Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 3: Public Key Cryptography

Similar presentations


Presentation on theme: "Lecture 3: Public Key Cryptography"— Presentation transcript:

1 Lecture 3: Public Key Cryptography
CS 392/6813: Computer Security Fall 2008 Nitesh Saxena *Adopted from Previous Lectures by Nasir Memon

2 Lecture 3: Pubic Key Cryptography
Course Admin Good/Bad News HW#1 will not be graded! Not a trick – just for the benefit of this course HW#2 due coming Monday (09/22) HW#3 will be posted soon after 9/22/2018 Lecture 3: Pubic Key Cryptography

3 Outline of Today’s Lecture
Public Key Crypto Overview Number Theory Background Public Key Encryption RSA ElGamal Public Key Signatures (digital signatures) DSS 9/22/2018 Lecture 3: Pubic Key Cryptography

4 Recall: Private Key/Public Key Cryptography
Private Key: Sender and receiver share a common (private) key Encryption and Decryption is done using the private key Also called conventional/shared-key/single-key/ symmetric-key cryptography Public Key: Every user has a private key and a public key Encryption is done using the public key and Decryption using private key Also called two-key/asymmetric-key cryptography 9/22/2018 Lecture 3: Pubic Key Cryptography

5 Private key cryptography revisited.
Good: Quite efficient (as you’ll see from the HW#2 exercise on AES) Bad: Key distribution and management is a serious problem – for N users O(N2) keys are needed 9/22/2018 Lecture 3: Pubic Key Cryptography

6 Public key cryptography model
Good: Key management problem potentially simpler Bad: Much slower than private key crypto (we’ll see later!) 9/22/2018 Lecture 3: Pubic Key Cryptography

7 Lecture 3: Pubic Key Cryptography
Public Key Encryption Two keys: public encryption key e private decryption key d Encryption easy when e is known Decryption easy when d is known Decryption hard when d is not known We’ll study such public key encryption schemes; first we need some number theory. Security notions/attacks very similar to what we studied for private key encryption 9/22/2018 Lecture 3: Pubic Key Cryptography

8 Lecture 3: Pubic Key Cryptography
Group: Definition (G,.) (where G is a set and . : GxGG) is said to be a group if following properties are satisfied: Closure : for any a, b G, a.b G Associativity : for any a, b, c G, a.(b.c)=(a.b).c Identity : there is an identity element such that a.e = e.a = a, for any a G Inverse : there exists an element a-1 for every a in G, such that a.a-1 = a-1.a = e Abelian Group: Group which also satisfies commutativity , i.e., a.b=b.a Examples: (Z,+) ; (Z,*)?; (Zm, “modular addition”) 9/22/2018 Lecture 3: Pubic Key Cryptography

9 Definitions related to a group
An element g in G is said to be a generator of a group if a = gi for every a in G, for a certain integer i A group which has a generator is called a cyclic group The number of elements in a group is called the order of the group Order of an element a is the lowest i such that ai = e A subgroup is a subset of a group that itself is a group 9/22/2018 Lecture 3: Pubic Key Cryptography

10 Lecture 3: Pubic Key Cryptography
Divisors x divides y (written x | y) if the remainder is 0 when y is divided by x 1|8, 2|8, 4|8, 8|8 The divisors of y are the numbers that divide y divisors of 8: {1,2,4,8} For every number y 1|y y|y 9/22/2018 Lecture 3: Pubic Key Cryptography

11 Lecture 3: Pubic Key Cryptography
Prime numbers A number is prime if its only divisors are 1 and itself: 2,3,5,7,11,13,17,19, … Fundamental theorem of arithmetic: For every number x, there is a unique set of primes {p1, … ,pn} and a unique set of positive exponents {e1, … ,en} such that 9/22/2018 Lecture 3: Pubic Key Cryptography

12 Lecture 3: Pubic Key Cryptography
Common divisors The common divisors of two numbers x,y are the numbers z such that z|x and z|y common divisors of 8 and 12: intersection of {1,2,4,8} and {1,2,3,4,6,12} = {1,2,4} greatest common divisor: gcd(x,y) is the number z such that z is a common divisor of x and y no common divisor of x and y is larger than z gcd(8,12) = 4 9/22/2018 Lecture 3: Pubic Key Cryptography

13 Euclidean Algorithm: gcd(r0,r1)
Main idea: If y = ax + b then gcd(x,y) = gcd(x,b) 9/22/2018 Lecture 3: Pubic Key Cryptography

14 Lecture 3: Pubic Key Cryptography
Example – gcd(15,37) 37 = 2 * 15 = 2 * 7 + 1 7 = 7 * 1 + 0 gcd(15,37) = 1 9/22/2018 Lecture 3: Pubic Key Cryptography

15 Lecture 3: Pubic Key Cryptography
Relative primes x and y are relatively prime if they have no common divisors, other than 1 Equivalently, x and y are relatively prime if gcd(x,y) = 1 9 and 14 are relatively prime 9 and 15 are not relatively prime 9/22/2018 Lecture 3: Pubic Key Cryptography

16 Lecture 3: Pubic Key Cryptography
Modular Arithmetic Definition: x is congruent to y mod m, if m divides (x-y). Equivalently, x and y have the same remainder when divided by m. Notation: Example: We work in Zm = {0, 1, 2, …, m-1}, the group of integers modulo m Example: Z9 ={0,1,2,3,4,5,6,7,8} We abuse notation and often write = instead of 9/22/2018 Lecture 3: Pubic Key Cryptography

17 Lecture 3: Pubic Key Cryptography
Addition in Zm : Addition is well-defined: 3 + 4 = 7 mod 9. 3 + 8 = 2 mod 9. 9/22/2018 Lecture 3: Pubic Key Cryptography

18 Additive inverses in Zm
0 is the additive identity in Zm Additive inverse of a is -a mod m = (m-a) Every element has unique additive inverse. 4 + 5= 0 mod 9. 4 is additive inverse of 5. 9/22/2018 Lecture 3: Pubic Key Cryptography

19 Lecture 3: Pubic Key Cryptography
Multiplication in Zm : Multiplication is well-defined: 3 * 4 = 3 mod 9. 3 * 8 = 6 mod 9. 3 * 3 = 0 mod 9. 9/22/2018 Lecture 3: Pubic Key Cryptography

20 Multiplicative inverses in Zm
1 is the multiplicative identity in Zm Multiplicative inverse (x*x-1=1 mod m) SOME, but not ALL elements have unique multiplicative inverse. In Z9 : 3*0=0, 3*1=3, 3*2=6, 3*3=0, 3*4=3, 3*5=6, …, so 3 does not have a multiplicative inverse (mod 9) On the other hand, 4*2=8, 4*3=3, 4*4=7, 4*5=2, 4*6=6, 4*7=1, so 4-1=7, (mod 9) 9/22/2018 Lecture 3: Pubic Key Cryptography

21 Which numbers have inverses?
In Zm, x has a multiplicative inverse if and only if x and m are relatively prime or gcd(x,m)=1 E.g., 4 in Z9 9/22/2018 Lecture 3: Pubic Key Cryptography

22 Extended Euclidian: a-1 mod n
Main Idea: Looking for inverse of a mod n means looking for x such that x*a – y*n = 1. To compute inverse of a mod n, do the following: Compute gcd(a, n) using Euclidean algorithm. Since a is relatively prime to m (else there will be no inverse) gcd(a, n) = 1. So you can obtain linear combination of rm and rm-1 that yields 1. Work backwards getting linear combination of ri and ri-1 that yields 1. When you get to linear combination of r0 and r1 you are done as r0=n and r1= a. 9/22/2018 Lecture 3: Pubic Key Cryptography

23 Lecture 3: Pubic Key Cryptography
Example – 15-1 mod 37 37 = 2 * 15 = 2 * 7 + 1 7 = 7 * 1 + 0 Now, 15 – 2 * 7 = 1 15 – 2 (37 – 2 * 15) = 1 5 * 15 – 2 * 37 = 1 So, 15-1 mod 37 is 5. 9/22/2018 Lecture 3: Pubic Key Cryptography

24 Modular Exponentiation: Square and Multiply method
Usual approach to computing xc mod n is inefficient when c is large. Instead, represent c as bit string bk-1 … b0 and use the following algorithm: z = 1 For i = k-1 downto 0 do z = z2 mod n if bi = 1 then z = z* x mod n Show an example: x^64 will require 6 squarings (or 6 multiplications). 9/22/2018 Lecture 3: Pubic Key Cryptography

25 Lecture 3: Pubic Key Cryptography
Example: 3037 mod 77 z = z2 mod n if bi = 1 then z = z* x mod n i b z 5 1 =1*1*30 mod 77 4 =30*30 mod 77 3 =53*53 mod 77 2 =37*37*30 mod 77 =29*29 mod 77 =71*71*30 mod 77 9/22/2018 Lecture 3: Pubic Key Cryptography

26 Lecture 3: Pubic Key Cryptography
Lagrange’s Theorem Order of an element in a group divides the order of the group 9/22/2018 Lecture 3: Pubic Key Cryptography

27 Euler’s totient function
Given positive integer n, Euler’s totient function is the number of positive numbers less than n that are relatively prime to n Fact: If p is prime then {1,2,3,…,p-1} are relatively prime to p. 9/22/2018 Lecture 3: Pubic Key Cryptography

28 Euler’s totient function
Fact: If p and q are prime and n=pq then Each number that is not divisible by p or by q is relatively prime to pq. E.g. p=5, q=7: {1,2,3,4,-,6,-,8,9,-,11,12,13,-,-,16,17,18,19,-,-,22,23,24,-,26,27,-,29,-,31,32,33,34,-} pq-p-(q-1) = (p-1)(q-1) 9/22/2018 Lecture 3: Pubic Key Cryptography

29 Euler’s Theorem and Fermat’s Theorem
If a is relatively prime to n then If a is relatively prime to n then ap-1 = 1 mod p Proof : follows from Lagrange’s Theorem 9/22/2018 Lecture 3: Pubic Key Cryptography

30 Lecture 3: Pubic Key Cryptography
RSA Cryptosystem 9/22/2018 Lecture 3: Pubic Key Cryptography

31 “Textbook” RSA: KeyGen
Alice wants people to be able to send her encrypted messages. She chooses two (large) prime numbers, p and q and computes n=pq and [“large” =512 bits +] She chooses a number e such that e is relatively prime to and computes d, the inverse of e in (i.e., ed =1 mod \phi(n)) She publicizes the pair (e,n) as her public key.(e is called RSA exponent, n is called RSA modulus)She keeps d secret and destroys p, q, and Plaintext and ciphertext messages are elements of Zn and e is the encryption key. Mention why textbook RSA is not secure. For example, if it is used to establish a key (160-bit long), as in SSL. C = K^d mod N One can set K = K1*K2  C/(K1^e) = K2^e (this can be done with 2^80 exponentiations, if K1 and K2 are each 80-bit long) 9/22/2018 Lecture 3: Pubic Key Cryptography

32 Lecture 3: Pubic Key Cryptography
RSA: Encryption Bob wants to send a message x (an element of Zn*) to Alice. He looks up her encryption key, (e,n), in a directory. The encrypted message is Bob sends y to Alice. 9/22/2018 Lecture 3: Pubic Key Cryptography

33 Lecture 3: Pubic Key Cryptography
RSA: Decryption To decrypt the message she’s received from Bob, Alice computes Claim: D(y) = x 9/22/2018 Lecture 3: Pubic Key Cryptography

34 RSA: why does it all work
Need to show D[E[x]] = x E[x] and D[y] can be computed efficiently if keys are known E-1[y] cannot be computed efficiently without knowledge of the (private) decryption key d. Also, it should be possible to select keys reasonably efficiently This does not have to be done too often, so efficiency requirements are less stringent. 9/22/2018 Lecture 3: Pubic Key Cryptography

35 E and D are inverses: Case 1: gcd(x,n)=1
Because From Euler’s Theorem 9/22/2018 Lecture 3: Pubic Key Cryptography

36 Alternative Proof that E and D are inverses
9/22/2018 Lecture 3: Pubic Key Cryptography

37 Lecture 3: Pubic Key Cryptography
By analogous argument So 9/22/2018 Lecture 3: Pubic Key Cryptography

38 Lecture 3: Pubic Key Cryptography
Tiny RSA example. Let p = 7, q = 11. Then n = 77 and Choose e = 13. Then d = 13-1 mod 60 = 37. Let message = 2. E(2) = 213 mod 77 = 30. D(30) = 3037 mod 77=2 9/22/2018 Lecture 3: Pubic Key Cryptography

39 Slightly Larger RSA example.
Let p = 47, q = 71. Then n = 3337 and Choose e = 79. Then d = 79-1 mod 3220 = 1019. Let message = … Break it into 3 digit blocks to encrypt. E(688) = mod 3337 = 1570. E(232) = mod 3337 = 2756 D(1570) = mod 3337 = 688. D(2756) = mod 3337 = 232. 9/22/2018 Lecture 3: Pubic Key Cryptography

40 Security of RSA: RSA assumption
Suppose Oscar intercepts the encrypted message y that Bob has sent to Alice. Oscar can look up (e,n) in the public directory (just as Bob did when he encrypted the message) If Oscar can compute d = e-1 mod then he can use to recover the plaintext x. If Oscar can compute , he can compute d (the same way Alice did). 9/22/2018 Lecture 3: Pubic Key Cryptography

41 Security of RSA: factoring
Oscar knows that n is the product of two primes If he can factor n, he can compute But factoring large numbers is very difficult: Grade school method takes divisions. Prohibitive for large n, such as 160 bits Better factorization algorithms exist, but they are still too slow for large n Lower bound for factorization is an open problem 9/22/2018 Lecture 3: Pubic Key Cryptography

42 Lecture 3: Pubic Key Cryptography
How big should n be? Today we need n to be at least 1024-bits This is equivalent to security provided by 80-bit long keys in private-key crypto No other attack on RSA known Except some side channel attacks, based on timing, power analysis, etc. But, these exploit certain physical charactesistics, not a theoretical weakness in the cryptosystem! Say something about the brute force attack on RSA. Why exactly should N be 1024 bits? 9/22/2018 Lecture 3: Pubic Key Cryptography

43 Lecture 3: Pubic Key Cryptography
Key selection To select keys we need efficient algorithms to Select large primes Primes are dense so choose randomly. Probabilistic primality testing methods known. Work in logarithmic time. Compute multiplicative inverses Extended Euclidean algorithm 9/22/2018 Lecture 3: Pubic Key Cryptography

44 Lecture 3: Pubic Key Cryptography
RSA Key Generation To select keys we need efficient algorithms to Select large primes Primes are dense so choose randomly. Probabilistic primality testing methods known. Work in logarithmic time. See references Compute multiplicative inverses Extended Euclidean algorithm 9/22/2018 Lecture 3: Pubic Key Cryptography

45 Lecture 3: Pubic Key Cryptography
RSA in Practice Textbook RSA is insecure Why? In practice, we use a “randomized” version of RSA, called RSA-OAEP Interested in details: refer to (section 3.1 of) 9/22/2018 Lecture 3: Pubic Key Cryptography

46 Discrete Logarithm Assumption
p, q primes such that q|p-1 g is an element of order q and generates a group of order q x in Zq, y = gx mod p Given (p, q, g, y), it is computationally hard to compute x No polynomial time algorithm known p should be 1024-bits and q be 160-bits x becomes the private key and y becomes the public key Explain the math involved, in choosing the parameters. 9/22/2018 Lecture 3: Pubic Key Cryptography

47 Lecture 3: Pubic Key Cryptography
ElGamal Encryption Encryption (of m in Zp): Choose random r in Zq k = gr mod p c = myr mod p Output (k,c) Decryption of (k,c) M = ck-x mod p Secure under discrete logarithm assumption Show the computation – they somehow don’t get it right away. 9/22/2018 Lecture 3: Pubic Key Cryptography

48 ElGamal Example: dummy
Let’s construct an example KeyGen: p = 11, q = 2 or 5; let’s say q = 5 2 is a generator of Z11* g = 22 = 4 x = 7; y = 47 mod 11 = 5 Enc(3): r = 9  k = 49 mod 11 = 3 c = 3*59 mod 11 = 5 Dec(3,5): m = 5*3-7 mod 11 = 3 9/22/2018 Lecture 3: Pubic Key Cryptography

49 Lecture 3: Pubic Key Cryptography
Digital Signatures Message Integrity Detect if message is tampered with while in the transit Source/Sender Authentication No forgery possible Non-repudiation If I sign something, I can not deny later A trusted third party (court) can resolve dispute 9/22/2018 Lecture 3: Pubic Key Cryptography

50 Lecture 3: Pubic Key Cryptography
Public Key Signatures Signer has public key, private key pair Signer signs using its private key Verifier verifies using public key of the signer Show the exact operation: when you verify, you either get a “yes” or a “no”. Not really something as in encryption. 9/22/2018 Lecture 3: Pubic Key Cryptography

51 Security Notion/Model for signatures
Existential Forgery under (adaptively) chosen message attack Adversary (adaptively) chooses messages mi of its choice Obtains the signature si on each mi Outputs any message m (≠ mi) and a signature s on m 9/22/2018 Lecture 3: Pubic Key Cryptography

52 Lecture 3: Pubic Key Cryptography
RSA Signatures Key Generation: same as in encryption Sign(m): s = md mod N Verify(m,s): (se == m mod N) The above text-book version is insecure In practice, we use a randomized version of RSA Hash the message and then sign the hash 9/22/2018 Lecture 3: Pubic Key Cryptography

53 Digital Signature Standard (DSS)
Adopted as standard in 1994 Security based on hardness of the discrete logarithm problem 9/22/2018 Lecture 3: Pubic Key Cryptography

54 DSS Signing/Verification
9/22/2018 Lecture 3: Pubic Key Cryptography

55 Lecture 3: Pubic Key Cryptography
DSA Example: Refer to of HAC 9/22/2018 Lecture 3: Pubic Key Cryptography

56 Lecture 3: Pubic Key Cryptography
Some questions 2-1 mod 4 =? What is the complexity of (a+b) mod m (a*b) mod m a-1 mod (m) xc mod (n) c1 = RSA_Enc(m1), c2 = RSA_Enc(m2). What is RSA_Enc(m1m2)? Homomorphic property What is RSA_Enc(2m1)? Malleability (not a good property!) Is it possible to find inverses mod n (RSA modulus)? 9/22/2018 Lecture 3: Pubic Key Cryptography

57 Lecture 3: Pubic Key Cryptography
Order of a group is 5. What can be the order of an element in this group? RSA stands for Robust Security Algorithm, right? If e is small (such as 3) Encryption is faster than decryption or the other way round? What about signing and verification? Private key crypto has key distribution problem and Public key crypto is slow How about a hybrid approach? Do you know how ssl/ssh works? 9/22/2018 Lecture 3: Pubic Key Cryptography

58 Lecture 3: Pubic Key Cryptography
Key generation in RSA is than in DL-based schemes (El Gamal/DSS) I encrypt m with Alice’s RSA PK, I get c I encryt m again, I get --? What does this mean? I encrypt m with Alice’s ElGamal PK, I get c What if I do the above with DES? 9/22/2018 Lecture 3: Pubic Key Cryptography

59 Lecture 3: Pubic Key Cryptography
Find x such that x = 4 mod 5 x = 7 (mod 8) x = 3 (mod 9) Chinese Remainder Theorem Can be applied to speed up RSA decryption/signing At home reading assignment!!! 9/22/2018 Lecture 3: Pubic Key Cryptography

60 Lecture 3: Pubic Key Cryptography
Further Reading Cryptography: Theory and Practice – D. Stinson. CRC Press. Cryptography and Network Security – William Stallings. Applied Cryptography – B. Schneier. John Wiley. North American Crypto archive Crypto Resource page Ron Rivest’s crypto page Cryptography Research Inc. Resource page Cryptography archive: AES home page 9/22/2018 Lecture 3: Pubic Key Cryptography


Download ppt "Lecture 3: Public Key Cryptography"

Similar presentations


Ads by Google