeds, equal in length to the size of the prime to be generated, which determines the digits of the random number (corresponding to the 1st input string). an array of random seeds, equal in length to the size of the prime to be generated, which determines the rearranging (reordering) of the digits of the previously obtained random number (corresponding to the 2 nd input string).
Real-time atmospheric noise, which needs an active Internet connection, in order to be able to access the website http://www.random.org and get the random content. The application requests an array of random seeds from the
102
aforementioned website, of length equal to the size of the prime to be built, which determines the digits of the random number.
After a random number has been found, using any of the two methods, the process of primality testing commences. If the number is deemed to be prime, the algorithm terminates, otherwise the current number is increased by 1, and the primality test is repeated for the new numerical value. The primality test is two-phased, employing the following steps: Phase 1 Trial division by the primes less than 1000. Phase 2 If the candidate prime has passed the trial division test, it is subjected to the most efficient primality test of today, namely the probabilistic Miller-Rabin primality test.
In the case of the Rabin cryptosystem, prime numbers of the form should be disregarded, since they involve very slow decryption computations (see 2.3.5.2 the Tonelli-Shanks algorithm).
For both cryptosystems, the Encryption class reads blocks of fixed size from the file to be encrypted, converts the read data to BigInteger representation, encrypts the BigInteger to another BigInteger and serializes the obtained BigInteger along with some information regarding the binary block to a binary form in the output (encrypted) file. The encryption must take into account special cases, such as reading a full block of data containing only the (null) byte, as well as salting the read BigInteger to reach its desired length, if the
block of read data is of a smaller size than the standard (fixed) size. The latter special case may only occur when the last block of the file to be encrypted has been reached.
For both cryptosystems, the Decryption class reads each information regarding the blocks of data of the plain (non-encrypted) file and deserializes (reads) each of the 103
BigInteger numbers from the encrypted file. Each BigInteger is then decrypted to another BigInteger, whose binary form is then written to a file, taking into account the representation constraints provided by the information block in the encrypted file.
The Encryption class for the RSA cryptosystem encrypts blocks of size of (equivalent to a
bytes
The Encryption class for the Rabin cryptosystem encrypts blocks of size of also, but those correspond to an -digit BigInteger, whose last
bytes
after which the BigInteger is extended further with 5 digits of salt, to render small encryption exponent attacks useless (see 3.2.5.2)). Like in the case of RSA, the obtained BigInteger has 95 digits. The Decryption reverses the process by decrypting each BigInteger, removing the salt digits and then deleting the replication digits from the decrypted number.
Package BigIntegerImplementation:
The BigInteger class of the package is intended to store large integers and execute any usual mathematical operation on them. The BigInteger class represents the numbers digitby-digit, in a numeration basis of choice (+, , *, /, %, <, >, , . The traditional integer operators
uses the BigInteger class is offered the typical and natural way of manipulating the arithmetical operations on BigIntegers. The following specific arithmetic, abstract algebra and computational operations have also been loaded into the BigInteger class, in order to enhance its usefulness: The power operation (through fast binary exponentiation) The greatest common divisor (gcd), using the standard Euclidean algorithm and the extended Euclidean algorithm (see 2.2) The modular multiplicative inverse algorithm (see 2.3.1) 104
The modular exponentiation method, using the repeated squaring algorithm (see 2.3.4)
The serializing and deserializing of a BigInteger Adding and removing the salt digits of a BigInteger Adding, checking and removing of the replication digits of a BigInteger
Great care has been taken to define the best data structures for storing large integers as well as for every algorithm utilized in the BigInteger class to employ the best polynomialtime algorithms to date, without containing any inefficient exponential-time algorithms.
105
106
107
2) Key generation testing Note: For the key generation, we will be using the two primes obtained previously.
108
Key-generation log:
The public key modulus (as the product of the two primes) is 255235215826284313701798101197088601458103469857854153667313200621769019 034221179709130622772504141821993539384892128946799478964241416396175847 597984907761060421239911340101318473177772123618496745232599210571711148 220961035361794751559129467619043682206576507534384302934926283990822636 597719086248249285300093913414479817916338231367095648791450152194912786 908023115305787650130268343387129312098496936132254802175302234645565437 521635844989264520868278957369
3) Encryption testing: Note: For the encryption, we will be using the public key component of the key obtained at the key generation testing and the file boot.ini as the file to be encrypted.
110
Encryption log:
Writing the public-key to the encrypted file ... 255235215826284313701798101197088601458103469857854153667313200621769019 034221179709130622772504141821993539384892128946799478964241416396175847 597984907761060421239911340101318473177772123618496745232599210571711148 220961035361794751559129467619043682206576507534384302934926283990822636 597719086248249285300093913414479817916338231367095648791450152194912786 908023115305787650130268343387129312098496936132254802175302234645565437 521635844989264520868278957369
111
112
4) Decryption testing: Note: For the decryption, we will be using the private key component of the key obtained at the key generation testing and the file boot.ini.RSA as the file to be decrypted.
113
Decryption log:
114
266186656065097843768323718238581992271124361945688692453199415189641856 551491941320568383709359340351
115
The RSA Cryptosystem Application testing allowed us to reach the following conclusions:
Each of the underlying parts of the application (Primes generation, Key generation, Encryption and Decryption) is functioning properly and effectively both as an independent subsystem and in connection with the rest of the subsystems.
The whole process, starting from the prime generation, continuing with the key generation, the encryption of data and, finally, the data decryption, is reliable, since the file boot.ini was encrypted and then successfully decrypted to an identical file.
116
117
118
2) Key generation testing Note: For the key generation, we will be using the two primes obtained previously.
119
Key-generation log:
The public key (as the product of the two primes) is 774522816202603207489921705782695273011824308637579455787026382868675985 154076051705313295129157808231221923149474761000152155458765965224465751 939017457122548563609461604583102777798864920357800000875409449379457305 806420348776983068804504056655446684356212065698613025888446116727759064 440511085412497542800501359951746408257525594753216529931877167167462151 240677474059101882970150940699658244851625451764164907965824005656271969 86227970751434913303163509659
3) Encryption testing: Note: For the encryption, we will be using the public key component of the key obtained at the key generation testing and the file encode.exe as the file to be encrypted.
120
121
Encryption log:
Writing the public-key to the encrypted file ... 774522816202603207489921705782695273011824308637579455787026382868675985 154076051705313295129157808231221923149474761000152155458765965224465751 939017457122548563609461604583102777798864920357800000875409449379457305 806420348776983068804504056655446684356212065698613025888446116727759064 440511085412497542800501359951746408257525594753216529931877167167462151 240677474059101882970150940699658244851625451764164907965824005656271969 86227970751434913303163509659
122
123
125
4) Decryption testing: Note: For the decryption, we will be using the private key component of the key obtained at the key generation testing and the file encode.exe.Rabin as the file to be decrypted.
126
Decryption log:
128
381647288854748933130880402595010254432273065406032320507922143156865023 5132982777853313830253155438209705500906768650253
129
130
The Rabin Cryptosystem Application testing allowed us to reach the following conclusions:
Each of the underlying parts of the application (Primes generation, Key generation, Encryption and Decryption) is functioning properly and effectively both as an independent subsystem and in connection with the rest of the subsystems.
The whole process, starting from the prime generation, continuing with the key generation, the encryption of data and, finally, the data decryption, is reliable, since the file encode.exe was encrypted and then successfully decrypted to an identical file.
131
The diverse needs in quantifying computer behavior have led to the appearance of many types of benchmarks, each measuring a particular quality or set of qualities of a system.
Based on the generality of the properties they quantify, benchmarks are split into [Hen07]: component-level benchmarks, which measure the quality of certain hardware or software components taken in particular, such as: hardware components: central processing unit (PIFast, QuickPI), single processor core (SuperPI), arithmetic integer unit (Dhrystone), arithmetic floating-point unit (Whetstone), graphics processing unit (Futuremark 3DMark), sound card, network adapter, display, hard disc, notebook battery life (BAPCo MobileMark)
132
software components: operating system, database management system (TPCC), compiler, virtual machine
system-level benchmarks (BAPCo SYSmark, Microsoft WinSAT), whose purpose is to assess the overall behavior (performance, usually) of computer systems running real applications. Such benchmarks may also specify the contribution of each subsystem to the global result.
Regarding their composition, benchmarks are divided in [Hen07]: synthetic benchmarks (Whetstone, Dhrystone, POV-Ray), which are created by combining lower-level functions targeting computer hardware components, in a proportion that is believed to be appropriate for efficiently evaluating the capabilities of the desired subsystem. By this, the developers try to match an average execution profile of the component. application benchmarks (BAPCo SYSmark), which employ a set of popular applications that are deemed typical for a certain industry segment or class of products. These applications are executed either as a batch or simultaneously, in an attempt to simulate the way users would run applications on their systems. Such benchmarks often are system-level benchmarks.
5.2.1 Justification
While not a goal all by itself, the development of a benchmark based on the computational profile of public-key cryptography can be envisioned as a collateral benefit to implementing an asymmetric-key cryptosystem.
Such a benchmark would be a processor core integer benchmark, belonging to the class of hardware component-level synthetic benchmarks due to the following reasons:
133
Public-key cryptography involves very computationally-intensive calculations in all of its underlying operations (primes generation, key generation, encryption, decryption). Some of these operations (primes generation, encryption, decryption) require a significant amount of time to complete (up to seconds). This means that a benchmark using one (or more) of these operations is able to provide a computational challenge even to the most modern and capable of processors.
Three out of the four operations (key generation, encryption and decryption) are fully deterministic, therefore they require the same amount of computations for a given test data, regardless of any external factors.
-bit
integer processor registers, ignores the eight double floating point registers and has a very small (under 1 MB) memory footprint (not counting the GUI and the managed environment). As the data required can be loaded from the disc prior to the tests inception, the benchmark has no interference with the hard disc, nor with any devices whose access to is controlled by the OS kernel. As such, the benchmark isolates the desired processor core for a reliable testing experience.
Being by far the most demanding in terms of resource usage of the cryptographic operations, while also belonging to the class of fully deterministic algorithms, the decryption protocol is the operation of choice to be used by the benchmark, since, due to its lengthy execution, it emphasizes the potential differences between processor cores speed, while, at the same time, nullifying the possible inconsistencies caused by application overhead.
the benchmark, as most of the contemporary PCs are having a Microsoft Windows OS installed and are capable of executing the .NET Framework 2.0.
Although the .NET Framework has been unofficially ported to some extent to other platforms (the Mono Project on Linux), these conversions are not 100% compatible with the original version, mostly because they are running on completely different operating system kernels. Therefore, such platforms are not targeted by the application, since, in order to ensure a consistent testing experience, a benchmark cannot hope to test a processor core speed in itself, but, more likely, a processor core speed when running on a certain operating system architecture.
Benchmarking applications have traditionally been considered heavy-duty applications that need to run as closely to the machine-level as possible. According to the aforementioned ideology, it would seem rather strange to choose an intermediate language programming paradigm (.NET) over native code-generating languages in a domain as demanding and needing extreme accuracy as benchmarking. However, as it will be pointed out in the subsequent section, the .NET Framework is not only a good choice, but the best choice for this purpose on the MS Windows platform.
Aiming at the CPU ensures the best optimization (machine code generated specifically) for the architecture the processor is based on, while addressing the Windows version ensures a smooth, consistent experience of the application when running on different versions of the OS. This is something that a native-code compiled application cannot hope to achieve.
135
As an example to illustrating the previously-stated theoretical point, the case of the GNU family of native-code compilers (GCC, G++, GCJ, etc.) is exposed below, which is one of the most remarkable portable compilers to date.
athlon, athlon-tbird - AMD Athlon CPU with MMX, 3dNOW!, enhanced 3dNOW! and SSE prefetch instructions support. athlon-4, athlon-xp, athlon-mp - Improved AMD Athlon CPU with MMX, 3dNOW!, enhanced 3dNOW! and full SSE instruction set support. k8, opteron, athlon64, athlon-fx - AMD K8 core based CPUs with x86-64 instruction set support. (This supersets MMX, SSE, SSE2, 3dNOW!, enhanced 3dNOW! and 64-bit instruction set extensions.)
Observing these optimizations options, one can easily notice the broad range of processor families supported. One the other hand, the developer of the applications targeting the GCC compiler cannot know in advance which type of processor the user would possess. It has, thusly, three choices in distributing his application, none of which are fully satisfactory, at least compared to the .NET solution of on-the-spot fully-optimized compilation of intermediate code:
1) use the least common denominator of the optimizations (that is use the i686 processor with the -march flag) and optimize for no CPU in particular. This way no processor gets an advantage over the other, but, on the other hand, no processor executes at its full potential. This solution seems equitable to all CPU architectures, but, in fact, it is limiting to all.
2) use the i686 platform, but perform tuning settings for a particular processor family (such as mtune=pentium4) that is expected to be prevalent among the users. This would allow the Intel Pentium 4 architecture to obtain an unfair advantage over other CPUs, since, not only would these run unoptimized, but would also have to overcome an improper optimization.
3) supply the application in source code format and let the user compile it for its specific configuration. While this is an acceptable solution for the Linux world, it is inadequate to be used with the Microsoft Windows OS, where users expect binaries and may not even have a compiler installed.
137
That is not to say that public-key cryptography (more specifically, the decryption protocol) cannot be put to good use in testing multi-core processor systems by employing a certain degree of concurrency (many threads running simultaneously), but reliably testing a single processor core is a lengthy process (taking up to tens of seconds) and, obviously, accurate parallelization testing would visibly increase this duration. Since modern operating system kernels (including the Microsoft Windows NT-based OSs, the officially supported hosts for the .NET Framework) are running tens of processes containing hundreds of threads overall, it becomes clear that true parallel execution is all but impossible on most of the systems in use nowadays. Thus, systems must employ at least a certain degree of concurrency, regardless of the amount of processors (or processor cores) existing in their underlying architectures. The solution that most OSs have chosen to implement is the priority-based and Round-Robin preemptive scheduling, which utilizes both external and internal means of establishing and adjusting process and thread priorities. The granularity of this operation is at thread level, rather than at process level, but process priority does contribute at defining the priority of its contained threads.
As the benchmark is created for the Microsoft Windows platform it behooves us to expose the process and thread scheduling mechanisms of MS Windows, although many concepts are implemented similarly in the other contemporary operating systems of today, such as Linux, Sun Solaris and Apple MacOS.
138
In the MS Windows OS, each process is given a priority at creation-time, that will influence the priorities of its threads. These priorities, as made available through the Win32 API, are: [MSDN] idle referring to processes whose threads run only when the system is in idle state. The threads of these processes are preempted by any thread of a process having a higher priority. An example of such a process would be the screen saver. normal for processes with no special requirements in terms of scheduling. high designed for processes that perform time-critical tasks and must be executed without delay. The threads of these processes preempt the threads of other processes belonging to a normal or idle priority class. Extra attention must be paid when assigning a process high priority, because a high-priority class application can use almost all of the available CPU time, leading to the starvation of other processes. A user desiring to run a process with the high priority must possess administrative rights. A typical high-priority process is the Windows Task Manager, which must allow for a quick response time, irrespective of the overall load of the system. real-time designated for processes that need the highest possible priority. The threads of these processes preempt the threads of all other processes, including also system services. Real-time processes must be used only as a last resort solution, because, when run for more than a few milliseconds, they cause the whole system to become unresponsive. A user wanting to run a process with the real-time priority must have administrative rights.
139
We need our benchmark application to run at the highest possible priority to ensure very reliable results, without interfering with system services and other essential processes. As such, the priority of the choice for the benchmark is the high process priority. A small drawback to this decision is that the user of the application must be granted administrative privileges on the system.
MS Windows lets the user define a priority value for any thread, through the Win32 API. This value, together with the priority class of the thread's process, determines the thread's base priority level. The operating system scheduler (dispatcher) may alter the thread priority within a certain range of the base priority level. The priority values for threads are listed below: [Sol00] idle - No CPU time slices will be assigned to this thread, unless all the other threads of the process are in an idle state (waiting or blocked). lowest significantly diminished priority below normal reduced priority normal Unless specific priority values are specified, any thread is given this priority value at creation-time. above normal slightly elevated priority highest Such a thread receives the highest priority allowed, considering the priority class of its containing process. time-critical A thread belonging to this category monopolizes the processor time-slices assigned to its parent process. This priority value is not made available through the .NET Framework.
Considering that we require our benchmarking thread to run virtually uninterrupted (without being subject to the Windows dispatcher), we must assign it the highest priority value. In conjunction with the high process priority class, this should amount for minimal thread preemption and, therefore, a reliable and consistent testing experience. However, since the .NET Framework involves a managed execution environment, one must not make any assumptions as to the bijective binding of managed threads to operating system threads. This correspondence must be enforced explicitly.
140
Benchmark System
Start the benchmark User <<include>> Web application
Submit the result of the benchmark View all the benchmark results
3rd Layer
2nd Layer
1 Layer
Data Model & Technical Layer 142
st
Notes: This architecture uses a relaxed layer interaction model, allowing the upper layer (UI) to access the Data Model & Technical Layer for some of the operations. Method calls from one subsystem (layer) to another can only be made by higher order layers to lower order layers.
This is the package diagram for the processor benchmark desktop application.
ResultsHandler
<<import>>
<<import>>
<<technical>> BigIntegerImplementation
SystemInformation
143
144
Package ResultsHandler:
Package SystemInformation:
145
Package BigIntegerImplementation: identical to the package having the same name from the RSA (Rabin) Cryptosystem Application
Decrypt data
146
Submit GET request to the web server Response : the web page containing all the benchmark results
147
1) Desktop application
start the processor core benchmark, which will test the performance of the first CPU core, submit the result (using a POST request) to the web application and also display the benchmark result inside the desktop applications GUI
view the overall benchmark results provided by the web application, while also highlighting the current test result inside the web page (using a GET request), if such a test has been performed during the applications execution
148
2) Web application
149
simply accessing the web page displays the results of all the benchmarks to date
sending a GET request to the web application, containing a particular test result information, will signal the web application to render all the benchmarks results, while highlighting the supplied result
sending a POST request to the web application, containing a new test result, will trigger the web application to add it to its external benchmark results file
150
Conclusions
CONCLUSIONS
In the past 10 years, computer data security has become an ever-increasing concern to governments, as well as companies and even end-users, since almost any information nowadays is processed and stored in its electronic form, rather than using classical (traditional) means such as pen & paper, dossiers, file cabinets, typewriters, etc. Even if sometimes information is presented on traditional support (paper), it is still developed and maintained using electronic devices.
In this context, it is the duty of cryptography not only to secure data for (indefinite) safekeeping, but also to safely transmit important (sensitive) digital content over unsecured communication channels. In an era of computer networks (physical or virtual) and the Internet, symmetric-key cryptography cannot cope all-by-itself with the demands of secure digital systems. Therefore, in modern-day data security systems, symmetric-key cryptosystems are coupled with public-key cryptosystems, in an effort to solve the issues of safe symmetric-key exchange and for devising of authentication (and non-repudiation) protocols.
The two computer applications (RSA Cryptosystem Application and Rabin Cryptosystem Application) present a successful approach to securing limited amounts of data, as well as providing a safe container for symmetric-key cryptosystem keys, that are about to be distributed over unsecured communication channels. The power of the application resides in the strength of its algorithms, the efficiency of its implementation and its large key size of 1536 bits, while its accessibility is enhanced by the use of intuitive graphical user interface, suitable for users having different levels of knowledge (or even no knowledge) of cryptography and its inherent protocols.
The processor core benchmark, which provides both the desktop benchmarking application actually fulfilling the performance evaluation and the web application storing and revealing the cumulated results of individual tests, has proven to be very reliable, allowing only minimal fluctuations between the results of successive tests involving the same computer processor, as well as establishing a processor core speed hierarchy that is in concordance with that of prestigious computer hardware magazines. 151
152
References
REFERENCES
[Agr04] M. Agrawal, N. Kayal, N. Saxena, PRIMES is in P, Annals of Mathematics 160, 781793, 2004 [Bis03] D. Bishop, Cryptography with Java Applets, Jones and Bartlett Publishers Inc., 2003 [Cri06] S. Crivei, Computational Algebra: Lecture Notes, unpublished, 2006 [Elk07] R. El-Khalil, A. D. Keromytis, Hydan: Hiding Information in Program Binaries, The 9th International Conference on Information and Communications Security (ICICS 2007), Zhengzhou, China, 2007 [Han94] P. B. Hansen, Multiple-length Division Revisited: a Tour of the Minefield, Software Practice and Experience, vol. 24(6), 579601, 1994 [Hen07] J. L. Hennesy, D. A. Patterson, Computer Architecture: A Quantitative Approach, Morgan Kaufmann Publishers, 2007 [Kob94] N. Koblitz, A Course in Number Theory and Cryptography Second Edition, SpringerVerlag, 1994 [Men96] A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996 [Pan99] J. Pan, Software Testing, 18-849b Dependable Embedded Systems, Spring 1999 [Sch96] B. Schneier, Applied Cryptography, Second Edition: Protocols, Algorthms, and Source Code in C, John Wiley & Sons, Inc., 1996 [Sol00] D. A. Solomon, M. E. Russinovich, Inside Microsoft Windows 2000, Microsoft Press, 2000 [Sta05] W. Stallings, Cryptography and Network Security Principles and Practices, Fourth Edition, Prentice Hall, 2005 [Sti95] D. Stinson, Cryptography: Theory and Practice, CRC Press, 1995
[wiki] Wikipedia, The Free Encyclopedia, http://en.wikipedia.org/wiki/Main_Page [GCC] The GNU C Compiler Info Page, GNU C Compiler 4.2.2, Knoppix 5.3.1 Distribution [MSDN] Microsoft Developer Network, http://msdn.microsoft.com/en-us/default.aspx
153
References
[net01] The Story of Alice and Bob, http://www.conceptlabs.co.uk/alicebob.html [net02] The Primes Page, http://primes.utm.edu [net03] RANDOM.ORG True Random Number Service, http://www.random.org
154