Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 7 Stefan Dziembowski

Published byAbel Little Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 7 Stefan Dziembowski"— Presentation transcript:

1 Cryptography Lecture 7 Stefan Dziembowski www.dziembowski.net stefan@dziembowski.net

2 Plan 1.Introduction to public-key cryptography 2.Diffie-Hellman key exchange 3.Trapdoor one-way permutations

3 How to distribute the cryptographic keys? If the users can meet in person beforehand – it’s simple. But what to do if they cannot meet? (a typical example: on-line shopping)

4 A naive solution: P5P5 P1P1 P3P3 P2P2 P4P4 K 13 K 12 K 14 K 15 give to every user P i a separate key K ij to communicate with every P j

5 P5P5 P1P1 P3P3 P2P2 P4P4 In general: a quadratic number of keys is needed

6 Problems: Someone (a Key Distribution Center, KDC) needs to “give the keys” –feasible if the users are e.g. working in one company –infeasible on the internet –relies on the honesty of KDC –KDC needs to be permanently available –... The users need to store large numbers of keys in a secure way

7 The solution: Public-Key Cryptography Whitfield Diffie and Martin Hellman (1976)Ralph Merkle (1974)

8 A little bit of history Diffie and Hellman were the first to publish a paper containing the idea of the public-key cryptography: W.Diffie and M.E.Hellman, New directions in cryptography IEEE Trans. Inform. Theory, IT-22, 6, 1976, pp.644-654. A similar idea was described by Ralph Merkle: –in 1974 he described it in a project proposal for a Computer Security course at UC Berkeley (it was rejected) –in 1975 he submitted it to the CACM journal (it was rejected) (see http://www.merkle.com/1974/ )http://www.merkle.com/1974/ It 1997 the GCHQ (the British equivalent of the NSA) revealed that they new it already in 1973.

9 The idea Instead of using one key K, use 2 keys (e,d), where –e is used for encryption, –d is used for decryption, or –d is used for computing a tag, –e is used for verifying correctness of the tag. Moreover: e can be public, and only d has to be kept secret! That’s why it’s called: public-key cryptography this will be called “signatures” Sign – the signing algorithm

10 Anyone can send encrypted messages to anyone else P5P5 P1P1 P3P3 P2P2 P4P4 e1e1 e2e2 e3e3 e4e4 e5e5 2. reads e 3 1. P 1 wants to send m to P 3 3. sends E(e 3,m) public register: d3d3 4. P 3 computes D(d 3,m)

11 Anyone can verify the signatures P5P5 P1P1 P3P3 P2P2 P4P4 e1e1 e2e2 e3e3 e4e4 e5e5 1. Sign(d 3,m) public register: Sign(d 3,m) 2. reads e 3 d3d3 3. computes Vrfy(e 3,m)

12 Things that need to be discussed Who maintains “the register”? How to contact it securely? How to revoke the key (if it is lost)?... We will discuss this things later (when we will be talking about the Public-Key Infrastructure)

13 anyone can lock it But is it possible? In “physical world”: yes! Examples: 1.“normal” signatures 2.padlocks: the key is needed to unlock

14 Diffie and Hellman (1976) Diffie and Hellman proposed the public key cryptography in 1976. They just proposed the concept, not the implementation. But they have shown a protocol for key- exchange.

15 listens Key exchange AliceBob initially they share no secret key k Eve should have no information about k We will formalize it later. Let’s first show the protocol.

16 The Diffie-Hellman Key exchange G – a group, where discrete log is hard q = |G| g – a generator of G Alice Bob x ← Z q h 1 = g x y ← Z q h 2 = g y output: k A =(h 2 ) x output: k B =(h 1 ) y equal to: g yx equal to: g xy equal!

17 Security of the Diffie-Hellman exchange Eve h 1 = g x h 2 = g y G,g knows Eve should have no information about g yx g yx ?

18 Is it secure? If the discrete log in G is easy then the DH key exchange is not secure. (because the adversary can compute x and y from g x and g y ) If the discrete log in G is hard, then... it may also not be completely secure

19 Example: G = Z p * Alice Bob x ← Z q h 1 = g x y ← Z q h 2 = g y x is even iff h 1 is a QR y is even iff h 2 is a QR Therefore: g yx is a QR iff (h 1 is a QR) or (h 2 is a QR) So, Eve can compute some information about g yx (namely: if it is a QR, or not). g yx ?

20 Is it a problem, or not? We need to 1.formalize what we mean by secure key exchange, 2.identify the assumptions needed to prove the security.

21 AliceBob key k “transcript” T: the sequence of exchanged messages: interactive randomized Turing machine A interactive randomized Turing machine B A protocol is a pair (A,B) of randomized Turing machines. Informal definition: (A,B) is secure if no “efficient adversary” can distinguish k from random, given T, with a “non-negligible advantage”. key k T random string of the same length ?

22 How to formalize it? A B key k є {0,1} n security parameter 1 n key k є {0,1} n T We say (A,B) is secure a secure key-exchange protocol if the output of A and B is always the same, and A polynomial-time M that outputs 0 or 1 | Prob [M(1 n,T,k) = 1] - Prob [M(1 n,T,r) = 1] | is negligible in n r is random and |r| = n

23 How does the protocol look now? It needs to be defined for any parameter 1 n. Therefore we need an algorithm H that on input 1 n outputs: –a description of G of order q, such that |q| = n, –a generator g of G.

24 How does the protocol look now? Alice Bob x ← Z q y ← Z q h 2 = g y security parameter 1 n (G,g),q, h 1 = g x (G,g) ← H(1 n ) output: k A =(h 2 ) x output: k B =(h 1 ) y (Note that we cheat a bit because k is a “pseudorandom” group element, not a string of bits.) If such a key exchange protocol is secure, we say that: the Decisional Diffie-Hellman (DDH) problem is hard with respect to H)

25 An example of H where DDH is believed to be hard QR(p ) H(1 n ): 1.generate a random strong prime p of length n+1. 2.set q := (p-1)/2. 3.choose any x є Z p * such that x ≠ ±1 (mod p). 4.set g := x 2 mod p. 5.output (p,g). Other groups are also used (e.g. groups based on the elliptic curves).

26 Practical considerations 1.It is common to chose any Z p * (for prime p), instead of QR(p). 2.In some standards p is fixed, for example the RFC3526 document specifies the primes of following lengths: 1536, 2048, 3072, 4096, 6144, 8192. This is the 1536-bit prime: FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF. the generator is: 2.

27 A problem The protocols that we discussed are secure only against a passive adversary (that only eavesdrop). What if the adversary is active? She can launch a man-in-the-middle attack.

28 Man in the middle attack AliceBob key kkey k’key kkey k’ I am Bob I am Alice A very realistic attack! So, is this thing totally useless? No! (it is useful as a building block)

29 Two questions remain How to construct the public-key encryption? How to construct the signature schemes? turns out: these questions are related

30 The observation of Diffie and Hellman: plaintexts ciphertexts (e,d) – the key pair E(e,x) D(d,y) easy only if one knows d tags (“signatures”) messages Vrfy(e,x) Tag(d,y) easy only if one knows d public-key encryption: signature schemes: Looks similar...

31 Trapdoor permutations XX easy easy: one can compute E e -1 if one knows a trapdoor d hard (otherwise) EeEe this is denoted D d A family of permutations indexed by pairs (e,d): { E : X → X } (e,d) є keys such that:

32 How to encrypt a message m messagesplaintexts m := D d (c) c := E e (m) one can compute it only if one knows d encryption decryption: Warning: in general it’s not that simple. We will explain it later.

33 How to sign a message m signaturesmessages D d (m) E e (m) one can compute it only if one knows d signing: verifying: Warning: in general it’s not that simple. We will explain it later.

34 Do such functions exist? Ron Rivest, Adi Shamir, and Leonard Adleman (1977) yes! RSA function is a trapdoor permutation!

35 The RSA function N = pq, such that p and q are large primes e is such that gcd(e,d) = 1 d is such that ed = 1 (mod φ(N)) E e : Z N * → Z N * is defined as: E(m) = m e mod N. D d : Z N * → Z N * is defined as: D(c) = c d mod N. Does it work? D(E(m)) = m d mod N. we get D d (E e (m)) = ( m e ) d = m ed = m 1 mod φ(N) φ(N)) = (p-1)(q-1). public key: (N,e) private key: (N,d)

36 Is it a trapdoor permutation? If one can factor large integers → no! (because one can compute φ(N)) Is there an implication in the opposite direction? nobody knows...

37 What can be shown 1.Computing φ(N) is as hard as factoring (we have shown it a week ago). 2.Computing d from (e,N) is as hard as factoring.

Download ppt "Cryptography Lecture 7 Stefan Dziembowski"

Similar presentations

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
7. Asymmetric encryption-

7. Asymmetric encryption-
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Public Key Algorithms …….. RAIT M. Chatterjee.

Public Key Algorithms …….. RAIT M. Chatterjee.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Identity Based Encryption

Identity Based Encryption
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.

Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.
Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.

Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.
Chapter3 Public-Key Cryptography and Message Authentication.

Chapter3 Public-Key Cryptography and Message Authentication.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.
Lecture 6: Public Key Cryptography

Lecture 6: Public Key Cryptography
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.

Similar presentations

Ads by Google