Public Key Algorithms

Transcription

1 1 Public Key Algorithms ffl hash: irreversible transformation(message) ffl secret key: reversible transformation(block) encryption digital signatures authentication RSA yes yes yes El Gamal no yes no Zero-knowledge proofs no no yes Diffie-Hellman: exchange of secrets all: pair (public, private) for each principal Slide 1 Modular Addition ffl addition modulo (mod) K (poor) cipher with key K ffl additive inverse: x: add until modulo (or 0) ffl decrypt by adding inverse Slide 2

2 2 Modular Multiplication ffl multiplication by 1, 3, 7, 9 works as cipher ffl multiplicative inverse x 1 : y x =1 ffl only 1, 3, 7, 9 have multiplicative inverses (e.g., 7 $ 3) ffl use Euclid s Algorithm to find inverse Slide 3 Totient Function ffl x; m relatively prime = no other common factor than 1 ffl relatively prime 6= prime (9 rel. prime 10) ffl e.g., 6 not relatively prime to 10: 2 divides both 6 and 10 ffl totient function ffi(n): number of numbers less than n relatively prime to n if n prime, f1; 2;:::;n 1g are rp ffi(n) =n 1 if n = p q, p; q distinct prime ffi(n) =(p 1)(q 1): Λ n = pq numbers in f0; 1; 2;:::;n 1g; exclude non-rp Λ exclude multiples of p or q Λ p multiples of q<pq(0,1,...), q multiples of p<pq Λ thus, exclude p + q 1 numbers don t count 0 twice Λ ffi(pq) =pq (p + q 1) = (p 1)(q 1) Slide 4

3 3 Modular Exponentiation x y mod n 6= x y+n mod n! x y Slide 5 Modular Exponentiation ffl encryption: x 3 works, x 2 does not ffl exponentiative inverse y of x: (a x ) y = a ffl columns: 1=5; 2=6; 3=7;::: ffl x y mod n = x y mod ffi(n) mod n ffl rp(10) = f1; 3; 7; 9g ffi(n) =4 ffl true for almost all n: anyn =product of distinct primes (square-free) ffl for any y with y =1 (mod ffi(n)) x y mod n = x mod n (e.g., 1, 5 and 9) Slide 6

4 4 RSA ffl Rivest, Shamir, Adleman ffl variable key length (common: 512 bits) ffl ciphertext length = key length ffl slow mostly used to encrypt secret for secret key cryptography Slide 7 RSA Algorithm Generate private and public key: ffl choose two large primes, p and q, about 256 bits (77 digits) each ffl n = p q (512 bits), don t reveal p and q ffl factoring 512 bit number is hard public key: e rp ffi(n) =(p 1)(q 1) he; ni private key: d =(e mod ffi(n)) 1 hd; ni encryption: of m<n: c = m e mod n decryption: m = c d mod n verification: m = s e mod n (signature s) Slide 8

5 5 RSA example p = 47 q = 71 n = pq = 3337 e = 79 prime, i.e., rp to (p 1)(q 1) d = 79 1 mod 3220 = 1019 m = m 1 = 688 c 1 = mod 3337 = 1570 p 1 = mod 3337 = 688 Slide 9 Why does RSA work? ffl n = pq, ffi(n) =(p 1)(q 1) ffl de =1 (mod ffi(n)) since e rp ffi(n) and d = e 1 ffl x de = x (mod n)8x ffl encryption: x e ffl decryption: (x e ) d = x ed = x ffl signature: reverse Slide 10

6 6 Why is RSA secure? ffl factor 512-bit number: half million MIPS years (= all US computers for one year) ffl given public key he; ni ffl need to find exponentiative inverse of e ffl need to know p, q to compute ffi(n) ffl abuse: if limited set of messages, can compare append random number ffl 2/2/1999: RSA-140 was factored. Slide 11 RSA Efficiency: Exponentiating ffl mod 678 = ( )=678 ffl modular reduction after each multiply: ffl (a b c) modm = (((a b) modm) c) modm = = = 213 (mod 678) = = = 435 (mod 678) = = = 435 (mod 678) ffl 54 small multiplies, 54 divides ffl exponent power of 2: = = = 213 (mod 678) = = = 671 (mod 678) = = = 213 (mod 678) Slide 12

7 7 ffl 123 2x+1 = 123 2x 123 Slide 13 RSA Efficiency: Exponentiating 54 = ; start with exponent ψ = = = 213 (mod 678) = = = 435 (mod 678) 110 ψ = = = 63 (mod 678) 1100 ψ = = 3969 = 579 (mod 678) = = = 27 (mod 678) ψ = = 729 = 51 (mod 678) = = 6273 = 171 (mod 678) ψ = = = 87 (mod 678) or x 54 = (((((x) 2 x) 2 ) 2 x) 2 x) 2 =87 (mod 678) 8 multiplies, 8 divides linearly with exponent bits Slide 14

8 8 RSA Implementation public key: O(k 2 ), private key: O(k 3 ), key generation: O(k 4 ) ffl fastest RSA hardware: 300 kb/s DES Pijnenburg PCC101 CFB 90 Mb/s Vasco CRY12C102 CFB 22 Mb/s RSA Pijnenburg PCC kb/s kb/s Vasco PQR kb/s ffl 90 MHz Pentium: throughput (private key) of 21.6 kb/s, 7.4 kb/s per second with a 1024-bit modulus ffl DES software: 100 times faster than RSA ffl DES hardware: 1,000 to 10,000 times faster Slide 15 Finding Big Primes p and q ffl infinite number of primes, probability 1= ln n ffl ten-digit number: 1 in 23, hundred-digit: 1 in 230 ffl pick at random and check if prime ffl bad: divide by all p n ffl Euler s Theorem: a rp n a ffi(n) =1 (mod n) ffl if n prime, ffi(n) =n 1 Theorem 1 (Fermat s Little Theorem) If p is prime and 0 <a<p, a p 1 =1 (mod p) ffl if p not prime, does not usually hold ffl pick some a<n, compute a n 1 mod n?! 1 ffl probability of accepting bad n: repeat Slide 16

9 9 Carmichael Numbers ffl Carmichael numbers n: not prime, but a n 1 =1 factor in n) (mod n)8a (where a not a ffl infinitely many ffl first few: 561, 1105, 1729, 2465, 2821, 6601, 8911 ffl 246,683 below ffl example: mod 561 = 1, but3 560 mod 561 = 375 Slide 17 Finding Big Primes p and q: Miller and Rabin Variation on Fermat test: ffl express n 1 as 2 b c,whereb 0 ffl compute a n 1 (mod n) (Fermat) as (a c ) 2b (mod n) ffl square b times ffl if not 1 not prime; if 1, test: if a c (mod n) 6= 1 squaring not-1! 1 square root of 1 rule: if n is prime (mod n), p 1 are 1 and 1(= n 1) if p 1 6= ±1, n not prime try many values for a; 75% of a fail the test if n not prime Slide 18

10 10 Big Primes: Implementation 1. pick odd random number n 2. check n=f3; 5; 7; 11;:::g and try again 3. repeat until failure or confidence: (a) pick random a and compute a c (mod n), with n 1=2 b c (b) compute a c,thenb times: (a c ) 2 (c) if result = 1: operand = ±1? no prime if not Slide 19 Finding d and e ffl e = any number rp to (p 1)(q 1) ffl ed =1 (mod ffi(n)) Euclid s algorithm Options for picking e: 1. pick randomly until e is rp to (p 1)(q 1) 2. choose e and pick p; q so that (p 1); (q 1) are rp to e Slide 20

11 11 Having a Small Constant e ffl e same small number ffl d can t be small (searchable) ffl e =3or e = ffl can t use 2: not rp to (p 1)(q 1) ffl message must be bigger than 3p n ffl send copies of message to three people: e i = h3;n i i Trudy: m 3 mod n 1 n 2 n 3 = m 3 (Chinese remainder) choose random/individualized padding Slide 21 RSA: e =3 ffl 3rptoffi(n) =(p 1)(q 1) since d = e 1 ffl each p 1, q 1 must be rp to 3 ffl 3 is factor of x x mod3=0 ffl (p 1) rp 3 p =2 (mod 3) (p 1) = 1 (mod 3) ffl (q 1) rp 3 q =2 (mod 3) (q 1) = 1 (mod 3) ffl choose p = r 3+2, r random, odd Slide 22

12 12 RSA: e = ffl = , (Mersenne prime: 2 n 1!) ffl only 17 multiplies to exponentiate: x 216 x ffl random 512-bit number: 768 multiplies ffl avoid 3 problems: 1. few m with m <n(512 bits) 2. have to send to 65,537 recipients 3. n rp ffi(n) reject p; q =1 (mod 65537) Slide 23 RSA Threats: Smooth Numbers ffl product of small primes ffl signed m 1 ;m 2 can compute signatures on m 1 m 2 ;m 1 =m 2 ;m j 1 ;mj 2 ;mj 1 mk 2 ffl example: m 2 1 :(md 1 mod n)2 mod n ffl if m 1 =m 2 is prime, can fake signature on that prime ffl any product of this collection ffl pad with zero on left small number smooth " ffl pad on right with x bits n 2 x ffl pad on right with random data cube root problem Slide 24

13 13 RSA Threats: Cube Root Problem ffl Carol wants your signature for message with digest h ffl message digest h; h 0 = pad with zeros on right ffl signature r = d 3p h 0 e r e = r 3 = h 0 Slide 25 Public Key Cryptography Standards (PKCS) ffl operational standards ffl deal with threats (smooth numbers, multiple recipients,...) ffl encryption with PKCS#1 random padding prevents guessing from known messages random padding prevents e =3, multiple-recipient attack cube root decryption longer than 21 bytes (> 11 + data) ffl signing with PKCS#2 large padding not smooth include digest algorithm prevent spoofing Slide 26

14 14 PKCS #1 RFC 2313 Also X.509: RSAPublicKey ::= SEQUENCE { modulus INTEGER, -- n publicexponent INTEGER } -- e Encryption block = 00jBTjPSj00jD with padding PS of k 3 jdj octets. 0 private-key 00 1 private-key FF (large!) 2 public-key pseudo-random Slide 27 PKCS #1 Signature DigestInfo ::= SEQUENCE { digestalgorithm DigestAlgorithmIdentifier, digest Digest } DigestAlgorithmIdentifier ::= AlgorithmIdentifier AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL } md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) US(840) rsadsi(113549) digestalgorithm(2) 5 } Digest ::= OCTET STRING Slide 28

15 15 Diffie-Hellman Key Exchange ffl shared key, public communication ffl no authentication of partners ffl p prime, ß 512 bits, public ffl g<p, public ffl Alice, Bob choose random, secret S A, S B ffl transmit T A = g SA mod p, T B = g SB mod p ffl Alice computes T S A B (mod p) =(g SB ) S A (mod p) ffl both get same number = key ffl would need to compute discrete logs to get S A from g S A ffl not secure against bucket-brigade attacks Slide 29 ffl public numbers instead of invention Slide 30

16 16 Bucket Brigade Attack ffl man-in-the-middle ffl X establishes security association with Alice, Bob ffl can read/write from/to both ffl relays messages, passwords between them ffl prevention: make g SA mod p public can t be replaced Slide 31 Diffie-Hellman: Offline ffl Bob publishes hp B ;g B ;T B i ffl Alice computes K AB = T S A B mod p B ffl Alice sends g S A B mod p B to Bob Slide 32

17 17 El Gamal Signatures ffl D-H: public: hg; p; T i; private:s; g s mod p = T ffl new public/private key for each message ffl compute T m = g Sm mod p for random S m for each msg. m ffl digest d m = mjt m ffl signature = X = S m + d m S (mod p 1) ffl transmit m; X; T m ffl verification: g X =?T m T d m mod p g X = g S m+d m S = g S m g Sdm = T m T dm (mod p) Slide 33 El Gamal Properties Exercises: ffl message modification signature won t match ffl signature does not divulge S ffl don t know S can t sign Slide 34

18 18 Digital Signature Standard (DSS) ffl related to El Gamal, but some computations modq, q = 160 bits < jpj = 512 bits ffl speeded up for signer rather than verifier: chip cards Slide 35 DSS Algorithm 1. generate public p (512 bit prime) and q (160 bit prime) p = kq generate public g g q =1 (mod p) 3. choose long-term ht;si with random S T = g S mod p for S<q 4. choose ht m ;S m i with random S m ffl T m =((g Sm mod p) modq ffl calculate S 1 m mod q 5. calculate d m = SHS(message) Slide 36

19 19 6. signature X = S 1 m (d m + ST m )modq 7. transmit m; T m ;X 8. verify based on d m : z =? T m x = d m X 1 mod q y = T m X 1 mod q z = (g X T y mod p) modq Slide 37 DSS Algebra v = (d m + ST m ) 1 mod q X 1 = (S 1 m (d m + ST m )) 1 = S m (d m + ST m ) 1 = S m v mod q x = d m X 1 = d m S m v mod q y = T m X 1 = T m S m v mod q z = g x T y = g d ms m v g ST m S m v = g (d m+st m )S m v = g S m = T m mod p mod q any multiple of q in exponent drops out Slide 38

20 20 RSA vs. DSS ffl fixed moduli fflhp; q; gi pick one juicy target ffl trapdoor primes ffl slower than RSA(e =3), but signatures can be done ahead of time ffl needs per-message random secret ffl patent (Schnorr) Slide 39 Zero-Knowledge Proofs ffl prove knowledge without revealing it ffl RSA signatures ffl graph isomorphism: rename vertices ffl Alice: graph A and B ο A ffl public key: graphs A; B ffl private key: mapping between vertices ffl Alice: create G i and sends to Bob ffl Bob! Alice: how did A or B! G i? ffl zero-knowledge: Bob knows some G i s ffl Fred can create G i from either A or B, but not both Slide 40

21 21 Zero-Knowledge Proofs: Fiat-Shamir ffl Alice: public key hn; vi, n = pq ffl v: Alice knows secret s = p v (mod n) 1. Alice chooses k random numbers r 1 ;:::;r k 2. Alice sends r 2 i mod n 3. Bob chooses a random subset 1 of ri 2 subset 1 subset 2 Alice sends sr i mod n r i mod n Bob checks (sr i ) 2 (r i ) 2 =? vr 2 i (r i ) 2 Fred 4. finding square roots is hard (r i ) 2 (easy) Slide Fred gets some hri 2 ;sr ii 6. can use these for subset 1, pick own for subset 2 7. Carol picks which she wants much faster than RSA: 45 multiplies for Alice, Bob Slide 42