Public-Key Cryptosystems CHAPTER 4

Transcription

1 Public-Key Cryptosystems CHAPTER 4

2 Introduction

3 How to distribute the cryptographic keys?

4 Naïve Solution

5 Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage: a quadratic number of keys is needed

6 Problems Someone (Key Distribution Center, KDC) need to distribute the keys. Feasible: if the users are, e.g., working in one company. Infeasible: if the users on the internet. Relies on the honesty of KDC. KDC needs to be permanently available. The users need to store large number of keys in a secure way For 1000 users, we need to = keys. Solution?

7 Public Key Cryptography PKC also solves the message source authentication problem: Only Alice can sign a message, using K. Anyone can verify the signature, using K'. Only if such a function could be found...

8 Diffie-Hellman Key Exchange The DHKE established in 1976 fundamentally has its security based on the DLP. It is obvious that to solve the DLP via polynomial time algorithms is not feasible. The protocol allows two users to exchange a secret key over an insecure medium without any prior secrets.

9 Diffie-Hellman Key Exchange Some Preliminaries: Def: An element g is called a generator of a group G if every element in G can be expressed as the product of finitely many powers of g. Def: If p 1 is an integer, then the numbers coprime to p, taken modulo p, form a group with multiplication as its operation. It is written as (Z/pZ) or Z p*. This group is cyclic and any generator, g, of the group is called a primitive root mod p.

10 Diffie-Hellman Key Exchange Public Parameter Creation A trusted party chooses and publishes a large prime p and an integer g having a large order in Z p Alice Chooses a secret random integer a. Computes A g a (mod p) Along sends A to Busu Private Computation (Setup) Public Exchange of Values Private Computation Bob Chooses a secret random integer b. Computes B g b (mod p) Busu sends B to Along Along computes B a (mod p) Busu computes A b (mod p) The shared secret key is B a (mod p) (g b ) a g ab (g a ) b A b (mod p)

11 Diffie-Hellman Key Exchange If Eve wants to compute k, then she would need either a or b. Otherwise, Eve would need to solve a Discrete Logarithm Problem. There is no known algorithm to accomplish this in a reasonable amount of time.

12 Diffie-Hellman Key Exchange Example: Suppose Alice and Bob agree to use p = 47 and g = 5. Setup Alice chooses a number between 0 and 46, say a = 18. Bob chooses a number between 0 and 46, say b = 22. Exchange Alice publishes ga (mod p), i.e. u = 518 (mod 47) = 2. Bob publishes gb (mod p), i.e. v = 522 (mod 47) = 28.

13 Diffie-Hellman Key Exchange Private Computation: If Alice wants to know the secret key k, she takes Bob s public number, v = 28, and raises it to her private number, a = 18 (taking the result mod 47). This gives her: 2818 (mod 47) = 24. If Bob wants to know the secret key, he takes Alice s public number, u = 2, and raises it to his private number, b = 22 (taking the result mod 47). This gives him: 222 (mod 47) = 24. Thus, Alice and Bob have agreed upon a secret key, k = 24.

14 El-Gammal Public Key Cryptosystem The El-Gammal PKC was designed by Taher El-Gammal in It came after the RSA, but because of its underlying structure that utilizes the DLP, we present it first. Differing from the objective of a key exchange mechanism, a cryptosystem has the objective to encrypt messages.

15 Public Parameter Creation A trusted third party chooses and publishes a large prime p and a primitive root g modulo p. Key Creation Alice Bob Choose a private key 1 a p-1. Compute A = g a (mod p). Publish the public key A. Encryption Decryption Choose plaintext m. Choose random ephemeral key k. Use Along s public key A to compute: i. c 1 = g k (mod p) ii. c 2 = ma k (mod p) 4. Send ciphertext (c 1, c 2 ) to Along. Compute (c 1a ) -1 c 2 (mod p)=m.

16 El-Gammal Public Key Cryptosystem Proof: (Proof of correctness) a c 1 1 c 2 g ka 1 ma k g ka 1 mg ak m mod p. Example Create your own example.

17 El-Gammal Public Key Cryptosystem Plaintext x is masked by a random factor, g αk mod p. DH problem: Given g α, g k mod p, what is g αk mod p? p, g can be common. Then g k mod p can be computed in advance. Same k should not be used repeatedly. Performance: encryption: two exponentiations decryption: one exponentiation, one inversion Size: Ciphertext twice as large as plaintext.

18 Cryptanalysis on DHKE In general Eve has the following objective in order to break into a DHKE protocol: obtain Alice s random secret exponent or Bob s random secret exponent solving the DLP, but no sufficient algorithm solve it in feasible time. Is that the only way where Eve can break into the system?

19 Cryptanalysis on DHKE Definition 4.7.1(Diffie Hellman Problem) Let p be a prime number and g an integer. The Diffie Hellman Problem (DHP) is the problem of computing the value g ab mod p from the known values g a mod p and g b mod p.

20 Cryptanalysis on DHKE Remark It is clear that DHP is NOT MUCH HARDER THAN DLP (DHP p DLP). That is, if you solve DLP you solve DHP. BUT if Eve has an algorithm that solves DHP, Eve does not need to solve DLP. This means, there MAYBE a way to solve DHP without solving DLP. Unless if you can prove that DHP p DLP, it is only then Eve will have no other option to break DHKE other than solving the DLP. (DO YOU UNDERSTAND???)

21 Man in the middle attack on DHKE The MITM attack upon the DHKE is conducted as follows: Eve observes a key exchange between Alice and Bob. Eve intercepts Bob public value, B g b mod p. Eve masquerades as Alice and returns to Bob her public value, E g e mod p. Eve masquerades as Bob and returns to Alice her public value, E g e mod p. Then both Eve and Alice have the same shared key EA = g ae mod p and Eve and Bob have the same shared key EB = g be mod p Then upon intercepting intended from Bob to Alice, Eve can now read/modify. After reading, Eve can either modify or relay the cipher back to Alice encrypted with EA. Alice can decrypt by using Eve s public (to generate AE = g ea mod p ).

22 RSA Cryptosystem Definition (Euler s φ function) defined as the number of positive integers less than and relatively prime to n Let φ N be the number of integers 1 a N such that gcd a, N = 1 Example φ 10 = 4. The integers are 1,3,7,9 Proposition Let p and q be 2 distinct primes and N = pq. Then, φ N = p 1 q 1 Proof: (Assignment) Remark The function φ N counts the number of numbers that are relatively prime to N.

23 RSA Cryptosystem Theorem (Euler s theorem) If gcd a, N = 1, then aφ N 1 mod N, where is Euler s totient function. Proof: Example Compute mod 101. Solution: 101 is prime. From Fermat s little theorem mod 101. Therefore, mod 101.

24 RSA Cryptosystem Remark It is obvious that FLT helps to reduce the number of exponentiations involved. Exercises Divide by 101. What is the remainder? 2. Suppose you write a message as a number m mod 31. Encrypt m as m 7 mod 31. How would you decrypt? Assignment Hint: Decryption is done by raising the ciphertext to a power mod 31. Fermat s little theorem will be useful.

25 The RSA Algorithm Key Generation INPUT: The size n of the prime numbers. OUTPUT: A public key tuple N, e and a private key tuple p, q, d. 1. Generate two random and distinct n-bit strong primes p, q. 2. Compute N = pq and φ N = p 1 q Choose random e such that gcd e, φ N = Compute integer d such that ed 1 mod φ N. 5. Return the public key tuple N, e and a private key pair p, q, d.

26 The RSA Algorithm Encryption INPUT: The public key pair N, e and the message M Z N. OUTPUT: The ciphertext C. Compute C M e mod N Decryption INPUT: The private key d and the message ciphertext C. OUTPUT: The message M. Compute M C d mod N Proof: (Proof of correctness)

27 The RSA Algorithm Example: Perform encryption and decryption using the RSA algorithm for the following: 1. p = 17; q = 11, e = 7;M = p = 11; q = 13, e = 11;M = 7 3. p = 17; q = 31, e = 7;M = 2 In a public-key system using RSA, you intercept the ciphertext C = 10 sent to a user whose public key is e = 5, n = 35.What is the plaintext M?

28 RSA Cryptosystem Remark What is difficult for the adversary to do in order to break RSA? 2. Are the problems that the adversary need to overcome solvable in polynomial time? 3. Do you have an idea how to break RSA? Remark The RSA PKC relies on the difficulty of solving equations of the form x e c mod N (or c x e mod N ) where the quantities e, c and N are known. The security of RSA relies on the assumption that it is difficult to compute the e th roots modulo N. This problem is also known as the RSA problem.

29 RSA Cryptosystem Proposition Solving RSA problem p Factoring N = pq. Proof: If N = pq is factored then d can be computed via de 1 mod φ N RSA problem will be solved.. Then Remark It is still unknown whether if one solves the RSA problem, one is able to factor N = pq.

30 RSA Cryptosystem Proposition Let p and q be distinct primes and let e 1 be an integer that satisfies the condition gcd e, p 1 q 1 = 1. We know there exists a multiplicative inverse d of e such that de 1 mod p 1 q 1. Then the congruence relation x e c mod pq has the unique solution x c d mod pq. Remark What happens when if N is just a prime? We will now discuss that if N is just a prime (not a product of primes) it is comparatively easy to compute e th roots modulo N.

31 RSA Cryptosystem Proposition Let p be a prime and let e 1 be an integer that satisfies the condition gcd e, p 1 = 1. We know there exists an inverse d such that de 1 mod p 1. Then the congruence relation x e c mod p has the solution x c d mod p. Proof: From de 1 mod p 1 there exists k Z such that we have de = 1 + k p 1. Now, c d e c de c 1+k p 1 c c p 1 k c 1 k c mod p. This completes the proof that c d is the e th root modulo p of c.

32 RSA Cryptosystem Example Solving x mod Observe that 7919 is a prime. Now, let us find d in order to solve d mod 7918.We get (via Extended Euclidean Algorithm) d 5277 mod Hence, x mod 7919 is the solution.

33 RSA Cryptosystem Example Solve the congruence relation x mod Observe that the modulus is not a prime since from our earlier lectures (section 2.6) we can see that mod It happens that is a product of 2 prime numbers. But since we do not know the prime factors, we cannot use Proposition to help us!!!

34 RSA Cryptosystem ASSIGNMENT Alice publishes his Public key N= and exponent e = Bob wants to send to Alice the message m= Determine the ciphertext. 2. Determine Alice s private key d. 3. Alice receives a ciphertext c= from Bob. Decrypt the ciphertext. (Just provide the numbers)

35 Rabin Cryptosystem Introduced on 1979 by Rabin. The Rabin cryptosystem utilizes the square root modulo problem. Its an optimal implementation of RSA with the encryption exponent e = 2. The scheme utilizes the CR for decryption. The situation of a 4-to-1 mapping during decryption has deterred it from being utilized.

36 Rabin Cryptosystem Key Generation INPUT: The size n of the prime numbers. OUTPUT: A public key N = pq and a private key pair p, q. Generate two random and distinct n-bit strong primes p, q satisfying p 3 mod 4 and 2 n < p < 2 n+1, q 3 mod 4 and 2 n < q < 2 n+1. Compute N = pq.

37 Rabin Cryptosystem Encryption INPUT: The public key N = pq and the message M Z N. OUTPUT: The ciphertext C. Compute C M 2 mod N Decryption INPUT: The private key p, q and the ciphertext C. OUTPUT: The message M. Compute the square roots of C via CRT since we have the factors of N.

38 Rabin Cryptosystem Let m = 32 1) The key: K = {n, p, q} = {77, 7, 11} 2) The encryption function is applied: e k (m) = m 2 mod n = e k (32) = 32 2 mod 77 = 23 = c Now, the ciphertext c = 23 can be sent. 3) The decryption algorithm is applied: m p = c (p+1)/4 mod p = 23 (7+1)/4 mod 7 = 4 m q = c (q+1)/4 mod q = 23 (11+1)/4 mod 11 = 1

39 Rabin Cryptosystem The Rabin Cryptosystem: example (2) First, we compute b1 y b2 : N/7 b 1 1 mod 7 b 1 = 2 N/11 b 2 1 mod 11 b 2 = 8 x 4 mod 7 and x 1 mod 11 : x = a 1 b 1 (M/m 1 ) + a 2 b 2 (M/m 2 ) = 4 x 2 x x 8 x 7 x 144 = 67 mod 77 x = 67 x 3 mod 7 and x 1 mod 11 : x = a 1 b 1 (M/m 1 ) + a 2 b 2 (M/m 2 ) = 11 x 2 x x 8 x 1 x 122 = 45 mod 77 x = 45 For symmetry: = 10 x = = 32 x = 32

40 Rabin Cryptosystem Remark The Rabin cryptosystem is known to have decryption failure due to its 4-1 mapping. strategies to overcome this feature of the Rabin cryptosystem. Redundancy in the message [Menezes et.al., 1996]. This scheme has a probability 1 decryption failure of approximately 2l 1 where l is the least significant binary string of the message. Extra bits [Kurosawa et. al, 2001]. One will send 2 extra bits of information to specify the square root. The encryption process requires the computation of the Jacobi symbol. This results in a computational overhead which is much more than just computing a single square modulo N. Williams technique [Williams, 1980]. The encryption process requires the encryptor to compute a Jacobi symbol. Hence, losing the performance advantage of Rabin over RSA (as in point no.2).

41 Rabin-RZ Cryptosystem Key Generation INPUT: The size n of the prime numbers. OUTPUT: A public key N = p 2 q and a private key pair p, q. Generate two random and distinct n-bit strong primes p, q satisfying p 3 mod 4 and 2 n < p < 2 n 1, q 3 mod 4 and 2 n < q < 2 n 1. Compute N = p 2 q.

42 Rabin-RZ Cryptosystem Encryption INPUT: The public key N = p 2 q and the message M Z N. OUTPUT: The ciphertext C. Compute C M 2 mod N Decryption INPUT: The private key p, q and the ciphertext C. OUTPUT: The message M. M 2 C mod pq, Compute the square roots of C via CRT. Check k = C m2 p 2 q, if k then m is the unique solution

43 Rabin-RZ Cryptosystem Proof of correctness PoC: C m 2 mod N C = m 2 + k p 2 q k = C m i 2 p 2 q, where i=1 to 4 Check for k ϵ Z, so there is one solution {(k i, m i )} to solve.

44 Rabin-RZ Cryptosystem Bivariate function hard problem: Proposition: Let F(x 1, x 2,..., x n ) be a multivariate one-way function that maps F Z n Z+(2 n 1,2 n 1 ). Let F1 and F2 be such functions (either identical or non-identical) such that A 1 = F 1 (x 1, x 2,..., x n ), A 2 =F 2 (y 1, y 2,..., y n ) and gcd(a 1,A 2 )=1. Let u, v Z + (2 m 1,2 m 1). Let G(u,v)=A1u+A2v If at minimum m n 1 = k, where 2 k is exponentially large for any probabilistic polynomial time (PPT) adversary to sieve through all possible answers, it is infeasible to determine (u,v) over Z from G(u,v). Furthermore, (u,v)is unique for G(u,v) with high probability.