Public Key Algorithms

Similar documents
Public Key Algorithms

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

CIS 551 / TCOM 401 Computer and Network Security

Overview. Public Key Algorithms II

Lecture V : Public Key Cryptography

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Asymmetric Encryption

RSA. Ramki Thurimella

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Lecture 1: Introduction to Public key cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Introduction to Modern Cryptography. Benny Chor

Cryptography IV: Asymmetric Ciphers

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Algorithmic Number Theory and Public-key Cryptography

Introduction to Public-Key Cryptosystems:

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

10 Public Key Cryptography : RSA

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Public-Key Cryptosystems CHAPTER 4

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

The RSA cryptosystem and primality tests

Ti Secured communications

Mathematics of Cryptography

Introduction to Modern Cryptography. Benny Chor

THE CUBIC PUBLIC-KEY TRANSFORMATION*

Fundamentals of Modern Cryptography

Public Key Cryptography

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

10 Modular Arithmetic and Cryptography

Mathematical Foundations of Public-Key Cryptography

RSA RSA public key cryptosystem

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Public-key Cryptography and elliptic curves

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

RSA: Genesis, Security, Implementation & Key Generation

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

1 Number Theory Basics

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Public Key Cryptography

Public Key Cryptography

Introduction to Elliptic Curve Cryptography. Anupam Datta

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

ASYMMETRIC ENCRYPTION

CPSC 467: Cryptography and Computer Security

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

CRYPTOGRAPHY AND NUMBER THEORY

Public Key Cryptography

Number theory (Chapter 4)

Winter 2011 Josh Benaloh Brian LaMacchia

Public-Key Encryption: ElGamal, RSA, Rabin

Pseudo-random Number Generation. Qiuliang Tang

Encryption: The RSA Public Key Cipher

Discrete Logarithm Problem

Introduction to Cryptography. Lecture 8

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Henning Schulzrinne Columbia University, New York Columbia University, Fall 2000

Private Key Cryptography. Fermat s Little Theorem. One Time Pads. Public Key Cryptography

basics of security/cryptography

dit-upm RSA Cybersecurity Cryptography

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Public Key Cryptography

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

8.1 Principles of Public-Key Cryptosystems

10 Concrete candidates for public key crypto

Outline. Available public-key technologies. Diffie-Hellman protocol Digital Signature. Elliptic curves and the discrete logarithm problem

Foundations of Network and Computer Security

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Number Theory & Modern Cryptography

Discrete mathematics I - Number theory

Powers in Modular Arithmetic, and RSA Public Key Cryptography

Carmen s Core Concepts (Math 135)

Chapter 4 Public Key Cryptology - Part I

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

CPSC 467b: Cryptography and Computer Security

CSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography

Network Security: Hashes

Introduction to Cryptography. Lecture 6

One can use elliptic curves to factor integers, although probably not RSA moduli.

Information Security

Discrete Mathematics GCD, LCM, RSA Algorithm

Attacks on RSA & Using Asymmetric Crypto

Cryptography. P. Danziger. Transmit...Bob...

Question: Total Points: Score:

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Transcription:

1 Public Key Algorithms ffl hash: irreversible transformation(message) ffl secret key: reversible transformation(block) encryption digital signatures authentication RSA yes yes yes El Gamal no yes no Zero-knowledge proofs no no yes Diffie-Hellman: exchange of secrets all: pair (public, private) for each principal Slide 1 Modular Addition ffl addition modulo (mod) K (poor) cipher with key K ffl additive inverse: x: add until modulo (or 0) ffl decrypt by adding inverse Slide 2

2 Modular Multiplication 0 1 2 3 4 5 6 7 8 9 0 0 0 0 0 0 0 0 0 0 0 1 0 1 2 3 4 5 6 7 8 9 2 0 2 4 6 8 0 2 4 6 8 3 0 3 6 9 2 5 8 1 4 7 ffl multiplication by 1, 3, 7, 9 works as cipher ffl multiplicative inverse x 1 : y x =1 ffl only 1, 3, 7, 9 have multiplicative inverses (e.g., 7 $ 3) ffl use Euclid s Algorithm to find inverse Slide 3 Totient Function ffl x; m relatively prime = no other common factor than 1 ffl relatively prime 6= prime (9 rel. prime 10) ffl e.g., 6 not relatively prime to 10: 2 divides both 6 and 10 ffl totient function ffi(n): number of numbers less than n relatively prime to n if n prime, f1; 2;:::;n 1g are rp ffi(n) =n 1 if n = p q, p; q distinct prime ffi(n) =(p 1)(q 1): Λ n = pq numbers in f0; 1; 2;:::;n 1g; exclude non-rp Λ exclude multiples of p or q Λ p multiples of q<pq(0,1,...), q multiples of p<pq Λ thus, exclude p + q 1 numbers don t count 0 twice Λ ffi(pq) =pq (p + q 1) = (p 1)(q 1) Slide 4

3 Modular Exponentiation x y mod n 6= x y+n mod n! x y 0 1 2 3 4 5 6 7 8 9 10 11 12 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 1 2 4 8 6 2 4 8 6 2 4 8 6 3 1 3 9 7 1 3 9 7 1 3 9 7 1 4 1 4 6 4 6 4 6 4 6 4 6 4 6 5 1 5 5 5 5 5 5 5 5 5 5 5 5 6 1 6 6 6 6 6 6 6 6 6 6 6 6 7 1 7 9 3 1 7 9 3 1 7 9 3 1 8 1 8 4 2 6 8 4 2 6 8 4 2 6 9 1 9 1 9 1 9 1 9 1 9 1 9 1 Slide 5 Modular Exponentiation ffl encryption: x 3 works, x 2 does not ffl exponentiative inverse y of x: (a x ) y = a ffl columns: 1=5; 2=6; 3=7;::: ffl x y mod n = x y mod ffi(n) mod n ffl rp(10) = f1; 3; 7; 9g ffi(n) =4 ffl true for almost all n: anyn =product of distinct primes (square-free) ffl for any y with y =1 (mod ffi(n)) x y mod n = x mod n (e.g., 1, 5 and 9) Slide 6

4 RSA ffl Rivest, Shamir, Adleman ffl variable key length (common: 512 bits) ffl ciphertext length = key length ffl slow mostly used to encrypt secret for secret key cryptography Slide 7 RSA Algorithm Generate private and public key: ffl choose two large primes, p and q, about 256 bits (77 digits) each ffl n = p q (512 bits), don t reveal p and q ffl factoring 512 bit number is hard public key: e rp ffi(n) =(p 1)(q 1) he; ni private key: d =(e mod ffi(n)) 1 hd; ni encryption: of m<n: c = m e mod n decryption: m = c d mod n verification: m = s e mod n (signature s) Slide 8

5 RSA example p = 47 q = 71 n = pq = 3337 e = 79 prime, i.e., rp to (p 1)(q 1) d = 79 1 mod 3220 = 1019 m = 688232687666683 m 1 = 688 c 1 = 688 79 mod 3337 = 1570 p 1 = 1570 1019 mod 3337 = 688 Slide 9 Why does RSA work? ffl n = pq, ffi(n) =(p 1)(q 1) ffl de =1 (mod ffi(n)) since e rp ffi(n) and d = e 1 ffl x de = x (mod n)8x ffl encryption: x e ffl decryption: (x e ) d = x ed = x ffl signature: reverse Slide 10

6 Why is RSA secure? ffl factor 512-bit number: half million MIPS years (= all US computers for one year) ffl given public key he; ni ffl need to find exponentiative inverse of e ffl need to know p, q to compute ffi(n) ffl abuse: if limited set of messages, can compare append random number ffl 2/2/1999: RSA-140 was factored. Slide 11 RSA Efficiency: Exponentiating ffl 123 54 mod 678 = (123 123 )=678 ffl modular reduction after each multiply: ffl (a b c) modm = (((a b) modm) c) modm 123 2 = 123 123 = 15129 = 213 (mod 678) 123 3 = 123 213 = 26199 = 435 (mod 678) 123 4 = 123 435 = 53505 = 435 (mod 678) ffl 54 small multiplies, 54 divides ffl exponent power of 2: 123 32 123 2 = 123 123 = 15129 = 213 (mod 678) 123 4 = 213 213 = 45369 = 671 (mod 678) 123 8 = 621 621 = 385641 = 213 (mod 678) Slide 12

7 ffl 123 2x+1 = 123 2x 123 Slide 13 RSA Efficiency: Exponentiating 54 = 110110 2 ; start with exponent 1. 10 ψ- 123 2 = 123 123 = 15129 = 213 (mod 678) 11 +1 123 3 = 213 123 = 26199 = 435 (mod 678) 110 ψ- 123 6 = 435 435 = 189225 = 63 (mod 678) 1100 ψ- 123 12 = 63 63 = 3969 = 579 (mod 678) 1101 +1 123 13 = 579 123 = 71217 = 27 (mod 678) 11010 ψ- 123 26 = 27 27 = 729 = 51 (mod 678) 11011 +1 123 27 = 51 123 = 6273 = 171 (mod 678) 110110 ψ- 123 54 = 171 171 = 29241 = 87 (mod 678) or x 54 = (((((x) 2 x) 2 ) 2 x) 2 x) 2 =87 (mod 678) 8 multiplies, 8 divides linearly with exponent bits Slide 14

8 RSA Implementation public key: O(k 2 ), private key: O(k 3 ), key generation: O(k 4 ) ffl fastest RSA hardware: 300 kb/s DES Pijnenburg PCC101 CFB 90 Mb/s Vasco CRY12C102 CFB 22 Mb/s RSA Pijnenburg PCC202 512 40 kb/s 1024 25 kb/s Vasco PQR512 512 32 kb/s ffl 90 MHz Pentium: throughput (private key) of 21.6 kb/s, 7.4 kb/s per second with a 1024-bit modulus ffl DES software: 100 times faster than RSA ffl DES hardware: 1,000 to 10,000 times faster Slide 15 Finding Big Primes p and q ffl infinite number of primes, probability 1= ln n ffl ten-digit number: 1 in 23, hundred-digit: 1 in 230 ffl pick at random and check if prime ffl bad: divide by all p n ffl Euler s Theorem: a rp n a ffi(n) =1 (mod n) ffl if n prime, ffi(n) =n 1 Theorem 1 (Fermat s Little Theorem) If p is prime and 0 <a<p, a p 1 =1 (mod p) ffl if p not prime, does not usually hold ffl pick some a<n, compute a n 1 mod n?! 1 ffl probability of accepting bad n: 10 13 repeat Slide 16

9 Carmichael Numbers ffl Carmichael numbers n: not prime, but a n 1 =1 factor in n) (mod n)8a (where a not a ffl infinitely many ffl first few: 561, 1105, 1729, 2465, 2821, 6601, 8911 ffl 246,683 below 10 16 ffl example: 7 560 mod 561 = 1, but3 560 mod 561 = 375 Slide 17 Finding Big Primes p and q: Miller and Rabin Variation on Fermat test: ffl express n 1 as 2 b c,whereb 0 ffl compute a n 1 (mod n) (Fermat) as (a c ) 2b (mod n) ffl square b times ffl if not 1 not prime; if 1, test: if a c (mod n) 6= 1 squaring not-1! 1 square root of 1 rule: if n is prime (mod n), p 1 are 1 and 1(= n 1) if p 1 6= ±1, n not prime try many values for a; 75% of a fail the test if n not prime Slide 18

10 Big Primes: Implementation 1. pick odd random number n 2. check n=f3; 5; 7; 11;:::g and try again 3. repeat until failure or confidence: (a) pick random a and compute a c (mod n), with n 1=2 b c (b) compute a c,thenb times: (a c ) 2 (c) if result = 1: operand = ±1? no prime if not Slide 19 Finding d and e ffl e = any number rp to (p 1)(q 1) ffl ed =1 (mod ffi(n)) Euclid s algorithm Options for picking e: 1. pick randomly until e is rp to (p 1)(q 1) 2. choose e and pick p; q so that (p 1); (q 1) are rp to e Slide 20

11 Having a Small Constant e ffl e same small number ffl d can t be small (searchable) ffl e =3or e = 65537 ffl can t use 2: not rp to (p 1)(q 1) ffl message must be bigger than 3p n ffl send copies of message to three people: e i = h3;n i i Trudy: m 3 mod n 1 n 2 n 3 = m 3 (Chinese remainder) choose random/individualized padding Slide 21 RSA: e =3 ffl 3rptoffi(n) =(p 1)(q 1) since d = e 1 ffl each p 1, q 1 must be rp to 3 ffl 3 is factor of x x mod3=0 ffl (p 1) rp 3 p =2 (mod 3) (p 1) = 1 (mod 3) ffl (q 1) rp 3 q =2 (mod 3) (q 1) = 1 (mod 3) ffl choose p = r 3+2, r random, odd Slide 22

12 RSA: e = 65537 ffl 65537 = 2 16 +1, (Mersenne prime: 2 n 1!) ffl only 17 multiplies to exponentiate: x 216 x ffl random 512-bit number: 768 multiplies ffl avoid 3 problems: 1. few m with m 65537 <n(512 bits) 2. have to send to 65,537 recipients 3. n rp ffi(n) reject p; q =1 (mod 65537) Slide 23 RSA Threats: Smooth Numbers ffl product of small primes ffl signed m 1 ;m 2 can compute signatures on m 1 m 2 ;m 1 =m 2 ;m j 1 ;mj 2 ;mj 1 mk 2 ffl example: m 2 1 :(md 1 mod n)2 mod n ffl if m 1 =m 2 is prime, can fake signature on that prime ffl any product of this collection ffl pad with zero on left small number smooth " ffl pad on right with x bits n 2 x ffl pad on right with random data cube root problem Slide 24

13 RSA Threats: Cube Root Problem ffl Carol wants your signature for message with digest h ffl message digest h; h 0 = pad with zeros on right ffl signature r = d 3p h 0 e r e = r 3 = h 0 Slide 25 Public Key Cryptography Standards (PKCS) ffl operational standards ffl deal with threats (smooth numbers, multiple recipients,...) ffl encryption with PKCS#1 random padding prevents guessing from known messages random padding prevents e =3, multiple-recipient attack cube root decryption longer than 21 bytes (> 11 + data) ffl signing with PKCS#2 large padding not smooth include digest algorithm prevent spoofing Slide 26

14 PKCS #1 RFC 2313 Also X.509: RSAPublicKey ::= SEQUENCE { modulus INTEGER, -- n publicexponent INTEGER } -- e Encryption block = 00jBTjPSj00jD with padding PS of k 3 jdj octets. 0 private-key 00 1 private-key FF (large!) 2 public-key pseudo-random Slide 27 PKCS #1 Signature DigestInfo ::= SEQUENCE { digestalgorithm DigestAlgorithmIdentifier, digest Digest } DigestAlgorithmIdentifier ::= AlgorithmIdentifier AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL } md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) US(840) rsadsi(113549) digestalgorithm(2) 5 } Digest ::= OCTET STRING Slide 28

15 Diffie-Hellman Key Exchange ffl shared key, public communication ffl no authentication of partners ffl p prime, ß 512 bits, public ffl g<p, public ffl Alice, Bob choose random, secret S A, S B ffl transmit T A = g SA mod p, T B = g SB mod p ffl Alice computes T S A B (mod p) =(g SB ) S A (mod p) ffl both get same number = key ffl would need to compute discrete logs to get S A from g S A ffl not secure against bucket-brigade attacks Slide 29 ffl public numbers instead of invention Slide 30

16 Bucket Brigade Attack ffl man-in-the-middle ffl X establishes security association with Alice, Bob ffl can read/write from/to both ffl relays messages, passwords between them ffl prevention: make g SA mod p public can t be replaced Slide 31 Diffie-Hellman: Offline ffl Bob publishes hp B ;g B ;T B i ffl Alice computes K AB = T S A B mod p B ffl Alice sends g S A B mod p B to Bob Slide 32

17 El Gamal Signatures ffl D-H: public: hg; p; T i; private:s; g s mod p = T ffl new public/private key for each message ffl compute T m = g Sm mod p for random S m for each msg. m ffl digest d m = mjt m ffl signature = X = S m + d m S (mod p 1) ffl transmit m; X; T m ffl verification: g X =?T m T d m mod p g X = g S m+d m S = g S m g Sdm = T m T dm (mod p) Slide 33 El Gamal Properties Exercises: ffl message modification signature won t match ffl signature does not divulge S ffl don t know S can t sign Slide 34

18 Digital Signature Standard (DSS) ffl related to El Gamal, but some computations modq, q = 160 bits < jpj = 512 bits ffl speeded up for signer rather than verifier: chip cards Slide 35 DSS Algorithm 1. generate public p (512 bit prime) and q (160 bit prime) p = kq +1 2. generate public g g q =1 (mod p) 3. choose long-term ht;si with random S T = g S mod p for S<q 4. choose ht m ;S m i with random S m ffl T m =((g Sm mod p) modq ffl calculate S 1 m mod q 5. calculate d m = SHS(message) Slide 36

19 6. signature X = S 1 m (d m + ST m )modq 7. transmit m; T m ;X 8. verify based on d m : z =? T m x = d m X 1 mod q y = T m X 1 mod q z = (g X T y mod p) modq Slide 37 DSS Algebra v = (d m + ST m ) 1 mod q X 1 = (S 1 m (d m + ST m )) 1 = S m (d m + ST m ) 1 = S m v mod q x = d m X 1 = d m S m v mod q y = T m X 1 = T m S m v mod q z = g x T y = g d ms m v g ST m S m v = g (d m+st m )S m v = g S m = T m mod p mod q any multiple of q in exponent drops out Slide 38

20 RSA vs. DSS ffl fixed moduli fflhp; q; gi pick one juicy target ffl trapdoor primes ffl slower than RSA(e =3), but signatures can be done ahead of time ffl needs per-message random secret ffl patent (Schnorr) Slide 39 Zero-Knowledge Proofs ffl prove knowledge without revealing it ffl RSA signatures ffl graph isomorphism: rename vertices ffl Alice: graph A and B ο A ffl public key: graphs A; B ffl private key: mapping between vertices ffl Alice: create G i and sends to Bob ffl Bob! Alice: how did A or B! G i? ffl zero-knowledge: Bob knows some G i s ffl Fred can create G i from either A or B, but not both Slide 40

21 Zero-Knowledge Proofs: Fiat-Shamir ffl Alice: public key hn; vi, n = pq ffl v: Alice knows secret s = p v (mod n) 1. Alice chooses k random numbers r 1 ;:::;r k 2. Alice sends r 2 i mod n 3. Bob chooses a random subset 1 of ri 2 subset 1 subset 2 Alice sends sr i mod n r i mod n Bob checks (sr i ) 2 (r i ) 2 =? vr 2 i (r i ) 2 Fred 4. finding square roots is hard (r i ) 2 (easy) Slide 41 5. Fred gets some hri 2 ;sr ii 6. can use these for subset 1, pick own for subset 2 7. Carol picks which she wants much faster than RSA: 45 multiplies for Alice, Bob Slide 42

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback