Lecture 8. Public Key Cryptography (Diffie-Hellman and RSA)

Size: px

Start display at page:

Download "Lecture 8. Public Key Cryptography (Diffie-Hellman and RSA)"

Leslie Johnston
5 years ago
Views:

1 Lecture 8 Pulic Key Crytogrhy (Diffie-Hellmn nd RSA) 1

2 Pulic Key Crytogrhy Asymmetric crytogrhy Inented in (Diffie-Hellmn nd Riest-Shmir- Adlemn) To keys: rite (SK), ulic (PK) Encrytion: ith ulic key; Decrytion: ith rite key Digitl Signtures: Signing y rite key; Verifiction y ulic key. i.e., encryt messge digest/hsh -- h(m) -- ith rite key Authorshi (uthentiction) Integrity: Similr to MAC Non-reudition: cn t do ith secret key crytogrhy Much sloer thn conentionl crytogrhy Often used together ith conentionl crytogrhy, e.g., to encryt session keys 2

3 Pulic Key Crytogrhy Bo s ulic key PK B Bo s rite key SK B lintext messge, m encrytion lgorithm cihertext PK (m) B decrytion lgorithm lintext messge m = SK (PK (m)) B B 3

4 Key Pre-distriution: Diffie-Hellmn Ne Directions in Crytogrhy 1976 System ide rmeters : lrge rime, genertor in Z Alice's secret:, ulic: Bo's secret:, ulic: Alice hs: Bo hs: * y = mod y = mod y = mod y = mod K = ( y ) mod = K = ( y ) mod 4

5 Pulic Key Pre-distriution: Diffie-Hellmn Alice comutes K Secure communiction ith K Bo comutes K = K Ee knos:,, y nd y 5

6 Pulic Key Pre-distriution: Diffie-Hellmn Diffie Hellmn Prolem: lrge rime, genertor in Z Gien : y = mod nd y = mod FIND : mod * Discrete Log Prolem: Gien : y = mod FIND : 6

7 Pulic Key Pre-distriution: Diffie-Hellmn Decision DH Prolem: lrge rime, genertor Gien : y = mod, y = mod Distinguish : K = mod from rndom numer! DH Assumtion: DH rolem is HARD (not P) DL Assumtion: DL rolem is HARD (not P) DDH Assumtion: soling DDH rolem is HARD (not P) 7

8 Choose rndom Interctie (Pulic) Key Exchnge: Diffie-Hellmn y = mod Comute K = ( y ) mod y = mod Choose Secure communiction ith K rndom, Comute K = ( y ) mod Ee is ssie 8

9 The Mn-in-the-Middle (MitM) Attck (ssume Ee is n ctie dersry!) Choose rndom y = mod Comute K = ( y ) mod y = mod Secure communiction ith K Choose rndom, Comute K = ( y ) mod 9

10 RSA (1976-8) Let n = q here,q lrge rimes e,d R Z n nd ed 1 mod Φ(n) here : Φ(n) = ( 1)(q 1) = q q 1 Secrets :,q,d Pulics : n,e Encrytion : messge = m < n E(x) = y = m e mod n Decrytion : cihertext = y D( y) = x' = y d mod n 10

11 Why does it ll ork? x Z * n x ed = x 1modΦ(n) mod n = x c*φ(n)+1 mod n = x But, recll tht: g Φ(n) =1 mod n (Lgrnge) 11

12 Ho does it ll ork? Exmle: =5 q=7 n=35 (-1)(q-1)=24=3*2 3 ick e=11, d=11 x=2, E(x)=2048 mod 35 =18=y y=18, D(y)= e+13 mod 35 = 2 Exmle: =17 q=13 n=221 (-1)(q-1)=192=3 4 *2 ick e=5, d=77 Cn e ick 16? 9? 27? 185? x=5, E(x)=3125 mod 221 = 31 D(y)=31 77 = e+114 mod 221 = 5 12

13 Why is it Secure? Conjecture: reking RSA is olynomilly equilent to fctoring n Recll tht n is ery, ery lrge! Why: n hs unique fctors, q Gien nd q, comuting (-1)(q-1) is esy: ed 1mod Φ( n) Use extended Euclidin! 13

14 Exonentition Costs Integer multiliction -- O( 2 ) here is it-size of the se Modulr reduction -- O( 2 ) Thus, modulr multiliction -- O( 2 ) Modulr exonentition (s in RSA) -- m e mod n Nïe method: e-1 modulr roducts -- O( 2 *e) BUT ht if e is lrge, (lmost) s lrge s n? Let L= e (e.g., l=1024 for 1024-it RSA exonent) We cn ssume nd l re ery close, lmost the sme Squre-nd-multily method orks in O( 3 ) time O( 2 *2l) 14

15 Squre-nd-Multily gol : comute l = sizeof ( n); tem = 1; for ( i = l 1; i >= 0; i ) { tem* = tem; tem % = n; if ( e[i] ) { tem* m = m; tem% = n; } } e mod n From left to right in e Exmle 1: e=100 Exmle 2: e= Exmle 3: e=

16 Seeding u RSA Decrytion Let : C - RSA cihertext d = d mod( 1) d = d mod( q 1) q comute: M = C mod q M = C mod q q nd sole: M = M mod M = M mod q d d q M = [ M + M q ( q( q 1 1 mod ) mod q)]mod( q) 16

17 More on RSA Modulus n is unique er user à 2 or more rties cnnot shre the sme n Wht hens if Alice nd Bo shre the sme modulus? Alice hs (e,d,n) nd Bo (e,d,n) Alice nts to comute d (Bo s rite key) She knos tht: e * d = 1 mod hi(n) So: e * d = k * hi(n) + 1 nd: e * d - 1 = k * hi(n) Alice just needs to comute inerse of e mod X here X = e * d 1 = k * hi(n) let s cll this inerse d nd rememer tht: d * e = k * k * hi(n) + 1 cn e e sure tht: d = d? Is it ossile tht e hs no inerse mod X? Yes, if e =hi(n) or gcd(e,k)>1 ut this is ery, ery UNLIKELY! For ll decrytion uroses, d is EQUIVALENT to d Suose Ee encryted for Bo: C = (m) e mod n Alice comutes: C d mod n = m e d mod n = (m) k * k * hi(n) + 1 mod n = m 17

QUADRATIC RESIDUES MATH 372. FALL INSTRUCTOR: PROFESSOR AITKEN

QUADRATIC RESIDUES MATH 372. FALL INSTRUCTOR: PROFESSOR AITKEN QUADRATIC RESIDUES MATH 37 FALL 005 INSTRUCTOR: PROFESSOR AITKEN When is n integer sure modulo? When does udrtic eution hve roots modulo? These re the uestions tht will concern us in this hndout 1 The