
Introduction to cryptography

Basic concepts

Classical techniques

Modern conventional techniques

Cryptography – Basic concepts

Cryptography - the art or science encompassing the

principles and methods of transforming an intelligible

message into one that is unintelligible, and then

retransforming that message back to its original form

Plaintext - the original intelligible message

Ciphertext - the transformed message

Cipher - an algorithm for transforming an intelligible message into one that is unintelligible by transposition and/or substitution methods

Key - some critical information used by the cipher,

known only to the sender & receiver


Cryptography – Basic concepts

Encipher (encrypt) - the process of converting plaintext to ciphertext using a cipher and a key

Decipher (decrypt) - the process of converting ciphertext back into plaintext using a cipher and a key

Cryptanalysis - the study of principles and

methods of transforming an unintelligible

message back into an intelligible message

without knowledge of the key. Also called

codebreaking

Conventional encryption model

• Plaintext X = [X_1, X_2, ..., X_M], length M

– the M elements are letters in a finite alphabet

• Secret key K = [K_1, K_2, ..., K_J], length J

• Ciphertext Y = [Y_1, Y_2, ..., Y_N], length N

• With message X and encryption key K the encryption algorithm forms the ciphertext

– Y = E_K(X)

• The receiver can invert the transformation

– X = D_K(Y)


Conventional cryptosystem model

Conventional encryption model

• Security of conventional encryption depends on several

factors

– the algorithm: it must be impractical to decrypt a message on the basis of the ciphertext and knowledge of the encryption/decryption algorithm (Kerckhoffs' principle: the algorithm is assumed to be known to the opponent)

– the key

• secrecy of the key

• length of the key (in fact the entropy of the key)

• Note: the algorithm is public

– feasible for widespread use

– manufacturers can develop low-cost chip implementations of the algorithm

• The principal security problem is maintaining the secrecy

of the key


Cryptographic systems - classification

Cryptographic systems are classified along three

dimensions

1. The type of operations used for transforming plaintext to ciphertext

- substitution

- transposition

2.The number of keys used

- single key, symmetric, secret key, conventional

- two keys, asymmetric, public key

3.The way in which plaintext is processed

- block cipher

- stream cipher

Cryptanalysis

• Cryptanalysis = the process of trying to discover X or K or

both

• Brute force

– the entropy of a key is important, random number generation

– e.g. a 10-letter English word has about 13 bits of entropy even though the ”key” is 80 bits long

• Windows NT: 128-bit key based on users password

– Distributed internet key search 1999: 250 billion keys/sec

• analysis of the ciphertext

– statistical tests

– traces of structure and pattern of plaintext may survive the encryption

process and be discernible in the ciphertext

– generally not feasible with modern ciphers

• Differential and linear cryptanalysis


Exhaustive key search

Cryptanalytic attacks

• Ciphertext only

– only access to some enciphered messages

– statistical attacks only

• Known plaintext

– know some plaintext-ciphertext pairs

– use this knowledge in attacking the cipher

• Chosen plaintext

– can select plaintext and obtain the corresponding ciphertext

– use knowledge of algorithm structure in the attack

• Chosen text (chosen plaintext and chosen ciphertext)

– can select plaintext and obtain the corresponding ciphertext, or vice versa

– allows further knowledge of algorithm structure to be used


Security models

• Ad-hoc secure

– intuitive feeling of security

• Computationally secure

– the cost of breaking the cipher exceeds the value of the

encrypted information

– the time required to break the cipher exceeds the useful lifetime of the information

• Provably secure

– breaking the cipher is provably as difficult as some known hard problem, e.g. factorization

• Unconditionally secure

– the ciphertext does not contain enough information to

determine uniquely the corresponding plaintext, no

matter how much ciphertext is available

Vernam´s one-time-pad

• The only cipher that has been proved (by Shannon) to be unconditionally secure

• Invented by G. Vernam in 1917

• Key is a truly random bit-stream of the same length as the message

• Encryption is simple – just XOR the message with the key

• A key must never be reused, not even partially

• Not very practical: the key material is as long as all the traffic it protects and must be delivered securely in advance

• Used on the ”Moscow-Washington” hot line
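Added example, not from the original slides: the one-time pad as XOR with a random pad, and the failure mode the slides warn about. Two ciphertexts produced under the same pad XOR to the XOR of the two plaintexts, so a guessed fragment of one message (a ”crib”) reveals the other message at the same position. The two messages are constructed here; `secrets` is the standard-library CSPRNG.

```python
"""Vernam one-time pad: XOR the message with a random key of the same length,
and a demonstration of why the pad must never be reused."""
import secrets


def new_pad(length: int) -> bytes:
    """A fresh key from the OS CSPRNG; it must be as long as the message and used once."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must have the same length as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """C1 XOR C2 = (P1 XOR K) XOR (P2 XOR K) = P1 XOR P2: the key cancels out."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def crib_drag(p1_xor_p2: bytes, crib: bytes, position: int) -> bytes:
    """Given P1 XOR P2 and a guess for P1 at `position`, recover P2 at that position."""
    window = p1_xor_p2[position:position + len(crib)]
    return bytes(x ^ c for x, c in zip(window, crib))


# Constructed sample messages of equal length for the demonstration.
MSG1 = b"ATTACK AT DAWN ON THE EASTERN BRIDGE"
MSG2 = b"RETREAT TO THE HILLS BEFORE SUNRISE "


def demo() -> bytes:
    """Encrypt two messages under ONE pad and recover the start of MSG2 from a crib."""
    key = new_pad(len(MSG1))
    c1 = otp_encrypt(MSG1, key)
    if otp_decrypt(c1, key) != MSG1:
        raise RuntimeError("round trip failed")
    c2 = otp_encrypt(MSG2, key)          # key reuse: the mistake
    leak = two_time_pad_leak(c1, c2)     # attacker needs no key for this
    return crib_drag(leak, b"ATTACK AT", 0)   # attacker guesses how MSG1 begins
```

Note that the attack in `demo` never touches the key: the leak comes purely from reuse, which is why the ”one-time” in the name is the whole security argument.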


Conventional encryption -

algorithms

Principles

S-DES

Other block ciphers

Modern block ciphers

• Based on the principles of Feistel ciphers

• Block ciphers seem to be applicable to a broader range of applications than stream ciphers

• A block cipher can be used in a way to make it

operate as a stream cipher

• The message is broken into blocks of bits, each of

which is encrypted separately.

– Can be viewed as a substitution cipher with a very large

alphabet

• The structure of the algorithms is generally very complex


Feistel Cipher

• A foundation for many modern block ciphers

• The exact realization of a Feistel Cipher depends on the

following design features

– block size: a larger block size increases security but decreases encryption/decryption speed

– key size: 128 bits is now considered safe

– number of rounds: a single round offers weak security, but repeating

rounds offer increasing security. Typically 16 rounds are used

– subkey generation algorithm: greater complexity should lead to greater

difficulty of cryptanalysis

– round function: greater complexity generally means greater resistance to

cryptanalysis

– implementation issues: speed and memory requirements in

software/hardware implementation

– ease of analysis: a simple algorithm can be e.g. analysed for

vulnerabilities. (DES is not easy to analyze)


Substitution-Permutation Ciphers

• Shannon introduced the idea of substitution-permutation

(S-P) networks, which now form the basis of modern block

ciphers

– An S-P network is the modern form of a substitution-transposition product cipher (like Enigma)

– S-P networks are based on the two primitive cryptographic operations, substitution and permutation

– mixing transformations

• Shannon's mixing transformations are a special form of product ciphers where

– S-boxes provide confusion of input bits

– P-boxes provide diffusion across S-box inputs

Substitution-Permutation Ciphers cont...

• Avalanche effect

– a small change in either the plaintext or the key produces a significant change in the ciphertext

– in DES a one-bit change in either the key or the plaintext produces on average about 35 changed bits in the ciphertext

• Completeness effect

– each ciphertext bit is a complex function of all input

bits (in a block)


Simplified DES (S-DES)

• An educational rather than secure algorithm

• A block cipher which encrypts an 8-bit block of

plaintext using a 10-bit key and outputs an 8-bit block of

ciphertext

• Has the general structure of Shannon's mixing transform

• Encryption involves five functions

– an initial permutation IP

– f_K, involving both substitution and permutation, depending on the key

– a simple permutation SW that swaps the two halves

– f_K again (with the second sub-key)

– the inverse of the initial permutation, IP^{-1}

• Additionally there is a key generation algorithm to

generate sub-keys
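Added example, not from the original slides: a complete S-DES implementation in Python, written as the two-round Feistel network described above. It shows the three things the preceding slides discuss: the Feistel structure (decryption is the same code with the sub-keys in reverse order), the S-P round function (expansion, key mixing, two S-boxes, P4), and the avalanche effect measured by flipping single plaintext bits. The permutation and S-box tables are the standard S-DES ones; the key 1010000010 and plaintext 10111101 are the usual textbook test inputs.

```python
"""S-DES (Simplified DES) as a two-round Feistel cipher, with an avalanche test."""

# Standard S-DES tables (1-indexed bit positions).
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)        # expansion 4 -> 8 bits
P4 = (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))


def permute(bits, table):
    return [bits[i - 1] for i in table]


def to_bits(s: str):
    return [int(c) for c in s]


def to_str(bits) -> str:
    return "".join(str(b) for b in bits)


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def rotl(bits, n):
    return bits[n:] + bits[:n]


def subkeys(key10: str):
    """Key schedule: P10, then LS-1 and LS-2 on each 5-bit half, P8 after each shift."""
    k = permute(to_bits(key10), P10)
    l, r = rotl(k[:5], 1), rotl(k[5:], 1)
    k1 = permute(l + r, P8)
    l, r = rotl(l, 2), rotl(r, 2)
    k2 = permute(l + r, P8)
    return to_str(k1), to_str(k2)


def sbox(box, four):
    """Outer bits select the row, inner bits the column; returns 2 output bits."""
    row = four[0] * 2 + four[3]
    col = four[1] * 2 + four[2]
    v = box[row][col]
    return [v >> 1, v & 1]


def round_function(right, sk: str):
    """F(R, SK) = P4(S0 || S1)(EP(R) xor SK): the S-P mixing step."""
    t = xor(permute(right, EP), to_bits(sk))
    return permute(sbox(S0, t[:4]) + sbox(S1, t[4:]), P4)


def feistel(block, sk: str):
    """One Feistel round: (L, R) -> (L xor F(R, SK), R). Applying it twice undoes it."""
    l, r = block[:4], block[4:]
    return xor(l, round_function(r, sk)) + r


def crypt(block8: str, keys) -> str:
    bits = permute(to_bits(block8), IP)
    bits = feistel(bits, keys[0])
    bits = bits[4:] + bits[:4]          # SW
    bits = feistel(bits, keys[1])
    return to_str(permute(bits, IP_INV))


def encrypt(plaintext8: str, key10: str) -> str:
    k1, k2 = subkeys(key10)
    return crypt(plaintext8, (k1, k2))


def decrypt(ciphertext8: str, key10: str) -> str:
    k1, k2 = subkeys(key10)
    return crypt(ciphertext8, (k2, k1))   # same network, sub-keys reversed


def avalanche(key10: str, trials: int = 256) -> float:
    """Average number of ciphertext bits that flip when one plaintext bit is flipped."""
    total = 0
    for n in range(trials):
        pt = format(n, "08b")
        ct = encrypt(pt, key10)
        for i in range(8):
            flipped = pt[:i] + str(1 - int(pt[i])) + pt[i + 1:]
            total += sum(a != b for a, b in zip(ct, encrypt(flipped, key10)))
    return total / (trials * 8)
```

With only two rounds and a 10-bit key, `avalanche` stays well below the ideal of half the block, which is the practical reason the slides say a single round is weak and real ciphers use many rounds; the 10-bit key space (1024 keys) is also exhaustively searchable in a fraction of a second.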

DES vs. S-DES

• DES adopted as FIPS PUB 46 in 1977 (by NBS, now NIST)

– the algorithm is DEA

• DES operates with 64-bit blocks

• 16 rounds: IP^{-1} ∘ f_{K16} ∘ SW ∘ f_{K15} ∘ SW ∘ ... ∘ SW ∘ f_{K1} ∘ IP (composition read right to left; there is no swap after the last round)

• A 56-bit key is used to form 16 48-bit sub-keys

• F acts on 32 bits: the half-block is expanded to 48 bits, XORed with the sub-key, and split into 8 groups of 6 bits, one per S-box

• Each of the 8 S-boxes has 4 rows and 16 columns. The first and last bit of a 6-bit group pick the row of the S-box, the four bits in the middle pick the column; each S-box outputs 4 bits

• Basically, DES is a scaled-up

version of S-DES

[Figure: the DES expansion permutation E maps the 32-bit half-block n_1 ... n_32 to 48 bits as n_32, n_1, n_2, n_3, n_4, n_5, n_4, n_5, n_6, n_7, n_8, n_9, ..., n_28, n_29, n_30, n_31, n_32, n_1 (the edge bits of each 4-bit group are duplicated)]


The strength of DES

• Concerns about the algorithm

– the most cryptanalyzed algorithm in existence

– no known efficient cryptanalytic attack

– the design criteria for the S-boxes were not released, a potential threat

• The key length

– EFF ”DES Cracker”, built for $250000 in 1998, broke a DES key in less than three days

• DES is no longer safe

– only the effort of recognizing the correct plaintext among the candidate decryptions adds to the cost of a key search



Overview of Block Ciphers

• An overview of the most important

symmetric ciphers in current use

• DES

• TDEA

• IDEA

• Blowfish

• Cast-128

Triple-DEA

TDEA

• FIPS 46-3 in 1999

• Based on using DES three times in an encrypt-decrypt-encrypt sequence with three different keys

• Much stronger than DES

• Slow compared to some new block ciphers; fixed 64-bit block size

• Also a two-key version exists (K3 = K1)

C = E_{K3}[D_{K2}[E_{K1}[P]]]

• Used in eg. PGP and S/MIME

• TDEA and AES will coexist in

FIPS approved algorithms


Key distribution

• The problem – ”to establish a secret shared by the two parties and protected from access by others”

– the number of communicating pairs can be very large

– keys have to be changed frequently

• Ways of distributing the keys for two parties, A

and B

1. A selects the key and physically delivers it to B

2. A third party selects the key and physically delivers it

to A and B

3. If A and B have previously used a key, one party can

transmit the new key to the other encrypted using the

old key

4. If A and B both have an encrypted connection to a

trusted third party C, C can deliver the key to A and B

using the encrypted links

Key distribution

• Ways 1. and 2. require manual delivery

– ok for link encryption

– impossible for end-to-end encryption

• N hosts, N(N-1)/2 possible pairs of communication

• Way 3. can be used in both link and end-to-end communication

– if an attacker gets one key, all subsequent keys are also exposed

• Some variation of way 4. is the most commonly used for end-to-end encryption

– a key distribution center (KDC) is used

– a hierarchy of keys, at least two levels


Two hierarchies of keys

• Session key:

– data is encrypted with a one-time session key. At the conclusion of the session the key is destroyed

• Permanent (master) key:

– used between entities for the purpose of distributing session keys

• a unique master key for each host for communicating with the KDC


Public Key Cryptography

Principles

RSA Key Management

Diffie-Hellman

Introduction

• The idea of public key cryptography was proposed by Diffie and Hellman in 1976

– Cryptosystems: RSA, Merkle-Hellman, Rabin, McEliece, ElGamal, elliptic curves

• Public key algorithms are based on mathematical functions rather than substitution and transposition

• Public key cryptography is asymmetric, involving the use of two separate keys

– profound consequences in the areas of confidentiality, authentication and key distribution


Introduction cont...

• The main problems of conventional encryption

that can be solved with public key cryptography

1.Key distribution

- in a conventional scheme the communicating parties

have to either share a common secret key or use a key

distribution centre

- in a public key scheme it is possible to exchange a

session key securely

2.Authentication

- ”the need for a digital signature”

Misconceptions about public key

encryption

• Public key encryption is more secure than secret key

encryption

– the security of any encryption scheme depends on the length of the key and the computational work needed to break the cipher

– no principal difference between conventional and public key encryption in this respect

• Public key encryption is a general purpose technique and has made conventional encryption obsolete

– the computational overhead of current public key schemes compared to conventional encryption is high

– conventional encryption will be used for the foreseeable future

• Key distribution is trivial when using public key encryption

– the procedures and protocols are no simpler nor more efficient than those required for conventional encryption


Principles of public-key cryptosystems

• Public key algorithms use one key for encryption and another, related key for decryption

– a pair of keys: public key and private key (note: the term secret key refers to a conventional encryption key)

– it is not practical to deduce one key from the other

• Everybody has access to the public key, whereas the private key is kept secret

– anybody can encrypt messages, but only the receiver can decrypt them

• In some public key cryptosystems (e.g. RSA) it is

possible to use either of the keys for encryption

and the other for decryption.

The basic principle

The message source is A and the destination B.

Confidentiality:

B generates the related keys: a public key KU_b and a private key KR_b.
With the message X and KU_b as input, A can form the ciphertext Y = E_{KU_b}(X).
The receiver B, having the private key KR_b, is able to decrypt the ciphertext: X = D_{KR_b}(Y).

Authentication:

A also generates a related pair of keys: a public key KU_a and a private key KR_a.
A prepares a message to B and encrypts it with its own private key: Y = E_{KR_a}(X).
B can decrypt the message using A's public key KU_a: X = D_{KU_a}(Y).
If the message decrypts correctly, only A could have sent it, since it was encrypted with A's private key.
The entire encrypted message serves as a digital signature in this case.
Furthermore this offers data integrity, since it is impossible to alter the message without KR_a.

However this is not a practical authentication solution; it merely illustrates the principle (in practice a hash of the message is signed rather than the whole message).


The basic principles cont...

Confidentiality and Authentication at the same time:

The previous authentication scheme did not offer any secrecy, i.e. the message is safe from alteration but not from eavesdropping. However it is easy to provide both functions by a double use of the public key scheme:

Z = E_{KU_b}[E_{KR_a}(X)]

X = D_{KU_a}[D_{KR_b}(Z)]

In other words the authentication function is wrapped inside the secrecy function. This is computationally a heavy solution, since the public key algorithm must be executed four times.

Conventional Encryption

Needed to work:

1. The same algorithm with the same key is used for encryption and decryption

2. The sender and the receiver must share the algorithm and the key

Needed for security:

1. The key must be kept secret

2. It must be impractical to decipher a message if no other information is available

3. Knowledge of the algorithm plus samples of the ciphertext must be insufficient to determine the key

Public-key Encryption

Needed to work:

1. One algorithm is used for encryption and decryption with a pair of keys, one for encryption and one for decryption

2. The sender and the receiver must each have one of the matched pair of keys

Needed for security:

1. One of the two keys must be kept secret

2. It must be impractical to decipher a message if no other information is available

3. Knowledge of the algorithm plus one of the keys plus samples of the ciphertext must be insufficient to determine the other key



One-way function

A one-way function is one-to-one (every value has a unique inverse) with the condition that calculating Y = f(X) is easy while computing the inverse X = f^{-1}(Y) is infeasible.

A trap-door one-way function is a one-way function which is however easy to calculate also in the inverse direction given some additional information.

A trap-door one-way function is a family of invertible functions f_k such that

Y = f_k(X) is easy if k and X are known,

X = f_k^{-1}(Y) is easy if k and Y are known,

X = f_k^{-1}(Y) is infeasible if Y is known but k is unknown.

The development of a practical public key cryptosystem depends on the discovery of a suitable trap-door one-way function.


One-way functions cont...

• It is not known if one-way functions exist or not,

but many functions are believed to be one-way.

• In practice one-way functions are complex to

calculate in both directions. Public key

cryptography could not exist without computers.

– ”Easy to calculate” means in this context that the problem can be solved in polynomial time as a function of the input length

– ”Infeasible” is a fuzzier concept. The problem is said to be infeasible if the effort needed to solve it grows faster than any polynomial in the input length. An example is a solving effort of 2^n for input length n.

• A keyed one-way function produces a conventional cryptosystem.

One-way functions cont...

Public key cryptosystems are based on the following trap-door one-way functions:

• Finding the discrete logarithm

– a^x mod p = b; find x?

– easy over the integers, but difficult in modular (remainder class) arithmetic

• Finding the prime factors of large numbers

– a = p * q; find p and q when a is known?

• Elliptic curves (the discrete logarithm in the group of points on a curve)

• Knapsack problem (historical; the Merkle-Hellman scheme was broken)

• Generally some problem believed to be computationally hard; note that neither factoring nor the discrete logarithm is known to be NP-complete


The RSA algorithm

• Developed in 1977 by Rivest, Shamir and Adleman at MIT.

• The first real public key cryptosystem capable of both encryption and digital signatures.

• The only widely accepted and implemented general purpose PKC (at the time of these slides)

• A block cipher in the sense that plaintext blocks are interpreted as integers smaller than the modulus

• Based on factoring large numbers, which is not known to be NP-complete

• Security is believed to rest on the difficulty of factoring, although no proof that breaking RSA is equivalent to factoring is known

• No longer patented since 2000

RSA ...

Encryption and decryption are of the following form for a plaintext block M and ciphertext block C:

C = M^e mod n

M = C^d mod n = (M^e)^d mod n = M^{ed} mod n

Both the sender and the receiver know n and e, but only the receiver knows d. Thus the public key is KU = {e, n} and the private key is KR = {d, n}.

The requirements for this PKC:

1. It is possible to find values e, d, n such that M^{ed} = M mod n for all M < n

2. It is (relatively) easy to calculate M^e mod n and C^d mod n for all M < n

3. It is infeasible to determine d given e and n.


The RSA Algorithm

RSA example – key generation

1. Select two primes p = 7 and q = 17.

2. Calculate n = pq = 119.

3. Calculate φ(n) = (p-1)(q-1) = 96.

4. Select e such that e is relatively prime to φ(n) = 96 and less than φ(n); in this case select e = 5.

5. Determine d such that de = 1 mod 96 and d < 96. The correct value is d = 77, because 77*5 = 385 = 4*96 + 1.

KU = {5, 119} and KR = {77, 119}


RSA example – encryption and decryption

Encryption C = M^e mod n; e.g. for M = 19: C = 19^5 mod 119 = 66

Decryption M = C^d mod n; e.g. 66^77 mod 119 = 19
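Added example, not from the original slides: textbook RSA in Python with the key generation steps above (p = 7, q = 17, e = 5), encryption and decryption, the ”encrypt with the private key” signature use from the basic-principle slides, and a demonstration of requirement 3 failing for a tiny modulus: an attacker who can factor n recomputes d exactly as the key owner did. Assumes Python 3.8 or newer (`pow(e, -1, m)` for the modular inverse). The message value 19 is a constructed test input.

```python
"""Textbook RSA with the slides' parameters, plus a factoring attack on the toy modulus."""
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """Return ((n, e), (n, d)) for primes p, q and a public exponent e coprime to phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse: e*d = 1 mod phi(n)
    return (n, e), (n, d)


def rsa_encrypt(m: int, public) -> int:
    """C = M^e mod n; the block M must be an integer smaller than n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("block must be an integer smaller than n")
    return pow(m, e, n)


def rsa_decrypt(c: int, private) -> int:
    """M = C^d mod n."""
    n, d = private
    return pow(c, d, n)


def rsa_sign(m: int, private) -> int:
    """'Encrypt with the private key': S = M^d mod n (textbook form, no hashing)."""
    n, d = private
    return pow(m, d, n)


def rsa_verify(m: int, s: int, public) -> bool:
    """Anyone holding the public key checks S^e mod n == M."""
    n, e = public
    return pow(s, e, n) == m


def recover_private_exponent(n: int, e: int) -> int:
    """Mathematical attack on the trap door: factor n by trial division, then
    recompute d the same way the key owner did. Feasible only because n is tiny."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1))
    raise ValueError("n has no non-trivial factor")
```

Textbook RSA as shown here is deterministic and malleable (multiplying two ciphertexts gives the encryption of the product), which is why real deployments pad the block before exponentiation; the slides' numbers are for illustrating the arithmetic only.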

RSA cryptanalysis

• Brute force: the number of different keys has to be large, just like in conventional cryptography

– however large keys slow down the encryption rapidly, making its use impractical

• Mathematical attacks: attacks against the one-way function, i.e. factoring n

– RSA-129 was broken in 1994

• about 1600 computers used over the internet; took 8 months

– a 130-digit number was the longest that had been factorised at the time of these slides

– 1024-bit keys (about 300 digits) were then the recommended size

• Timing attacks

– an attack from a completely unexpected direction

– monitor the execution times of different parts of the algorithm and thus gain knowledge of the key

– a ciphertext-only attack


Key management

• One of the major applications of PKCs

• There are two aspects to the use of a PKC in this

regard:

– the distribution of public keys

1.Public announcement

2.Publicly available directory

3.Public-key authority

4.Public key certificates

– the use of public-key encryption to distribute secret

keys.

1.Simple secret key distribution

2.Secret key distribution with confidentiality and authentication

Distribution of public keys –

Public announcement

• Simply publish the public key of some widely accepted standard algorithm like RSA

– anybody can send his public key to any participant or broadcast it to the community at large

– e.g. many PGP users have adopted the practice of appending their public key to messages that they send to public forums

• This approach is very convenient, but it has a major weakness: anybody can easily forge the public announcement

– the forger is then able to read all encrypted messages intended for the original receiver

– the forger is also able to use the forged keys for authentication (until the forgery is discovered)


Distribution of public keys –

Publicly available directory

• Maintain a publicly available dynamic directory of public

keys

– maintenance and distribution of the public keys is the responsibility of a trusted third party (TTP)

• The needed elements for this kind of scheme

1. Participants register a public key using some form of secure authenticated communication

2. A participant can replace an existing key at any time

3. Periodically the authority publishes the whole directory of keys

• There are still vulnerabilities: the opponent could tamper with the records kept by the authority

Distribution of public keys –

Public key authority

A central authority maintains a dynamic directory of public keys of all participants.

All participants reliably know the public key of the authority.

1. The initiator A sends a timestamped message to the authority requesting the current public key of B.

2. The authority responds with a message encrypted with the authority's private key KR_auth. The message contains

- KU_b, which A can use to encrypt messages to B

- the original request, so that A can verify that it was not altered by the opponent

- the original timestamp, so that A can determine that this is not an old message containing an outdated public key for B (replay attack)

3. A sends to B its identifier ID_A and a nonce N1, used for identifying the transaction uniquely. The message is encrypted with KU_b.

4.-5. B retrieves the public key of A from the authority in the same manner that A did (steps 4 and 5 mirror steps 1 and 2).


Distribution of public keys –

Public key authority

New public keys have been securely delivered to A and B. However two additional steps are needed for mutual authentication.

6. B sends a message to A encrypted with KU_a and containing A's nonce N1 and a new nonce N2. Because only B could have decrypted N1, B's authenticity is verified.

7. A returns N2 encrypted with B's public key to assure B of A's identity.

Note that steps 1-5 need only be taken infrequently because A and B both save the public keys.

The authority could be somewhat of a bottleneck in the system.

The directory maintained by the authority is vulnerable to tampering.


Distribution of public keys –

Public key Certificates

Suggested by Kohnfelder in 1978

In this approach certificates are used to enable

participants to exchange keys without contacting the

authority in a way that is as reliable as if the keys were

obtained from the certificate authority (CA)

A certificate contains a public key and other information,

is created by the authority, and is given to the participant

with the matching private key.

A participant conveys its public key to another by

transmitting the certificate. Other participants can verify

that the certificate was created by the authority.

In a simple PKI architecture, the CA may be the systems administrator who issues certificates to end users.

In a more complex environment, a CA may be a large

enterprise, a government agency, or a third-party

consortium that acts as a trust agent for a specific

industry.

Distribution of public keys –

Public key Certificates

The requirements for the scheme

Any participant must be able to decrypt certificates to

get the public key and other information

Any participant must be able to verify that the certificate has been created by the authority

Only the authority can create or update certificates

Any participant must be able to verify the currency of

the certificate

Trusting a CA assumes that the authority has taken

significant measures to verify the certificate holder's

identity.

The basic principle

The certificate of a participant A is

C_A = E_{KR_auth}[T, ID_A, KU_a]

Any participant can read the certificate using the authority's public key:

D_{KU_auth}[C_A] = D_{KU_auth}[E_{KR_auth}[T, ID_A, KU_a]] = (T, ID_A, KU_a)


Distribution of public keys –

Public key Certificates

In practice, the certificate also contains other information:

- version

- validity time

- algorithms used

- issuer

- extensions

The X.509 standard has become universally accepted for formatting public key certificates.

- used in IPSec, SSL, SET, S/MIME


Public key distribution of Secret Keys –

Simple secret key distribution

It is assumed that A and B have already exchanged public keys and now they want to exchange secret keys (i.e. conventional session keys) for the transmission of messages.

1. The initiator A generates a key pair {KU_a, KR_a} and transmits a message to B consisting of KU_a and A's identifier ID_A.

2. B generates the secret key K_s and transmits it to A encrypted with KU_a.

3. A computes D_{KR_a}[E_{KU_a}[K_s]]. Now both A and B know the secret key K_s.

4. The public and private keys involved are discarded.

This is an attractive protocol. No keys exist before or after the key exchange, so there is no risk of compromising the keys. Also the communication is safe from (passive) eavesdropping.

This protocol is however vulnerable to an active attack – the so called ”man in the middle” attack, because nothing in step 1 ties KU_a to A.

Public key distribution of Secret Keys –

Man in the middle - attack

In the previous simple secret key distribution, suppose that an opponent E has control of the communication channel.

1. The initiator A generates a key pair {KU_a, KR_a} and transmits a message to B consisting of KU_a and A's identifier ID_A.

2. E intercepts the message, creates its own key pair {KU_e, KR_e} and transmits KU_e || ID_A to B.

3. B generates the secret key K_s and transmits it to A encrypted with KU_e, believing that it was A's public key.

4. E intercepts the message and learns K_s by decrypting the message with KR_e.

5. E transmits K_s to A encrypted with KU_a.

Neither A nor B noticed anything wrong in the key exchange. A and B are unaware that E also knows the secret key.

E no longer needs to interfere actively with the communication, but simply eavesdrops.
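Added example, not from the original slides: a simulation of the simple secret key distribution protocol and of the man-in-the-middle attack on it, with the three parties' computations written out step by step. The public-key operations are textbook RSA with toy, hard-coded key pairs (A's is the RSA example from these slides; E's is constructed here with p = 11, q = 13), and the session key value 42 is constructed; nothing here is secure, it only makes the message flow visible.

```python
"""Simple secret key distribution (steps 1-3) with and without an active opponent E."""

# Constructed toy RSA key pairs as (n, e, d). A: p=7, q=17 (the slides' example).
# E: p=11, q=13, phi=120, e=7, d=103 (7*103 = 721 = 6*120 + 1).
A_KEYS = (119, 5, 77)
E_KEYS = (143, 7, 103)


def pk_encrypt(m: int, n: int, e: int) -> int:
    return pow(m, e, n)


def pk_decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)


def simple_exchange(mitm: bool, ks: int = 42):
    """Run the protocol. With mitm=True the opponent E, who controls the channel,
    rewrites both messages. Returns (Ks chosen by B, Ks as recovered by A,
    Ks learned by E or None)."""
    n_a, e_a, d_a = A_KEYS
    n_e, e_e, d_e = E_KEYS
    learned_by_e = None

    # Step 1: A -> B : KU_a || ID_A, sent in the clear; nothing authenticates KU_a.
    msg1 = {"id": "A", "pub": (n_a, e_a)}
    if mitm:
        # Step 2 of the attack: E substitutes its own public key, keeps A's identifier.
        msg1 = {"id": "A", "pub": (n_e, e_e)}

    # Step 2: B generates Ks and encrypts it with whatever key arrived labelled "A".
    n_seen, e_seen = msg1["pub"]
    msg2 = pk_encrypt(ks, n_seen, e_seen)
    if mitm:
        # Steps 4-5 of the attack: E decrypts Ks with KR_e and re-encrypts it with the
        # real KU_a so that A receives exactly what it expects.
        learned_by_e = pk_decrypt(msg2, n_e, d_e)
        msg2 = pk_encrypt(learned_by_e, n_a, e_a)

    # Step 3: A recovers Ks with KR_a. A and B agree on Ks and see nothing unusual.
    ks_at_a = pk_decrypt(msg2, n_a, d_a)
    return ks, ks_at_a, learned_by_e
```

The two return values for A and B are identical whether or not E is present, which is the whole point: the protocol has no way for either party to detect the substitution, and the fix (next slide) is to bind the exchange to nonces and to A's private key so that E cannot replace A's public key unnoticed.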


Secret key distribution with confidentiality and

authentication (countermeasure to man-in-the-middle)

A scheme providing protection against both passive and active attacks:

1. A sends ID_A and a nonce N1, to identify the transaction uniquely, encrypted with KU_b.

2. B replies with N1 and a new nonce N2, encrypted with KU_a. The presence of N1 in the message assures A that the correspondent is B.

3. A returns N2 encrypted with B's public key. This assures B that the correspondent is A.

4. A generates the secret key K_s and transmits M = E_{KU_b}[E_{KR_a}[K_s]] to B. Now only B can decrypt M, and the encryption with A's private key proves that A was the sender of M.

5. B computes D_{KU_a}[D_{KR_b}[M]] to recover the key.


Diffie-Hellman key exchange

The first published public key algorithm, by Diffie and Hellman in 1976.

No longer patented since 1997.

Widely used in commercial products.

The purpose is to enable two users to exchange a key securely, to be used in subsequent encryption of messages.

- both communicating parties can independently compute the secret key without exchanging any secret information

- allows the construction of a common secret key over an insecure communication channel

The algorithm is based on the difficulty of computing discrete logarithms in modular (remainder-class) arithmetic.

- it is relatively easy to calculate exponentials modulo a prime, but it is infeasible to calculate discrete logarithms


Diffie-Hellman - example

Global public elements are chosen as the prime q = 97 and a primitive root of q, α = 5.

A and B select the secret keys X_A = 36 and X_B = 58.

Each computes the public key:

Y_A = 5^36 mod 97 = 50

Y_B = 5^58 mod 97 = 44

A and B exchange the public keys (encryption is not needed).

Now each can compute the common secret key:

K = (Y_B)^{X_A} mod 97 = 44^36 mod 97 = 75

K = (Y_A)^{X_B} mod 97 = 50^58 mod 97 = 75

An opponent who knows {q, α, Y_A, Y_B} cannot compute K = 75 without taking a discrete logarithm.
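Added example, not from the original slides: the exchange above in Python with the slides' parameters (q = 97, α = 5, X_A = 36, X_B = 58), plus the opponent's side, a brute-force discrete logarithm. With a 97-element group the ”infeasible” step takes microseconds, which is the practical content of the remark on the next slide that security depends on the choice of modulus and generator.

```python
"""Diffie-Hellman with the slides' parameters, and the opponent's discrete-log attack."""


def dh_public(alpha: int, q: int, x: int) -> int:
    """Y = alpha^x mod q: the public value derived from the secret exponent x."""
    return pow(alpha, x, q)


def dh_shared(y_other: int, x_own: int, q: int) -> int:
    """K = (Y_other)^X_own mod q, computed independently by each side."""
    return pow(y_other, x_own, q)


def discrete_log(alpha: int, y: int, q: int) -> int:
    """Exhaustive search for x with alpha^x = y mod q. The work grows with q, which
    is why real deployments use a prime of 2048 bits or more rather than 97."""
    acc = 1
    for x in range(q):
        if acc == y:
            return x
        acc = acc * alpha % q
    raise ValueError("no discrete logarithm found (alpha is not a generator?)")


def exchange(q: int = 97, alpha: int = 5, x_a: int = 36, x_b: int = 58):
    """Full exchange. Returns (Y_A, Y_B, K at A, K at B, K recovered by an eavesdropper)."""
    y_a = dh_public(alpha, q, x_a)      # A -> B : Y_A
    y_b = dh_public(alpha, q, x_b)      # B -> A : Y_B
    k_a = dh_shared(y_b, x_a, q)
    k_b = dh_shared(y_a, x_b, q)
    # The opponent sees only {q, alpha, Y_A, Y_B}: solves for X_A, then computes K.
    x_a_recovered = discrete_log(alpha, y_a, q)
    k_eve = dh_shared(y_b, x_a_recovered, q)
    return y_a, y_b, k_a, k_b, k_eve
```

Note that the passive opponent here recovers K outright only because q is tiny; against a properly sized group the attack on the next slide is the active one, substituting Y values in transit, and it is defeated by signing the exchanged values rather than by a larger modulus.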

A simple protocol using Diffie-Hellman – key

exchange


Diffie-Hellman - attacks

The key exchange is vulnerable to the ”man in the middle” attack

- the opponent who controls the communication line substitutes its own public values in both directions and shares a different key with each party

- use digital signatures on the exchanged values as a countermeasure

Mathematical attacks: the algorithm is generally considered secure

- the security may be compromised by bad choices of the modulus and generator

Other public key applications -

blind signature (just an example)

The purpose is to be able to get a signature without exposing anything of the message being signed.

The person who signs does not know what he signed, but he is able to prove later that the signature is (or is not) his.

eCash is an example application; others are time-stamp services and anonymous access services.

A wants B to sign a message M without B knowing anything about M. We use RSA to implement the blind signature.

B has a public key (n, e) and a private key (n, d). A generates a random number r such that gcd(r, n) = 1.

A sends the message M' = r^e M mod n (the message M is blinded with the random number r).

B responds with S' = (M')^d = (r^e M)^d mod n.

Because S' = r M^d mod n, A can get the signature S as

S = S' r^{-1} mod n = (r M^d) r^{-1} mod n = M^d mod n (A removes the blinding).

Thus A now has B's signature S on M!

Note that only algorithms where blinding commutes with signing (like RSA, where (r^e M)^d = r M^d mod n) can be used.
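Added example, not from the original slides: the RSA blind signature above carried out in Python with B's key from the RSA example on this page (n = 119, e = 5, d = 77); the message M = 19 and blinding factor r = 10 are constructed test values. The signer's function receives only the blinded value, and the result is checked against the signature B would have produced on M directly. Assumes Python 3.8 or newer for `pow(r, -1, n)`.

```python
"""RSA blind signature: A gets B's signature on M without B seeing M."""
from math import gcd

# B's toy RSA key from the slides: public (n, e), private (n, d).
N, E, D = 119, 5, 77


def blind(m: int, r: int, n: int = N, e: int = E) -> int:
    """A's side: M' = r^e * M mod n. Needs gcd(r, n) = 1 so r can be removed later."""
    if gcd(r, n) != 1:
        raise ValueError("blinding factor must be invertible mod n")
    return pow(r, e, n) * m % n


def sign_blinded(m_blind: int, n: int = N, d: int = D) -> int:
    """B's side: S' = (M')^d mod n. B only ever sees M', never M."""
    return pow(m_blind, d, n)


def unblind(s_blind: int, r: int, n: int = N) -> int:
    """A's side: S = S' * r^-1 mod n, since (r^e M)^d = r^(ed) M^d = r M^d mod n."""
    return s_blind * pow(r, -1, n) % n


def verify(m: int, s: int, n: int = N, e: int = E) -> bool:
    """Anyone can check the unblinded signature with B's public key: S^e = M mod n."""
    return pow(s, e, n) == m


def blind_signature_demo(m: int = 19, r: int = 10):
    """Return (value B saw, final signature, whether it verifies, B's direct signature on M)."""
    m_blind = blind(m, r)
    s = unblind(sign_blinded(m_blind), r)
    return m_blind, s, verify(m, s), pow(m, D, N)
```

The same multiplicative property that makes blinding possible is also why textbook RSA must never sign raw values in other settings: a signer who will sign anything blinded can be made to sign something it would refuse to sign in the clear.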
