Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Similar documents
Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Cryptography IV: Asymmetric Ciphers

Asymmetric Encryption

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

CIS 551 / TCOM 401 Computer and Network Security

Lecture 1: Introduction to Public key cryptography

Introduction to Modern Cryptography. Benny Chor

10 Public Key Cryptography : RSA

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Mathematics of Cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

Public Key Cryptography

RSA. Ramki Thurimella

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Public-Key Encryption: ElGamal, RSA, Rabin

Public-Key Cryptosystems CHAPTER 4

8.1 Principles of Public-Key Cryptosystems

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Public Key Algorithms

Introduction to Modern Cryptography. Benny Chor

10 Modular Arithmetic and Cryptography

Lecture Notes, Week 6

My brief introduction to cryptography

Ti Secured communications

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Discrete Mathematics GCD, LCM, RSA Algorithm

CRYPTOGRAPHY AND NUMBER THEORY

CPSC 467b: Cryptography and Computer Security

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

basics of security/cryptography

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

MATH 158 FINAL EXAM 20 DECEMBER 2016

ECE 646 Lecture 9. RSA: Genesis, operation & security

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Encryption: The RSA Public Key Cipher

8 Elliptic Curve Cryptography

Algorithmic Number Theory and Public-key Cryptography

Attacks on RSA & Using Asymmetric Crypto

RSA RSA public key cryptosystem

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Introduction to Cryptography. Lecture 8

THE RSA CRYPTOSYSTEM

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

CPSC 467: Cryptography and Computer Security

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Cryptography. pieces from work by Gordon Royle

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

The Elliptic Curve in https

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Foundations of Network and Computer Security

RSA: Genesis, Security, Implementation & Key Generation

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

9 Knapsack Cryptography

and Other Fun Stuff James L. Massey

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Number Theory & Modern Cryptography

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

Lecture V : Public Key Cryptography

Mathematics of Public Key Cryptography

Gurgen Khachatrian Martun Karapetyan

Introduction to Cybersecurity Cryptography (Part 5)

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Public Key Cryptography

1 Number Theory Basics

THE CUBIC PUBLIC-KEY TRANSFORMATION*

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Practice Assignment 2 Discussion 24/02/ /02/2018

Week 7 An Application to Cryptography

Topics in Cryptography. Lecture 5: Basic Number Theory

Theory of Computation Chapter 12: Cryptography

CS483 Design and Analysis of Algorithms

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Public-key Cryptography and elliptic curves

One can use elliptic curves to factor integers, although probably not RSA moduli.

Public-key Cryptography and elliptic curves

Introduction to Elliptic Curve Cryptography

RSA-256bit 數位電路實驗 TA: 吳柏辰. Author: Trumen

Mathematical Foundations of Public-Key Cryptography

The RSA cryptosystem and primality tests

COMP424 Computer Security

Introduction. What is RSA. A Guide To RSA by Robert Yates. Topics

Cryptography. P. Danziger. Transmit...Bob...

Question: Total Points: Score:

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

MATH3302 Cryptography Problem Set 2

Lecture 7: ElGamal and Discrete Logarithms

Transcription:

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How do they get this key? This was an open problem was until 1976, when Diffie and Hellman published the paper New direction in Cryptography. Diffie-Hellman key-exchange protocol General description Small example Public: Fix a large prime number p Fix p = 17 Public: Fix a number g {2,..., p 1} called generator Alice chooses a {1,..., p 1} at random, computes g a mod p, sends this to Bob Bob chooses b {1,..., p 1} at random, computes g b mod p, sends this to Alice Fix g = 2 Alices chooses a = 7, computes 2 7 mod 17 = 9, sends this to Bob Bob chooses b = 11, computes 2 11 mod 17 = 8, sends this to Alice Alice computes K = (g b ) a mod p Alice computes K = 8 7 mod 17 = 15 Bob computes K = (g a ) b mod p Bob computes K = 9 11 mod 17 = 15 A passive attacker sees g a mod p and g b mod p. Finding the key from this information is related to two important problems: Computing g ab mod p given g a mod p and g b mod p is called the Computational Diffie-Hellman Problem (CDHP), computing a given g a For large values of p both problems are considered hard. mod p is called the Discrete-Logarithm Problem (DLP). Man-in-the-middle attack against Diffie-Hellman key exchange A passive (listening) attacker needs to solve the CDHP to obtain the key shared by Alice and Bob. How about an active attacker? Assume that all messages from Alice to Bob 1

and vice versa are routed through Oscar s computer. Oscar can read and modify all messages. Alice Oscar Bob Sends g a mod p receives g a mod p, sends g o mod p to Bob Sends g b mod p receives g b mod p, sends g o mod p to Alice Alice knows a, receives g o mod p, computes k 1 = (g o ) a mod p, Bob knows b, receives g o mod p, computes k 2 = (g o ) b Oscar computes k 1 and k 2 and communicates with Bob (saying I am Alice ) using k 2 and with Alice (saying I am Bob ) using k 1. Computational issues The main computations in Diffie-Hellman are exponentiations, computing g a mod p from g and a (fixed base) and (g b ) a from g b and a (variable base). If we could compute this by multiplying a times (or b times) we could solve the DLP (simply compare after each multiplication)! How do we compute the exponentiations efficiently? Example: Consider a = 37146 = 3 10000 + 7 1000 + 1 100 + 4 10 + 6 = (((((((3 10) + 7) 10) + 1) 10) + 4) 10) + 6 ( Horner scheme ) Now compute g a as ga = (((g 3 ) 10 g 7 ) 10 g 1 ) 10 g 4 ) 10 g 6. Transformation to the binary representation of a: Instead of writing a = a 0 + 10 a 1 + 100 a 2 + + 10 n a n with a i {0,..., 9}, i = 0,..., n write a in binary representation a = a 0 + 2 a 1 + 4 a 2 + + 2 n a n with a i {0, 1}, i = 0,..., n. Compute exponentation with the square-and-multiply algorithm: 2

Algorithm 1 Square-and-multiply algorithm Input: a = (a n,..., a 0 ), p, g Output: g a mod p r 1 for i from n downto 0 do r r 2 mod p if (a i = 1) then r r a mod p end if end for return r Example: Compute 2 12 mod 17. 12 = (1100) 2 = 1 8 + 1 4 + 0 2 + 0 1 r 1 i = 3 :r r 2 mod p(r = 1) r r g mod p(r = 2) i = 2 :r r 2 mod p(r = 4) r r g mod p(r = 8) i = 1 :r r 2 mod p(r = 64 mod 17 = 13) i = 0 :r r 2 mod p(r = 169 mod 17 = 16) return r(r = 16) Some remarks on Diffie-Hellman State-of-the-art Diffie-Hellman key exchange does not use this arithmetic modulo p but arithmetic on elliptic curves. The reason is that DLP and CDHP are harder to solve, at the same security level we can use the shorter keys (e.g. 256 bits instead of 3248 bits). There are more efficient algorithms than square-and-multiply, they all share the idea of scanning the exponent. Exponentiation g a can typically be made much faster than the exponentiation (g b ) a, because g is fixed (and g b is not). Dont use the square-and-multiply algorithm with a secret exponent in any realworld application! 3

Public-key cryptography The paper by Diffie and Hellman contained more than the key-exchange protocol, namely the idea of public-key cryptography: Use different keys to encrypt and to decrypt, Make encryption key public, keep the decryption key (private key) secret, Everybody can encrypt messages to,e.g, Alice, but only Alice (with her private key) can decrypt, Obvious: It must be impossible to decrypt with the public key (in particular it must be impossible to compute the private key from the public key). The paper only described this idea, it did not propose a way yo implement such a scheme. The RSA cryptosystem In 1978, Rivest, Shamir and Adleman proposed a concrete public-key cryptosystem called RSA cryptosystem. Mathematical preliminaries: What we used so far: addition, subtraction, multiplication modulo n. What about division or inversion? For each integer a with gcd(a, n) = 1 there exists an integer b such that a b mod n = 1. This integer b can be efficiently computed using the Extended Euclidean Algorithm. We call this integer b the inverse of a modulo n. Example: Let n = 7, a = 2, then b = 4 or let n = 7, a = 3, then b = 5. How many integers smaller than n have an inverse modulo n? This is what the Eulerian ϕ-function tells us: ϕ(n) = number of integers smaller than n that have an inverse modulo n. Example: For a prime p: ϕ(p) = p 1. For a product of two distict prime numbers p and q: ϕ(pq) = (p 1)(q 1). RSA key generation Pick two random large different prime numbers p and q, compute n = p q, choose e {3,..., ϕ(n) 1} such that e is invertible modulo ϕ(n), compute d, the inverse of e modulo ϕ(n). 4

Public key: (e, n), private key: d. Additional secret information: p, q, ϕ(n), can be deleted. RSA encryption Consider a message M, which is an integer smaller than n. Compute ciphertext: C = M e mod n RSA decryption Recover the message M from C by computing M = C d mod n. Why does RSA work? No proof here, see for example Handbook of Applied Cryptography, Section 8.3. Security of RSA We obviously need to consider chosen-plaintext attacks because everybody can encrypt. General question: Given many pairs (M i, C i ), i = 1,..., k, and given e, n fulfilling C i = M e i mod n, is it possible to find d, such that M i = C d i mod n, or is it possible to compute M t, given only C t = M e t mod n? If an attacker can factor n, i.e., compute p and q, he can easily compute ϕ(n) = (p 1)(q 1) and then compute the inverse of e modulo ϕ(n), which is the private key d. It would be sufficient for an attacker to compute ϕ(n) without computing p and q. This is not easier than factoring n. Assume we know n = p q and ϕ(n) = (p 1)(q 1). Then we can factor n as follows: ϕ(n) = (p 1)(q 1) = pq q p + 1 p + q = n ϕ(n) + 1, (1) 4n = 4pq = (p q) 2 (p + q) 2 (p q) 2 = (p + q) 2 4n, (2) q = ((p + q) (p q)). (3) Obtain p + q from equation (1), obtain p q from equation (2) and use both in equation (3) to obtain q (and p). An attacker could also consider computing d without knowing ϕ(n). This has been shown to be as hard as factoring n by Miller in 1975. Summary: The currently best known way to break RSA is factoring n. It has been shown that computing the private key is as hard as factoring, but it is not proven that computing M from M e mod n is as hard as factoring. 5

How hard is it to factor large numbers? Many numbers (those with small prime factors) can be factored relatively efficiently. RSA numbers (products of two large primes) are among the hardest to factor. RSA factoring records (factoring challenge numbers put online by RSA Security): Name Digits Bits Year Group RSA-100 100 330 April 1991 Lenstra et al. RSA-130 130 430 April 1996 Lenstra et al. RSA-576 174 576 Dec. 2003 Franke et al. RSA-640 193 640 Nov. 2005 Franke et al. Most recently: In December 2009, Kleinjung, Aoki, Franke, Lenstra, Thomé, Bos, Gaudry, Kruppa, Montgomery, Osvik, te Riele, Timofeev, and Zimmermann announced to have factored RSA-768 (768 bits, 232 decimal digits). The computation consisted of 3 steps (using the so-called number-field sieve) step 1: 1/2 year on 80 processors, step 2: almost 2 years on many hundreds of machines (estimate: 1500 years on one 22 GHz Opteron), step 3: 119 days on four clusters. Implementation issues of RSA Finding large prime numbers in the key generation can be done by choosing random numbers and testing whether they are prime. This will find prime numbers efficiently because there are many primes and because testing for primality is efficient (e.g., using the Miller-Rabin primality test). Exponentiation can be done as for Diffie-Hellman. General remarks about RSA Very common keysize: 1024 bits. Factoring such a number is estimated to be 1000 times harder than factoring RSA-768. RSA keysizes roughly corresponding to symmetric-key sizes (e.g. for an ideal block cipher), according to the recommendations by ECRYPT II from 2011: 816-bit RSA 64-bit symmetric 1008-bit RSA 72-bit symmetric 1248-bit RSA 80-bit symmetric... 3248-bit RSA 128-bit symmetric 6

15424-bit RSA 256-bit symmetric In principle, p and q are not required for decryption. Storing them alongside d allows us to speed up decryption. Other optimization: Use small public exponent e (e.g., e = 3). Have to be very careful, this can lead to weaknesses. Generally: Dont use plain RSA in practice, use various tweaks (for example: use a padding scheme to encrypt the same message to different ciphertexts) General remarks about public-key cryptography While RSA is based on the hardness of factoring large integers, we can also construct public-key schemes based on the hardness of the DLP (e.g. ElGamal encryption) Again, most state-of-the-art public-key cryptography use elliptic curves. All the schemes mentioned here (RSA, Diffie-Hellman, ElGamal, elliptic-curve cryptosystems) will be broken by quantum computers, when they can be build. 7

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback