Cryptography Lecture 7 Stefan Dziembowski

Plan 1.Introduction to public-key cryptography 2.Diffie-Hellman key exchange 3.Trapdoor one-way permutations

How to distribute the cryptographic keys? If the users can meet in person beforehand – it’s simple. But what to do if they cannot meet? (a typical example: on-line shopping)

A naive solution: P5P5 P1P1 P3P3 P2P2 P4P4 K 13 K 12 K 14 K 15 give to every user P i a separate key K ij to communicate with every P j

P5P5 P1P1 P3P3 P2P2 P4P4 In general: a quadratic number of keys is needed

Problems: Someone (a Key Distribution Center, KDC) needs to “give the keys” –feasible if the users are e.g. working in one company –infeasible on the internet –relies on the honesty of KDC –KDC needs to be permanently available –... The users need to store large numbers of keys in a secure way

The solution: Public-Key Cryptography Whitfield Diffie and Martin Hellman (1976)Ralph Merkle (1974)

A little bit of history Diffie and Hellman were the first to publish a paper containing the idea of the public-key cryptography: W.Diffie and M.E.Hellman, New directions in cryptography IEEE Trans. Inform. Theory, IT-22, 6, 1976, pp A similar idea was described by Ralph Merkle: –in 1974 he described it in a project proposal for a Computer Security course at UC Berkeley (it was rejected) –in 1975 he submitted it to the CACM journal (it was rejected) (see ) It 1997 the GCHQ (the British equivalent of the NSA) revealed that they new it already in 1973.

The idea Instead of using one key K, use 2 keys (e,d), where –e is used for encryption, –d is used for decryption, or –d is used for computing a tag, –e is used for verifying correctness of the tag. Moreover: e can be public, and only d has to be kept secret! That’s why it’s called: public-key cryptography this will be called “signatures” Sign – the signing algorithm

Anyone can send encrypted messages to anyone else P5P5 P1P1 P3P3 P2P2 P4P4 e1e1 e2e2 e3e3 e4e4 e5e5 2. reads e 3 1. P 1 wants to send m to P 3 3. sends E(e 3,m) public register: d3d3 4. P 3 computes D(d 3,m)

Anyone can verify the signatures P5P5 P1P1 P3P3 P2P2 P4P4 e1e1 e2e2 e3e3 e4e4 e5e5 1. Sign(d 3,m) public register: Sign(d 3,m) 2. reads e 3 d3d3 3. computes Vrfy(e 3,m)

Things that need to be discussed Who maintains “the register”? How to contact it securely? How to revoke the key (if it is lost)?... We will discuss this things later (when we will be talking about the Public-Key Infrastructure)

anyone can lock it But is it possible? In “physical world”: yes! Examples: 1.“normal” signatures 2.padlocks: the key is needed to unlock

Diffie and Hellman (1976) Diffie and Hellman proposed the public key cryptography in They just proposed the concept, not the implementation. But they have shown a protocol for key- exchange.

listens Key exchange AliceBob initially they share no secret key k Eve should have no information about k We will formalize it later. Let’s first show the protocol.

The Diffie-Hellman Key exchange G – a group, where discrete log is hard q = |G| g – a generator of G Alice Bob x ← Z q h 1 = g x y ← Z q h 2 = g y output: k A =(h 2 ) x output: k B =(h 1 ) y equal to: g yx equal to: g xy equal!

Security of the Diffie-Hellman exchange Eve h 1 = g x h 2 = g y G,g knows Eve should have no information about g yx g yx ?

Is it secure? If the discrete log in G is easy then the DH key exchange is not secure. (because the adversary can compute x and y from g x and g y ) If the discrete log in G is hard, then... it may also not be completely secure

Example: G = Z p * Alice Bob x ← Z q h 1 = g x y ← Z q h 2 = g y x is even iff h 1 is a QR y is even iff h 2 is a QR Therefore: g yx is a QR iff (h 1 is a QR) or (h 2 is a QR) So, Eve can compute some information about g yx (namely: if it is a QR, or not). g yx ?

Is it a problem, or not? We need to 1.formalize what we mean by secure key exchange, 2.identify the assumptions needed to prove the security.

AliceBob key k “transcript” T: the sequence of exchanged messages: interactive randomized Turing machine A interactive randomized Turing machine B A protocol is a pair (A,B) of randomized Turing machines. Informal definition: (A,B) is secure if no “efficient adversary” can distinguish k from random, given T, with a “non-negligible advantage”. key k T random string of the same length ?

How to formalize it? A B key k є {0,1} n security parameter 1 n key k є {0,1} n T We say (A,B) is secure a secure key-exchange protocol if the output of A and B is always the same, and A polynomial-time M that outputs 0 or 1 | Prob [M(1 n,T,k) = 1] - Prob [M(1 n,T,r) = 1] | is negligible in n r is random and |r| = n

How does the protocol look now? It needs to be defined for any parameter 1 n. Therefore we need an algorithm H that on input 1 n outputs: –a description of G of order q, such that |q| = n, –a generator g of G.

How does the protocol look now? Alice Bob x ← Z q y ← Z q h 2 = g y security parameter 1 n (G,g),q, h 1 = g x (G,g) ← H(1 n ) output: k A =(h 2 ) x output: k B =(h 1 ) y (Note that we cheat a bit because k is a “pseudorandom” group element, not a string of bits.) If such a key exchange protocol is secure, we say that: the Decisional Diffie-Hellman (DDH) problem is hard with respect to H)

An example of H where DDH is believed to be hard QR(p ) H(1 n ): 1.generate a random strong prime p of length n+1. 2.set q := (p-1)/2. 3.choose any x є Z p * such that x ≠ ±1 (mod p). 4.set g := x 2 mod p. 5.output (p,g). Other groups are also used (e.g. groups based on the elliptic curves).

Practical considerations 1.It is common to chose any Z p * (for prime p), instead of QR(p). 2.In some standards p is fixed, for example the RFC3526 document specifies the primes of following lengths: 1536, 2048, 3072, 4096, 6144, This is the 1536-bit prime: FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F BB 9ED D 670C354E 4ABC9804 F1746C08 CA FFFFFFFF FFFFFFFF. the generator is: 2.

A problem The protocols that we discussed are secure only against a passive adversary (that only eavesdrop). What if the adversary is active? She can launch a man-in-the-middle attack.

Man in the middle attack AliceBob key kkey k’key kkey k’ I am Bob I am Alice A very realistic attack! So, is this thing totally useless? No! (it is useful as a building block)

Two questions remain How to construct the public-key encryption? How to construct the signature schemes? turns out: these questions are related

The observation of Diffie and Hellman: plaintexts ciphertexts (e,d) – the key pair E(e,x) D(d,y) easy only if one knows d tags (“signatures”) messages Vrfy(e,x) Tag(d,y) easy only if one knows d public-key encryption: signature schemes: Looks similar...

Trapdoor permutations XX easy easy: one can compute E e -1 if one knows a trapdoor d hard (otherwise) EeEe this is denoted D d A family of permutations indexed by pairs (e,d): { E : X → X } (e,d) є keys such that:

How to encrypt a message m messagesplaintexts m := D d (c) c := E e (m) one can compute it only if one knows d encryption decryption: Warning: in general it’s not that simple. We will explain it later.

How to sign a message m signaturesmessages D d (m) E e (m) one can compute it only if one knows d signing: verifying: Warning: in general it’s not that simple. We will explain it later.

Do such functions exist? Ron Rivest, Adi Shamir, and Leonard Adleman (1977) yes! RSA function is a trapdoor permutation!

The RSA function N = pq, such that p and q are large primes e is such that gcd(e,d) = 1 d is such that ed = 1 (mod φ(N)) E e : Z N * → Z N * is defined as: E(m) = m e mod N. D d : Z N * → Z N * is defined as: D(c) = c d mod N. Does it work? D(E(m)) = m d mod N. we get D d (E e (m)) = ( m e ) d = m ed = m 1 mod φ(N) φ(N)) = (p-1)(q-1). public key: (N,e) private key: (N,d)

Is it a trapdoor permutation? If one can factor large integers → no! (because one can compute φ(N)) Is there an implication in the opposite direction? nobody knows...

What can be shown 1.Computing φ(N) is as hard as factoring (we have shown it a week ago). 2.Computing d from (e,N) is as hard as factoring.