Presentation is loading. Please wait.

Presentation is loading. Please wait.

15-853:Algorithms in the Real World

Published byDora Dixon Modified over 9 years ago

Similar presentations

Presentation on theme: "15-853:Algorithms in the Real World"— Presentation transcript:

1 15-853:Algorithms in the Real World
Cryptography III Public Key Cryptosystems 15-853

2 Cryptography Outline Introduction: terminology and background
Primitives: one-way hash functions, trapdoors, … Protocols: digital signatures, key exchange, .. Number Theory: groups, fields, … Private-Key Algorithms: Rijndael, DES, RC4 Cryptanalysis: Differential, Linear Public-Key Algorithms: Knapsack, RSA, El-Gamal, Blum-Goldwasser Case Studies: Kerberos, Digital Cash 15-853

3 Public Key Cryptosystems
Introduced by Diffie and Hellman in 1976. Plaintext Public Key systems K1 = public key K2 = private key K1 Encryption Ek(M) = C Cyphertext Digital signatures K1 = private key K2 = public key K2 Decryption Dk(C) = M Original Plaintext Typically used as part of a more complicated protocol. 15-853

4 One-way trapdoor functions
Both Public-Key and Digital signatures make use of one-way trapdoor functions. Public Key: Encode: c = f(m) Decode: m = f-1(c) using trapdoor Digital Signatures: Sign: c = f-1(m) using trapdoor Verify: m = f(c) 15-853

5 Example of SSL SSL (Secure Socket Layer) is the standard for the web (https). Protocol (somewhat simplified): B->A: hello I would like a secure connection A->B: Hi, I’m amazon.com, |amazon.com|verisign B->A: Prove it A->B: Bob this is amazon, <[Bob this is amazon]>amazon’s private key B->A: ok Amazon, here is a shared-key, {key}amazon’s public key A->B: (message,[message])key |h|issuer = Certificate = Issuer, <h,h’s public key, time stamp>issuer’s private key <…>private key = Digital signature {…}public key = Public encryption [..] = Secure Hash (…)key = Private encryption 15-853

6 Public Key History Some algorithms
Merkle-Hellman, 1978, based on “knapsack problem” McEliece, 1978, based on algebraic coding theory RSA, 1978, based on factoring Rabin, 1979, security can be reduced to factoring ElGamal, 1985, based on Discrete logs Blum-Goldwasser, 1985, based on quadratic residues Elliptic curves, 1985, discrete logs over Elliptic curves Chor-Rivest, 1988, based on knapsack problem NTRU, 1996, based on Lattices XTR, 2000, based on discrete logs of a particular field 15-853

7 Diffie-Hellman Key Exchange
A group (G,*) and a primitive element (generator) g is made public. Alice picks a, and sends ga to Bob Bob picks b and sends gb to Alice The shared key is gab Note this is easy for Alice or Bob to compute, but assuming discrete logs are hard is hard for anyone else to compute. Can someone see a problem with this protocol? 15-853

8 Person-in-the-middle attack
Alice Bob Mallory ga gb gd gc Key1 = gad Key1 = gcb Mallory gets to listen to everything. 15-853

9 Merkle-Hellman Gets “security” from the Subet Sum (also called knapsack) which is NP-hard to solve in general. Subset Sum (Knapsack): Given a sequence W = {w0,w1, …,wn-1}, wi  Z of weights and a sum S, calculate a boolean vector B, such that: Even deciding if there is a solution is NP-hard. Note that there are several definitions of the “knapsack problem”. That’s why I put this definition in quotes. 15-853

10 Merkle-Hellman W is superincreasing if:
It is easy to solve the subset-sum problem for superincreasing W in O(n) time. Main idea: Hide the easy case by multiplying each wi by a constant a modulo a prime p Public key: W’ Private key: a, p : Dw(S) = solve for Bi 15-853

11 Merkle Hellman: Problem
Was broken by Shamir in 1984. Shamir showed how to use integer programming to solve the particular class of Subset Sum problems in polynomial time. Lesson: don’t leave your trapdoor loose. 15-853

12 RSA Invented by Rivest, Shamir and Adleman in 1978
Based on difficulty of factoring. Used to hide the size of a group Zn* since: . Has not beed reduced to factoring: an algorithm that generates m from c does not give an efficient algorithm for factoring On the other hand, finding the private-key has been reduced to factoring. There is an efficient algorithm for factoring given one that can find the private key. 15-853

13 RSA Public-key Cryptosystem
What we need: p and q, primes of approximately the same size n = pq (n) = (p-1)(q-1) e  Z (n)* d = e-1 mod (n) Public Key: (e,n) Private Key: d Encode: m  Zn E(m) = me mod n Can you give an example in which solving the discrete log is simple? All finite groups are isomorphic to (Zn,+) so why isn’t it always easy? Decode: D(c) = cd mod n 15-853

14 RSA continued Why it works: D(c) = cd mod n = med mod n
= m1 + k(p-1)(q-1) mod n = m1 + k(n) mod n = m(m(n))k mod n = m Why is this argument not quite sound? What if m  Zn* then m(n)  1 mod n Answer 1: Not hard to show that it still works. Answer 2: jackpot – you’ve factored n 15-853

15 RSA computations To generate the keys, we need to
Find two primes p and q. Generate candidates and use primality testing to filter them. Find e-1 mod (p-1)(q-1). Use Euclid’s algorithm. Takes time log2(n) To encode and decode Take me or cd. Use the power method. Takes time log(e) log2(n) and log(d) log2(n) . In practice e is selected to be small so that encoding is fast. 15-853

16 Security of RSA Warning:
Do not use this or any other algorithm naively! Possible security holes: Need to use “safe” primes p and q. In particular p-1 and q-1 should have large prime factors p1 and q1, and p1 and q1 should have large factors, … p and q should not have the same number of digits. Can use a middle attack starting at sqrt(n). E cannot be too small Don’t use same n for different e’s. You should always “pad” 15-853

17 Algorithm to factor given d and e
If an attacker has an algorithm that generates d from e, then he/she can factor n in PPT. Variant of the Rabin-Miller primality test. Function TryFactor(e,d,n) write ed – 1 as 2sr, r odd choose w at random < n v = wr mod n if v = 1 then return(fail) while v  1 mod n v0 = v v = v2 mod n if v0 = n - 1 then return(fail) return(pass, gcd(v0 + 1, n)) LasVegas algorithm Probability of pass is > .5. Will return p or q if it passes. Try until you pass. Note that the only roots of unity for a prime are 1 and n-1. This algorithm gives a hint of why you should have a large prime factor for (p-1) and/or (q-1) 15-853

18 RSA Performance Performance: (600Mhz PIII) (from: ssh toolkit):
Algorithm Bits/key Mbits/sec RSA Keygen 1024 .35sec/key 2048 2.83sec/key RSA Encrypt 1786/sec 3.5 672/sec 1.2 RSA Decrypt 74/sec .074 12/sec .024 ElGamal Enc. 31/sec .031 ElGamal Dec. 61/sec .061 DES-cbc 56 95 twofish-cbc 128 140 Rijdael 180 15-853

19 RSA in the “Real World” Part of many standards: PKCS, ITU X.509, ANSI X9.31, IEEE P1363 Used by: SSL, PEM, PGP, Entrust, … The standards specify many details on the implementation, e.g. e should be selected to be small, but not too small “multi prime” versions make use of n = pqr… this makes it cheaper to decode especially in parallel (uses Chinese remainder theorem). 15-853

20 Factoring in the Real World
Quadratic Sieve (QS): Usedin 1994 to factor a 129 digint (428-bit) number Machines, 8 months. Number field Sieve (NFS): Used in 1999 to factor 155 digit (512-bit) number. 35 CPU years. At least 4x faster than QS 15-853

21 ElGamal Based on the difficulty of the discrete log problem.
Invented in 1985 Digital signature and Key-exchange variants Digital signature is AES standard Public Key used by TRW (avoided RSA patent) Works over various groups Zp, Multiplicative group GF(pn), Elliptic Curves 15-853

22 ElGamal Public-key Cryptosystem
(G,*) is a group  a generator for G a  Z|G|  = a G is selected so that it is hard to solve the discrete log problem. Encode: Pick random k  Z|G| E(m) = (y1, y2) = (k, m * k) Can you give an example in which solving the discrete log is simple? All finite groups are isomorphic to (Zn,+) so why isn’t it always easy? Decode: D(y) = y2 * (y1a) = (m * k) * (ka) = m * k * (k) = m You need to know a to easily decode y! Public Key: (, ) and some description of G Private Key: a 15-853

23 ElGamal Example N = 587 G = 5 15-853

24 Probabilistic Encryption
For RSA one message goes to one cipher word. This means we might gain information by running Epublic(M). Probabilistic encryption maps every M to many C randomly. Cryptanalysist cant tell whether C = Epublic(M). ElGamal is an example (based on the random k), but it doubles the size of message. 15-853

25 BBS “secure” random bits
BBS (Blum, Blum and Shub, 1984) Based on difficulty of factoring, or finding square roots modulo n = pq. Fixed p and q are primes such that p = q = 3 (mod 4) n = pq (is called a Blum integer) For a particular bit seq. Seed: random x relatively prime to n. Initial state: x0 = x2 ith state: xi = (xi-1)2 ith bit: lsb of xi Note that: Therefore knowing p and q allows us to find x0 from xi 15-853

26 Blum-Goldwasser: A stream cypher
Public key: n (= pq) Private key: p or q xi xor mi (0  i  l) ci (0  i  l) bi Random x x2 mod n BBS lsb ci (l  i  l + log n) = xl Encrypt: Decrypt: Using p and q, find Use this to regenerate the bi and hence mi 15-853

27 Quantum Cryptography In quantum mechanics, there is no way to take a measurement without potentially changing the state. E.g. Measuring position, spreads out the momentum Measuring spin horizontally, “spreads out” the spin probability vertically Related to Heisenberg’s uncertainty principal 15-853

28 Using photon polarization
= or ? (equal probability) = or ? (equal probability) measure diagonal measure square destroys state 15-853

29 Quantum Key Exchange Alice sends bob photon stream randomly polarized in one of 4 polarizations: Bob measures photons in random orientations e.g.: x + + x x x + x (orientations used) \ | \ / / \ (measured polarizations) and tells Alice in the open what orientations he used, but not what he measured. Alice tells Bob in the open which are correct Bob and Alice keep the correct values Susceptible to a man-in-the-middle attack 15-853

30 In the “real world” Not yet used in practice, but experiments have verified that it works. IBM has working system over 30cm at 10bits/sec. More recently, up to 10km of fiber. 15-853

Download ppt "15-853:Algorithms in the Real World"

Similar presentations

15-853Page 1 CPS 214 Computer Networks and Distributed Systems Cryptography Basics RSA SSL SSH Kerberos.

15-853Page 1 CPS 214 Computer Networks and Distributed Systems Cryptography Basics RSA SSL SSH Kerberos.
CPS 290 Computer Security Heartbleed Bug Key Exchange RSA Analysis RSA Performance CPS 290Page 1.

CPS 290 Computer Security Heartbleed Bug Key Exchange RSA Analysis RSA Performance CPS 290Page 1.
7. Asymmetric encryption-

7. Asymmetric encryption-
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
95-712 OOP/Java1 Public Key Crytography From: Introduction to Algorithms Cormen, Leiserson and Rivest.

OOP/Java1 Public Key Crytography From: Introduction to Algorithms Cormen, Leiserson and Rivest.
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.

Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
Public Key Crytography1 From: Introduction to Algorithms Cormen, Leiserson and Rivest.

Public Key Crytography1 From: Introduction to Algorithms Cormen, Leiserson and Rivest.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Cryptography Lecture 11: Oct 12. Cryptography AliceBob Cryptography is the study of methods for sending and receiving secret messages. adversary Goal:

Cryptography Lecture 11: Oct 12. Cryptography AliceBob Cryptography is the study of methods for sending and receiving secret messages. adversary Goal:
15-853Page 1 15-853:Algorithms in the Real World Cryptography 3, 4 and 5.

15-853Page :Algorithms in the Real World Cryptography 3, 4 and 5.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Lecture 6: Public Key Cryptography

Lecture 6: Public Key Cryptography
Introduction to Public Key Cryptography

Introduction to Public Key Cryptography
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.

Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.

The RSA Algorithm Based on the idea that factorization of integers into their prime factors is hard. ★ n=p . q, where p and q are distinct primes Proposed.
1 CIS 5371 Cryptography 8. Asymmetric encryption-.

1 CIS 5371 Cryptography 8. Asymmetric encryption-.
Topic 18: RSA Implementation and Security

Topic 18: RSA Implementation and Security
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.

Andreas Steffen, , 4-PublicKey.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.

Similar presentations

Ads by Google