Public Key Cryptgraphy Tim van der Hrst & Kent Seamns Last Updated: Oct 5, 2017
Asymmetric Encryptin
Why Public Key Crypt is Cl Has a linear slutin t the key distributin prblem Symmetric crypt has an expnential slutin Send messages t peple yu dn t share a secret key with S nly they can read it They knw it came fr yu
Number Thery
Prime Numbers Definitin: An integer whse nly factrs are 1 and itself There are an infinite number f primes Hw many primes are there? Any large number n has abut a 1 in ln(n) chance f being prime
Prime Number Questins* If everyne needs a different prime number wn t we run ut? Apprximately 10 151 primes 512 bits (r less) Atms in the universe: 10 77 If every atm in the universe needed 1 billin primes every micrsecnd frm the beginning f time until nw yu wuld need 10 109 primes That means there s still abut 10 151 left What if tw peple pick the same prime? Odds are significantly less than the dds f yur cmputer spntaneusly cmbusting at the exact mment yu win the ltt Surce: Applied Cryptgraphy (Schneier)
Prime Number Questins* Culdn t smene create a database f all primes and use that t break public key crypt? Assuming yu culd stre 1 GB/gram, then the weight f a drive cntaining the 512-bit primes wuld exceed the Chandrasar limit and cllapse int a black hle Surce: Applied Cryptgraphy (Schneier)
Prime Factrizatin : The Fundamental Therem f Arithmetic All integers can be expressed as a prduct f (pwers f) primes 48 = 2 * 2 * 2 *2* 3 Factrizatin is the prcess f finding the prime factrs f a number This is a hard prblem fr large numbers
Greatest Cmmn Divisr (GCD) A.k.a., greatest cmmn factr The largest number that evenly divides tw numbers GCD (15, 25) = 5
Relatively Prime Tw numbers x and y are relatively prime if their GCD = 1 N cmmn factrs except 1 Example 38 and 55 are relatively prime 38 = 2 * 19 55 = 5 * 11
Mdular (%) Arithmetic Smetimes referred t as clck arithmetic r arithmetic n a circle Tw numbers a and b are said t be cngruent (equal) mdul N iff (a-b)/n=0 Their difference is divisible by N with n remainder Their difference is a multiple f N a%n º b%n Example: 30 and 40 are cngruent md 10 Mdul peratin Find the remainder (residue) 15 md 10 = 5
Ntatin Z - the set f integers { -2,-1,0,1,2 } Z n - the set f integers mdul n; {0..n-1} Z n * - the multiplicative grup f integers mdul n the set f integers mdul n that are relatively prime t n Z n * is clsed under multiplicatin md n Z n * des nt cntain 0 since the GCD(0,n)=n Z 10 * =? Z 12 * =? Z 14 * =?
Additive Inverse In Z, the additive inverse f 3 is -3, since 3 + -3 = 0, the additive identity. In Z n, the additive inverse f a is n-a, since a+(n-a) = n, which is cngruent t 0 (md n). What is the additive inverse f 4 md 10?
Multiplicative Inverse In Z, the multiplicative inverse f 3 is 1/3, since 3*1/3=1 The multiplicative identity in bth Z and Z n is 1 The multiplicative inverse f 3 md 10 is 7, since 3*7=21=1 (md 10) This culd be written 3-1, r (rarely) 1/3
Distributive Prperty Distributin in + and * Mdular arithmetic is distributive. a+b (md n) = (a md n) + (b md n) (md n)
Big Examples What is the sum f these numbers mdul 20? 1325104987134069812734109243861723406983176 1346139046817340961834764359873409884750983 3632462309486723465794078340898340923876314 3641346983862309587235093857324095683753245 + 2346982743069384673469268723406982374936877
Big Examples What is the prduct f these numbers mdul 25? 1234659823572938572 2139582753931306947 1398173619384713413 2496827464249812355 2436781359183781379 * 1351839761361377050
Mdular Expnentiatin Prblems f the frm c = b e md m given base b, expnent e, and mdulus m If b, e, and m are nn-negative and b < m, then a unique slutin c exists and has the prperty 0 c < m Fr example, 12 = 5 2 md 13 Mdular expnentiatin prblems are easy t slve, even fr very large numbers Hwever, slving the discrete lgarithm (finding e given c, b, and m) is believed t be difficult
Brute Frce Methd The mst straightfrward methd t calculating a mdular expnent is t calculate b e directly, then t take this number mdul m. Cnsider trying t cmpute c, given b = 4, e = 13, and m = 497: One culd use a calculatr t cmpute 4 13 ; this cmes ut t 67,108,864. Taking this value mdul 497, the answer c is determined t be 445. Nte that b is nly ne digit in length and that e is nly tw digits in length, but the value b e is 10 digits in length. In strng cryptgraphy, b is ften at least 256 binary digits (77 decimal digits). Cnsider b = 5 * 10 76 and e = 17, bth f which are perfectly reasnable values. In this example, b is 77 digits in length and e is 2 digits in length, but the value b e is 1304 decimal digits in length. Such calculatins are pssible n mdern cmputers, but the sheer enrmity f such numbers causes the speed f calculatins t slw cnsiderably. As b and e increase even further t prvide better security, the value b e becmes unwieldy. The time required t perfrm the expnentiatin depends n the perating envirnment and the prcessr. If expnentiatin is perfrmed as a series f multiplicatins, then this requires O(e) time t cmplete. Surce: wikipedia mdular expnentiatin
Diffie Hellman Prject Write yur wn mdular expnentiatin rutine Use a bignum library Divide and cnquer algrithm O(lg e)
Diffie-Hellman Key Exchange
Diffie-Hellman Key Exchange Allws tw users t establish a secret key ver an insecure medium withut any prir secrets Tw system parameters p and g. Public values that may be used by all the users in a system Parameter p is a large prime number Parameter g (usually called a generatr) is an integer less than p, such that fr every number n with 0 < n < p, there is a pwer k f g such that n = g k md p g is primitive rt
Diffie-Hellman Key Exchange Suppse Alice and Bb want t establish a shared secret key Alice and Bb agree n r use public values p,g p is a large prime number g is a generatr Alice generates a randm private value a and Bb generates a randm private value b where a and b are integers Alice and Bb derive their public values using parameters p and g and their private values Alice's public value = g a md p Bb s public value is g b md p Alice and Bb exchange their public values Alice cmputes g ba = (g b ) a md p Bb cmputes g ab = (g a ) b md p Since g ab = g ba = k, Alice and Bb nw have a shared secret key k
A Crwded Rm f a=50 5 50 % 47 = 14 Mathematicians 31 50 % 47 = 18 g=5 P=47 b=49 5 49 % 47 = 31 14 49 % 47 = 18 14 31
Why is DH Secure? Discrete lgarithm prblem Inverse f mdular expnentiatin c = b e md m e is called the discrete lgarithm Slving the discrete lgarithm (finding e given c, b, and m) is believed t be difficult fr large numbers
Attacks Against DH Diffie-Hellman Key Exchange is secure against a passive attacker Hw can an active attacker disrupt the prtcl? Man in the middle Mdify Alice/Bb public values as they are exchanged Replace with Mallry s public values Replace with the value 1 Replace with h, where h has a small rder
Practical Cnsideratins Chse a safe prime p where p=2q+1 where q is als prime Hw big shuld p be? 2048 bits (Surce: Cryptgraphy Engineering, Fergusn et al.) Use p, q, and g fr perfrmance reasns (smaller subgrup) Check public values fr security prperties Public values nt equal t 1 Public values that d nt belng in t small a grup Hash final result f DH t generate a shared key fr Alice/Bb Hw t frtify the prtcl against active attackers? Create a certified list f public values Use digitally signed public parameters