Electronic Payment Systems Lecture 5: ePayment Security II


Electronic Payment Systems 20-763 Lecture 5: ePayment Security II ELECTRONIC PAYMENT SYSTEMS 20-763 SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Outline
• Public-key Cryptography
• One-way trapdoor functions
• RSA
• Protocol Failure
• Discrete Logarithms
• Diffie-Hellman
• El Gamal
• Elliptic Curve Cryptosystems

Public Key Encryption
[Diagram: the clear-text input “The quick brown fox jumps over the lazy dog” is encrypted with the recipient’s public key into the cipher-text “Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd’rkvegMs”, which is decrypted with the recipient’s private key into the clear-text output “The quick brown fox jumps over the lazy dog”. The public and private keys are different but mathematically linked.]
SOURCE: ALBERTO PACE

One-Way Trapdoor Function
• A function that is easy to compute
• Computationally difficult to invert without knowing the secret (the “trapdoor”)
• Easy to invert with the secret
• Example: $f_x(y) = x \cdot y$
  • Given $f_x(y)$, it is difficult to find either x or y
  • Given $f_x(y)$ and x (the secret), it is easy to find y: $y = x \cdot y / x$
• ANY one-way trapdoor function can be used in public-key cryptography.

Trapdoor Functions for Cryptography
• Alice wants to send message m to Bob
• Bob’s public key e is a parameter to the trapdoor function $f_e(x)$
• The inverse $f_e^{-1}(y)$ is easy to compute knowing Bob’s private key d but difficult without d
• Alice computes $f_e(m)$, sends it to Bob
• Bob computes $f_e^{-1}(f_e(m)) = m$ (easy if d is known)
• Eavesdropper Eve can’t compute $m = f_e^{-1}(f_e(m))$ without the trapdoor d to find the inverse $f_e^{-1}$
• Symmetric encryption satisfies the trapdoor criteria except that e and d are the same, so neither can be made public

Rivest-Shamir-Adleman (RSA)
• It is easy to multiply two numbers but apparently hard to factor a number into a product of two others.
• Given p, q, it is easy to compute $n = p \cdot q$
  • Example: p = 5453089; q = 3918067
  • Easy to find n = 21365568058963
• Given n, hard to find two numbers p, q with $p \cdot q = n$
  • Now suppose n = 7859112349338149
  • What are p and q such that $p \cdot q = n$?
• Multiplication is a one-way function
• RSA exploits this fact in public-key encryption

RSA Encryption
• Select two large prime numbers p, q (e.g. 1024 bits)
• Let $n = p \cdot q$
• Choose a small odd integer e that does not divide $m = (p - 1)(q - 1)$. Then $x^{(p-1)(q-1)} = 1 \pmod{n}$
• Compute $d = e^{-1} \pmod{m}$
  • That is, $d \cdot e$ gives remainder 1 when divided by m
• Then $x^{e \cdot d} = x \pmod{n}$ (by Fermat’s “Little” Theorem)
• Public key is the pair (e, n)
• Private key is the pair (d, n)
• d cannot be calculated quickly from (e, n)
  • Still need p and q, which involves factoring n

RSA Encryption
• Message M is a number
• To encrypt message M using key (e, n):
  • Compute $E(M) = M^e \pmod{n}$
• To decrypt message E(M) using key (d, n):
  • Compute $D(E(M)) = E(M)^d \pmod{n}$
• Note that $D(E(M)) = E(D(M)) = (M^e)^d \pmod{n} = M^{e \cdot d} \pmod{n} = M$ because $e \cdot d = 1 \pmod{m}$ and $m = (p-1)(q-1)$

Protocol Failure
• A “secure” cryptosystem is not secure if used carelessly
• Protocols must be followed carefully or a “protocol failure” occurs
• Example: “common modulus” failure
  • Bob and Carol have the same public-key modulus n with encryption exponents $e_{BOB}$ and $e_{CAROL}$ having no common factor
  • Alice sends the same plaintext M to both Bob and Carol
  • Bob gets $y_{BOB} = M^{e_{BOB}} \bmod n$
  • Carol gets $y_{CAROL} = M^{e_{CAROL}} \bmod n$
  • If Eve intercepts both, she can read the message
• WARNING: NEVER SEND THE SAME MESSAGE TWICE!

Protocol Failure
Eve computes:
  $c_1 = e_{BOB}^{-1} \pmod{e_{CAROL}}$
  $c_2 = ((c_1 e_{BOB}) - 1) / e_{CAROL}$
  $M = y_{BOB}^{c_1} (y_{CAROL}^{c_2})^{-1} \pmod{n}$
  $= (M^{e_{BOB}})^{c_1} ((M^{e_{CAROL}})^{c_2})^{-1} \pmod{n}$
  $= (M^{e_{BOB}})^{c_1} ((M^{e_{CAROL}})^{(c_1 e_{BOB} - 1)/e_{CAROL}})^{-1} \pmod{n}$
  $= (M^{e_{BOB}})^{c_1} (M^{c_1 e_{BOB} - 1})^{-1} \pmod{n}$
  $= M (M^{c_1 e_{BOB} - 1}) (M^{c_1 e_{BOB} - 1})^{-1} \pmod{n}$
  $= M \bmod n$
So Eve recovers the original message!
KNOWN QUANTITIES: $n$, $e_{BOB}$, $e_{CAROL}$, $y_{BOB}$, $y_{CAROL}$
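
Added example (not part of the original slides): the computation from the two Protocol Failure slides run on a constructed toy modulus, followed by the check a key administrator would run to catch keys that share a modulus. The primes 61 and 53, the exponents 7 and 17, the message 65 and all function names are assumptions chosen for illustration.

```python
from collections import defaultdict
from math import gcd

def rsa_encrypt(m, e, n):
    """E(M) = M^e mod n, as on the RSA Encryption slide."""
    return pow(m, e, n)

def recover_common_modulus(n, e_bob, e_carol, y_bob, y_carol):
    """The slide's computation, using only the known quantities."""
    if gcd(e_bob, e_carol) != 1:
        raise ValueError("exponents share a factor; the slide's method needs gcd = 1")
    c1 = pow(e_bob, -1, e_carol)        # c1 = eBOB^-1 (mod eCAROL)
    c2 = (c1 * e_bob - 1) // e_carol    # exact division by choice of c1
    if gcd(y_carol, n) != 1:
        raise ValueError("yCAROL has no inverse mod n")
    # M = yBOB^c1 * (yCAROL^c2)^-1 (mod n), since eBOB*c1 - eCAROL*c2 = 1
    return (pow(y_bob, c1, n) * pow(pow(y_carol, c2, n), -1, n)) % n

def find_shared_moduli(public_keys):
    """Defender's check: report every modulus n used by more than one key owner."""
    owners = defaultdict(list)
    for name, (_e, n) in public_keys.items():
        owners[n].append(name)
    return {n: names for n, names in owners.items() if len(names) > 1}

# Constructed toy parameters (far too small for real use).
N = 61 * 53                  # shared modulus n = 3233
E_BOB, E_CAROL = 7, 17       # no common factor, both coprime to (p-1)(q-1) = 3120
M = 65                       # the plaintext Alice sends to both

def demo():
    y_bob = rsa_encrypt(M, E_BOB, N)
    y_carol = rsa_encrypt(M, E_CAROL, N)
    return recover_common_modulus(N, E_BOB, E_CAROL, y_bob, y_carol)

if __name__ == "__main__":
    print("recovered plaintext:", demo())
    keys = {"bob": (E_BOB, N), "carol": (E_CAROL, N), "dave": (7, 53 * 59)}
    print("shared moduli:", find_shared_moduli(keys))
```

Neither private exponent is used anywhere in the recovery, which is why the fix is one modulus per key pair rather than a longer key.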

Discrete Logarithms
• If $a^b = c$, we say that $\log_a c = b$
• Example: $2^{32} = 4294927296$ so $\log_2(4294927296) = 32$
• Computing $a^b$ and $\log_a c$ are both easy for real numbers
• In a finite field, it is easy to calculate $c = a^b \bmod p$ but given c, a and p it is very difficult to find b
• This is the “discrete logarithm” problem
• Analogy:
  • Given x it is easy to find two real numbers y, z such that $x = y \cdot z$
  • Given an integer n it is hard to find two integers p, q such that $n = p \cdot q$

Diffie-Hellman Key Exchange
• Object: allow Alice and Bob to exchange a secret key
• Protocol has two public parameters: a prime p and a number g < p such that given 0 < n < p there is some k such that $g^k = n$ (g is called a generator)
• Alice and Bob generate random private values a, b between 1 and p-2
• Alice’s public value is $g^a \pmod{p}$; Bob’s is $g^b \pmod{p}$
• Alice and Bob share their public values
• Alice computes $(g^b)^a \pmod{p} = g^{ba} \pmod{p}$
• Bob computes $(g^a)^b \pmod{p} = g^{ab} = g^{ba} \pmod{p}$
• Let key = $g^{ab}$. Now both Alice and Bob have it.
• No one else can compute it -- they don’t know a or b

El Gamal Encryption
• Based on the discrete logarithm
• Bob’s public key is (p, q, r)
• Bob’s private key is s such that $r = q^s \bmod p$
• Alice sends Bob the message m by picking a random secret number k and sending $(a, b) = (q^k \bmod p,\ m r^k \bmod p)$
• Bob computes $b (a^s)^{-1} \bmod p = m r^k (q^{ks})^{-1} = m q^{ks} (q^{ks})^{-1} = m$ (Bob knows s; nobody else can do this)
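
Added example (not part of the original slides): the Diffie-Hellman exchange and El Gamal encryption from the two slides above, written with the slides' symbols and a test that g really is a generator. The prime 2579, the message 1299 and all function names are assumptions chosen for illustration; private values are drawn from 1 to p-2 as the slide specifies.

```python
import secrets

def prime_factors(n):
    """Distinct prime factors by trial division (adequate for toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_generator(g, p):
    """True if every n with 0 < n < p is some power g^k mod p (p prime)."""
    if not 0 < g < p:
        return False
    # g generates the group iff g^((p-1)/f) != 1 for each prime factor f of p-1.
    return all(pow(g, (p - 1) // f, p) != 1 for f in prime_factors(p - 1))

def private_value(p):
    """Random private value between 1 and p-2."""
    return secrets.randbelow(p - 2) + 1

def dh_exchange(p, g, a, b):
    """Return the key as Alice computes it and as Bob computes it."""
    pub_a, pub_b = pow(g, a, p), pow(g, b, p)   # the only values sent
    return pow(pub_b, a, p), pow(pub_a, b, p)

def elgamal_encrypt(m, p, q, r, k):
    """(a, b) = (q^k mod p, m * r^k mod p) for Bob's public key (p, q, r)."""
    return pow(q, k, p), (m * pow(r, k, p)) % p

def elgamal_decrypt(a, b, p, s):
    """m = b * (a^s)^-1 mod p, using Bob's private key s."""
    return (b * pow(pow(a, s, p), -1, p)) % p

P = 2579                                                  # constructed toy prime
G = next(g for g in range(2, P) if is_generator(g, P))    # smallest generator

def demo():
    alice_key, bob_key = dh_exchange(P, G, private_value(P), private_value(P))
    s, k = private_value(P), private_value(P)
    r = pow(G, s, P)                                      # Bob publishes (P, G, r)
    a, b = elgamal_encrypt(1299, P, G, r, k)
    return alice_key == bob_key, elgamal_decrypt(a, b, P, s)

if __name__ == "__main__":
    print("generator:", G, "keys agree / decrypted message:", demo())
```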

Relative Time in Seconds Required for RSA Modular Exponentiation $y = x^e \bmod n$

  RSA key size k [bits]   Processing time t [s]
  512                     8
  768                     22
  1024                    48
  1536                    150
  2048                    335

RSA Benchmarks for the 20 MHz IPC@CHIP
SOURCE: ANDREAS STEFFEN, ZHW

Elliptic Curves
• General form: $y^2 = x^3 + ax + b$
• Condition for distinct single roots: $4a^3 + 27b^2 \neq 0$
• Example: $y^2 = x^3 - 4x = x(x - 2)(x + 2)$
SOURCE: ANDREAS STEFFEN, ZHW

The Group <G, ∘>
A set G and an operation ∘ defined on pairs of elements of set G such that for all elements a, b and c in G we have:
• Closure: a ∘ b is also an element of G
• Associativity: a ∘ (b ∘ c) = (a ∘ b) ∘ c
• Identity Element: For some e in G, for all a, a ∘ e = e ∘ a = a
• Inverse Element: Every a has an inverse a': a ∘ a' = a' ∘ a = e
• Commutativity: a ∘ b = b ∘ a (Abelian Group)
Examples:
• Addition: <R, +>, e = 0, a' = -a
• Multiplication: <R-{0}, · >, e = 1, a' = $a^{-1}$
SOURCE: ANDREAS STEFFEN, ZHW

The Points P(x,y) on an Elliptic Curve form a Group
• Group set: All points P(x,y) lying on an elliptic curve
• Group operation: Point addition R = P ∘ Q
[Figure: elliptic curve with the points P, Q, R' and R marked]
SOURCE: ANDREAS STEFFEN, ZHW

Identity and Inverse Elements
• Inverse element: P'(x,-y) is P(x,y) mirrored on the x-axis
• Point addition with inverse element: P ∘ P' = O results in the identity element O(x,∞) at infinity
• Identity element: P ∘ O = P
[Figure: elliptic curve with the points P, P' and O marked]
SOURCE: ANDREAS STEFFEN, ZHW

Point Doubling – Adding a point to itself
• Form the tangent at point P(x,y)
• R = P ∘ P
[Figure: elliptic curve with the points P, R' and R marked]
SOURCE: ANDREAS STEFFEN, ZHW

Point Iteration – Adding a point k-1 times to itself
• $P^k$ = P ∘ P ∘ ... ∘ P
[Figure: elliptic curve with the points P, $P^2$ and $P^3$ marked]
SOURCE: ANDREAS STEFFEN, ZHW

Calculation of Point Addition
• Line g: $y = s x + y_0$ with
• Intersection with curve: $(s x + y_0)^2 = x^3 + ax + b$
• Coordinates of point R:
[Figure labels: g, $P(x_P, y_P)$, $Q(x_Q, y_Q)$, $R(x_R, y_R)$, $R'(x_R, -y_R)$]
SOURCE: ANDREAS STEFFEN, ZHW

Elliptic Curves Over Finite Fields
Elliptic curves can be defined in a finite or Galois field $GF_p$ (mod p):
  $y^2 = x^3 + ax + b \bmod p$
where the field size p is a prime number and {0, 1, ..., p-1} is an abelian group under addition mod p and {1, ..., p-1} is an abelian group under multiplication mod p.
SOURCE: ANDREAS STEFFEN, ZHW

Points on an Elliptic Curve Over a Finite Field
Which points P(x,y) with x and y in $GF_{11}$ satisfy the elliptic curve equation:
  $y^2 = x^3 + x + 6 \bmod 11$
In Mathematica, compute
  Position[Table[Mod[y^2 - (x^3 + x + 6), 11], {x, 1, 10}, {y, 1, 10}], 0]
SOURCE: ANDREAS STEFFEN, ZHW

Solution: Points on the Elliptic Curve

  x    y^2   y1,2   P(x,y)   P'(x,y)
  0    6     -
  1    8     -
  2    5     4,7    (2,4)    (2,7)
  3    3     5,6    (3,5)    (3,6)
  4    8     -
  5    4     2,9    (5,2)    (5,9)
  6    8     -
  7    4     2,9    (7,2)    (7,9)
  8    9     3,8    (8,3)    (8,8)
  9    7     -
  10   4     2,9    (10,2)   (10,9)

There are 12 points lying on the elliptic curve. Together with the point O at infinity, the points on the elliptic curve form a group with n=13 elements. n is called the order of the elliptic curve group and depends on the choice of the curve parameters a and b.
SOURCE: ANDREAS STEFFEN, ZHW

Elliptic Curve Discrete Logarithm Problem (ECDLP)

  k    P^k      s    y0
  1    (2,4)    3    9
  2    (5,9)    9    8
  3    (8,8)    8    10
  4    (10,9)   2    0
  5    (3,5)    1    2
  6    (7,2)    4    7
  7    (7,9)    1    2
  8    (3,6)    2    0
  9    (10,2)   8    10
  10   (8,3)    9    8
  11   (5,2)    3    9
  12   (2,7)    ∞    -
  13   O        ∞    -

• Given an elliptic curve $y^2 = x^3 + ax + b \bmod p$ and a basis point P, we can compute $Q = P^k$ through k-1 iterative point additions. Fast algorithms for this task exist.
• The order of P is the smallest k for which $P^k = O$ (the identity element)
• Question: Is it possible to compute k when points Q and P are known?
• Answer: This is a hard problem called the Elliptic Curve Discrete Logarithm Problem.
SOURCE: ANDREAS STEFFEN, ZHW

Defining An Elliptic Curve Cryptosystem
Must specify the following parameters:
• version: currently v1
• fieldID: the finite field over which curve is defined
• curve: coefficients a and b of the elliptic curve
• base: the base point P
• order: the order of the base point, a LARGE prime number
SOURCE: ANDREAS STEFFEN, ZHW

Secret Key Exchange: Diffie-Hellman v. ECC
Diffie-Hellman: Basis g and prime p
  $A = g^a \bmod p$
  $B = g^b \bmod p$
  Secret: $s = A^b = B^a = g^{ab} \bmod p$
Elliptic Curve Cryptosystem: ECC, basis point P and prime p
  $Q_A = P^a$
  $Q_B = P^b$
  Secret: $S = Q_A^b = Q_B^a = P^{ab}$

Cryptographic Applications
• The following ECC algorithms have been defined:
  • ECDH (Elliptic Curve Diffie-Hellman) for secret key exchange
  • ECIES (Elliptic Curve Integrated Encryption Scheme) for public key encryption
  • ECDSA (Elliptic Curve Digital Signature Algorithm) for digital signatures
• Elliptic curve certificates based on the X.509 standard can either be ordered from several trust centers (e.g. Certicom) or can be generated with the current OpenSSL snapshot.
• A set of elliptic curves have been standardized by NIST.
• Several ECC cipher suites based on the NIST curves have been defined for the SSL/TLS secure transport layer.
SOURCE: ANDREAS STEFFEN, ZHW

Elliptic Curves for El Gamal
• Multiplication in the elliptic group corresponds to exponentiation of real numbers
• Solving y = k x (mod p) for k in the elliptic group is similar to solving $c = a^b \pmod{p}$ for b in El Gamal (discrete logarithm)
• Select a generator g (an element whose successive powers generate all group elements)
• Bob’s private key is s; Bob’s public key is (g, s g)
  • Can’t find s from g and sg
• A plaintext message m is transformed to a point x in the group
• Alice encrypts x by picking a random value k and sending (k g, x + k s g)
  • g and sg are public; Alice knows x and k
• Bob decrypts by computing (x + k s g) - (k g) s = x
  • Alice sent him these
  • Bob knows s (his private key)
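
Added example (not part of the original slides): point addition, doubling and iteration on the slides' curve y^2 = x^3 + x + 6 mod 11, reproducing the 12-point list and the P^k table for P(2,4), then the elliptic El Gamal round trip from the slide above. Function names, Bob's private key s = 7, the plaintext point (10,9) and k = 3 are assumptions chosen for illustration.

```python
P_FIELD, A, B = 11, 1, 6     # curve y^2 = x^3 + x + 6 over GF(11), from the slides
O = None                     # the identity element (point at infinity)

def curve_points():
    """All affine points P(x,y) on the curve."""
    return [(x, y) for x in range(P_FIELD) for y in range(P_FIELD)
            if (y * y - (x ** 3 + A * x + B)) % P_FIELD == 0]

def add(p1, p2):
    """Group operation: chord for distinct points, tangent for doubling."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return O                                   # P plus its inverse P'
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow((2 * y1) % P_FIELD, -1, P_FIELD)
    else:
        s = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    s %= P_FIELD
    x3 = (s * s - x1 - x2) % P_FIELD
    return (x3, (s * (x1 - x3) - y1) % P_FIELD)

def mul(k, pt):
    """The slides' P^k, computed by double-and-add instead of k-1 additions."""
    result = O
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result

def neg(pt):
    """Inverse element P'(x, -y)."""
    return O if pt is O else (pt[0], -pt[1] % P_FIELD)

def order(pt):
    """Smallest k with P^k = O."""
    k, q = 1, pt
    while q is not O:
        q, k = add(q, pt), k + 1
    return k

def ec_elgamal_encrypt(x, g, pub, k):
    """Alice sends (k g, x + k s g), where pub = s g is Bob's public point."""
    return mul(k, g), add(x, mul(k, pub))

def ec_elgamal_decrypt(c1, c2, s):
    """Bob computes (x + k s g) - (k g) s = x."""
    return add(c2, neg(mul(s, c1)))

if __name__ == "__main__":
    g, s = (2, 4), 7                               # s is a constructed private key
    print([mul(k, g) for k in range(1, 14)])       # the P^k table, ending in None (O)
    c1, c2 = ec_elgamal_encrypt((10, 9), g, mul(s, g), 3)
    print(c1, c2, ec_elgamal_decrypt(c1, c2, s))
```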

Table of Equivalent Cryptographic “Strength”

Key Lengths
  Symmetric   RSA n    ECC p   Key size ratio
  56          512      112     5:1
  80          1024     160     6:1
              2048     224     9:1
  128         3072     256     12:1
  192         7680     384     20:1
              15360            30:1

Elliptic curve cryptography standards:
• PKCS#13
• FIPS 186-2
• ECC Cipher Suites for TLS
• ANSI X9.63, X9.63, Public Key Cryptography for the Financial Services Industry
SOURCE: ANDREAS STEFFEN, ZHW

Security of ECC versus RSA
ECC Advantages
1. The elliptic curve logarithm problem is harder than the discrete logarithm problem.
2. Key size in ECC is much smaller for a given security level.
3. ECC is complicated; fewer people understand it.
4. ECC is not patented.
GRAPHIC: RICHARD SOUTHERN

Major Ideas
• Any one-way trapdoor function can be used as the basis of a public-key cryptosystem
• Public-key encryption is slow because of the need to work with huge numbers (~2000 bits)
• Cryptosystems can be insecure if not used properly
• Elliptic curve cryptography allows high security with small key sizes

Q & A

Calculation of Point Doubling
• Tangent g: $y = s x + y_0$
• Intersection with curve: $(s x + y_0)^2 = x^3 + ax + b$
• Coordinates of point R:
[Figure labels: g, $P(x_P, y_P)$, $R(x_R, y_R)$, $R'(x_R, -y_R)$]
SOURCE: ANDREAS STEFFEN, ZHW

Task 1 - Multiplication $c = a \cdot b$ in $GF_{11}$
• Compile a multiplication table for $c = a \cdot b \bmod 11$
• Determine the solutions of the equation $x^2 = 5 \bmod 11$
• You have about 10 minutes for this task
SOURCE: ANDREAS STEFFEN, ZHW

Solution 1 - Multiplication $c = a \cdot b$ in $GF_{11}$

Entries are c, for rows a and columns b:

  a\b   0   1   2   3   4   5   6   7   8   9  10
   0    0   0   0   0   0   0   0   0   0   0   0
   1    0   1   2   3   4   5   6   7   8   9  10
   2    0   2   4   6   8  10   1   3   5   7   9
   3    0   3   6   9   1   4   7  10   2   5   8
   4    0   4   8   1   5   9   2   6  10   4   7
   5    0   5  10   4   9   3   8   2   7   1   6
   6    0   6   1   7   2   8   3   9   4  10   5
   7    0   7   3  10   6   2   9   5   1   8   4
   8    0   8   5   2  10   7   4   1   9   6   3
   9    0   9   7   5   3   1  10   8   6   4   2
  10    0  10   9   8   7   6   5   4   3   2   1

$x^2 = 5 \bmod 11$? $x_1 = 4$, $x_2 = 7$
SOURCE: ANDREAS STEFFEN, ZHW

Task 3 – Iterate a Point on the Elliptic Curve
Iterate the point P(2,4) lying on $y^2 = x^3 + x + 6 \bmod 11$:
• Compute $P^2$ = P ∘ P by doubling the point P
• Compute $P^3$ = P ∘ P ∘ P = $P^2$ ∘ P by point addition
• All operations are computed in $GF_{11}$
SOURCE: ANDREAS STEFFEN, ZHW

Solution 3 – Iterate a Point on the Elliptic Curve
• Compute $P^2$ = P ∘ P by doubling the point P(2,4): $P^2$ = (5,9)
• Compute $P^3$ = P ∘ P ∘ P = $P^2$ ∘ P by point addition: $P^3$ = (8,8)
SOURCE: ANDREAS STEFFEN, ZHW