Chapter 1
Overview of Cryptography

Contents in Brief
1.1 Introduction 1
1.2 Information security and cryptography 2
1.3 Background on functions 6
1.4 Basic terminology and concepts 11
1.5 Symmetric-key encryption 15
1.6 Digital signatures 22
1.7 Authentication and identification 24
1.8 Public-key cryptography 25
1.9 Hash functions 33
1.10 Protocols and mechanisms 33
1.11 Key establishment, management, and certification 35
1.12 Pseudorandom numbers and sequences 39
1.13 Classes of attacks and security models 41
1.14 Notes and further references 45
1.1 Introduction

Cryptography has a long and fascinating history. The most complete non-technical account of the subject is Kahn's The Codebreakers. This book traces cryptography from its initial and limited use by the Egyptians some 4000 years ago, to the twentieth century where it played a crucial role in the outcome of both world wars. Completed in 1963, Kahn's book covers those aspects of the history which were most significant (up to that time) to the development of the subject. The predominant practitioners of the art were those associated with the military, the diplomatic service and government in general. Cryptography was used as a tool to protect national secrets and strategies.

The proliferation of computers and communications systems in the 1960s brought with it a demand from the private sector for means to protect information in digital form and to provide security services. Beginning with the work of Feistel at IBM in the early 1970s and culminating in 1977 with the adoption as a U.S. Federal Information Processing Standard for encrypting unclassified information, DES, the Data Encryption Standard, is the most well-known cryptographic mechanism in history. It remains the standard means for securing electronic commerce for many financial institutions around the world. (This describes the situation in 1997; DES's 56-bit key has since been shown to be brute-forceable in practice, and the standard was withdrawn in 2005.)

The most striking development in the history of cryptography came in 1976 when Diffie and Hellman published New Directions in Cryptography. This paper introduced the revolutionary concept of public-key cryptography and also provided a new and ingenious method for key exchange, the security of which is based on the intractability of the discrete logarithm problem. Although the authors had no practical realization of a public-key encryption scheme at the time, the idea was clear and it generated extensive interest and activity in the cryptographic community. In 1978 Rivest, Shamir, and Adleman discovered the first practical public-key encryption and signature scheme, now referred to as RSA. The RSA scheme is based on another hard mathematical problem, the intractability of factoring large integers. This application of a hard mathematical problem to cryptography revitalized efforts to find more efficient methods to factor. The 1980s saw major advances in this area but none which rendered the RSA system insecure. Another class of powerful and practical public-key schemes was found by ElGamal in 1985. These are also based on the discrete logarithm problem.

One of the most significant contributions provided by public-key cryptography is the digital signature. In 1991 the first international standard for digital signatures (ISO/IEC 9796) was adopted. It is based on the RSA public-key scheme. In 1994 the U.S. Government adopted the Digital Signature Standard, a mechanism based on the ElGamal public-key scheme.

The search for new public-key schemes, improvements to existing cryptographic mechanisms, and proofs of security continues at a rapid pace. Various standards and infrastructures involving cryptography are being put in place. Security products are being developed to address the security needs of an information intensive society.

The purpose of this book is to give an up-to-date treatise of the principles, techniques, and algorithms of interest in cryptographic practice. Emphasis has been placed on those aspects which are most practical and applied. The reader will be made aware of the basic issues and pointed to specific related research in the literature where more in-depth discussions can be found. Due to the volume of material which is covered, most results will be stated without proofs. This also serves the purpose of not obscuring the very applied nature of the subject. This book is intended for both implementers and researchers. It describes algorithms, systems, and their interactions.

Chapter 1 is a tutorial on the many and various aspects of cryptography. It does not attempt to convey all of the details and subtleties inherent to the subject. Its purpose is to introduce the basic issues and principles and to point the reader to appropriate chapters in the book for more comprehensive treatments. Specific techniques are avoided in this chapter.
1.2 Information security and cryptography

The concept of information will be taken to be an understood quantity. To introduce cryptography, an understanding of issues related to information security in general is necessary. Information security manifests itself in many ways according to the situation and requirement. Regardless of who is involved, to one degree or another, all parties to a transaction must have confidence that certain objectives associated with information security have been met. Some of these objectives are listed in Table 1.1.
Table 1.1: Some information security objectives.
privacy or confidentiality: keeping information secret from all but those who are authorized to see it.
data integrity: ensuring information has not been altered by unauthorized or unknown means.
entity authentication or identification: corroboration of the identity of an entity (e.g., a person, a computer terminal, a credit card, etc.).
message authentication: corroborating the source of information; also known as data origin authentication.
signature: a means to bind information to an entity.
authorization: conveyance, to another entity, of official sanction to do or be something.
validation: a means to provide timeliness of authorization to use or manipulate information or resources.
access control: restricting access to resources to privileged entities.
certification: endorsement of information by a trusted entity.
timestamping: recording the time of creation or existence of information.
witnessing: verifying the creation or existence of information by an entity other than the creator.
receipt: acknowledgement that information has been received.
confirmation: acknowledgement that services have been provided.
ownership: a means to provide an entity with the legal right to use or transfer a resource to others.
anonymity: concealing the identity of an entity involved in some process.
non-repudiation: preventing the denial of previous commitments or actions.
revocation: retraction of certification or authorization.

Over the centuries, an elaborate set of protocols and mechanisms has been created to deal with information security issues when the information is conveyed by physical documents. Often the objectives of information security cannot be achieved through mathematical algorithms and protocols alone, but require procedural techniques and abidance of laws to achieve the desired result. For example, privacy of letters is provided by sealed envelopes delivered by an accepted mail service. The physical security of the envelope is, for practical necessity, limited and so laws are enacted which make it a criminal offense to open mail for which one is not authorized. It is sometimes the case that security is achieved not through the information itself but through the physical document recording it. For example, paper currency requires special inks and material to prevent counterfeiting.

©1997 by CRC Press, Inc. — See accompanying notice at front of chapter.
Conceptually, the way information is recorded has not changed dramatically over time. Whereas information was typically stored and transmitted on paper, much of it now resides on magnetic media and is transmitted via telecommunications systems, some wireless. What has changed dramatically is the ability to copy and alter information. One can make thousands of identical copies of a piece of information stored electronically and each is indistinguishable from the original. With information on paper, this is much more difficult. What is needed then for a society where information is mostly stored and transmitted in electronic form is a means to ensure information security which is independent of the physical medium recording or conveying it and such that the objectives of information security rely solely on digital information itself.
One of the fundamental tools used in information security is the signature. It is a building block for many other services such as non-repudiation, data origin authentication, identification, and witnessing, to mention a few. Having learned the basics in writing, an individual is taught how to produce a handwritten signature for the purpose of identification. At contract age the signature evolves to take on a very integral part of the person's identity. This signature is intended to be unique to the individual and serve as a means to identify, authorize, and validate. With electronic information the concept of a signature needs to be redressed; it cannot simply be something unique to the signer and independent of the information signed. Electronic replication of it is so simple that appending a signature to a document not signed by the originator of the signature is almost a triviality.

Handbook of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone.

Analogues of the "paper protocols" currently in use are required. Hopefully these new electronic based protocols are at least as good as those they replace. There is a unique opportunity for society to introduce new and more efficient ways of ensuring information security. Much can be learned from the evolution of the paper based system, mimicking those aspects which have served us well and removing the inefficiencies.
Achieving information security in an electronic society requires a vast array of technical and legal skills. There is, however, no guarantee that all of the information security objectives deemed necessary can be adequately met. The technical means is provided through cryptography.

1.1 Definition Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication.

Cryptography is not the only means of providing information security, but rather one set of techniques.

Cryptographic goals

Of all the information security objectives listed in Table 1.1, the following four form a framework upon which the others will be derived: (1) privacy or confidentiality (§1.5, §1.8); (2) data integrity (§1.9); (3) authentication (§1.7); and (4) non-repudiation (§1.6).

1. Confidentiality is a service used to keep the content of information from all but those authorized to have it. Secrecy is a term synonymous with confidentiality and privacy. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible.
2. Data integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes such things as insertion, deletion, and substitution.
3. Authentication is a service related to identification. This function applies to both entities and information itself. Two parties entering into a communication should identify each other. Information delivered over a channel should be authenticated as to origin, date of origin, data content, time sent, etc. For these reasons this aspect of cryptography is usually subdivided into two major classes: entity authentication and data origin authentication. Data origin authentication implicitly provides data integrity (for if a message is modified, the source has changed).
4. Non-repudiation is a service which prevents an entity from denying previous commitments or actions. When disputes arise due to an entity denying that certain actions were taken, a means to resolve the situation is necessary. For example, one entity may authorize the purchase of property by another entity and later deny such authorization was granted. A procedure involving a trusted third party is needed to resolve the dispute.

A fundamental goal of cryptography is to adequately address these four areas in both theory and practice. Cryptography is about the prevention and detection of cheating and other malicious activities.
This book describes a number of basic cryptographic tools (primitives) used to provide information security. Examples of primitives include encryption schemes (§1.5 and §1.8), hash functions (§1.9), and digital signature schemes (§1.6). Figure 1.1 provides a schematic listing of the primitives considered and how they relate. Many of these will be briefly introduced in this chapter, with detailed discussion left to later chapters.

Figure 1.1: A taxonomy of cryptographic primitives. (The diagram is not reproduced; its tree is as follows.)
Security primitives
  Unkeyed primitives: arbitrary length hash functions; one-way permutations; random sequences
  Symmetric-key primitives: symmetric-key ciphers (block ciphers, stream ciphers); arbitrary length hash functions (MACs); signatures; pseudorandom sequences; identification primitives
  Public-key primitives: public-key ciphers; signatures; identification primitives

These primitives should be evaluated with respect to various criteria such as:
1. level of security. This is usually difficult to quantify. Often it is given in terms of the number of operations required (using the best methods currently known) to defeat the intended objective. Typically the level of security is defined by an upper bound on the amount of work necessary to defeat the objective. This is sometimes called the work factor (see §1.13.4).
2. functionality. Primitives will need to be combined to meet various information security objectives. Which primitives are most effective for a given objective will be determined by the basic properties of the primitives.
3. methods of operation. Primitives, when applied in various ways and with various inputs, will typically exhibit different characteristics; thus, one primitive could provide very different functionality depending on its mode of operation or usage.
4. performance. This refers to the efficiency of a primitive in a particular mode of operation. (For example, an encryption algorithm may be rated by the number of bits per second which it can encrypt.)
5. ease of implementation. This refers to the difficulty of realizing the primitive in a practical instantiation. This might include the complexity of implementing the primitive in either a software or hardware environment.
The relative importance of various criteria is very much dependent on the application and resources available. For example, in an environment where computing power is limited one may have to trade off a very high level of security for better performance of the system as a whole.

Cryptography, over the ages, has been an art practised by many who have devised ad hoc techniques to meet some of the information security requirements. The last twenty years have been a period of transition as the discipline moved from an art to a science. There are now several international scientific conferences devoted exclusively to cryptography and also an international scientific organization, the International Association for Cryptologic Research (IACR), aimed at fostering research in the area.

This book is about cryptography: the theory, the practice, and the standards.
1.3 Background on functions

While this book is not a treatise on abstract mathematics, a familiarity with basic mathematical concepts will prove to be useful. One concept which is absolutely fundamental to cryptography is that of a function in the mathematical sense. A function is alternately referred to as a mapping or a transformation.

1.3.1 Functions (1-1, one-way, trapdoor one-way)

A set consists of distinct objects which are called elements of the set. For example, a set $X$ might consist of the elements $a$, $b$, $c$, and this is denoted $X = \{a, b, c\}$.

1.2 Definition A function is defined by two sets $X$ and $Y$ and a rule $f$ which assigns to each element in $X$ precisely one element in $Y$. The set $X$ is called the domain of the function and $Y$ the codomain. If $x$ is an element of $X$ (usually written $x \in X$) the image of $x$ is the element in $Y$ which the rule $f$ associates with $x$; the image $y$ of $x$ is denoted by $y = f(x)$. Standard notation for a function $f$ from set $X$ to set $Y$ is $f\colon X \to Y$. If $y \in Y$, then a preimage of $y$ is an element $x \in X$ for which $f(x) = y$. The set of all elements in $Y$ which have at least one preimage is called the image of $f$, denoted $\mathrm{Im}(f)$.

1.3 Example (function) Consider the sets $X = \{a, b, c\}$, $Y = \{1, 2, 3, 4\}$, and the rule $f$ from $X$ to $Y$ defined as $f(a) = 2$, $f(b) = 4$, $f(c) = 1$. Figure 1.2 shows a schematic of the sets $X$, $Y$ and the function $f$. The preimage of the element 2 is $a$. The image of $f$ is $\{1, 2, 4\}$. □

Thinking of a function in terms of the schematic (sometimes called a functional diagram) given in Figure 1.2, each element in the domain $X$ has precisely one arrowed line originating from it. Each element in the codomain $Y$ can have any number of arrowed lines incident to it (including zero lines).
Figure 1.2: A function $f$ from a set $X$ of three elements to a set $Y$ of four elements. (Diagram not reproduced: $X = \{a, b, c\}$, $Y = \{1, 2, 3, 4\}$, with arrows $a \to 2$, $b \to 4$, $c \to 1$; the element 3 has no incoming arrow.)
Often only the domain $X$ and the rule $f$ are given and the codomain is assumed to be the image of $f$. This point is illustrated with two examples.

1.4 Example (function) Take $X = \{1, 2, 3, \ldots, 10\}$ and let $f$ be the rule that for each $x \in X$, $f(x) = r_x$, where $r_x$ is the remainder when $x^2$ is divided by 11. Explicitly then
$$f(1) = 1,\quad f(2) = 4,\quad f(3) = 9,\quad f(4) = 5,\quad f(5) = 3,$$
$$f(6) = 3,\quad f(7) = 5,\quad f(8) = 9,\quad f(9) = 4,\quad f(10) = 1.$$
The image of $f$ is the set $Y = \{1, 3, 4, 5, 9\}$. □

1.5 Example (function) Take $X = \{1, 2, 3, \ldots, 10^{50}\}$ and let $f$ be the rule $f(x) = r_x$, where $r_x$ is the remainder when $x^2$ is divided by $10^{50} + 1$ for all $x \in X$. Here it is not feasible to write down $f$ explicitly as in Example 1.4, but nonetheless the function is completely specified by the domain and the mathematical description of the rule $f$. □
(i) 1-1 functions

1.6 Definition A function (or transformation) is 1-1 (one-to-one) if each element in the codomain $Y$ is the image of at most one element in the domain $X$.

1.7 Definition A function (or transformation) is onto if each element in the codomain $Y$ is the image of at least one element in the domain. Equivalently, a function $f\colon X \to Y$ is onto if $\mathrm{Im}(f) = Y$.

1.8 Definition If a function $f\colon X \to Y$ is 1-1 and $\mathrm{Im}(f) = Y$, then $f$ is called a bijection.

1.9 Fact If $f\colon X \to Y$ is 1-1 then $f\colon X \to \mathrm{Im}(f)$ is a bijection. In particular, if $f\colon X \to Y$ is 1-1, and $X$ and $Y$ are finite sets of the same size, then $f$ is a bijection.

In terms of the schematic representation, if $f$ is a bijection, then each element in $Y$ has exactly one arrowed line incident with it. The functions described in Examples 1.3 and 1.4 are not bijections. In Example 1.3 the element 3 is not the image of any element in the domain. In Example 1.4 each element in the codomain has two preimages.

1.10 Definition If $f$ is a bijection from $X$ to $Y$ then it is a simple matter to define a bijection $g$ from $Y$ to $X$ as follows: for each $y \in Y$ define $g(y) = x$ where $x \in X$ and $f(x) = y$. This function $g$ obtained from $f$ is called the inverse function of $f$ and is denoted by $g = f^{-1}$.
Figure 1.3: A bijection $f$ from $X = \{a, b, c, d, e\}$ to $Y = \{1, 2, 3, 4, 5\}$ and its inverse $g = f^{-1}$. (Diagram not reproduced; the arrows of $g$ are those of $f$ reversed.)
1.11 Example (inverse function) Let $X = \{a, b, c, d, e\}$, and $Y = \{1, 2, 3, 4, 5\}$, and consider the rule $f$ given by the arrowed edges in Figure 1.3. $f$ is a bijection and its inverse $g$ is formed simply by reversing the arrows on the edges. The domain of $g$ is $Y$ and the codomain is $X$. □

Note that if $f$ is a bijection, then so is $f^{-1}$. In cryptography bijections are used as the tool for encrypting messages and the inverse transformations are used to decrypt. This will be made clearer in §1.4 when some basic terminology is introduced. Notice that if the transformations were not bijections then it would not be possible to always decrypt to a unique message.
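Definitions 1.2 to 1.10 worked on the finite sets of Examples 1.3, 1.4 and 1.11, as an added illustration that is not code from the Handbook. A function on a finite domain is just a table, so image, preimages, the 1-1 and onto tests, and the inverse are all a few lines each; the point worth seeing is that the inverse is refused for the two non-bijections, which is exactly why a non-bijective transformation cannot serve as a cipher. The text does not state the arrows of Figure 1.3, so the bijection used for Example 1.11 below is an assumed one; the helper names are mine.

```python
"""Finite functions as explicit tables (Examples 1.3, 1.4, 1.11 of the Handbook).

Added illustration, not the book's code. The bijection F111 is assumed; the
text gives only the sets of Example 1.11, not the arrows of Figure 1.3.
"""


def image(f):
    """Im(f): codomain elements with at least one preimage (Definition 1.2)."""
    return set(f.values())


def preimages(f, y):
    """All x in the domain with f(x) = y; empty if y is not in Im(f)."""
    return {x for x, fx in f.items() if fx == y}


def is_one_to_one(f):
    """1-1 (Definition 1.6): no codomain element is the image of two domain elements."""
    return len(set(f.values())) == len(f)


def is_onto(f, codomain):
    """Onto (Definition 1.7): Im(f) = Y."""
    return image(f) == set(codomain)


def is_bijection(f, codomain):
    """Bijection (Definition 1.8): 1-1 and onto."""
    return is_one_to_one(f) and is_onto(f, codomain)


def inverse(f, codomain):
    """f^{-1} (Definition 1.10): reverse every arrow.

    Refused unless f is a bijection: otherwise some y would have zero or several
    preimages, and "decrypting" y could not return a unique x.
    """
    if not is_bijection(f, codomain):
        raise ValueError("inverse exists only for a bijection")
    return {y: x for x, y in f.items()}


def squares_mod(m):
    """Example 1.4 generalised: x -> remainder of x^2 on division by m, x in {1..m-1}."""
    return {x: (x * x) % m for x in range(1, m)}


# Example 1.3: X = {a, b, c}, Y = {1, 2, 3, 4}, f(a)=2, f(b)=4, f(c)=1.
F13 = {"a": 2, "b": 4, "c": 1}
Y13 = {1, 2, 3, 4}

# Example 1.4: squaring modulo 11 on {1, ..., 10}.
F14 = squares_mod(11)
Y14 = set(range(1, 11))

# Example 1.11 with ASSUMED arrows (not given in the text): a bijection X -> Y.
F111 = {"a": 3, "b": 5, "c": 1, "d": 2, "e": 4}
Y111 = {1, 2, 3, 4, 5}

if __name__ == "__main__":
    print("Example 1.3: Im(f) =", sorted(image(F13)),
          "preimages of 2 =", preimages(F13, 2),
          "1-1:", is_one_to_one(F13), "onto:", is_onto(F13, Y13))
    print("Example 1.4: Im(f) =", sorted(image(F14)),
          "preimages of 3 =", preimages(F14, 3),
          "1-1:", is_one_to_one(F14))
    g = inverse(F111, Y111)
    print("Example 1.11: g =", g, "; g(f(x)) == x for all x:",
          all(g[F111[x]] == x for x in F111))
    for f, y in ((F13, Y13), (F14, Y14)):
        try:
            inverse(f, y)
        except ValueError as exc:
            print("no inverse:", exc)
```

Running it reproduces the book's statements: Im(f) = {1, 2, 4} with 3 unreached in Example 1.3, Im(f) = {1, 3, 4, 5, 9} with every value hit twice in Example 1.4, and an inverse only for the bijection of Example 1.11.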
(ii) One-way functions

There are certain types of functions which play significant roles in cryptography. At the expense of rigor, an intuitive definition of a one-way function is given.

1.12 Definition A function $f$ from a set $X$ to a set $Y$ is called a one-way function if $f(x)$ is "easy" to compute for all $x \in X$ but for "essentially all" elements $y \in \mathrm{Im}(f)$ it is "computationally infeasible" to find any $x \in X$ such that $f(x) = y$.

1.13 Note (clarification of terms in Definition 1.12)
(i) A rigorous definition of the terms "easy" and "computationally infeasible" is necessary but would detract from the simple idea that is being conveyed. For the purpose of this chapter, the intuitive meaning will suffice.
(ii) The phrase "for essentially all elements in $Y$" refers to the fact that there are a few values $y \in Y$ for which it is easy to find an $x \in X$ such that $y = f(x)$. For example, one may compute $y = f(x)$ for a small number of $x$ values and then for these, the inverse is known by table look-up. An alternate way to describe this property of a one-way function is the following: for a random $y \in \mathrm{Im}(f)$ it is computationally infeasible to find any $x \in X$ such that $f(x) = y$.

The concept of a one-way function is illustrated through the following examples.

1.14 Example (one-way function) Take $X = \{1, 2, 3, \ldots, 16\}$ and define $f(x) = r_x$ for all $x \in X$ where $r_x$ is the remainder when $3^x$ is divided by 17. Explicitly,

x     1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
f(x)  3  9 10 13  5 15 11 16 14  8  7  4 12  2  6  1

Given a number between 1 and 16, it is relatively easy to find the image of it under $f$. However, given a number such as 7, without having the table in front of you, it is harder to find $x$ given that $f(x) = 7$. Of course, if the number you are given is 3 then it is clear that $x = 1$ is what you need; but for most of the elements in the codomain it is not that easy. □
One must keep in mind that this is an example which uses very small numbers; the important point here is that there is a difference in the amount of work to compute $f(x)$ and the amount of work to find $x$ given $f(x)$. Even for very large numbers, $f(x)$ can be computed efficiently using the repeated square-and-multiply algorithm (Algorithm 2.143), whereas the process of finding $x$ from $f(x)$ is much harder.

1.15 Example (one-way function) A prime number is a positive integer greater than 1 whose only positive integer divisors are 1 and itself. Select primes $p = 48611$, $q = 53993$, form $n = pq = 2624653723$, and let $X = \{1, 2, 3, \ldots, n-1\}$. Define a function $f$ on $X$ by $f(x) = r_x$ for each $x \in X$, where $r_x$ is the remainder when $x^3$ is divided by $n$. For instance, $f(2489991) = 1981394214$ since $2489991^3 = 5881949859 \cdot n + 1981394214$. Computing $f(x)$ is a relatively simple thing to do, but to reverse the procedure is much more difficult; that is, given a remainder to find the value $x$ which was originally cubed (raised to the third power). This procedure is referred to as the computation of a modular cube root with modulus $n$. If the factors of $n$ are unknown and large, this is a difficult problem; however, if the factors $p$ and $q$ of $n$ are known then there is an efficient algorithm for computing modular cube roots. (See §8.2.2(i) for details.) □
Example 1.15 leads one to consider another type of function which will prove to be fundamental in later developments.

(iii) Trapdoor one-way functions

1.16 Definition A trapdoor one-way function is a one-way function $f\colon X \to Y$ with the additional property that given some extra information (called the trapdoor information) it becomes feasible to find for any given $y \in \mathrm{Im}(f)$, an $x \in X$ such that $f(x) = y$.

Example 1.15 illustrates the concept of a trapdoor one-way function. With the additional information of the factors of $n = 2624653723$ (namely, $p = 48611$ and $q = 53993$, each of which is five decimal digits long) it becomes much easier to invert the function. The factors of 2624653723 are large enough that finding them by hand computation would be difficult. Of course, any reasonable computer program could find the factors relatively quickly. If, on the other hand, one selects $p$ and $q$ to be very large distinct prime numbers (each having about 100 decimal digits) then, by today's standards, it is a difficult problem, even with the most powerful computers, to deduce $p$ and $q$ simply from $n$. This is the well-known integer factorization problem (see §3.2) and a source of many trapdoor one-way functions. (The 100-digit figure reflects the state of the art when this chapter was written in 1997; current practice requires substantially larger moduli, for example a 2048-bit $n$ of about 617 decimal digits with $p$ and $q$ of roughly 300 digits each.)
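Examples 1.14 and 1.15 carried out in code, as an added illustration that is not code from the Handbook. It shows the asymmetry both examples rely on: the forward direction costs a handful of modular multiplications by square-and-multiply, inverting Example 1.14 without help means walking the whole table, and inverting Example 1.15 is easy once the trapdoor $p, q$ is known. It also recovers that trapdoor from $n$ by trial division, to make concrete why a 10-digit $n$ is no protection while the 200-digit moduli the text recommends are. The constants are the text's own; the function names are mine, and the cube-root inversion uses the exponent $d = 3^{-1} \bmod \mathrm{lcm}(p-1, q-1)$, which is the RSA decryption exponent for $e = 3$ rather than the particular algorithm of §8.2.2(i).

```python
"""One-way and trapdoor one-way functions: Examples 1.14 and 1.15 in code.

Added illustration, not the Handbook's code. Constants are the text's own:
f(x) = 3^x mod 17 on {1,...,16}; f(x) = x^3 mod n with n = 48611 * 53993.
"""
from math import gcd, isqrt


def square_and_multiply(base, exponent, modulus):
    """Left-to-right binary exponentiation (the repeated square-and-multiply
    method the text cites as Algorithm 2.143). About log2(exponent) squarings
    plus one multiply per 1-bit, so the forward direction stays cheap even
    when the numbers are hundreds of digits long."""
    result = 1
    base %= modulus
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        if bit == "1":
            result = (result * base) % modulus
    return result


# ---- Example 1.14: f(x) = 3^x mod 17 ---------------------------------------
def f_1_14(x):
    return square_and_multiply(3, x, 17)


def discrete_log_brute_force(base, target, modulus):
    """Invert x -> base^x mod modulus by trying every exponent in turn.
    Work grows with the size of the group, so for a modulus of hundreds of
    digits this is hopeless: that gap is what Definition 1.12 is about."""
    acc = 1
    for x in range(1, modulus):
        acc = (acc * base) % modulus
        if acc == target:
            return x
    return None  # target not in Im(f)


# ---- Example 1.15: f(x) = x^3 mod n, trapdoor = the factors of n ----------
P, Q = 48611, 53993
N = P * Q


def f_1_15(x):
    return square_and_multiply(x, 3, N)


def cube_root_with_trapdoor(y, p, q):
    """With p and q known, invert cubing on all of {1, ..., n-1}.

    3 is invertible modulo lcm(p-1, q-1) because 3 divides neither p-1 nor
    q-1 for these primes; then y^d = x (mod p) and (mod q), hence (mod n).
    """
    l = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if gcd(3, l) != 1:
        raise ValueError("cubing is not a bijection for this modulus")
    d = pow(3, -1, l)  # modular inverse, Python >= 3.8
    return square_and_multiply(y, d, p * q)


def trial_division_factor(n):
    """Recover the trapdoor by brute force: try every candidate up to sqrt(n).
    Around 50,000 divisions for this 10-digit n, which a computer does in a
    blink; for a 200-digit n the same loop would never finish."""
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    return None  # n is prime


if __name__ == "__main__":
    print("Example 1.14 table:", {x: f_1_14(x) for x in range(1, 17)})
    print("x with 3^x = 7 (mod 17):", discrete_log_brute_force(3, 7, 17))
    y = f_1_15(2489991)
    print("Example 1.15: f(2489991) =", y)
    print("cube root of", y, "using p, q:", cube_root_with_trapdoor(y, P, Q))
    print("trapdoor recovered from n by trial division:", trial_division_factor(N))
```

The table printed for Example 1.14 matches the one in the text, the brute-force search returns $x = 11$ for $y = 7$, and the trapdoor inversion returns 2489991 for $y = 1981394214$. Swapping in two 300-digit primes leaves `f_1_15` and `cube_root_with_trapdoor` just as fast, while `trial_division_factor` and `discrete_log_brute_force` become the infeasible direction.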
It remains to be rigorously established whether there actually are any (true) one-way functions. That is to say, no one has yet definitively proved the existence of such functions under reasonable (and rigorous) definitions of "easy" and "computationally infeasible". Since the existence of one-way functions is still unknown, the existence of trapdoor one-way functions is also unknown. However, there are a number of good candidates for one-way and trapdoor one-way functions. Many of these are discussed in this book, with emphasis given to those which are practical.

One-way and trapdoor one-way functions are the basis for public-key cryptography (discussed in §1.8). The importance of these concepts will become clearer when their application to cryptographic techniques is considered. It will be worthwhile to keep the abstract concepts of this section in mind as concrete methods are presented.