Assignment done as part of Introduction to Information Security Course (CS4062D). All programs are written in C++ using NTL library. For installing NTL library refer NTL documentation.
- Choose two primes p and q of no of bits l. Let n = p * q
- Let the public key, e ∈ Z be positive such that gcd(e, Φ(n)) = 1.
- Then the private key, d ∈ Z such that de ≡ 1 (mod(Φ(n))).
- For every message m < n, we can encrypt the message m using, c = me(mod n).
- c can be decrypted by using the private key, m = cd(mod n).
Output for 512 bits
Output for 1024 bits
INPUT : Security parameter l and t
OUTPUT : DL domain parameters (p, q, g)
- Select a t bit prime p and l bit prime q such that q divides p-1.
- Select an arbitrary h ∈ [1, p-1] and calculate generator g = h(p-1)/q
- if g = 1, then go to step 2
INPUT : DL domain parameters (p, q, g)
OUTPUT : public key y and private key x
- Select x ∈ [1, q-1].
- calculate y = gx (mod p).
- return (y, x)
INPUT : DL domain parameters (p, q, g), public key y, plain text m ∈ [0, p-1].
OUTPUT : CipherText (c1, c2)
- Choose k randomly from [1, q-1].
- c1 = gk (mod p).
- c2 = m * yk (mod p)
- return (c1, c2)
INPUT : DL domain parameters (p, q, g), private key x, cipher text (c1, c2).
OUTPUT : plaintext m
- compute m = c2 * c1-x (mod p)
- return m
Output for 512 bits
Output for 1024 bits
- Feild, p = 2192 −264 −1
- a = −3 (where a is in y2 = x3 + ax + b)
- b = 0x 64210519 E59C80E7 0FA7E9AB 72243049 FEB8DEEC C146B9B1 (where b is in y2 = x3 + ax + b)
- n = 0x FFFFFFFF FFFFFFFF FFFFFFFF 99DEF836 146BC9B1 B4D22831 (order of E(a, b)(Fp))
- x = 0x 188DA80E B03090F6 7CBF20EB 43A18800 F4FF0AFD 82FF1012 (x cordinate of base point)
- y = 0x 07192B95 FFC8DA78 631011ED 6B24CDD5 73F977A1 1E794811 (y cordinate of base point)
INPUT: Elliptic curve domain parameters (p, E, P,n).
OUTPUT: Public key Q and private key d
- Select d ∈R [1,n −1].
- Compute Q = d.P.
- Return(Q,d).
INPUT: Elliptic curve domain parameters (p, E, P,n), public key Q, plaintext m.
OUTPUT: Ciphertext (C1,C2).
- Represent the message m as a point M in E(Fp).
- Select k ∈R [1,n −1].
- Compute C1 = k.P.
- Compute C2 = M +k.Q.
- Return(C1,C2).
INPUT: Domain parameters (p, E, P,n), private key d, ciphertext (C1,C2).
OUTPUT: Plaintext m.
- Compute M = C2 −d.C1, and extract m from M.
- Return(m).
Output
INPUT: (message (msg), private key (d), n)
OUTPUT: Signature (s)
Signing a message msg with the private key exponent d:
- Calculate the message hash: h = hash(msg)
- Encrypt h to calculate the signature : s = hd(modn)
The hash h should be in the range [0...n). The obtained signature s is an integer in the range [0...n).
INPUT: (Signature (s), message (msg), public key (e), n)
OUTPUT: prints valid sign or not
Verifying a signature s for the message msg with the public key e:
- Calculate the message hash: h = hash(msg)
- Decrypt the signature: h′ = se(modn)
- if h == h′, then signature is valid else signature is invalid.
Output
INPUT: (message (m), private key (x), p)
OUTPUT: (r, s)
- Choose an integer k randomly from {2,....,p-2} with k relatively prime to p-1.
- Compute r = gk (mod p).
- Compute s = (H(m) - x.r).k-1 (mod p-1).
- if s == 0, then go to step 1.
INPUT: (r, s, message (m), public key (y), p)
OUTPUT: prints valid sign or not
- Verify that 0<r<p and 0<s<p-1.
- The signature is valid if and only if gH(m) = yr.rs (mod p).
Output
INPUT: Domain parameters D = (q,FR,S,a,b,P,n,h), private key(d), message(m).
OUTPUT: Signature(r,s).
- Select k ∈R [1,n −1].
- Compute k.P = (x1, y1) and convert x1 to an integer x1.
- Compute r = x1 mod n. If r = 0 then go to step 1.
- Compute e = H(m).
- Compute s = k−1(e +d.r) (mod n). If s = 0 then go to step 1.
- Return(r,s).
INPUT: Domain parameters D = (q,FR,S,a,b,P,n,h), public key(Q), message(m), signature (r,s).
OUTPUT: Acceptance or rejection of the signature.
- Verify that r and s are integers in the interval [1,n −1]. If any verification fails then return(“Reject the signature”).
- Compute e = H(m).
- Compute w = s−1 mod n.
- Compute u1 = e.w (mod n) and u2 = r.w (mod n).
- Compute X = u1.P +u2.Q.
- If X = ∞, then return(“Reject the signature”);
- Convert the x-coordinate x1 of X to an integer x1; compute v = x1 mod n.
- If v == r, then return(“Accept the signature”); Else return(“Reject the signature”).
Output