
1.2.1 Chapter 2: Background

In Chapter 2, we survey the background theory on which the rest of this thesis is based. First, we review the basics of public key cryptosystems and some computational primitives such as integer factorization, the discrete logarithm, and the various Diffie-Hellman problems. We then study the important security notions for public key cryptosystems, expressed by the pair GOAL = {OW, IND, CPA} and ATK = {CPA, CCA1, CCA2} [8]. We then study the random oracle model [12], which is somewhat controversial but is an important ingredient of the practice-oriented provable security paradigm, in which one can design efficient provably-secure cryptographic schemes [7]. A special security notion, PA, is introduced, which is defined in the random oracle model. PA has some useful properties; for example, a cryptosystem that meets PA and IND-CPA also meets IND-CCA2.

1.2.2 Chapter 3: Security Analysis of ElGamal-Like Cryptosystem

In Chapter 3, we first give a brief review of the famous ElGamal cryptosystem [28]. It has been proven to meet IND-CPA in the quadratic residue group under the Diffie-Hellman assumption [83]. In order to state our results in breaking the ElGamal cryptosystem [44] in Section 3.3 clearly and precisely, we first show in Section 3.2 that the ElGamal cryptosystem is insecure in the IND-CPA sense if the operations are not in the quadratic residue group. In order to encrypt a large message efficiently in the ElGamal cryptosystem, Hwang, Chang, and Hwang [44] proposed an ElGamal-like cryptosystem and declared that their scheme is secure against chosen-plaintext attacks. However, in Section 3.4 we show separately that the ElGamal-like cryptosystem is insecure in the IND-CPA sense whether or not the operations are in the quadratic residue group.

1.2.3 Chapter 4: An ElGamal-Extension Cryptosystem

In Chapter 4, we propose a new ElGamal-extension cryptosystem and prove that it is secure in the IND-CCA2 sense in the random oracle model. It has the following advantages:

• It is only necessary to generate two random numbers. The total number of modular exponentiations is 4 in encryption and 2 in decryption, and this does not increase with the number of plaintexts. Only some low-complexity operations such as random function evaluations and modular multiplications are additionally needed.

• The size of the ciphertext is smaller when the plaintext is large enough.

• It is secure in the IND-CCA2 sense, which provides a higher security level than the IND-CPA achieved by the ElGamal encryption scheme.

We then define a special security notion, IND-CPAPAIR, and show that the proposed scheme achieves it. Then, we compare the computational complexity and ciphertext size of our scheme with those of some cryptosystems that achieve the same security level, IND-CCA2.

1.2.4 Chapter 5: Password Authenticated Key Exchange Protocols

In Chapter 5, we survey the background theory on which the subject matter of the chapter is based. We study the important security model [10] proposed by Bellare, Pointcheval, and Rogaway for password authenticated key exchange protocols, which defines the adversary's capabilities, such as passive attacks, active attacks, known-key attacks, and password guessing attacks, and the security goals, such as mutual authentication and authenticated key exchange semantic security.

We then show that the password authenticated key exchange protocols of Tseng [81], Ku and Wang [49], Tseng, Jan and Chien [82], and Hwang and Yeh [43] are insecure.

1.2.5 Chapter 6: Simple Password Authenticated Key Exchange and Protected Password Change Protocols

In Section 5.4, we shall present a simple password authenticated key exchange protocol by modifying the Yeh-Sun scheme [85]. At the same time, we shall also present a new protected password change protocol which, unlike the previously proposed schemes [47, 49, 53, 70, 81, 85], where the parties cannot arbitrarily change their own passwords, offers users the freedom to change their passwords at will.

1.2.6 Chapter 7: Conclusions

Finally, the concluding remarks of this thesis will be made in Chapter 6.

Chapter 2 Background

2.1 Introduction

Cryptosystems are classified as symmetric cryptosystems and asymmetric (public key) cryptosystems. Symmetric cryptosystems, such as DES [76] and Rijndael [23, 24, 25], use a common secret key to encrypt plaintext and to decrypt ciphertext. This brings two difficulties, as follows.

• To privately distribute the secret keys.

• To manage a large number of secret keys. For example, if there are n users who want to exchange confidential data, then n(n − 1)/2 secret keys are needed. This number increases rapidly as the number of users grows.

In public key (asymmetric) cryptosystems, each user creates a pair of keys, one of which is published in a public directory while the other is kept secret. The published key, referred to as the public key, is used as the encryption key, but the secret key, referred to as the private (secret) key, is used as the decryption key.

As a result, there is no key distribution problem or key sharing problem as in symmetric key cryptosystems. However, encrypting large messages with asymmetric cryptosystems is time consuming.

In this chapter, we first give an overview of public key cryptosystems and their security notions in an informal way, and the following sections revisit the definitions in a formal way.

2.1.1 Public Key Cryptosystems

Here, we see how public key cryptosystems are run; they are often divided into three phases as follows.

- Key generation phase:

The receiver Bob creates his secret key skB and public key pkB.

- Encryption phase:

Anyone who wants to send a confidential message (plaintext x) to Bob encrypts it by using pkB.

- Decryption phase:

Upon receiving the corresponding ciphertext y, Bob uses his skB to recover the plaintext x.

Figure 2.1 illustrates a schematic outline of a public key cryptosystem.

To reveal Bob's secret key skB from the public key pkB is difficult. This property is guaranteed by a trapdoor one-way function, defined as follows [55]:

Trapdoor one-way function f_t(x): X → Y: It is easy to compute f_t(x) for all x ∈ X but difficult to invert for almost all values in Y. If the trapdoor information t is known, then for every y ∈ Y it is easy to compute the x ∈ X such that y = f_t(x).

Figure 2.1: Encryption and decryption in a public key cryptosystem (x is encrypted to y under pkB, and y is decrypted back to x under skB)

Diffie and Hellman [27] constructed a trapdoor one-way function based on modular exponentiation. This function made it possible to distribute a common session key shared between two users in order to establish secret communication over an insecure channel. This protocol is the famous "Diffie-Hellman key agreement protocol". However, the first practical realization of a public key cryptosystem was accomplished by Rivest, Shamir, and Adleman, and is called the RSA cryptosystem [69]. Later, ElGamal [28] constructed a new public key cryptosystem based on the Diffie-Hellman trapdoor one-way function.

Two typical primitives of the trapdoor one-way function are RSA [69] and ElGamal [28], as described before. The difference between the ElGamal function and the RSA function is that the former is probabilistic rather than deterministic. In a probabilistic trapdoor one-way function, when a plaintext x is encrypted twice, the probability of obtaining the same ciphertext y must be negligibly small.

In Section 2.1.2 and Section 2.1.3, we review the RSA cryptosystem and the ElGamal cryptosystem, respectively.

2.1.2 RSA Cryptosystem

- Key generation phase:

The receiver Bob creates his secret key skB and public key pkB as follows.

1. Choose two large distinct primes p and q, and compute N = p · q.

2. Choose e that is relatively prime to ϕ(N), where ϕ(N) = (p − 1) · (q − 1), and set pkB = (N, e).

3. Choose d with e · d = 1 mod ϕ(N) and set skB = (N, d).

- Encryption phase:

Anyone who wants to encrypt a plaintext x < N to Bob uses pkB as follows.

y = x^e mod N.

- Decryption phase:

Upon receiving the corresponding ciphertext y, Bob uses his skB to recover the plaintext x as follows.

y^d = (x^e)^d mod N = x mod N.

The factorization of N can be reduced to an algorithm that computes d from (N, e). However, it is an open question whether an efficient algorithm for factoring can be derived from an efficient algorithm that inverts RSA given (N, e) and y [26]. Note that d should be greater than N^(1/4); otherwise, a polynomial-time algorithm to compute d can be constructed [84].

For choosing large primes, the reader can refer to [39] for more details.
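The three RSA phases above and the reduction just stated (an algorithm that yields d also yields the factorization of N), worked through in Python as an added example; this code is not part of the thesis, and the primes p = 61, q = 53 with e = 17 are constructed toy values rather than secure parameters.

```python
# Added example (not the thesis's own code): textbook RSA as described above,
# plus the reduction stated in the text that knowing d lets one factor N.
# p = 61, q = 53, e = 17 are constructed toy values so the example runs instantly.
import math
import random


def rsa_keygen(p, q, e):
    """Key generation phase: N = p*q, pkB = (N, e), skB = (N, d)."""
    N = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(N)")
    d = pow(e, -1, phi)                 # e * d = 1 mod phi(N)
    return (N, e), (N, d)


def rsa_encrypt(pk, x):
    """Encryption phase: y = x^e mod N for a plaintext 0 <= x < N."""
    N, e = pk
    if not 0 <= x < N:
        raise ValueError("plaintext must be smaller than N")
    return pow(x, e, N)


def rsa_decrypt(sk, y):
    """Decryption phase: x = y^d = (x^e)^d mod N."""
    N, d = sk
    return pow(y, d, N)


def factor_from_d(N, e, d, rng=random.Random(1)):
    """Recover (p, q) from a complete key.  e*d - 1 = 2^t * k is a multiple of
    phi(N), so for a random g the chain g^k, g^(2k), ... reaches 1 mod N and,
    with probability >= 1/2, passes through a square root of 1 other than +-1,
    whose gcd with N is a prime factor.  Hence d must be guarded like p and q."""
    k, t = e * d - 1, 0
    while k % 2 == 0:
        k, t = k // 2, t + 1
    while True:
        x = pow(rng.randrange(2, N - 1), k, N)
        for _ in range(t):
            if x == 1:
                break                   # chain reached 1 through +-1: retry with a new g
            y = pow(x, 2, N)
            if y == 1 and x != N - 1:   # non-trivial square root of 1 found
                p = math.gcd(x - 1, N)
                return min(p, N // p), max(p, N // p)
            x = y
```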

2.1.3 ElGamal Cryptosystem

- Key generation phase:

The receiver Bob creates his secret key skB and public key pkB as follows.

1. Choose a large prime p and a primitive root g ∈ Zp.

2. Choose an integer s at random in the range 1 ≤ s ≤ p − 2 and set skB = (p, g, s).

3. Compute Y = g^s mod p and set pkB = (p, g, Y).

- Encryption phase:

Anyone who wants to encrypt a plaintext x to Bob uses pkB as follows.

y = (y1, y2) = (g^r mod p, x · Y^r mod p), where r is chosen at random in the range 1 ≤ r ≤ p − 2.

- Decryption phase:

Upon receiving the corresponding ciphertext y, Bob uses his skB to recover the plaintext x as follows.

y2 · ((y1)^s)^(−1) = (x · Y^r) · ((g^r)^s)^(−1) mod p = x mod p.

The ElGamal cryptosystem was proposed several years ago and is one of the few probabilistic encryption schemes. It was not until 1998 that Tsiounis and Yung [83] proved that the security of the ElGamal cryptosystem (with operations in the quadratic residue group) is actually equivalent to the decision Diffie-Hellman problem. However, we will further analyze the security of the ElGamal
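The three ElGamal phases above, worked through in Python as an added example that is not part of the thesis; it also makes concrete the point from the Chapter 3 summary that the IND-CPA result holds only when operations are restricted to the quadratic residues, using the constructed toy prime p = 467 and primitive root g = 2.

```python
# Added example (not the thesis's own code): textbook ElGamal over Z_p^* as
# above, and why IND-CPA needs operations restricted to the quadratic residues (QR).
import random

P = 467          # constructed toy safe prime, 467 = 2*233 + 1; 467 = 3 mod 8, so 2 is a non-residue
G = 2            # hence a primitive root mod 467 (order 466)
rng = random.Random(7)   # fixed seed so runs are reproducible


def legendre(a, p):
    """Legendre symbol via Euler's criterion: 1 if a is a QR mod p, else p-1."""
    return pow(a, (p - 1) // 2, p)


def keygen(p=P, g=G):
    """Key generation phase: skB = (p, g, s), pkB = (p, g, Y = g^s mod p)."""
    s = rng.randrange(1, p - 1)              # 1 <= s <= p-2
    return (p, g, s), (p, g, pow(g, s, p))


def encrypt(pk, x):
    """Encryption phase: (g^r mod p, x * Y^r mod p) with a fresh random r."""
    p, g, Y = pk
    r = rng.randrange(1, p - 1)
    return pow(g, r, p), (x * pow(Y, r, p)) % p


def decrypt(sk, y):
    """Decryption phase: y2 * ((y1)^s)^-1 mod p."""
    p, _, s = sk
    y1, y2 = y
    return (y2 * pow(pow(y1, s, p), -1, p)) % p


def leaked_qr_bit(pk, y):
    """What a passive observer learns from one ciphertext when g generates all
    of Z_p^*: (x/p) = (y2/p) * (Y^r/p), and (Y^r/p) = -1 exactly when both Y
    and y1 are non-residues.  Whether x is a QR is therefore public, which is
    why textbook ElGamal is not IND-CPA for plaintexts outside the QR group."""
    p, _, Y = pk
    y1, y2 = y
    yr_sign = p - 1 if legendre(Y, p) == p - 1 and legendre(y1, p) == p - 1 else 1
    return (legendre(y2, p) * yr_sign) % p


def encode_to_qr(x, p=P):
    """Mitigation: stay in the QR subgroup.  For 1 <= x <= (p-1)/2 exactly one of
    x and p-x is a QR (p = 3 mod 4), so every encoded plaintext has symbol 1."""
    return x if legendre(x, p) == 1 else p - x
```

To decode a message that went through encode_to_qr, take the decrypted value v and return v if v ≤ (p − 1)/2, otherwise p − v.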
