Public Key Cryptography (公開金鑰密碼)
Department of Computer Science and Information Engineering, Chaoyang University of Technology (朝陽科技大學資工系)
Speaker: Fuw-Yi Yang (楊伏夷). On the name: 伏夷 does not mean "subduing the barbarians". In the Tao Te Ching (道德經), Chapter 58 (察政章) explains 伏 as "hidden, concealed", and Chapter 14 (道紀章) says the Tao has no form or image, and that which is looked at yet cannot be seen is called 夷.

Problem: How can two parties who have never met and share no prior secret communicate confidentially over a public channel?

RSA Public Key Cryptosystem 1/3 (RSA 公開金鑰密碼系統)
Amy's (ㄚ蜜) public key: n = 77, e = 7 (private key d = 43, kept secret).
Anyone can send data m = 5 to Amy as the ciphertext
c = m^e mod 77 = 5^7 mod 77
  = 5 × 5 × 5 × 5 × 5 × 5 × 5 mod 77
  = 125 × 5 × 125 mod 77 = 48 × 5 × 48 mod 77 = 9 × 48 mod 77 = 47.
The ciphertext c = 47 is sent to Amy over the public network.

RSA Public Key Cryptosystem 2/3
Amy's public key: n = 77, e = 7 (private key d = 43).
When Amy receives the ciphertext c = 47 she decrypts it:
m = c^d mod 77 = 47^43 mod 77 = 47 × 47 × … × 47 mod 77 = 23 × 53 × 47 mod 77 = 5.
Note: 23 = 47^10 mod 77 and 53 = 47^32 mod 77, so 47^43 = 47^10 × 47^32 × 47^1 and the three factors above are exactly these.

RSA Public Key Cryptosystem 3/3
An attacker who knows Amy's public key n = 77, e = 7 still cannot obtain her private key d = 43 from it, because doing so requires factoring n, and integer factorization is one of the open hard problems of mathematics. For example, if n is the product of two large primes and n is about … (roughly …), then factoring it with a 10 GHz CPU takes … seconds, that is … days. (The toy modulus 77 = 7 × 11 is of course trivial to factor; it is used only to keep the arithmetic small.)

RSA Public Key Cryptosystem: Signatures 1/2 (RSA 公開金鑰密碼系統: 簽章)
Amy's public key: n = 77, e = 7 (private key d = 43).
Amy signs the data m = 5:
s = m^d mod 77 = 5^43 mod 77 = 5 × … × 5 mod 77 = 23 × 48 mod 77 = 26
(using 5^3 = 48 mod 77 and 5^40 = 23 mod 77).

RSA Public Key Cryptosystem: Signatures 2/2
Amy's public key: n = 77, e = 7 (private key d = 43).
Anyone who receives (s = 26, m = 5) can verify the signature by computing
v = s^e mod 77 = 26^7 mod 77 = 26 × 26 × 26 × 26 × 26 × 26 × 26 mod 77 = 20 × 20 × 26 mod 77 = 5
(using 26^3 = 20 mod 77) and checking that v equals m.
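The toy parameters of the four RSA slides above (n = 77, e = 7, d = 43), worked through in code. This is an added example, not code from the slides: it replaces the slides' long multiplication chains with square-and-multiply, adds the key-consistency check (e · d = 1 mod φ(n)) the slides leave implicit, and shows one caveat a practitioner should know about this unpadded "textbook" RSA, namely that ciphertexts and signatures multiply.

```python
# Added example (not from the slides): the slides' toy RSA parameters
# n = 77, e = 7, d = 43 worked through in code, with the key-consistency
# check the slides leave implicit and one caveat about textbook RSA.
from math import gcd

n, e, d = 77, 7, 43          # Amy's public key (n, e) and private key d

def modpow(base, exp, mod):
    """Right-to-left square-and-multiply: 5^7 = 5^4 * 5^2 * 5^1, each step
    reduced mod n, so intermediate values never exceed (mod-1)^2.
    Equivalent to Python's built-in pow(base, exp, mod)."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result

def check_keypair(p, q, e, d):
    """e must be invertible mod phi(n) and d must be that inverse.
    For 77 = 7 * 11, phi = 60 and 7 * 43 = 301 = 5 * 60 + 1."""
    phi = (p - 1) * (q - 1)
    return gcd(e, phi) == 1 and (e * d) % phi == 1

def encrypt(m):
    return modpow(m, e, n)            # c = m^e mod n

def decrypt(c):
    return modpow(c, d, n)            # m = c^d mod n

def sign(m):
    return modpow(m, d, n)            # s = m^d mod n

def verify(m, s):
    return modpow(s, e, n) == m % n   # accept iff s^e mod n == m

def textbook_rsa_is_malleable(m1, m2):
    """Caveat: without padding, RSA is multiplicatively homomorphic:
    encrypt(m1) * encrypt(m2) mod n decrypts to m1 * m2 mod n, and
    sign(m1) * sign(m2) mod n is a valid signature on m1 * m2 mod n."""
    forged_ct = encrypt(m1) * encrypt(m2) % n
    forged_sig = sign(m1) * sign(m2) % n
    return decrypt(forged_ct) == m1 * m2 % n and verify(m1 * m2 % n, forged_sig)

if __name__ == "__main__":
    assert check_keypair(7, 11, e, d)
    c = encrypt(5)
    print("c =", c, "m =", decrypt(c))            # c = 47, m = 5
    s = sign(5)
    print("s =", s, "valid =", verify(5, s))      # s = 26, valid = True
    print("malleable:", textbook_rsa_is_malleable(5, 6))
```

The malleability function is the reason real deployments never sign or encrypt a raw integer: a padding scheme (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures) destroys the multiplicative structure the forgery relies on.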

The Finite Field: Groups 1/2 (slides adapted from William Stallings)
A group G, denoted {G, ·}, is a set of elements with a binary operation · such that:
(A1) Closure: a, b ∈ G implies a · b ∈ G.
(A2) Associativity: a, b, c ∈ G implies a · (b · c) = (a · b) · c.
(A3) Identity: there is an element e ∈ G such that a = a · e = e · a for all a ∈ G.
(A4) Inverse: for every a ∈ G there is an element b ∈ G (written a^-1) such that a · b = b · a = e.
An Abelian group additionally satisfies
(A5) Commutativity: a · b = b · a for all a, b ∈ G.

The Finite Field: Groups 2/2
Example: {G, ·} with G = {1, 2, 3, 4, 5, 6} and · multiplication modulo 7.
5 · 3 mod 7 = 1, so 5^-1 = 3 and 3^-1 = 5.
2 · 6 mod 7 = 5 and 6 · 2 mod 7 = 5 (the group is Abelian).

The Finite Field: Rings 1/5
A ring R, denoted {R, +, ·}, is a set of elements with two binary operations, addition + and multiplication ·, such that:
(A1) to (A5): R is an Abelian group with respect to addition.
(M1) Closure under ·: a, b ∈ R implies a · b ∈ R.
(M2) Associativity: a, b, c ∈ R implies a · (b · c) = (a · b) · c.
(M3) Distributivity: a · (b + c) = a · b + a · c and (a + b) · c = a · c + b · c for all a, b, c ∈ R.
A commutative ring additionally satisfies
(M4) Commutativity: a · b = b · a for all a, b ∈ R.

The Finite Field: Rings (integral domain) 2/5
An integral domain is a commutative ring that also satisfies:
(M5) Multiplicative identity: there is an element 1 ∈ R such that a = a · 1 = 1 · a for all a ∈ R.
(M6) No zero divisors: if a, b ∈ R and a · b = 0, then a = 0 or b = 0.

The Finite Field: Fields 3/5
A field F, denoted {F, +, ·}, is a set of elements with two binary operations, addition + and multiplication ·, such that:
(A1) to (M6): F is an integral domain.
(M7) Multiplicative inverse: for each a ∈ F other than 0 there is an element a^-1 ∈ F such that a · a^-1 = a^-1 · a = 1.
Example: the finite field of order p^n, the Galois field GF(p^n). For n = 1, GF(p) is simply Z_p, the integers modulo a prime p under addition and multiplication mod p.

The Finite Field: GF(7) addition 4/5 (table of addition modulo 7)

The Finite Field: GF(7) multiplication 5/5 (table of multiplication modulo 7)
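The axioms on the preceding slides can be checked mechanically on a small set. The following is an added example, not part of the slides: it tests (A1) to (A5) on Z_n under an operation, checks (M6) and (M7) to decide whether Z_n is a field, and generates the GF(7) addition and multiplication tables the two table slides show. Running it on n = 6 shows why the modulus must be prime: 2 · 3 = 0 mod 6, so Z_6 has zero divisors and 2 has no inverse.

```python
# Added example (not from the slides): checks the group, ring and field
# axioms listed above on Z_n under addition and multiplication mod n, and
# generates the GF(7) addition and multiplication tables the slides show.
from itertools import product
from math import gcd

def add(a, b): return a + b
def mul(a, b): return a * b

def is_group(elems, op, n):
    """(A1)-(A5) on a finite set: closure, associativity, identity,
    inverses and commutativity, all under op reduced mod n."""
    elems = list(elems)
    closed = all(op(a, b) % n in elems for a, b in product(elems, repeat=2))
    assoc = all(op(op(a, b) % n, c) % n == op(a, op(b, c) % n) % n
                for a, b, c in product(elems, repeat=3))
    idents = [i for i in elems if all(op(a, i) % n == a == op(i, a) % n for a in elems)]
    inverses = bool(idents) and all(any(op(a, b) % n == idents[0] for b in elems)
                                    for a in elems)
    commutes = all(op(a, b) % n == op(b, a) % n for a, b in product(elems, repeat=2))
    return closed and assoc and bool(idents) and inverses and commutes

def units(n):
    """Z_n*: the elements coprime to n. They form a group under
    multiplication mod n (the slides' {1,...,6} for n = 7)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]

def zero_divisors(n):
    """Non-zero pairs with a*b = 0 mod n; empty iff Z_n satisfies (M6)."""
    return [(a, b) for a in range(1, n) for b in range(1, n) if a * b % n == 0]

def is_field(n):
    """Z_n is a field iff it is an additive group, has no zero divisors (M6)
    and every non-zero element is a unit (M7); that is exactly n prime."""
    return (n > 1 and is_group(range(n), add, n)
            and not zero_divisors(n) and len(units(n)) == n - 1)

def table(n, op):
    """The n x n operation table, e.g. table(7, mul) is the GF(7)
    multiplication table; row a, column b holds op(a, b) mod n."""
    return [[op(a, b) % n for b in range(n)] for a in range(n)]

def inverse(a, n):
    """Read the inverse off the multiplication table, as on the slide
    (5 * 3 = 1 mod 7, so 5^-1 = 3)."""
    return table(n, mul)[a].index(1)

if __name__ == "__main__":
    for name, op in (("addition", add), ("multiplication", mul)):
        print("GF(7)", name, "mod 7")
        for row in table(7, op):
            print(" ".join(str(v) for v in row))
    print("Z_7 field:", is_field(7), " Z_6 field:", is_field(6),
          " zero divisors of Z_6:", zero_divisors(6))
```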

Anonymous User Identification 1/15
References:
1. T. S. Wu and C. L. Hsu, "Efficient user identification scheme with key distribution preserving anonymity for distributed computer networks," Computers & Security, Vol. 23(2), pp. …, … .
2. K. Mangipudi and R. Katti, "A secure identification and key agreement protocol with user anonymity (SIKA)," Computers & Security, Vol. 25, pp. …, … .
3. W. B. Lee and C. C. Chang, "User identification and key distribution maintaining anonymity for distributed computer network," Computer Systems Science and Engineering, Vol. 15, No. 4, July 2000, pp. … .
4. Y. Yang, S. Wang, F. Bao, J. Wang and R. H. Deng, "New efficient user identification and key distribution scheme providing enhanced security," Computers & Security, Vol. 23, pp. …, … .
5. C. C. Yang, Y. L. Tang, R. C. Wang and H. L. Yang, "A secure and efficient authentication protocol for anonymous channel in wireless communications," Applied Mathematics and Computation, Vol. ??, pp. ??, 2005.

Anonymous User Identification 2/15: W. B. Lee and C. C. Chang
1. Key generation. The Smart Card Producing Center (SCPC) chooses large primes p and q, computes N = p · q, picks g ∈ Z_N*, a hash function f, and e, d with e · d = 1 mod φ(N).
Public key: N, e, g, f. Secret key: p, q, d.
φ(N) denotes Euler's totient function, the cardinality of Z_N* = {a | a ∈ Z_N and gcd(a, N) = 1}; e.g. Z_15* = {1, 2, 4, 7, 8, 11, 13, 14}.
The hash function (f on the protocol slides, H here) is collision resistant, H: {0, 1}* → {0, 1}^l: given a pre-image it is easy to compute its image under H, but given an image it is hard to find a pre-image.

Anonymous User Identification 3/15: W. B. Lee and C. C. Chang
1. Key generation (continued). Over a secure channel, SCPC sends each user U_i and each service provider P_j (with identity ID_i or ID_j) a secret token S_i = (ID_i)^d mod N (respectively S_j = (ID_j)^d mod N).
2. Anonymous user identification: next slide.

Anonymous User Identification 4/15: W. B. Lee and C. C. Chang
U_i → P_j: request.
P_j: chooses random k, computes z = g^k mod N. P_j → U_i: z.
U_i: chooses random t_1, t_2 and, with T the current timestamp, computes
  x = S_i · z^{t_1} · g^{f(T) · t_2} mod N,
  y_1 = g^{e · t_1} mod N,
  y_2 = g^{e · t_2} mod N.
U_i → P_j: x, y_1, y_2, T.
P_j: checks T, then checks whether some registered user's identity satisfies
  ID_i = x^e / (y_1^k · y_2^{f(T)}) mod N.

Anonymous User Identification 5/15: W. B. Lee and C. C. Chang (correctness)
U_i side: z = g^k mod N; x = S_i · z^{t_1} · g^{f(T) · t_2} = (ID_i)^d · g^{k · t_1} · g^{f(T) · t_2} mod N; y_1 = g^{e · t_1} mod N; y_2 = g^{e · t_2} mod N; session key K_ij = z^{e · t_1} = g^{e · k · t_1} mod N.
P_j side: x^e / (y_1^k · y_2^{f(T)}) = (ID_i)^{d · e} · g^{e · k · t_1} · g^{e · f(T) · t_2} / (g^{e · k · t_1} · g^{e · f(T) · t_2}) = (ID_i)^{d · e} = ID_i mod N; session key K_ij = y_1^k = g^{e · k · t_1} mod N, the same value U_i computed.

Anonymous User Identification 6/15: weakness of W. B. Lee and C. C. Chang, as pointed out in [1]
1. P_j is never authenticated to U_i: anyone can send a z = g^k mod N and run the protocol as a provider.
2. Suppose the session key K_ij is compromised. Since K_ij = y_1^k, whoever holds it recomputes ID_i = x^e / (K_ij · y_2^{f(T)}) mod N from the public transcript (x, y_1, y_2, T), so the user's anonymity is lost.

Anonymous User Identification 7/15: T. S. Wu and C. L. Hsu
1. Key generation: as in Lee and Chang. Over a secure channel, SCPC sends each user U_i and each provider P_j (with identity ID_i or ID_j) the secret token S_i = (ID_i)^d mod N (respectively S_j = (ID_j)^d mod N).
2. Anonymous user identification: next slide.

Anonymous User Identification 8/15: T. S. Wu and C. L. Hsu
U_i → P_j: request.
P_j: chooses random k, computes z = S_j · g^k mod N. P_j → U_i: z.
U_i: computes a = z^e / ID_j = g^{e · k} mod N (which only comes out right if the sender holds P_j's token), chooses random t, and computes
  x = S_i · f(a^t || T) mod N,
  y = g^{e · t} mod N.
U_i → P_j: x, y, T.
P_j: checks T, then checks whether some registered user's identity satisfies
  ID_i = (x / f(y^k || T))^e mod N.

Anonymous User Identification 9/15: T. S. Wu and C. L. Hsu (correctness)
U_i side: a = z^e / ID_j = g^{e · k} mod N; x = S_i · f(a^t || T) mod N; y = g^{e · t} mod N; session key K_ij = (a^t mod N) ⊕ x = (g^{e · k · t} mod N) ⊕ x.
P_j side: check T, then
  (x / f(y^k || T))^e = [(ID_i)^d · f(a^t || T) / f(y^k || T)]^e = [(ID_i)^d · f(g^{e · k · t} || T) / f(g^{e · k · t} || T)]^e = (ID_i)^{d · e} = ID_i mod N;
session key K_ij = (y^k mod N) ⊕ x = (g^{e · k · t} mod N) ⊕ x, the same value U_i computed.

Anonymous User Identification 10/15: weakness of T. S. Wu and C. L. Hsu, as pointed out in [4]
Disclosure of the user's token S_i. In the verification above P_j computes x / f(y^k || T) = (ID_i)^d · f(a^t || T) / f(y^k || T) = (ID_i)^d mod N before raising it to e, and that intermediate value is exactly S_i. So every provider U_i logs in to learns U_i's long-term secret token, which is all that is needed to act as U_i.

Anonymous User Identification 11/15: Y. Yang et al.
1. Key generation: as before. Over a secure channel, SCPC sends each user U_i and each provider P_j (with identity ID_i or ID_j) the secret token S_i = (ID_i)^d mod N (respectively S_j = (ID_j)^d mod N).
2. Anonymous user identification: next slide.

Anonymous User Identification 12/15: Y. Yang et al.
U_i → P_j: request.
P_j: chooses random k, computes z = g^k / S_j mod N. P_j → U_i: z.
U_i: computes a = z^e · ID_j = g^{e · k} mod N, chooses random t, and computes
  K_ij = a^t = g^{e · k · t} mod N,
  x = g^{e · t} mod N,
  s = g^t · (S_i)^{h(x, T)} mod N,
  y = E_{K_ij}(ID_i).
U_i → P_j: s, x, y, T.
P_j: computes K_ij = x^k = g^{e · k · t} mod N, decrypts ID_i = D_{K_ij}(y), and checks that ID_i is in the user list and that x · (ID_i)^{h(x, T)} = s^e mod N.

Anonymous User Identification 13/15: weakness of Y. Yang et al., as pointed out in [2]
My comment: compromise of the session key K_ij discloses the user's identity, since ID_i = D_{K_ij}(y).
[2]'s comment: a denial-of-service attack by a man in the middle, shown below.
Other attacks: a homomorphic attack on the secret token (RSA tokens multiply: S_i · S_j = (ID_i · ID_j)^d mod N is a valid token for the identity ID_i · ID_j mod N although SCPC never issued it).
Man in the middle: the attacker replaces z with its own z'. U_i computes a' = (z')^e · ID_j mod N, K'_ij = (a')^t mod N, x = g^{e · t} mod N, s = g^t · (S_i)^{h(x, T)} mod N and y' = E_{K'_ij}(ID_i), and believes a valid session key has been derived. P_j computes K_ij = x^k = g^{e · k · t} mod N and ID_i = D_{K_ij}(y'); since K'_ij ≠ K_ij the decryption yields garbage, the check x · (ID_i)^{h(x, T)} = s^e mod N fails, and P_j aborts.
Yangfy: the relation (ID_i)^{h(x, T)} = s^e / x mod N involves only public values, so anyone who guesses ID_i can test whether that particular user took part in a session.
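The three schemes above (Lee and Chang with the session-key weakness of slide 6, Wu and Hsu with the token disclosure of slide 10, and Yang et al. with [2]'s man-in-the-middle denial of service and the guess test on this slide) all share one SCPC setup, so the following added example, which is not code from the slides or from any of the cited papers, runs them side by side. Everything in it is an assumption made for illustration: the SCPC modulus is the tiny N = 61 · 53, the hash f/h is SHA-256 mapped into Z_N*, the symmetric E/D is a one-time XOR pad derived from the session key, and the nonces k, t, t_1, t_2 are passed in explicitly so the runs are reproducible. Nothing here is secure; it only makes the algebra of each slide execute.

```python
# Added example (not from the slides): toy instantiations of the Lee-Chang,
# Wu-Hsu and Yang et al. anonymous user identification schemes above, with
# the weaknesses the slides list. All parameters are assumptions for
# illustration (N = 61*53, SHA-256 as f/h, XOR pad as E/D). Not secure.
import hashlib
from math import gcd

p, q = 61, 53
N = p * q                          # SCPC modulus, 3233
phi = (p - 1) * (q - 1)
e = 17
d = pow(e, -1, phi)                # e*d = 1 mod phi(N)
g = 2                              # assumption: a fixed element of Z_N*

def h(*parts):
    """Placeholder for the slides' f / h: hash the parts into Z_N*."""
    v = int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N
    while gcd(v, N) != 1:          # keep v invertible mod N
        v += 1
    return v

def token(ident):
    """SCPC issues S = ID^d mod N; S^e mod N == ID is the token check."""
    return pow(ident, d, N)

def sym(key, m):
    """Placeholder E_K / D_K: XOR with a 32-bit pad derived from K."""
    pad = int.from_bytes(hashlib.sha256(b"pad" + str(key).encode()).digest()[:4], "big")
    return m ^ pad

ID_i, ID_j = 101, 202              # constructed identities
S_i, S_j = token(ID_i), token(ID_j)
T = 20110928                       # constructed timestamp

def lee_chang(k, t1, t2):
    """P_j's nonce k, U_i's nonces t1, t2; returns transcript and results."""
    z = pow(g, k, N)                                   # P_j -> U_i
    fT = h(T)
    x = S_i * pow(z, t1, N) * pow(g, fT * t2, N) % N
    y1, y2 = pow(g, e * t1, N), pow(g, e * t2, N)      # U_i -> P_j: x, y1, y2, T
    K_user = pow(z, e * t1, N)
    K_prov = pow(y1, k, N)
    denom = pow(y1, k, N) * pow(y2, fT, N) % N
    rec = pow(x, e, N) * pow(denom, -1, N) % N         # P_j recovers ID_i
    return dict(x=x, y1=y1, y2=y2, K_user=K_user, K_prov=K_prov, ID=rec)

def lee_chang_id_from_key(run, K):
    """Weakness 2: K_ij = y1^k, so anyone holding K_ij and the public
    transcript (x, y2, T) computes ID_i = x^e / (K_ij * y2^f(T))."""
    denom = K * pow(run["y2"], h(T), N) % N
    return pow(run["x"], e, N) * pow(denom, -1, N) % N

def wu_hsu_token_leak(k, t):
    """Weakness from [4]: P_j's own value x / f(y^k || T) is S_i."""
    z = S_j * pow(g, k, N) % N                          # P_j -> U_i
    a = pow(z, e, N) * pow(ID_j, -1, N) % N             # U_i: g^{ek}
    x = S_i * h(pow(a, t, N), T) % N
    y = pow(g, e * t, N)                                # U_i -> P_j: x, y, T
    return x * pow(h(pow(y, k, N), T), -1, N) % N       # P_j, before raising to e

def yang(k, t, tampered_z=None):
    """Yang et al.; tampered_z simulates [2]'s man in the middle."""
    z = pow(g, k, N) * pow(S_j, -1, N) % N              # P_j -> U_i
    z_seen = z if tampered_z is None else tampered_z
    a = pow(z_seen, e, N) * ID_j % N                    # U_i: g^{ek} if untampered
    K_user = pow(a, t, N)
    x = pow(g, e * t, N)
    s = pow(g, t, N) * pow(S_i, h(x, T), N) % N
    y = sym(K_user, ID_i)                               # U_i -> P_j: s, x, y, T
    K_prov = pow(x, k, N)
    rec = sym(K_prov, y)
    ok = x * pow(rec, h(x, T), N) % N == pow(s, e, N)   # P_j's check
    return dict(s=s, x=x, y=y, K_user=K_user, K_prov=K_prov, ID=rec, ok=ok)

def yang_guess_id(run, guess):
    """Yangfy's remark: s^e / x = ID_i^{h(x,T)} lets an eavesdropper test a
    guessed ID_i against the public transcript."""
    lhs = pow(run["s"], e, N) * pow(run["x"], -1, N) % N
    return lhs == pow(guess, h(run["x"], T), N)

def forged_token():
    """Homomorphic attack: S_i * S_j = (ID_i * ID_j)^d mod N, a token the
    SCPC never issued that still passes the S^e == ID check."""
    S = S_i * S_j % N
    return S, pow(S, e, N) == ID_i * ID_j % N
```

The same structure carries over to SIKA on the next two slides: its only addition is the server signature w on (z, T, ID_s), which changes none of the functions above that derive ID_i from a compromised K_ij or from a guessed identity.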

Anonymous User Identification 14/15: K. Mangipudi and R. Katti (SIKA)
1. Key generation: as before, SCPC sends each user U_i and each provider P_j (with identity ID_i or ID_j) the secret token S_i = (ID_i)^d mod N over a secure channel. In addition the server has its own public key N_s = p_s · q_s, e_s, g_s ∈ Z_{N_s} and secret key d_s.
2. Anonymous user identification: next slide.

Anonymous User Identification 15/15: K. Mangipudi and R. Katti (SIKA)
U_i → P_j: request.
P_j: chooses random k, computes z = g^k / S_j mod N and w = (g_s)^{H(z, T, ID_s) · d_s} mod N_s. P_j → U_i: z, T, w.
U_i: checks w^{e_s} = (g_s)^{H(z, T, ID_s)} mod N_s, computes a = z^e · ID_j = g^{e · k} mod N, chooses random t, and computes K_ij = a^t = g^{e · k · t} mod N, x = g^{e · t} mod N, s = g^t · (S_i)^{H(x, T)} mod N and y = E_{K_ij}(ID_i). U_i → P_j: s, x, y, T.
P_j: computes K_ij = x^k = g^{e · k · t} mod N, decrypts ID_i = D_{K_ij}(y), and checks that ID_i is in the user list and that x · (ID_i)^{H(x, T)} = s^e mod N.

Anonymous User Identification: weakness of K. Mangipudi and R. Katti, by yangfy
My comments: compromise of the session key K_ij still discloses the user's identity, since ID_i = D_{K_ij}(y); the server's public key (N_s, e_s, g_s) is not required; the check that ID_i is in the user list is not required. Other attacks: a homomorphic attack on the secret token.
The message flow is the one on the previous slide: P_j → U_i: z = g^k / S_j mod N, T, w = (g_s)^{H(z, T, ID_s) · d_s} mod N_s; U_i → P_j: s = g^t · (S_i)^{H(x, T)} mod N, x = g^{e · t} mod N, y = E_{K_ij}(ID_i), T; P_j recovers K_ij = x^k mod N, ID_i = D_{K_ij}(y) and checks x · (ID_i)^{H(x, T)} = s^e mod N.

Deniable Authentication Protocol
References:
1. L. Fan, C. X. Xu and J. H. Li, "Deniable authentication protocol based on Diffie-Hellman algorithm," Electronics Letters, Vol. 38(4), pp. …, … .
2. C. Dwork, M. Naor and A. Sahai, "Concurrent zero-knowledge," Proceedings of the Thirtieth Annual ACM Symposium on the Theory of Computing (STOC '98), pp. …, 1998.
3. Y. Aumann and M. Rabin, "Efficient deniable authentication of long messages," Int. Conf. on Theoretical Computer Science in Honor of Professor Manuel Blum's 60th birthday, ( … ).
4. Y. Aumann and M. Rabin, "Authentication enhanced security and error correcting codes," Advances in Cryptology, CRYPTO '98, LNCS 1462, pp. …, 1998.
5. X. Deng, C. H. Lee and H. Zhu, "Deniable authentication protocols," IEE Proceedings Computers and Digital Techniques, Vol. 148(2), pp. …, 2001.

Deniable Authentication Protocol: Aumann and Rabin 1/2
Features: (1) the receiver can authenticate the source of a message it receives; (2) the receiver cannot prove the source of the message to a third party.
PD: a publicly known directory containing public data and encoding rules.
N = p · q, where nobody knows p and q.
R: receiver. S: sender.
X = x_1 x_2 … x_n: the message sent to R by S.
C(X) = y_1 y_2 … y_m: the encoding of X under a public encoding rule C.
I = i_1 i_2 … i_k: k distinct indices between 1 and m.
S selects random numbers g_1^(0), g_1^(1), …, g_m^(0), g_m^(1), computes their squares G_j^(e) = (g_j^(e))^2 mod N for j = 1, …, m and e = 0, 1, and publishes the G_j^(e) in PD.

Deniable Authentication Protocol: Aumann and Rabin 2/2
To deniably authenticate one bit of the encoded message C(X):
S: picks random a, computes A = a^2 mod N. S → R: A.
R: picks i ∈_R I (the i-th bit). R → S: i.
S: sets e = y_i and computes β_i = a · g_i^(e) mod N. S → R: β_i.
R: checks that (β_i)^2 = A · G_i^(e) mod N.
R can simulate S as follows: (1) choose i; (2) y_i is known; (3) pick β_i ∈_R Z_N*; (4) set A = (β_i)^2 / G_i^(e) mod N. The simulated (A, i, β_i) passes the same check, which is why R cannot convince a third party that S produced it.

Deniable Authentication Protocol: Deng et al. 1/2
Like the scheme of Aumann and Rabin, except that the encoding C(·) is replaced by a collision-resistant hash function.
PD: a publicly known directory containing public data and encoding rules.
N = p · q, where nobody knows p and q.
R: receiver. S: sender.
X = x_1 x_2 … x_n: the message sent to R by S.
H(X) = z_1 z_2 … z_m: the hash of X split into blocks with |z_i| = s bits (the block size); H is a public hash function.
S selects random numbers g_1, g_2, …, g_m, computes their squares G_j = (g_j)^2 mod N for j = 1, …, m, and publishes the G_j in PD.
E_PKR(·) denotes encryption under R's public key with a scheme that is secure against chosen-ciphertext attack (CCA).

Deniable Authentication Protocol: Deng et al. 2/2
To deniably authenticate one block of the hashed message H(X):
S: picks random a, computes A = a^2 mod N. S → R: A.
R: picks i ∈_R {1, …, m} (the i-th block). R → S: i.
S: computes β_i = a · g_i mod N and γ_i = H^{z_i}(β_i), i.e. applies the hash function z_i times starting from β_i. S → R: E_PKR(β_i), γ_i.
R: decrypts the ciphertext to obtain β_i, and checks that γ_i = H^{z_i}(β_i) and (β_i)^2 = A · G_i mod N.

Deniable Authentication Protocol: Deng et al., Lemma 1
Lemma 1: The protocol described in Section 3.1 is deniable.
Proof: R can perform the simulation as follows: (1) choose i ∈_R {1, …, m}; (2) pick β_i ∈_R Z_N*; (3) compute E_PKR(β_i); (4) set A = (β_i)^2 / G_i mod N; (5) compute γ_i = H^{z_i}(β_i). Then (A, i, E_PKR(β_i), γ_i) is a simulation of the authentication of block z_i, and it is indistinguishable from the actual message authenticator (E_PKR(β_i), γ_i) computed by S.

Deniable Authentication Protocol: Deng et al., Lemma 2
Lemma 2: The protocol described in Section 3.1 authenticates the source of the message.
Proof: (1) If the simulator is not the receiver R, the simulation of Lemma 1 does not work: in a real run A is fixed before R chooses i, so A cannot be computed backwards from β_i. (2) Anyone who sends R a square root of A · G_i mod N either knows square roots of both A and G_i (as S does) or can factor N.

Deniable Authentication Protocol: Deng et al., based on the DLP 1/2
PD: a publicly known directory containing public data and encoding rules.
p = 2 · q + 1 with q prime, and g ∈ Z_p* of order q.
R: receiver. S: sender.
X = x_1 x_2 … x_n: the message sent to R by S.
H(X) = z_1 z_2 … z_m: the hash of X split into blocks with |z_i| = s bits (the block size); H is a public hash function.
S selects random numbers r_1, r_2, …, r_m ∈ Z_q*, computes G_j = g^{r_j} mod p for j = 1, …, m, and publishes the G_j in PD.
E_PKR(·) denotes encryption under R's public key with a CCA-secure scheme.

Deniable Authentication Protocol: Deng et al., based on the DLP 2/2
To deniably authenticate one block of the hashed message H(X):
S: picks random a, computes A = g^a mod p. S → R: A.
R: picks i ∈_R {1, …, m} (the i-th block). R → S: i.
S: computes u_i = a + r_i mod q and γ_i = H^{z_i}(u_i) (the hash function applied z_i times starting from u_i). S → R: E_PKR(u_i), γ_i.
R: decrypts the ciphertext to obtain u_i, and checks that γ_i = H^{z_i}(u_i) and g^{u_i} = A · G_i mod p.
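The Deng et al. protocol above, in both the square-root variant (the two "Deng et al." slides and Lemmas 1 and 2) and the discrete-log variant (the two DLP slides), as an added example that is not code from the slides or from the paper. It runs one block of the protocol honestly, verifies it as R would, and then produces R's Lemma 1 simulation and shows that the same verifier accepts it, which is the deniability property. All concrete values are assumptions for illustration: the public modulus is N = 61 · 53 (in the real scheme nobody knows the factors), the DLP group is p = 23 = 2 · 11 + 1 with g = 4 of order 11, the CCA-secure E_PKR is replaced by toy RSA under R's key N_R = 67 · 71, H is SHA-256, the block size s is 8 bits, and S's secrets g_j and r_j are fixed lists rather than random. Nothing here is secure; it only exercises the protocol logic.

```python
# Added example (not from the slides): toy runs of the Deng et al. deniable
# authentication protocol, square-root and discrete-log variants, plus the
# receiver's Lemma 1 simulation. All parameters are assumptions made for
# illustration (N = 61*53, p = 23, toy RSA as E_PKR, SHA-256 as H, s = 8).
import hashlib

N = 61 * 53                        # 3233; squares mod N live here
p_dl, q_dl, g_dl = 23, 11, 4       # p = 2q + 1, g of order q in Z_p*
N_R = 67 * 71                      # R's toy RSA key (4757 > N, so plaintexts fit)
e_R = 13
d_R = pow(e_R, -1, 66 * 70)

def E_PKR(m): return pow(m, e_R, N_R)     # placeholder for a CCA-secure PKE
def D_PKR(c): return pow(c, d_R, N_R)

def hash_blocks(msg, s=8):
    """H(X) = z_1 ... z_m: SHA-256 of the message cut into s-bit blocks."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    bits = 256
    return [(digest >> (bits - s * (i + 1))) & ((1 << s) - 1) for i in range(bits // s)]

def iter_hash(value, times):
    """H^{z_i}(value): apply SHA-256 z_i times, each output read as an integer."""
    v = value
    for _ in range(times):
        v = int.from_bytes(hashlib.sha256(str(v).encode()).digest(), "big")
    return v

# --- square-root variant: G_j = g_j^2 mod N published in PD ---
def setup_sq(secrets):
    """S keeps g_1..g_m (constructed by the caller) and publishes G_j = g_j^2."""
    return [pow(g, 2, N) for g in secrets]

def prove_sq(blocks, G, secrets, a, i):
    """S: A = a^2; after R picks i, send (E_PKR(beta_i), gamma_i)."""
    A = pow(a, 2, N)
    beta = a * secrets[i] % N
    gamma = iter_hash(beta, blocks[i])
    return A, i, E_PKR(beta), gamma

def verify_sq(blocks, G, transcript):
    """R: decrypt beta_i, check gamma_i = H^{z_i}(beta_i) and beta_i^2 = A*G_i."""
    A, i, ct, gamma = transcript
    beta = D_PKR(ct)
    return gamma == iter_hash(beta, blocks[i]) and pow(beta, 2, N) == A * G[i] % N

def simulate_sq(blocks, G, i, beta):
    """Lemma 1: R picks beta_i itself and back-computes A = beta_i^2 / G_i."""
    A = pow(beta, 2, N) * pow(G[i], -1, N) % N
    return A, i, E_PKR(beta), iter_hash(beta, blocks[i])

# --- discrete-log variant: G_j = g^{r_j} mod p published in PD ---
def setup_dl(secrets):
    return [pow(g_dl, r, p_dl) for r in secrets]

def prove_dl(blocks, G, secrets, a, i):
    """S: A = g^a; u_i = a + r_i mod q; send (E_PKR(u_i), gamma_i)."""
    A = pow(g_dl, a, p_dl)
    u = (a + secrets[i]) % q_dl
    return A, i, E_PKR(u), iter_hash(u, blocks[i])

def verify_dl(blocks, G, transcript):
    """R: check gamma_i = H^{z_i}(u_i) and g^{u_i} = A * G_i mod p."""
    A, i, ct, gamma = transcript
    u = D_PKR(ct)
    return gamma == iter_hash(u, blocks[i]) and pow(g_dl, u, p_dl) == A * G[i] % p_dl

def simulate_dl(blocks, G, i, u):
    """Lemma 1 for the DLP variant: A = g^{u_i} / G_i mod p."""
    A = pow(g_dl, u, p_dl) * pow(G[i], -1, p_dl) % p_dl
    return A, i, E_PKR(u), iter_hash(u, blocks[i])

if __name__ == "__main__":
    blocks = hash_blocks(b"constructed message")
    secrets = [pow(7, j + 1, N) for j in range(len(blocks))]   # constructed g_j
    G = setup_sq(secrets)
    honest = prove_sq(blocks, G, secrets, a=123, i=5)
    simulated = simulate_sq(blocks, G, 5, 1234)
    print("honest accepted:", verify_sq(blocks, G, honest),
          "simulated accepted:", verify_sq(blocks, G, simulated))
```

The point of Lemma 2 is visible in the order of the calls: in prove_sq the value A is fixed before i is known, whereas simulate_sq needs i (and hence G_i) before it can produce A, which only R, who chooses i, can arrange.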

Deniable Authentication Protocol: Fan et al.