asymmetric cryptography
parent 79af4e41d9
commit 70e4807997

Binary files added (new files, binary content not shown):
- Assets/NetworkSecurity-cipher-block-chaining-mode.png (29 KiB)
- Assets/NetworkSecurity-ecc-1.png (15 KiB)
- Assets/NetworkSecurity-ecc-2.png (10 KiB)
- Assets/NetworkSecurity-ecc-3.png (24 KiB)
- Assets/NetworkSecurity-ecc-4.png (20 KiB)
- Assets/NetworkSecurity-ecc-5.png (46 KiB)
@ -34,9 +34,26 @@
 | 
				
			|||||||
  - [Der Stromchiffre-Algorithmus RC4](#der-stromchiffre-algorithmus-rc4)
 | 
					  - [Der Stromchiffre-Algorithmus RC4](#der-stromchiffre-algorithmus-rc4)
 | 
				
			||||||
  - [KASUMI](#kasumi)
 | 
					  - [KASUMI](#kasumi)
 | 
				
			||||||
    - [KASUMI - Sicherheitsdiskussion](#kasumi---sicherheitsdiskussion)
 | 
					    - [KASUMI - Sicherheitsdiskussion](#kasumi---sicherheitsdiskussion)
 | 
				
			||||||
- [Grundlagen der Kryptographie](#grundlagen-der-kryptographie-1)
 | 
					 | 
				
			||||||
- [Symmetrische Kryptographie](#symmetrische-kryptographie-1)
 | 
					 | 
				
			||||||
- [Asymmetrische Kryptographie](#asymmetrische-kryptographie)
 | 
					- [Asymmetrische Kryptographie](#asymmetrische-kryptographie)
 | 
				
			||||||
 | 
					  - [Some Mathematical Background](#some-mathematical-background)
 | 
				
			||||||
 | 
					  - [The RSA Public Key Algorithm](#the-rsa-public-key-algorithm)
 | 
				
			||||||
 | 
					  - [Some More Mathematical Background](#some-more-mathematical-background)
 | 
				
			||||||
 | 
					  - [Diffie-Hellman Key Exchange](#diffie-hellman-key-exchange)
 | 
				
			||||||
 | 
					  - [The ElGamal Algorithm](#the-elgamal-algorithm)
 | 
				
			||||||
 | 
					  - [Elliptic Curve Cryptography](#elliptic-curve-cryptography)
 | 
				
			||||||
 | 
					    - [Foundations of ECC - Group Elements](#foundations-of-ecc---group-elements)
 | 
				
			||||||
 | 
					    - [Foundations of ECC - Point Addition](#foundations-of-ecc---point-addition)
 | 
				
			||||||
 | 
					    - [Foundations of ECC - Algebraic Addition](#foundations-of-ecc---algebraic-addition)
 | 
				
			||||||
 | 
					    - [Foundations of ECC - Multiplication](#foundations-of-ecc---multiplication)
 | 
				
			||||||
 | 
					    - [Foundations of ECC - Curves over $\mathbb{Z}_p$](#foundations-of-ecc---curves-over-mathbbz_p)
 | 
				
			||||||
 | 
					    - [Foundations of ECC - Calculate the y-values in $\mathbb{Z}_p$](#foundations-of-ecc---calculate-the-y-values-in-mathbbz_p)
 | 
				
			||||||
 | 
					    - [Foundations of ECC - Addition and Multiplication in $\mathbb{Z}_p$](#foundations-of-ecc---addition-and-multiplication-in-mathbbz_p)
 | 
				
			||||||
 | 
					    - [Foundations of ECC - Size of generated groups](#foundations-of-ecc---size-of-generated-groups)
 | 
				
			||||||
 | 
					    - [Foundations of ECC - ECDH](#foundations-of-ecc---ecdh)
 | 
				
			||||||
 | 
					    - [Foundations of ECC - EC version of ElGamal Algorithm](#foundations-of-ecc---ec-version-of-elgamal-algorithm)
 | 
				
			||||||
 | 
					    - [Foundations of ECC - Security](#foundations-of-ecc---security)
 | 
				
			||||||
 | 
					    - [Foundations of ECC - Further remarks](#foundations-of-ecc---further-remarks)
 | 
				
			||||||
 | 
					  - [Conclusion](#conclusion)
 | 
				
			||||||
- [Modifikationsprüfwerte](#modifikationsprüfwerte)
 | 
					- [Modifikationsprüfwerte](#modifikationsprüfwerte)
 | 
				
			||||||
- [Zufallszahlengenerierung](#zufallszahlengenerierung)
 | 
					- [Zufallszahlengenerierung](#zufallszahlengenerierung)
 | 
				
			||||||
- [Kryptographische Protokolle](#kryptographische-protokolle)
 | 
					- [Kryptographische Protokolle](#kryptographische-protokolle)
 | 
				
			||||||
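Review bot: the table-of-contents entries added in this hunk, from `- [Some Mathematical Background](#some-mathematical-background)` down to `- [Conclusion](#conclusion)`, are in English while every other entry in this TOC is German; either keep the language consistent or make the switch deliberate and visible in the section itself. Dropping the `(#grundlagen-der-kryptographie-1)` and `(#symmetrische-kryptographie-1)` entries is consistent with the removal of those two placeholder `#` headings in the last hunk of this diff, and the `#asymmetrische-kryptographie` anchor matches the `# Asymmetrische Kryptographie` heading that remains.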
@ -133,8 +150,6 @@ Diese Bedrohungen werden oft kombiniert, um einen Angriff durchzuführen!
 | 
				
			|||||||
| Verfügbarkeit               | x         |         | x                        | x                                                          |                                  |                             | x                                 |  |
 | 
					| Verfügbarkeit               | x         |         | x                        | x                                                          |                                  |                             | x                                 |  |
 | 
				
			||||||
| Kontrollierter Zugriff      | x         |         | x                        |                                                            |                                  | x                           |                                   |
 | 
					| Kontrollierter Zugriff      | x         |         | x                        |                                                            |                                  | x                           |                                   |
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
## Analyse der Netzwerksicherheit
 | 
					## Analyse der Netzwerksicherheit
 | 
				
			||||||
- Um geeignete Gegenmaßnahmen gegen Bedrohungen ergreifen zu können, müssen diese für eine gegebene Netzkonfiguration angemessen bewertet werden.
 | 
					- Um geeignete Gegenmaßnahmen gegen Bedrohungen ergreifen zu können, müssen diese für eine gegebene Netzkonfiguration angemessen bewertet werden.
 | 
				
			||||||
- Daher ist eine detaillierte Netzsicherheitsanalyse erforderlich, die
 | 
					- Daher ist eine detaillierte Netzsicherheitsanalyse erforderlich, die
 | 
				
			||||||
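Review bot: the `| Verfügbarkeit ... | x | |  |` row at the top of this hunk ends with one more cell than the `| Kontrollierter Zugriff ... |` row below it (a trailing empty `|  |`), so the table's column count is inconsistent and the row may render with a spurious column; drop the trailing empty cell. The remaining lines of the hunk only remove blank lines.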
@ -216,7 +231,6 @@ Diese Bedrohungen werden oft kombiniert, um einen Angriff durchzuführen!
 | 
				
			|||||||
- **Nicht-Abstreitbarkeit (Non Repudiation)**
 | 
					- **Nicht-Abstreitbarkeit (Non Repudiation)**
 | 
				
			||||||
    - Schützt davor, dass an einem Kommunikationsaustausch beteiligte Entitäten später fälschlicherweise abstreiten können, dass der Austausch stattgefunden hat
 | 
					    - Schützt davor, dass an einem Kommunikationsaustausch beteiligte Entitäten später fälschlicherweise abstreiten können, dass der Austausch stattgefunden hat
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					 | 
				
			||||||
## Sicherheitsunterstützende Mechanismen
 | 
					## Sicherheitsunterstützende Mechanismen
 | 
				
			||||||
- Allgemeine Mechanismen
 | 
					- Allgemeine Mechanismen
 | 
				
			||||||
    - Schlüsselverwaltung: Alle Aspekte des Lebenszyklus von kryptografischen Schlüsseln
 | 
					    - Schlüsselverwaltung: Alle Aspekte des Lebenszyklus von kryptografischen Schlüsseln
 | 
				
			||||||
@ -461,7 +475,6 @@ Output-Feedback-Modus (OFB)
 | 
				
			|||||||
      - Es ist für einen Angreifer möglich, bestimmte Bits des Klartextes zu manipulieren
 | 
					      - Es ist für einen Angreifer möglich, bestimmte Bits des Klartextes zu manipulieren
 | 
				
			||||||
- 
 | 
					- 
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					 | 
				
			||||||
Algorithmus-Übersicht
 | 
					Algorithmus-Übersicht
 | 
				
			||||||
- Datenverschlüsselungsstandard (DES)
 | 
					- Datenverschlüsselungsstandard (DES)
 | 
				
			||||||
  - Alter amerikanischer Standard aus den 70er Jahren
 | 
					  - Alter amerikanischer Standard aus den 70er Jahren
 | 
				
			||||||
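Review bot: the empty bullet `- ` just before `Algorithmus-Übersicht` survives this hunk's blank-line cleanup and renders as an empty list item; either remove it or fill it in. `Algorithmus-Übersicht` itself is a plain line where the surrounding sections use `###` headings (see `### DES - Sicherheit` in the next hunk); consider `### Algorithmus-Übersicht` for consistency.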
@ -531,7 +544,6 @@ Geschichte
 | 
				
			|||||||
- Nach der letzten Runde führt DES einen 32-Bit-Tausch und die inverse Anfangspermutation durch
 | 
					- Nach der letzten Runde führt DES einen 32-Bit-Tausch und die inverse Anfangspermutation durch
 | 
				
			||||||
  - InverseInitialPermutation($L_0||R_0$) = InverseInitialPermutation(InitialPermutation(Klartext)) = Klartext
 | 
					  - InverseInitialPermutation($L_0||R_0$) = InverseInitialPermutation(InitialPermutation(Klartext)) = Klartext
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					 | 
				
			||||||
### DES - Sicherheit
 | 
					### DES - Sicherheit
 | 
				
			||||||
- Schwächen der Schlüssel
 | 
					- Schwächen der Schlüssel
 | 
				
			||||||
    - Schwache Schlüssel: Vier Schlüssel sind schwach, da sie Unterschlüssel erzeugen, die entweder alle 0 oder alle 1 enthalten.
 | 
					    - Schwache Schlüssel: Vier Schlüssel sind schwach, da sie Unterschlüssel erzeugen, die entweder alle 0 oder alle 1 enthalten.
 | 
				
			||||||
@ -703,9 +715,511 @@ Standardisierte AES-Konfigurationen
 | 
				
			|||||||
  - Stromchiffre basierend auf LFSR, kann in 7.500 ASIC-Gattern implementiert werden
 | 
					  - Stromchiffre basierend auf LFSR, kann in 7.500 ASIC-Gattern implementiert werden
 | 
				
			||||||
  - Aber auch anfällig für verwandte Schlüsselangriffe [KY11].
 | 
					  - Aber auch anfällig für verwandte Schlüsselangriffe [KY11].
 | 
				
			||||||
 | 
					
 | 
				
			||||||
# Grundlagen der Kryptographie
 | 
					 | 
				
			||||||
# Symmetrische Kryptographie
 | 
					 | 
				
			||||||
# Asymmetrische Kryptographie
 | 
					# Asymmetrische Kryptographie
 | 
				
			||||||
 | 
					,,However, prior exposure to discrete mathematics will help the reader to appreciate the concepts presented here.'' E. Amoroso in another context [Amo94]
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					- General idea:
 | 
				
			||||||
 | 
					  - Use two different keys $-K$ and $+K$ for encryption and decryption
 | 
				
			||||||
 | 
					  - Given a random ciphertext $c=E(+K, m)$ and $+K$ it should be infeasible to compute $m = D(-K, c) = D(-K, E(+K, m))$
 | 
				
			||||||
 | 
					    - This implies that it should be infeasible to compute $-K$ when given $+K$
 | 
				
			||||||
 | 
					  - The key $-K$ is only known to one entity A and is called A’s private key $-K_A$
 | 
				
			||||||
 | 
					  - The key $+K$ can be publicly announced and is called A’s public key $+K_A$
 | 
				
			||||||
 | 
					- Applications:
 | 
				
			||||||
 | 
					  - Encryption:
 | 
				
			||||||
 | 
					    - If B encrypts a message with A’s public key $+K_A$, he can be sure that only A can decrypt it using $-K_A$
 | 
				
			||||||
 | 
					  - Signing:
 | 
				
			||||||
 | 
					    - If A encrypts a message with his own private key $-K_A$, everyone can verify this signature by decrypting it with A’s public key $+K_A$
 | 
				
			||||||
 | 
					  - Attention: It is crucial, that everyone can verify that he really knows A’s public key and not the key of an adversary!
 | 
				
			||||||
 | 
					- Design of asymmetric cryptosystems:
 | 
				
			||||||
 | 
					  - Difficulty: Find an algorithm and a method to construct two keys $-K$, $+K$ such that it is not possible to decipher $E(+K, m)$ with the knowledge of $+K$
 | 
				
			||||||
 | 
					  - Constraints:
 | 
				
			||||||
 | 
					    - The key length should be ,,manageable''
 | 
				
			||||||
 | 
					    - Encrypted messages should not be arbitrarily longer than unencrypted messages (we would tolerate a small constant factor)
 | 
				
			||||||
 | 
					    - Encryption and decryption should not consume too much resources (time, memory)
 | 
				
			||||||
 | 
					  - Basic idea: Take a problem in the area of mathematics / computer science, that is hard to solve when knowing only $+K$, but easy to solve when knowing $-K$
 | 
				
			||||||
 | 
					    - Knapsack problems: basis of first working algorithms, which were unfortunately almost all proven to be insecure
 | 
				
			||||||
 | 
					    - Factorization problem: basis of the RSA algorithm
 | 
				
			||||||
 | 
					    - Discrete logarithm problem: basis of Diffie-Hellman and ElGamal
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## Some Mathematical Background
 | 
				
			||||||
 | 
					- Let $\mathbb{Z}$ be the number of integers, and $a,b,n\in\mathbb{Z}$
 | 
				
			||||||
 | 
					- We say $a$ divides $b(,,a|b'')$ if there exists an integer $k\in\mathbb{Z}$ such that $a\times k=b$
 | 
				
			||||||
 | 
					- We say $a$ is prime if it is positive and the only divisors of a are $1$ and $a$
 | 
				
			||||||
 | 
					- We say $r$ is the remainder of a divided by $n$ if $r=a-\lfloor a / n \rfloor\times n$ where $\lfloor x\rfloor$ denotes the largest integer less than or equal to $x$
 | 
				
			||||||
 | 
					    - Example: 4 is the remainder of 11 divided by 7 as $4=11-\lfloor 11/7\rfloor\times 7$
 | 
				
			||||||
 | 
					    - We can write this in another way: $a=q\times n + r$ with $q=\lfloor a/n\rfloor$
 | 
				
			||||||
 | 
					- For the remainder $r$ of the division of a by n we write $a\ MOD\ n$
 | 
				
			||||||
 | 
					- We say b is congruent $a\ mod\ n$ if it has the same remainder like a when divided by n. So, n divides $(a-b)$, and we write $b\equiv a\ mod\ n$
 | 
				
			||||||
 | 
					  - Examples: $4\equiv 11\ mod\ 7$, $25\equiv 11\ mod\ 7$, $11\equiv 25\ mod\ 7$, $11\equiv 4\ mod\ 7$, $-10\equiv 4\ mod\ 7$
 | 
				
			||||||
 | 
					- As the remainder r of division by n is always smaller than n , we sometimes represent the set $\{x\ MOD\ n | x\in\mathbb{Z}\}$ by elements of the set $\mathbb{Z}_n=\{0, 1, ..., n-1\}$
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					| Property                                                                                                            | Expression                                                                             |
 | 
				
			||||||
 | 
					| ------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- |
 | 
				
			||||||
 | 
					| Commutative Laws                                                                                                    | $(a + b)\ MOD\ n = (b + a)\ MOD\ n$                                                    |
 | 
				
			||||||
 | 
					| $(a \times b)\ MOD\ n = (b \times a)\ MOD\ n$                                                                       |
 | 
				
			||||||
 | 
					| Associative Laws                                                                                                    | $[(a + b) + c]\ MOD\ n = [a + (b + c)]\ MOD\ n$                                        |
 | 
				
			||||||
 | 
					| $[(a \times b) \times c]\ MOD\ n = [a \times (b \times c)]\ MOD\ n$                                                 |
 | 
				
			||||||
 | 
					| Distributive Law                                                                                                    | $[a \times (b + c)]\ MOD\ n = [(a \times b) + (a \times c)]\ MOD\ n$                   |
 | 
				
			||||||
 | 
					| Identities                                                                                                          | $(0 + a)\ MOD\ n = a\ MOD\ n$                                                          |
 | 
				
			||||||
 | 
					| $(1 \times a)\ MOD\ n = a\ MOD\ n$                                                                                  |
 | 
				
			||||||
 | 
					| Inverses                                                                                                            | $\forall  a \in \mathbb{Z}n: \exists (-a) \in \mathbb{Z}n : a + (-a) \equiv 0\ mod\ n$ |
 | 
				
			||||||
 | 
					| $p is prime \Rightarrow \forall  a \in \mathbb{Z}p: \exists (a-1) \in \mathbb{Z}p: a \times (a-1) \equiv 1\ mod\ p$ |
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					Greatest common divisor
 | 
				
			||||||
 | 
					- $c = gcd(a, b) :\Leftrightarrow  ( c | a) \wedge ( c | b) \wedge [\forall  d: ( d | a ) \wedge ( d | b) \Rightarrow ( d | c )]$ and $gcd(a, 0 ) : = | a |$
 | 
				
			||||||
 | 
					- The gcd recursion theorem :
 | 
				
			||||||
 | 
					  - $\forall a, b \in \mathbb{Z}^+: gcd(a, b) = gcd(b, a\ MOD\ b)$
 | 
				
			||||||
 | 
					  - Proof:
 | 
				
			||||||
 | 
					    - As $gcd(a, b)$ divides both a and b it also divides any linear combination of them, especially $(a- \lfloor a / b \rfloor \times b) = a\ MOD\ b$, so $gcd(a, b) | gcd(b, a\ MOD\ b)$
 | 
				
			||||||
 | 
					    - As $gcd(b, a\ MOD\ b)$ divides both b and $a\ MOD\ b$ it also divides any linear combination of them, especially $\lfloor a / b \rfloor \times b + (a\ MOD\ b) = a$, so $gcd(b, a\ MOD\ b) | gcd(a, b)$
 | 
				
			||||||
 | 
					- Euclidean Algorithm:
 | 
				
			||||||
 | 
					  - The algorithm Euclid given a, b computes $gcd(a, b)$
 | 
				
			||||||
 | 
					  ```cpp
 | 
				
			||||||
 | 
					  int Euclid(int a, b){
 | 
				
			||||||
 | 
					    if (b = 0) { return(a); }
 | 
				
			||||||
 | 
					    {return(Euclid(b, a\ MOD\ b);} 
 | 
				
			||||||
 | 
					  }
 | 
				
			||||||
 | 
					  ```
 | 
				
			||||||
 | 
					- Extended Euclidean Algorithm:
 | 
				
			||||||
 | 
					  - The algorithm ExtendedEuclid given a, b computes d, m, n such that: $d = gcd(a, b) = m \times a + n \times b$
 | 
				
			||||||
 | 
					  ```cpp
 | 
				
			||||||
 | 
					  struct{int d, m, n} ExtendedEuclid(int a, b)
 | 
				
			||||||
 | 
					  { int d, d’, m, m’, n, n’;
 | 
				
			||||||
 | 
					    if (b = 0) {return(a, 1, 0); }
 | 
				
			||||||
 | 
					    (d’, m’, n’) = ExtendedEuclid(b, a MOD b);
 | 
				
			||||||
 | 
					    (d, m, n) = (d’, n’, m’ - \lfloor a / b \rfloor \times n’);
 | 
				
			||||||
 | 
					    return(d, m, n); }
 | 
				
			||||||
 | 
					  ```
 | 
				
			||||||
 | 
					  - Proof: (by induction)
 | 
				
			||||||
 | 
					    - Basic case $(a,0): gcd(a, 0) = a = 1 \times a + 0 \times 0$
 | 
				
			||||||
 | 
					    - Induction from $(b, a\ MOD\ b)$ to $(a, b)$:
 | 
				
			||||||
 | 
					      - ExtendedEuclid computes $d’, m’, n’$ correctly (induction hypothesis)
 | 
				
			||||||
 | 
					      - $d=d’=m’\times b+n’\times (a\ MOD\ b)=m’\times b+n’\times(a-\lfloor a/b\rfloor\times b)=n’\times a+(m’-\lfloor a/b\rfloor\times n’)\times b$
 | 
				
			||||||
 | 
					  - The run time of $Euclid(a, b)$ and $ExtendedEuclid(a, b)$ is of $O(log\ b)$
 | 
				
			||||||
 | 
					    - Proof: see [Cor90a], section 33.
 | 
				
			||||||
 | 
					  - Lemma 1: Let $a,b\in\mathbb{N}$ and $d=gcd(a,b)$. Then there exists $m,n\in\mathbb{N}$ such that: $d=m\times a+n \times b$
 | 
				
			||||||
 | 
					- Theorem 1 (Euclid): If a prime divides the product of two integers, then it divides at least one of the integers: $p|(a\times b)\Rightarrow (p|a) \vee (p|b)$
 | 
				
			||||||
 | 
					    - Proof: Let $p|(a\times b)$
 | 
				
			||||||
 | 
					      - If $p|a$ then we are done.
 | 
				
			||||||
 | 
					      - If not then $gcd(p,a) = 1 \Rightarrow\exists m, n\in\mathbb{N}:1=m\times p+n\times a \Leftrightarrow b=m\times p \times b + n \times a \times b$
 | 
				
			||||||
 | 
					      - As $p|(a\times b)$, p divides both summands of the equation and so it divides also the sum which is b 
 | 
				
			||||||
 | 
					- Theorem 2 (fundamental theorem of arithmetic): Factorization into primes is unique up to order.
 | 
				
			||||||
 | 
					    - Proof:
 | 
				
			||||||
 | 
					        - We will show that every integer with a non-unique factorization has a proper divisor with a non-unique factorization which leads to a clear contradiction when we finally have reduced to a prime number.
 | 
				
			||||||
 | 
					        - Let’s assume that n is an integer with a non-unique factorization: $n=p_1\times p_2\times ...\times p_r=q_1 \times q_2\times ... \times q_s$. The primes are not necessarily distinct, but the second factorization is not simply a reordering of the first one. As $p_1$ divides n it also divides the product $q_1\times q_2\times ... \times q_s$. By repeated application of Theorem 1 we show that there is at least one $q_i$ which is divisible by $p_1$. If necessary reorder the $q_i$’s so that it is $q_1$. As both $p_1$ and $q_1$ are prime they have to be equal. So we can divide by $p_1$ and we have that $n/p_1$ has a non-unique factorization.
 | 
				
			||||||
 | 
					  - We will use Theorem 2 to prove the following Corollary 1
 | 
				
			||||||
 | 
					    - If $gcd(c,m)=1$ and $(a\times c)\equiv(b\times c)mod\ m$, then $a\equiv b\ mod\ m$
 | 
				
			||||||
 | 
					    - Proof: As $(a\times c)\equiv(b\times c)mod\ m\Rightarrow\exists n\in\mathbb{N}:(a\times c)-(b\times c)=n\times m$
 | 
				
			||||||
 | 
					    - $\Leftrightarrow ( a - b ) \times c = n \times m$
 | 
				
			||||||
 | 
					    - $\Leftrightarrow p_1\times ...\times p_i\times q_1\times ...\times q_j=r_1\times ...\times r_k\times s_1\times ...\times s_l$
 | 
				
			||||||
 | 
					    - Please note that the $p$’s, $q$’s, $r$’s and $s$’s are prime and do not need to be distinct, but as $gcd(c,m)=1$, there are no indices g, h such that $q_g = s_h$.
 | 
				
			||||||
 | 
					    - So we can continuously divide the equation by all q’s without ever ,,eliminating'' one $s$ and will finally end up with something like $\Leftrightarrow p_1\times ...\times p_i=r_1\times ...\times r_o\times s_1\times ...\times s_l$ (note that there will be fewer r’s)
 | 
				
			||||||
 | 
					    - $\Leftrightarrow(a-b)=r_1\times ...\times r_o\times m\Rightarrow a \equiv b\ mod\ m$
 | 
				
			||||||
 | 
					  - Let $\phi(n)$ denote the number of positive integers less than n and relatively prime to n
 | 
				
			||||||
 | 
					    - Examples: $\phi(4) = 2$, \phi(6)=2$, $\phi(7)=6$, $\phi(15)=8$
 | 
				
			||||||
 | 
					    - If p is prime $\Rightarrow\phi(p)=p-1$
 | 
				
			||||||
 | 
					- Theorem 3 (Euler): Let n and b be positive and relatively prime integers, i.e. $gcd(n, b) = 1 \Rightarrow b \phi(n) \equiv 1\ mod\ n$
 | 
				
			||||||
 | 
					  - Proof:
 | 
				
			||||||
 | 
					    - Let $t=\phi(n)$ and $a_1,...a_t$ be the positive integers less than $n$ which are relatively prime to $n$. Define $r_1,...,r_t$ to be the residues of $b\times a_1\ mod\ n , ..., b\times a_t\ mod\ n$ that is to say: $b\times a_i \equiv r_i\ mod\ n$.
 | 
				
			||||||
 | 
					    - Note that $i\not= j \Rightarrow r_i\not= r_j$. If this would not hold, we would have $b\times a_i\equiv b\times a_j\ mod\ n$ and as $gcd(b,n)=1$, Corollary 1 would imply $a_i\equiv a_j\ mod\ n$ which can not be as $a_i$ and $a_j$ are by definition distinct integers between 0 and n
 | 
				
			||||||
 | 
					    - We also know that each $r_i$ is relatively prime to n because any common divisor k of $r_i$ and $n$ , i.e. $n=k\times m$ and $r_i=p_i\times k$, would also have to divide $a_i$,
 | 
				
			||||||
 | 
					    - as $b\times a_i\equiv (p_i\times k)\ mod\ (k\times m)\Rightarrow\exists s\in\mathbb{N}:(b\times a_i)-(p_i\times k)=s\times k\times m \Leftrightarrow (b\times a_i)=s\times k\times m+(p_i\times k)$
 | 
				
			||||||
 | 
					    - Because k divides each of the summands on the right-hand side and k does not divide b by assumption (n and b are relatively prime), it would also have to divide $a_i$ which is supposed to be relatively prime to n
 | 
				
			||||||
 | 
					    - Thus $r_1, ...,r_t$ is a set of $\phi(n)$ distinct integers which are relatively prime to $n$. This means that they are exactly the same as $a_1,...a_t$, except that they are in a different order. In particular, we know that $r_1\times...\times r_t=a_1\times...\times a_t$
 | 
				
			||||||
 | 
					    - We now use the congruence $r_1\times...\times r_t\equiv b\times a_1\times...\times b\times a_t\ mod\ n$
 | 
				
			||||||
 | 
					        $\Leftrightarrow r_1\times...\times r_t\equiv b_t\times a_1\times...\times a_t\ mod\ n$
 | 
				
			||||||
 | 
					        $\Leftrightarrow r_1\times...\times r_t\equiv b_t\times r_1\times...\times r_t\ mod\ n$
 | 
				
			||||||
 | 
					    - As all $r_i$ are relatively prime to $n$ we can use Corollary 1 and divide by their product giving: $1\equiv b_t\ mod\ n \Leftrightarrow  1\equiv b\phi(n)\ mod n$ 
 | 
				
			||||||
 | 
					- Theorem 4 (Chinese Remainder Theorem):
 | 
				
			||||||
 | 
					  - Let $m_1,...,m_r$ be positive integers that are pairwise relatively prime,
 | 
				
			||||||
 | 
					  - i.e. $\forall i\not= j:gcd(m_i, m_j) = 1$. Let $a_1,...,a_r$ be arbitrary integers.
 | 
				
			||||||
 | 
					  - Then there exists an integer a such that:
 | 
				
			||||||
 | 
					    - $a\equiv a_1\ mod\ m_1$
 | 
				
			||||||
 | 
					    - $a\equiv a_2\ mod\ m_2$
 | 
				
			||||||
 | 
					    - ...
 | 
				
			||||||
 | 
					    - $a\equiv a_r\ mod\ m_r$
 | 
				
			||||||
 | 
					  - Furthermore, a is unique modulo $M := m_1\times...\times m_r$
 | 
				
			||||||
 | 
					  - Proof:
 | 
				
			||||||
 | 
					    - For all $i\in\{1,...,r\}$ we define $M_i:=(M/m_i)\phi(m_i)$
 | 
				
			||||||
 | 
					    - As $M_i$ is by definition relatively prime to $m_i$ we can apply Theorem 3 and know that $M_i\equiv 1\ mod\ m_i$
 | 
				
			||||||
 | 
					    - Since $M_i$ is divisible by $m_j$ for every $j\not= i$, we have $\forall j\not= i:M_i\equiv 0\ mod\ m_j$
 | 
				
			||||||
 | 
					    - We can now construct the solution by defining: $a:= a_1\times M_1+a_2\times M_2+...+a_r\times M_r$
 | 
				
			||||||
 | 
					    - The two arguments given above concerning the congruences of the $M_i$ imply that a actually satisfies all of the congruences.
 | 
				
			||||||
 | 
					    - To see that a is unique modulo $M$, let b be any other integer satisfying the r congruences. As $a\equiv c\ mod\ n$ and $b\equiv c\ mod\ n \Rightarrow a \equiv b\ mod\ n$ we have $\forall i\in\{1,...,r\}:a\equiv b\ mod\ m_i\Rightarrow\forall i\in\{1,...,r\}:m_i|(a-b) \Rightarrow M|(a-b)$ as the $m_i$ are pairwise relatively prime $\Leftrightarrow a\equiv b\ mod\ M$
 | 
				
			||||||
 | 
					- Lemma 2:
 | 
				
			||||||
 | 
					  - If $gcd(m,n)=1$, then $\phi(m\times n)=\phi(m)\times\phi(n)$
 | 
				
			||||||
 | 
					  - Proof:
 | 
				
			||||||
 | 
					    - Let a be a positive integer less than and relatively prime to $m\times n$. In other words, a is one of the integers counted by $\phi(m\times n)$.
 | 
				
			||||||
 | 
					    - Consider the correspondence $a\rightarrow(a\ MOD\ m, a\ MOD\ n)$. The integer a is relatively prime to m and relatively prime to n (if not it would divide $m \times n$). So, $(a\ MOD\ m)$ is relatively prime to m and $(a\ MOD\ n)$ is relatively prime to n as: $a=\lfloor a/m\rfloor\times m + (a\ MOD\ m)$, so if there would be a common divisor of $m$ and $(a\ MOD\ m)$, this divisor would also divide a. Thus every number a counted by $\phi(m\times n )$ corresponds to a pair of two integers $(a\ MOD\ m,a\ MOD\ n)$, the first one counted by $\phi(m)$ and the second one counted by $\phi(n)$.
 | 
				
			||||||
 | 
					    - Because of the second part of Theorem 4, the uniqueness of the solution $a\ mod\ (m\times n)$ to the simultaneous congruences:
 | 
				
			||||||
 | 
					        $a \equiv(a\ MOD\ m)\ mod\ m$
 | 
				
			||||||
 | 
					        $a \equiv(a\ MOD\ n)\ mod\ n$
 | 
				
			||||||
 | 
					      we can deduce, that distinct integers counted by $\phi(m\times n)$ correspond to distinct pairs:
 | 
				
			||||||
 | 
					      - Too see this, suppose that $a\not=b$ counted by $\phi(m\times n)$ does correspond to the same pair $(a\ MOD\ m, a\ MOD\ n)$. This leads to a contradiction as b would also fulfill the congruences:
 | 
				
			||||||
 | 
					        $b\equiv (a\ MOD\ m)\ mod\ m$
 | 
				
			||||||
 | 
					        $b\equiv (a\ MOD\ n)\ mod\ n$
 | 
				
			||||||
 | 
					        but the solution to these congruences is unique modulo $(m \times n)$ 
 | 
				
			||||||
 | 
					      - Therefore, $\phi(m\times n)$ is at most the number of such pairs: $\phi(m\times n)\leq \phi(m)\times\phi(n)$
 | 
				
			||||||
 | 
					    - Consider now a pair of integers $(b,c)$, one counted by $\phi(m)$ and the other one counted by $\phi(n)$: Using the first part of Theorem 4 we can construct a unique positive integer a less than and relatively prime to $m\times n$: $a\equiv b\ mod\ m$ and $a\equiv c\ mod\ n$. So, the number of such pairs is at most $\phi(m\times n):\phi(m \times n)\leq\phi(m)\times\phi(n)$
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
## The RSA Public Key Algorithm

- The RSA algorithm was invented in 1977 by R. Rivest, A. Shamir and L. Adleman [RSA78] and is based on Theorem 3.
- Let $p, q$ be distinct large primes and $n=p\times q$. Assume we also have two integers $e$ and $d$ such that: $d\times e \equiv 1\ mod\ \phi(n)$
- Let $M$ be an integer that represents the message to be encrypted, with $M$ positive, smaller than and relatively prime to $n$.
  - Example: Encode with blank = 99, A = 10, B = 11, ..., Z = 35. So "HELLO" would be encoded as 1714212124. If necessary, break $M$ into blocks of smaller messages, each smaller than $n$: 17142 12124
- To encrypt, compute: $E = M^e\ MOD\ n$
    - This can be done efficiently using the square-and-multiply algorithm
- To decrypt, compute: $M'=E^d\ MOD\ n$
    - As $d\times e\equiv 1\ mod\ \phi(n)\Rightarrow\exists k\in\mathbb{Z}:(d\times e)-1=k\times\phi(n)\Leftrightarrow(d\times e)=k\times\phi(n)+1$
    - we have: $M'\equiv E^d\equiv M^{e\times d}\equiv M^{k\times\phi(n)+1}\equiv (M^{\phi(n)})^k\times M\equiv 1^k\times M\equiv M\ mod\ n$, using Theorem 3 (Euler), which applies because $gcd(M,n)=1$
- As $(d\times e)=(e\times d)$ the operation also works in the opposite direction, i.e. you can encrypt with $d$ and decrypt with $e$
  - This property allows the same key pair $(d, e)$ to be used for:
  - Receiving messages that have been encrypted with one's public key
  - Sending messages that have been signed with one's private key
- To set up a key pair for RSA:
  - Randomly choose two primes $p$ and $q$ (of 100 to 200 digits each)
  - Compute $n=p\times q$ and $\phi(n)=(p-1)\times (q-1)$ (Lemma 2)
  - Randomly choose $e$, so that $gcd(e,\phi(n))=1$
  - With the extended Euclidean algorithm compute $d$ and $c$ such that $e\times d+\phi(n)\times c = 1$; note that this implies $e\times d\equiv 1\ mod\ \phi(n)$
  - The public key is the pair $(e, n)$
  - The private key is the pair $(d, n)$
- The security of the scheme lies in the difficulty of factoring $n=p\times q$, as it is easy to compute $\phi(n)$ and then $d$ when $p$ and $q$ are known
- This class will not teach why it is difficult to factor large $n$'s, as this would require diving deep into mathematics
  - If $p$ and $q$ fulfill certain properties, the best known algorithms (e.g. the number field sieve) are sub-exponential but still far from polynomial in the number of digits of $n$
  - Please be aware that if you choose $p$ and $q$ in an "unfortunate" way, there might be algorithms that can factor more efficiently, and your RSA encryption is not secure at all:
    - Therefore, $p$ and $q$ should be about the same bit length and sufficiently large
    - $(p-q)$ should not be too small
    - If you want to choose a small encryption exponent, e.g. 3, there are additional constraints, e.g. $gcd(p-1, 3) = 1$ and $gcd(q-1,3)=1$ (otherwise $e$ has no inverse modulo $\phi(n)$)
  - The security of RSA also depends on the primes generated being truly random (like every key creation method for any algorithm)
  - Moral: If you have to implement RSA yourself, ask a mathematician or better a cryptographer to check your design

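The key setup, the letter encoding with its blocks, encryption, decryption, the "sign with $d$, check with $e$" direction and the remark that knowing the factors of $n$ gives $d$, carried out in Python as an added example (not part of the lecture notes). The primes 1009 and 1013, the exponent 17 and the block width of 5 digits are toy values chosen here; real RSA uses primes of hundreds of digits and never encrypts or signs raw blocks without a padding scheme such as OAEP or PSS.

```python
# Added example: textbook RSA with the lecture's letter encoding.
# Toy parameters (p = 1009, q = 1013, e = 17) are chosen here for readability.
from math import gcd


def valid_exponent(p, q, e):
    """e is usable iff gcd(e, phi(n)) = 1; e.g. e = 3 needs gcd(p-1, 3) = gcd(q-1, 3) = 1."""
    return gcd(e, (p - 1) * (q - 1)) == 1


def keygen(p, q, e):
    """Return (public, private) = ((e, n), (d, n)) for distinct primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)          # Lemma 2: phi(p*q) = (p-1)(q-1)
    if not valid_exponent(p, q, e):
        raise ValueError(f"e={e} shares a factor with phi(n)={phi}")
    d = pow(e, -1, phi)                        # extended Euclid: e*d = 1 (mod phi)
    return (e, n), (d, n)


def encode(text):
    """Lecture encoding: blank -> 99, A -> 10, ..., Z -> 35, concatenated to one integer."""
    return int("".join("99" if ch == " " else str(ord(ch) - ord("A") + 10)
                       for ch in text.upper()))


def decode(digits):
    """Inverse of encode, applied to the digit string (two digits per character)."""
    pairs = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    return "".join(" " if p == "99" else chr(int(p) - 10 + ord("A")) for p in pairs)


def blocks(number, width):
    """Split the digit string into blocks of `width` digits, each smaller than n.
    Assumes the digit count is a multiple of width (pad the text with blanks otherwise)."""
    digits = str(number)
    return [int(digits[i:i + width]) for i in range(0, len(digits), width)]


def encrypt(block, pub):
    e, n = pub
    assert 0 < block < n, "each block must be smaller than n"
    return pow(block, e, n)                    # square-and-multiply


def decrypt(cipher, priv):
    d, n = priv
    return pow(cipher, d, n)


def decrypt_message(ciphers, priv, width):
    """Decrypt every block, restore leading zeros, and decode the text."""
    return decode("".join(str(decrypt(c, priv)).zfill(width) for c in ciphers))


def sign(block, priv):
    """Same arithmetic in the other direction: d 'encrypts', e 'decrypts'."""
    return decrypt(block, priv)


def check_signature(block, signature, pub):
    e, n = pub
    return pow(signature, e, n) == block


def recover_private_key(pub):
    """Factor n by trial division (feasible only for a toy n) and rebuild d from phi(n)."""
    e, n = pub
    p = next(f for f in range(2, int(n ** 0.5) + 1) if n % f == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1)), n


if __name__ == "__main__":
    pub, priv = keygen(1009, 1013, 17)
    cs = [encrypt(b, pub) for b in blocks(encode("HELLO"), 5)]
    print(cs, decrypt_message(cs, priv, 5), recover_private_key(pub) == priv)
```

`recover_private_key` is the attacker's side of the security argument above: with $n$ this small, trial division finds $p$ immediately and the private exponent falls out of $\phi(n)$; for a 2048-bit $n$ the same step is exactly what is assumed to be infeasible.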
## Some More Mathematical Background

- Definition: finite groups
  - A group $(S, \oplus)$ is a set $S$ together with a binary operation $\oplus$ for which the following properties hold:
      - Closure: For all $a, b \in S$, we have $a \oplus b \in S$
      - Identity: There is an element $e \in S$ such that $e \oplus a = a \oplus e = a$ for all $a \in S$
      - Associativity: For all $a, b, c \in S$, we have $(a \oplus b) \oplus c = a \oplus (b \oplus c)$
      - Inverses: For each $a \in S$, there exists a unique element $b \in S$ such that $a \oplus b = b \oplus a = e$
  - If a group $(S, \oplus)$ satisfies the commutative law $\forall a, b \in S : a \oplus b = b \oplus a$, then it is called an Abelian group
  - If a group $(S, \oplus)$ has only a finite set of elements, i.e. $|S| < \infty$, then it is called a finite group
- Examples:
  - $(\mathbb{Z}_n , +_n)$
    - with $\mathbb{Z}_n:=\{[0]_n,[1]_n,...,[n-1]_n\}$
    - where $[a]_n:=\{b \in \mathbb{Z} | b \equiv a\ mod\ n\}$ and
    - $+_n$ is defined such that $[a]_n+_n[b]_n=[a+b]_n$
    - is a finite Abelian group. For the proof see the table showing the properties of modular arithmetic
  - $(\mathbb{Z}^*_n , \times_n)$
    - with $\mathbb{Z}^*_n :=\{[a]_n\in \mathbb{Z}_n | gcd(a,n)=1\}$, and
    - $\times_n$ is defined such that $[a]_n\times_n [b]_n=[a\times b]_n$
    - is a finite Abelian group. Please note that $\mathbb{Z}^*_n$ contains exactly those elements of $\mathbb{Z}_n$ that have a multiplicative inverse modulo $n$. For the proof see the properties of modular arithmetic
    - Example: $\mathbb{Z}^*_{15}=\{[1]_{15},[2]_{15},[4]_{15},[7]_{15},[8]_{15},[11]_{15},[13]_{15},[14]_{15}\}$, as $1\times 1\equiv 1\ mod\ 15$, $2 \times 8 \equiv 1\ mod\ 15$, $4 \times 4 \equiv 1\ mod\ 15$, $7 \times 13 \equiv 1\ mod\ 15$, $11 \times 11 \equiv 1\ mod\ 15$, $14 \times 14 \equiv 1\ mod\ 15$
- If it is clear that we are talking about $(\mathbb{Z}_n, +_n)$ or $(\mathbb{Z}^*_n, \times_n)$ we often represent equivalence classes $[a]_n$ by their representative elements $a$ and denote $+_n$ and $\times_n$ by $+$ and $\times$, respectively.
- Definition: finite fields
    - A field $(S,\oplus, \otimes)$ is a set $S$ together with two operations $\oplus$, $\otimes$ such that
      - $(S,\oplus)$ and $(S\backslash\{e_{\oplus}\},\otimes)$ are commutative groups, i.e. only the identity element of the operation $\oplus$ does not need to have an inverse regarding the operation $\otimes$
      - For all $a,b,c\in S$, we have $a \otimes(b\oplus c)=(a\otimes b)\oplus(a\otimes c)$
  - If $|S|<\infty$ then $(S,\oplus,\otimes)$ is called a finite field
- Example: $(\mathbb{Z}_p, +_p, \times_p)$ is a finite field for each prime $p$
- Definition: primitive root, generator
  - Let $(S,\circ)$ be a group, $g\in S$ and $g^a:=g\circ g\circ...\circ g$ ($a$ times, with $a\in\mathbb{Z}^+$)
  - Then $g$ is called a primitive root or generator of $(S,\circ):\Leftrightarrow\{g^a|1\leq a\leq |S|\}=S$
  - Examples:
    - 1 is a primitive root of $(\mathbb{Z}_n, +_n)$
    - 3 is a primitive root of $(\mathbb{Z}^*_7, \times_7)$, as $3^1, ..., 3^6 \equiv 3, 2, 6, 4, 5, 1\ mod\ 7$
  - Not all groups have primitive roots; those that do are called cyclic groups
- Theorem 5:
  - $(\mathbb{Z}^*_n, \times_n)$ has a primitive root $\Leftrightarrow n\in\{2,4,p^e,2\times p^e\}$ where $p$ is an odd prime and $e\in\mathbb{Z}^+$
- Theorem 6:
  - If $(S,\circ)$ is a finite group and $b\in S$ then $(S',\circ)$ with $S'=\{b^a|a\in\mathbb{Z}^+\}$ is also a group.
  - As $S'\subseteq S$, $(S',\circ)$ is called a subgroup of $(S,\circ)$
  - If $b$ is a primitive root of $(S,\circ)$ then $S'=S$
- Definition: order of a group and of an element
  - Let $(S,\circ)$ be a group, $e\in S$ its identity element and $b\in S$ any element of $S$:
    - Then $|S|$ is called the order of $(S,\circ)$
    - Let $c\in\mathbb{Z}^+$ be the smallest positive integer such that $b^c=e$ (if no such $c$ exists, set $c=\infty$). Then $c$ is called the order of $b$.
- Theorem 7 (Lagrange):
  - If $G$ is a finite group and $H$ is a subgroup of $G$, then $|H|$ divides $|G|$.
  - Hence, if $b\in G$ then the order of $b$ divides $|G|$.
- Theorem 8:
  - If $G$ is a cyclic finite group of order $n$ and $d$ divides $n$ then $G$ has exactly $\phi(d)$ elements of order $d$. In particular, $G$ has $\phi(n)$ elements of order $n$.
- Theorems 5, 7, and 8 are the basis of the following algorithm that finds a cyclic group $\mathbb{Z}^*_p$ and a primitive root $g$ of it:
  - Choose a large prime $q$ such that $p=2q+1$ is also prime (a so-called safe prime).
    - As $p$ is prime, Theorem 5 states that $\mathbb{Z}^*_p$ is cyclic.
    - The order of $\mathbb{Z}^*_p$ is $2\times q$ and, by Theorem 8, it has $\phi(2\times q)=\phi(2)\times\phi(q)=q-1$ primitive roots, as $q$ is prime.
    - So, the odds of randomly choosing a primitive root are $(q-1)/2q \approx 1/2$
    - To efficiently test whether a randomly chosen $g$ is a primitive root, we just have to test whether $g^2\equiv 1\ mod\ p$ or $g^q\equiv 1\ mod\ p$. If neither holds, the order of $g$ has to be $|\mathbb{Z}^*_p|=2q$, as Theorem 7 states that the order of $g$ divides $2q$, whose only divisors are $1, 2, q$ and $2q$ (and $g\not=1$ has order greater than 1)
- Definition: discrete logarithm
  - Let $p$ be prime, $g$ be a primitive root of $(\mathbb{Z}^*_p,\times_p)$ and $c$ be any element of $\mathbb{Z}^*_p$. Then there exists $z$ such that: $g^z\equiv c\ mod\ p$
  - $z$ is called the discrete logarithm of $c$ modulo $p$ to the base $g$
  - Example: 6 is the discrete logarithm of 1 modulo 7 to the base 3, as $3^6\equiv 1\ mod\ 7$
  - Computing the discrete logarithm $z$ when given $g$, $c$, and $p$ is a computationally difficult problem: the best known algorithms for $\mathbb{Z}^*_p$ (index calculus, number field sieve) are sub-exponential but still far from polynomial in the bit length of $p$, and no efficient algorithm is known

## Diffie-Hellman Key Exchange

- The Diffie-Hellman key exchange was first published in the landmark paper [DH76], which also introduced the fundamental idea of asymmetric cryptography
- The DH exchange in its basic form enables two parties A and B to agree upon a shared secret using a public channel:
  - Public channel means that a potential attacker E (E stands for eavesdropper) can read all messages exchanged between A and B
  - It is important that A and B can be sure that the attacker is not able to alter messages, as in this case she might launch a man-in-the-middle attack
  - The mathematical basis for the DH exchange is the problem of finding discrete logarithms in finite fields
  - The DH exchange is not an asymmetric encryption algorithm, but is nevertheless introduced here as it goes well with the mathematical flavor of this lecture...
- If Alice (A) and Bob (B) want to agree on a shared secret $s$ and their only means of communication is a public channel, they can proceed as follows:
  - A chooses a prime $p$, a primitive root $g$ of $\mathbb{Z}^*_p$, and a random number $q$:
    - A and B can agree upon the values $p$ and $g$ prior to any communication, or A can choose $p$ and $g$ and send them with her first message
    - A computes $v=g^q\ MOD\ p$ and sends to B: $\{p,g,v\}$
  - B chooses a random number $r$:
    - B computes $w=g^r\ MOD\ p$ and sends to A: $\{p,g,w\}$ (or just $\{w\}$)
  - Both sides compute the common secret:
    - A computes $s=w^q\ MOD\ p$
    - B computes $s'=v^r\ MOD\ p$
    - As $g^{q\times r}\ MOD\ p = g^{r \times q}\ MOD\ p$ it holds: $s=s'$
  - The only known way for an attacker Eve who is listening to the public channel to compute the secret $s$ is to compute either $q$ or $r$, which are the discrete logarithms of $v$ and $w$ modulo $p$ to the base $g$
- If the attacker Eve is able to alter messages on the public channel, she can launch a man-in-the-middle attack:
  - Eve generates two random numbers $q'$ and $r'$ and computes $v'=g^{q'}\ MOD\ p$ and $w'=g^{r'}\ MOD\ p$
  - When A sends $\{p,g,v\}$ she intercepts the message and sends to B: $\{p,g,v'\}$
  - When B sends $\{p,g,w\}$ she intercepts the message and sends to A: $\{p,g,w'\}$
  - When the supposed "shared secret" is computed we get:
    - A computes $s_1=w'^q\ MOD\ p = v^{r'}\ MOD\ p$, the latter computed by E
    - B computes $s_2=v'^r\ MOD\ p = w^{q'}\ MOD\ p$, the latter computed by E
    - So, in fact A and E have agreed upon a shared secret $s_1$, and E and B have agreed upon a shared secret $s_2$
  - If the "shared secret" is now used by A and B to encrypt messages to be exchanged over the public channel, E can intercept all the messages and decrypt/re-encrypt them before forwarding them between A and B.
- Two countermeasures against the man-in-the-middle attack:
  - The shared secret is "authenticated" after it has been agreed upon
    - We will treat this in the section on key management
  - A and B use a so-called interlock protocol after agreeing on a shared secret:
    - For this they have to exchange messages that E has to relay before she can decrypt / re-encrypt them
    - The content of these messages has to be checkable by A and B
    - This forces E to invent messages, and she can be detected
    - One technique to prevent E from decrypting the messages is to split them into two parts and to send the second part before the first one.
      - If the encryption algorithm used has suitable properties, E cannot decrypt (and hence not re-encrypt) the second part before she receives the first one.
      - As A will only send the first part after she has received an answer (the second part of it) from B, E is forced to invent two messages before she can get the first parts.
- Remark: In practice the number $g$ does not necessarily need to be a primitive root of $p$; it is sufficient if it generates a large subgroup (of prime order) of $\mathbb{Z}^*_p$

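The primitive-root test from the previous section, the exchange itself and Eve's man-in-the-middle attack, as an added Python example (not part of the lecture notes). The safe prime $p = 23 = 2\times 11+1$, the generator and all exponents are toy values chosen here so that the numbers stay readable; real deployments use groups of at least 2048 bits, where the exhaustive search at the end is hopeless.

```python
# Added example: DH in Z_p^* for the toy safe prime p = 23 = 2*11 + 1.
def is_primitive_root(g, p, q):
    """For a safe prime p = 2q + 1: g generates Z_p^* iff g^2 != 1 and g^q != 1 (mod p),
    because the order of g divides 2q and the only other divisors are 1, 2 and q."""
    return pow(g, 2, p) != 1 and pow(g, q, p) != 1


def find_generator(p, q):
    """Smallest primitive root; about every second candidate qualifies."""
    return next(g for g in range(2, p) if is_primitive_root(g, p, q))


def dh_exchange(p, g, q_alice, r_bob):
    """Honest run: returns (v, w, s_alice, s_bob); the two secrets coincide."""
    v = pow(g, q_alice, p)                 # A -> B: {p, g, v}
    w = pow(g, r_bob, p)                   # B -> A: {w}
    return v, w, pow(w, q_alice, p), pow(v, r_bob, p)


def mitm(p, g, q_alice, r_bob, q_eve, r_eve):
    """Eve replaces v by v' = g^q' and w by w' = g^r'.  Returns the pairs
    (s1 as computed by A, s1 as computed by Eve) and (s2 by B, s2 by Eve):
    A now shares s1 with Eve and B shares s2 with Eve, not with each other."""
    v, w = pow(g, q_alice, p), pow(g, r_bob, p)
    v_fake, w_fake = pow(g, q_eve, p), pow(g, r_eve, p)
    s1 = (pow(w_fake, q_alice, p), pow(v, r_eve, p))
    s2 = (pow(v_fake, r_bob, p), pow(w, q_eve, p))
    return s1, s2


def brute_force_dlog(g, c, p):
    """Eve's only passive option: find z with g^z = c (mod p) by exhaustive search,
    instant for p = 23 and infeasible for a 2048-bit p."""
    return next(z for z in range(1, p) if pow(g, z, p) == c)


if __name__ == "__main__":
    p, q = 23, 11
    g = find_generator(p, q)
    print(g, dh_exchange(p, g, 6, 15), mitm(p, g, 6, 15, 3, 7))
```

Note that in `mitm` neither Alice nor Bob sees anything unusual: both obtain a perfectly valid group element as their "shared secret"; only authentication of the exchanged values (next section on key management) reveals Eve.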
## The ElGamal Algorithm

- The ElGamal algorithm can be used for both encryption and digital signatures (see also [ElG85a])
- Like the DH exchange it is based on the difficulty of computing discrete logarithms in finite fields
- In order to set up a key pair:
  - Choose a large prime $p$, a generator $g$ of the multiplicative group $\mathbb{Z}^*_p$ and a random number $v$ such that $1\leq v\leq p - 2$. Calculate: $y=g^v\ mod\ p$
  - The public key is $(y, g, p)$
  - The private key is $v$
- To sign a message $m$:
  - Choose a random number $k$ such that $k$ is relatively prime to $p-1$.
  - Compute $r=g^k\ mod\ p$
  - With the extended Euclidean algorithm compute $k^{-1}$, the inverse of $k\ mod\ (p - 1)$
  - Compute $s=k^{-1} \times ( m - v \times r)\ mod\ ( p - 1)$
  - The signature over the message is $(r, s)$
- To verify a signature $(r, s)$ over a message $m$:
  - Confirm that $y^r \times r^s\ MOD\ p = g^m\ MOD\ p$
  - Proof: We need the following
    - Lemma 3: Let $p$ be prime and $g$ be a generator of $\mathbb{Z}^*_p$. Then $i \equiv j\ mod\ (p-1) \Rightarrow g^i \equiv g^j\ mod\ p$
    - Proof: $i\equiv j\ mod\ (p-1) \Rightarrow$ there exists $k\in \mathbb{Z}$ such that $(i-j)=(p-1)\times k$
    - So, $g^{(i-j)}=g^{(p-1)\times k} \equiv 1^k\equiv 1\ mod\ p$ because of Theorem 3 (Euler), and hence $g^i \equiv g^j\ mod\ p$
  - So, as $s\equiv k^{-1}\times(m-v\times r)\ mod\ (p-1)$
    - $\Leftrightarrow k \times s\equiv m-v\times r\ mod\ (p-1)$
    - $\Leftrightarrow m \equiv v\times r+k\times s\ mod\ (p-1)$
    - $\Rightarrow g^m \equiv g^{(v\times r+ k\times s)}\ mod\ p$ with Lemma 3
    - $\Leftrightarrow g^m \equiv g^{(v\times r)}\times g^{(k\times s)}\ mod\ p$
    - $\Leftrightarrow g^m \equiv y^r\times r^s\ mod\ p$
- Security of ElGamal signatures:
  - As the private key $v$ is needed to compute $s$, an attacker would have to compute the discrete logarithm of $y$ modulo $p$ to the base $g$ in order to forge signatures
  - It is crucial to the security that a new random number $k$ is chosen for every message, because an attacker can compute the secret $v$ if he gets two messages together with their signatures based on the same $k$ (see [Men97a], Note 11.66.ii)
  - In order to prevent an attacker from creating a message $M$ with a matching signature, it is necessary not to sign the message $M$ directly as explained before, but to sign a cryptographic hash value $m=h(M)$ of it (these will be treated soon, see also [Men97a], Note 11.66.iii)
- To encrypt a message $m$ using the public key $(y,g,p)$:
  - Choose a random $k\in\mathbb{Z}^+$ with $k<p-1$
  - Compute $r=g^k\ MOD\ p$
  - Compute $s=m\times y^k\ MOD\ p$
  - The ciphertext is $(r,s)$, which is twice as long as $m$
- To decrypt the message $(r,s)$ using $v$:
  - Use the private key $v$ to compute $r^{(p-1-v)}\ MOD\ p=r^{(-v)}\ MOD\ p$
  - Recover $m$ by computing $m=r^{(-v)}\times s\ MOD\ p$
  - Proof: $r^{(-v)}\times s\equiv r^{(-v)} \times m \times y^k\equiv g^{(-v\times k)}\times m \times g^{(v \times k)} \equiv m\ mod\ p$
- Security:
  - The only known means for an attacker to recover $m$ is to compute a discrete logarithm: either $v$ from $y$ or $k$ from $r$ (modulo $p$ to the base $g$)
  - For every message a new random $k$ is needed ([Men97a], Note 8.23.ii)

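Signing, verification, encryption and decryption as above, together with the attack behind the "never reuse $k$" rule: two signatures with the same $k$ share the same $r$, and the two equations for $s$ then determine $k$ and afterwards $v$ modulo $p-1$. This is an added Python example (not part of the lecture notes); $p = 23$, $g = 5$, the private key $v = 7$ and the values of $k$ are toy choices made here, and $m$ stands for a hash value $h(M)$.

```python
# Added example: ElGamal over Z_23^* with g = 5, plus key recovery from a reused k.
from math import gcd


def keygen(p, g, v):
    """Public key (y, g, p) with y = g^v mod p; private key v with 1 <= v <= p-2."""
    return (pow(g, v, p), g, p), v


def sign(m, v, k, p, g):
    """ElGamal signature: r = g^k mod p, s = k^-1 (m - v r) mod (p-1); m = h(M)."""
    assert gcd(k, p - 1) == 1, "k must be invertible mod p-1"
    r = pow(g, k, p)
    s = pow(k, -1, p - 1) * (m - v * r) % (p - 1)
    return r, s


def verify(m, sig, pub):
    """Accept iff y^r * r^s = g^m (mod p)."""
    y, g, p = pub
    r, s = sig
    return 0 < r < p and pow(y, r, p) * pow(r, s, p) % p == pow(g, m, p)


def solve_linear(a, b, n):
    """All x in [0, n) with a*x = b (mod n): gcd(a, n) candidates, or none at all."""
    a, b = a % n, b % n
    d = gcd(a, n)
    if b % d:
        return []
    step = n // d
    x0 = 0 if step == 1 else (b // d) * pow(a // d, -1, step) % step
    return [x0 + i * step for i in range(d)]


def recover_from_k_reuse(pub, m1, sig1, m2, sig2):
    """Two signatures with the same k (visible: same r) leak k, and then v.
    From s_i = k^-1 (m_i - v r):  (s1 - s2) k = m1 - m2  and  r v = m1 - k s1  (mod p-1).
    Because p-1 is even these congruences may have several solutions; the public
    values r and y single out the right one."""
    y, g, p = pub
    (r, s1), (_, s2) = sig1, sig2
    n = p - 1
    for k in solve_linear(s1 - s2, m1 - m2, n):
        if pow(g, k, p) != r:
            continue
        for v in solve_linear(r, m1 - k * s1, n):
            if pow(g, v, p) == y:
                return k, v
    return None


def encrypt(m, pub, k):
    """(r, s) = (g^k, m * y^k) mod p; the ciphertext is twice as long as m."""
    y, g, p = pub
    return pow(g, k, p), m * pow(y, k, p) % p


def decrypt(cipher, v, p):
    """m = r^(p-1-v) * s mod p, since r^(p-1-v) = r^(-v) mod p."""
    r, s = cipher
    return pow(r, p - 1 - v, p) * s % p


if __name__ == "__main__":
    pub, v = keygen(23, 5, 7)
    sig1, sig2 = sign(11, v, 3, 23, 5), sign(5, v, 3, 23, 5)   # same k = 3: a mistake
    print(verify(11, sig1, pub), recover_from_k_reuse(pub, 11, sig1, 5, sig2))
```

The reuse attack needs nothing but the two signed messages and the public key; in practice $k$ must therefore come from a cryptographic random number generator, or be derived deterministically from the private key and the message.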
## Elliptic Curve Cryptography

- The algorithms presented so far have been invented for the multiplicative group $(\mathbb{Z}^*_p,\times_p)$ and the field $(\mathbb{Z}_p, +_p, \times_p)$, respectively
- It was found during the 1980s that they can be generalized and used with other groups and fields as well
- The main motivation for this generalization is:
  - A lot of mathematical research in the area of primality testing, factorization and computation of discrete logarithms has led to techniques that solve these problems more efficiently if certain properties are met:
    - When the RSA-129 challenge was posed in 1977 it was expected that it would take some 40 quadrillion years to factor the 129-digit number ($\approx 428$ bit)
    - In 1994 it took 8 months to factor it by a group of computers networked over the Internet, calculating for about 5000 MIPS-years
    - Advances in factoring algorithms allowed a 232-digit number (768 bit) to be factored in 2009 in about 1500 AMD64-years [KAFL10]
    - $\Rightarrow$ the key length has to be increased (currently about 2048 bit)
  - Some of the more efficient techniques rely on specific properties of the algebraic structures $(\mathbb{Z}^*_p,\times_p)$ and $(\mathbb{Z}_p, +_p, \times_p)$
  - Different algebraic structures may therefore provide the same security with shorter key lengths
- A very promising structure for cryptography can be obtained from the group of points on an elliptic curve over a finite field
  - The mathematical operations in these groups can be efficiently implemented both in hardware and software
  - The discrete logarithm problem is believed to be hard in the general class of groups obtained from the points on an elliptic curve over a finite field

### Foundations of ECC - Group Elements

- Algebraic group consisting of
  - Points satisfying the (short) Weierstrass equation: $y^2 = x^3 + ax + b$
  - An additional point $O$ at "infinity"
- May be calculated over $\mathbb{R}$, but in cryptography $\mathbb{Z}_p$ and $GF(2^n)$ are used
  - Already over $\mathbb{R}$ the parameters $a$ and $b$ influence the shape of the curve significantly:
    - $y^2 = x^3-3x+5$
    - $y^2 = x^3-40x+5$

### Foundations of ECC - Point Addition

- Addition of elements = addition of points on the curve
- Geometric interpretation:
  - Each point $P:(x,y)$ has an inverse $-P:(x,-y)$
  - A line through two points $P$ and $Q$ usually intersects the curve in a third point $R$
  - In general, the sum of two points $P$ and $Q$ is defined as $-R$, i.e. the third intersection point reflected at the x-axis
- Addition (special cases)
  - The additional point $O$ is the neutral element, i.e., $P+O=P$
  - $P + (-P)$:
    - If the inverse point is added to $P$, the (vertical) line and the curve intersect at "infinity"
    - By definition: $P+(-P) = O$
  - $P+P$: The sum of two identical points $P$ is the inverse of the point where the tangent through $P$ intersects the curve

### Foundations of ECC - Algebraic Addition

- If one of the summands is $O$, the sum is the other summand
- If the summands are inverse to each other, the sum is $O$
- For the more general cases the slope of the line is: $\alpha=\begin{cases} \frac{y_Q-y_P}{x_Q-x_P} \quad\text{ for } P\not=-Q \wedge P\not=Q \\ \frac{3x^2_P +a}{2y_P} \quad\text{ for } P=Q \end{cases}$
- Result of point addition, where $(x_r,y_r)$ is already the reflected point $(-R)$: $x_r=\alpha^2-x_P-x_Q$ and $y_r=\alpha(x_P-x_r)-y_P$

### Foundations of ECC - Multiplication

- Multiplication of a natural number $n$ and a point $P$ is performed by repeated addition
- The additions are grouped into powers of 2 (double-and-add) to achieve a runtime logarithmic in $n$, e.g. $25P = P + 8P + 16P$
- This fast computation is only possible if $n$ is known!
- If $n$ is unknown in $nP = Q$, a logarithm has to be solved, which is feasible if the coordinate values are chosen from $\mathbb{R}$
- For $\mathbb{Z}_p$ and $GF(2^n)$ the discrete logarithm problem for elliptic curves has to be solved, for which no efficient algorithm is known!
- Note: it is not defined how two points are multiplied, only how a natural number $n$ and a point $P$ are

### Foundations of ECC - Curves over $\mathbb{Z}_p$

- Over $\mathbb{Z}_p$ the curve degrades to a finite set of points
- For: $y^2=x^3-3x+5\ mod\ 19$
  - Note: For some $x$ values there is no $y$ value!

### Foundations of ECC - Calculate the y-values in $\mathbb{Z}_p$

- In general a little more problematic: determining the $y$-values for a given $x$ requires a square root modulo $p$, as $y^2\equiv f(x)\ mod\ p$ with $f(x)=x^3+ax+b$
- Hence $p$ is often chosen such that $p\equiv 3\ mod\ 4$
- Then $y$ is calculated by $y_1\equiv f(x)^{\frac{p+1}{4}}\ mod\ p$ and $y_2\equiv -f(x)^{\frac{p+1}{4}}\ mod\ p$, provided a solution exists at all
- Short proof (for $f(x)\not\equiv 0\ mod\ p$):
  - From Euler's Theorem 3 we know that $f(x)^{p-1}\equiv 1\ mod\ p$
  - Thus its square root must be 1 or -1: $f(x)^{\frac{p-1}{2}}\equiv\pm 1\ mod\ p$
- Case 1: $f(x)^{\frac{p-1}{2}}\equiv 1\ mod\ p$
    - Multiply both sides by $f(x)$: $f(x)^{\frac{p+1}{2}}\equiv f(x)\equiv y^2\ mod\ p$
    - As $p + 1$ is divisible by 4, the left-hand side is the square of $f(x)^{\frac{p+1}{4}}$, so $y\equiv\pm f(x)^{\frac{p+1}{4}}\ mod\ p$
- Case 2: $f(x)^{\frac{p-1}{2}}\equiv -1\ mod\ p$: In this case no solution exists for the given $x$ value, as $f(x)$ is not a square modulo $p$ (Euler's criterion)

### Foundations of ECC - Addition and Multiplication in $\mathbb{Z}_p$

- Due to the discrete structure, the point operations no longer have a geometric interpretation, but:
- Algebraic addition works as over $\mathbb{R}$
- If the inverse point is added to $P$, the line and "curve" still intersect at "infinity"
- All $x$- and $y$-values are calculated mod $p$
- Division is replaced by multiplication with the inverse element of the denominator
  - Use the extended Euclidean algorithm with $w$ and $p$ to derive the multiplicative inverse $w^{-1}\ mod\ p$
- Algebraic multiplication of a natural number $n$ and a point $P$ is also performed by repeated addition of summands that are powers of 2 times $P$
- The discrete logarithm problem is to determine a natural number $n$ in $nP=Q$ for two known points $P$ and $Q$

### Foundations of ECC - Size of generated groups

- Please note that the order of a group generated by a point on a curve over $\mathbb{Z}_p$ is not $p-1$!
- Determining the exact order is not easy, but can be done in time polynomial in $\log p$ by Schoof's algorithm [Sch85] (requires much more mathematical background than desired here)
- But Hasse's theorem on elliptic curves states that the number of points $n$ on the curve must lie between: $p+1 - 2\sqrt{p}\leq n\leq p+1+2\sqrt{p}$
- As mentioned before: Generating rather large groups is sufficient

### Foundations of ECC - ECDH

- The Diffie-Hellman algorithm can easily be adapted to elliptic curves
- If Alice (A) and Bob (B) want to agree on a shared secret $S$:
  - A and B agree on a cryptographically secure elliptic curve and a point $P$ on that curve
  - A chooses a random number $q$:
    - A computes $Q=qP$ and transmits $Q$ to Bob
  - B chooses a random number $r$:
    - B computes $R=rP$ and transmits $R$ to Alice
  - Both sides compute the common secret:
    - A computes $S=qR$
    - B computes $S'=rQ$
    - As $qrP=rqP$ the secret point $S=S'$
- The only known way for attackers listening to the public channel to compute $S$ is to compute either $q$ or $r$, which are the discrete logarithms of $Q$ and $R$ with respect to the point $P$

### Foundations of ECC - EC version of ElGamal Algorithm

- Adapting ElGamal for elliptic curves is rather straightforward for the encryption routine
- To set up a key pair:
  - Choose an elliptic curve over a finite field, a point $G$ that generates a large group, and a random number $v$ such that $1 < v < n$, where $n$ denotes the order of the group generated by $G$. Calculate: $Y = vG$
  - The public key is $(Y,G,curve)$
  - The private key is $v$
- To encrypt a message:
  - Choose a random $k\in\mathbb{Z}^+$ with $k<n-1$, compute $R=kG$
  - Compute $S=M+kY$, where $M$ is a point derived from the message
    - Problem: Interpreting the message $m$ as the $x$-coordinate of $M$ is not sufficient, as a matching $y$-value does not have to exist
    - Solution from [Ko87]: Choose a constant $c$ (e.g. 100) and check whether $cm$ is the $x$-coordinate of a valid point; if not, try $cm+1$, then $cm+2$ and so on
    - To decode $m$: take the $x$-value of $M$ and do an integer division by $c$ (the receiver has to know $c$ too)
  - The ciphertext consists of the points $(R,S)$
  - It is about twice as long as $m$ if stored in so-called compressed form, i.e. only the $x$-coordinate is stored plus a single bit indicating whether the larger or the smaller of the two corresponding $y$-coordinates is meant
- To decrypt a message:
  - Derive $M$ by calculating $S-vR$
  - Proof: $S-vR=M+kY-vR =M+kvG-vkG= M+O= M$
- To sign a message:
  - Choose a random $k\in\mathbb{Z}^+$ with $k<n-1$, compute $R = kG$
  - Compute $s=k^{-1}(m+rv)\ mod\ n$, where $r$ is the $x$-value of $R$
  - The signature is $(r,s)$, again about twice as long as $n$
- To verify a signed message:
  - Check whether the point $P=ms^{-1}G+rs^{-1}Y$ has the $x$-coordinate $r$
  - Note: $s^{-1}$ is calculated by the extended Euclidean algorithm with the input $s$ and $n$ (the order of the group); the scalars $ms^{-1}$ and $rs^{-1}$ are reduced mod $n$
  - Proof: $ms^{-1}G+rs^{-1}Y = ms^{-1}G+rs^{-1}vG = (m+rv)(s^{-1})G = (ks)(s^{-1})G = kG = R$
- Security discussion:
  - As in the original version of ElGamal it is crucial not to use the same $k$ twice
  - Messages should not be signed directly, but their hash value $m=h(M)$
  - Further checks may be required, e.g., received points must be valid points on the curve and different from $O$ (see [NIST09] for further details)

					### Foundations of ECC - Security
 | 
				
			||||||
 | 
					- The security heavily depends on the chosen curve and point:
 | 
				
			||||||
 | 
					- The discriminant of the curve must not be zero, i.e., $4a^3+27b^2\not\equiv 0\ mod\ p$ otherwise the curve is degraded (a so called ,,singular curve'' )
 | 
				
			||||||
 | 
					- Menezes et. al. have found a sub-exponential algorithm for so-called ,,supersingular elliptic curves'' but this does not work in the general case [Men93a]
 | 
				
			||||||
 | 
					- The constructed algebraic groups should have as many elements a possible
 | 
				
			||||||
 | 
					- This class will not go into more details of elliptic curve cryptography as this requires way more mathematics than desired for this course...
 | 
				
			||||||
 | 
					- For non-cryptographers it is best to depend on predefined curves, e.g., [LM10] or [NIST99] and standards such as ECDSA
 | 
				
			||||||
 | 
					- Many publications choose parameters a and b such that they are provably chosen by a random process (e.g. publish x for $h(x)=a$ and $y$ for $h(y) = b$); Shall ensure that the curves do not contain a cryptographic weakness that only the authors knows about
 | 
				
			||||||
 | 
					- The security depends on the length of p
 | 
				
			||||||
 | 
					  - Key lengths with comparable strengths according to [NIST12]:
 | 
				
			||||||
 | 
					    | Symmetric Algorithms | RSA   | ECC     |
 | 
				
			||||||
 | 
					    | -------------------- | ----- | ------- |
 | 
				
			||||||
 | 
					    | 112                  | 2048  | 224-255 |
 | 
				
			||||||
 | 
					    | 128                  | 3072  | 256-383 |
 | 
				
			||||||
 | 
					    | 192                  | 7680  | 384-511 |
 | 
				
			||||||
 | 
					    | 256                  | 15360 | > 512   |
 | 
				
			||||||
 | 
					- The security also heavily depends on the implementation!
 | 
				
			||||||
 | 
					  - The different cases (e.g. with O) in ECC calculation may be observable, i.e., power consumption and timing differences
 | 
				
			||||||
 | 
					  - Attackers might deduct side-channel attacks, as in OpenSSL 0.9.8o [BT11]
 | 
				
			||||||
 | 
					    - Attacker may deduce the bit length of a value k in $kP$ by measuring the time required for the square and multiply algorithm
 | 
				
			||||||
 | 
					    - Algorithm was aborted early in OpenSSL when no further bits where set to ,,1''
 | 
				
			||||||
 | 
					  - Attackers might try to generate invalid points to derive facts about the used key as in OpenSSL 0.9.8g, leading to a recovery of a full 256-bit ECC key after only 633 queries [BBP12]
 | 
				
			||||||
 | 
					- Lesson learned: Do not do it on your own, unless you have to and know what you are doing!
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					### Foundations of ECC - Further remarks
 | 
				
			||||||
 | 
					- As mentioned earlier it is possible to construct cryptographic elliptic curves over $G(2^n)$, which may be faster in hardware implementations
 | 
				
			||||||
 | 
					  - We refrained from details as this would not have brought many different insights!
 | 
				
			||||||
 | 
					- Elliptic curves and similar algebraic groups are an active field of research and allow other advanced applications e.g.:
 | 
				
			||||||
 | 
					  - So-called Edwards Curves are currently discussed, as they seem more robust against side-channel attacks (e.g. [BLR08])
 | 
				
			||||||
 | 
					  - Bilinear pairings allow
 | 
				
			||||||
 | 
					    - Programs to verify that they belong to the same group, without revealing their identity (Secret handshakes, e.g. [SM09])
 | 
				
			||||||
 | 
					    - Public keys to be structured, e.g. use ,,Alice'' as public key for Alice (Identity based encryption, foundations in [BF03])
 | 
				
			||||||
 | 
					- Before deploying elliptic curve cryptography in a product, make sure to not violate patents, as there are still many valid ones in this field!
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					## Conclusion
 | 
				
			||||||
 | 
					- Asymmetric cryptography allows to use two different keys for:
 | 
				
			||||||
 | 
					  - Encryption / Decryption
 | 
				
			||||||
 | 
					  - Signing / Verifying
 | 
				
			||||||
 | 
					- The most practical algorithms that are still considered to be secure are:
 | 
				
			||||||
 | 
					  - RSA, based on the difficulty of factoring and solving discrete logarithms
 | 
				
			||||||
 | 
					  - Diffie-Hellman (not an asymmetric algorithm, but a key agreement protocol)
 | 
				
			||||||
 | 
					  - ElGamal, like DH based on the difficulty of computing discrete logarithms
 | 
				
			||||||
 | 
					- As their security is entirely based on the difficulty of certain mathematical problems, algorithmic advances constitute their biggest threat
 | 
				
			||||||
 | 
					- Practical considerations:
 | 
				
			||||||
 | 
					  - Asymmetric cryptographic operations are about magnitudes slower than symmetric ones
 | 
				
			||||||
 | 
					  - Therefore, they are often not used for encrypting / signing bulk data
 | 
				
			||||||
 | 
					  - Symmetric techniques are used to encrypt / compute a cryptographic hash value and asymmetric cryptography is just used to encrypt a key / hash value
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
# Modifikationsprüfwerte
 | 
					# Modifikationsprüfwerte
 | 
				
			||||||
# Zufallszahlengenerierung
 | 
					# Zufallszahlengenerierung
 | 
				
			||||||
# Kryptographische Protokolle
 | 
					# Kryptographische Protokolle
 | 
				
			||||||
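Review bot: The signing step `Compute $s=k^{-1}(m+rv) mod\ n$, where $r$ is the x-value of R` signs the raw message m, which the later bullet `Messages should not be signed directly` then contradicts without saying what to do instead; state it in the scheme itself, i.e. let m be the hash of the message reduced mod n, and add the checks the referenced [NIST09] requires: reject r = 0 or s = 0 and compare the verifier's x-coordinate with r modulo n rather than as a raw field element. Two factual slips in the same hunk should be fixed before merge: the conclusion line `RSA, based on the difficulty of factoring and solving discrete logarithms` is wrong, RSA rests on factoring (the RSA problem) while DH and ElGamal rest on discrete logarithms, so drop the DL part from the RSA bullet; and the field in `construct cryptographic elliptic curves over $G(2^n)$` is $GF(2^n)$. In the side-channel paragraph, scalar multiplication kP is double-and-add, not square-and-multiply (that is the modular-exponentiation name), and "Attackers might deduct side-channel attacks" should read "mount side-channel attacks". Minor wording: "Extended Euclidian Algorithm" is "Extended Euclidean Algorithm", a curve with zero discriminant is "degenerate" rather than "degraded", "as many elements a possible" is missing an "s", "i.e., G must not be O" should be "e.g.", and "about magnitudes slower" should be "orders of magnitude slower".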
@ -745,3 +1259,23 @@ Standardisierte AES-Konfigurationen
 | 
				
			|||||||
- [Sch96] B. Schneier - Applied Cryptography Second Edition: Protocols, Algorithms and Source Code in C
 | 
					- [Sch96] B. Schneier - Applied Cryptography Second Edition: Protocols, Algorithms and Source Code in C
 | 
				
			||||||
- [Sta13] W. Stallings - Cryptography and Network Security: Principles and Practice
 | 
					- [Sta13] W. Stallings - Cryptography and Network Security: Principles and Practice
 | 
				
			||||||
- [Sti05] D. R. Stinson - Cryptography: Theory and Practice (Discrete Mathematics and Its Applications)
 | 
					- [Sti05] D. R. Stinson - Cryptography: Theory and Practice (Discrete Mathematics and Its Applications)
 | 
				
			||||||
 | 
					- [Bre88a] D. M. Bressoud. - Factorization and Primality Testing
 | 
				
			||||||
 | 
					- [Cor90a] T. H. Cormen, C. E. Leiserson, R. L. Rivest. _Introduction to Algorithms.
 | 
				
			||||||
 | 
					- [DH76] W. Diffie, M. E. Hellman - New Directions in Cryptography
 | 
				
			||||||
 | 
					- [ElG85a] T. ElGamal - A Public Key Cryptosystem and a Signature Scheme based on Discrete Logarithms.
 | 
				
			||||||
 | 
					- [Kob87a] N. Koblitz - A Course in Number Theory and Cryptography
 | 
				
			||||||
 | 
					- [Men93a] A. J. Menezes - Elliptic Curve Public Key Cryptosystems.
 | 
				
			||||||
 | 
					- [Niv80a] I. Niven, H. Zuckerman - An Introduction to the Theory of Numbers
 | 
				
			||||||
 | 
					- [RSA78] R. Rivest, A. Shamir und L. Adleman - A Method for Obtaining Digital Signatures and Public Key Cryptosystems
 | 
				
			||||||
 | 
					- [KAFL10] T. Kleinjung, K. Aoki, J. Franke, A. Lenstra, E. Thomé, J. Bos, P. Gaudry, A. Kruppa, P. Montgomery, D. Osvik, H. Te Riele, A.Timofeev, P. Zimmermann - Factorization of a 768-bit RSA modulus
 | 
				
			||||||
 | 
					- [LM10] M. Lochter, J. Merkle - Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation_ 
 | 
				
			||||||
 | 
					- [NIST99] NIST - Recommended Elliptic Curves for Federal Government Use
 | 
				
			||||||
 | 
					- [NIST12] NIST - Recommendation for Key Management: Part 1: General (Revision 3)
 | 
				
			||||||
 | 
					- [Ko87] N. Koblitz - Elliptic Curve Cryptosystems
 | 
				
			||||||
 | 
					- [BBP12] B.B. Brumley, M. Barbosa, D. Page, F. Vercauteren - Practical realisation and elimination of an ECC-related software bug attack
 | 
				
			||||||
 | 
					- [BT11] B.B. Brumley, N. Tuveri - Remote timing attacks are still practical
 | 
				
			||||||
 | 
					- [BLR08] D. Bernstein, T. Lange, R. Rezaeian Farashahi - Binary Edwards Curves
 | 
				
			||||||
 | 
					- [NIST09] NIST - Digital Signature Standard (DSS)
 | 
				
			||||||
 | 
					- [SM09] A. Sorniotti, R. Molva - A provably secure secret handshake with dynamic controlled matching
 | 
				
			||||||
 | 
					- [BF03] D. Boneh, M. Franklin - Identity-Based Encryption from the Weil Pairing
 | 
				
			||||||
 | 
					- [Sch85] R. Schoof - Elliptic Curves over Finite Fields and the Computation of Square Roots mod p
 | 
				
			||||||
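Review bot: Two entries carry unbalanced markdown underscores that will italicize everything after them when rendered: `- [Cor90a] T. H. Cormen, C. E. Leiserson, R. L. Rivest. _Introduction to Algorithms.` and `- [LM10] M. Lochter, J. Merkle - Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation_`; either close the emphasis around the title or drop the underscores. The [RSA78] entry still has the German "und" between the author names, and the citation keys mix styles ([Ko87] next to [Kob87a], [BBP12] for a four-author paper), so pick one convention for the whole list.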