Public-Key Cryptosystems CHAPTER 4

Similar documents
Lecture 1: Introduction to Public key cryptography

10 Public Key Cryptography : RSA

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Cryptography IV: Asymmetric Ciphers

Practice Assignment 2 Discussion 24/02/ /02/2018

CPSC 467b: Cryptography and Computer Security

Chapter 8 Public-key Cryptography and Digital Signatures

Lecture Notes, Week 6

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

Mathematics of Cryptography

CRYPTOGRAPHY AND NUMBER THEORY

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

RSA RSA public key cryptosystem

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Question: Total Points: Score:

Introduction to Modern Cryptography. Benny Chor

CPSC 467: Cryptography and Computer Security

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Carmen s Core Concepts (Math 135)

Introduction to Cryptography. Lecture 8

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Public-Key Encryption: ElGamal, RSA, Rabin

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

One can use elliptic curves to factor integers, although probably not RSA moduli.

Discrete Logarithm Problem

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

RSA. Ramki Thurimella

A new security notion for asymmetric encryption Draft #12

Public Key Encryption

An Introduction to Probabilistic Encryption

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Asymmetric Encryption

Lecture V : Public Key Cryptography

Cryptography. P. Danziger. Transmit...Bob...

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

Introduction to Modern Cryptography. Benny Chor

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

CIS 551 / TCOM 401 Computer and Network Security

A new security notion for asymmetric encryption Draft #10

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Week 7 An Application to Cryptography

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Number theory (Chapter 4)

Other Public-Key Cryptosystems

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Solution to Midterm Examination

CPSC 467b: Cryptography and Computer Security

Number Theory & Modern Cryptography

Cryptography and Security Midterm Exam

1 Number Theory Basics

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Methods of Public-Key Cryptography. Émilie Wheeler

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Algorithmic Number Theory and Public-key Cryptography

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

8.1 Principles of Public-Key Cryptosystems

MATH 158 FINAL EXAM 20 DECEMBER 2016

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

10 Modular Arithmetic and Cryptography

The security of RSA (part 1) The security of RSA (part 1)

Public Key Cryptography

Introduction. will now introduce finite fields of increasing importance in cryptography. AES, Elliptic Curve, IDEA, Public Key

Math/Mthe 418/818. Review Questions

Public Key Algorithms

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Lecture 11: Key Agreement

Discrete Mathematics GCD, LCM, RSA Algorithm

Introduction to Cybersecurity Cryptography (Part 5)

University of Regina Department of Mathematics & Statistics Final Examination (April 21, 2009)

Cryptography and Security Final Exam

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

CPSC 467b: Cryptography and Computer Security

Public Key Cryptography

Outline. Available public-key technologies. Diffie-Hellman protocol Digital Signature. Elliptic curves and the discrete logarithm problem

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Fundamentals of Modern Cryptography

Eindhoven University of Technology MASTER. Kleptography cryptography with backdoors. Antheunisse, M. Award date: 2015

CPSC 467b: Cryptography and Computer Security

arxiv: v3 [cs.it] 14 Nov 2012

14 Diffie-Hellman Key Agreement

THE CUBIC PUBLIC-KEY TRANSFORMATION*

Cryptography. pieces from work by Gordon Royle

CPSC 467b: Cryptography and Computer Security

Other Public-Key Cryptosystems

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

ASYMMETRIC ENCRYPTION

Introduction to Cybersecurity Cryptography (Part 4)

Notes for Lecture 17

Transcription:

Public-Key Cryptosystems CHAPTER 4

Introduction

How to distribute the cryptographic keys?

Naïve Solution

Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage: a quadratic number of keys is needed

Problems Someone (Key Distribution Center, KDC) need to distribute the keys. Feasible: if the users are, e.g., working in one company. Infeasible: if the users on the internet. Relies on the honesty of KDC. KDC needs to be permanently available. The users need to store large number of keys in a secure way For 1000 users, we need to 1000 2 = 1000000 keys. Solution?

Public Key Cryptography PKC also solves the message source authentication problem: Only Alice can sign a message, using K. Anyone can verify the signature, using K'. Only if such a function could be found...

Diffie-Hellman Key Exchange The DHKE established in 1976 fundamentally has its security based on the DLP. It is obvious that to solve the DLP via polynomial time algorithms is not feasible. The protocol allows two users to exchange a secret key over an insecure medium without any prior secrets.

Diffie-Hellman Key Exchange Some Preliminaries: Def: An element g is called a generator of a group G if every element in G can be expressed as the product of finitely many powers of g. Def: If p 1 is an integer, then the numbers coprime to p, taken modulo p, form a group with multiplication as its operation. It is written as (Z/pZ) or Z p*. This group is cyclic and any generator, g, of the group is called a primitive root mod p.

Diffie-Hellman Key Exchange Public Parameter Creation A trusted party chooses and publishes a large prime p and an integer g having a large order in Z p Alice Chooses a secret random integer a. Computes A g a (mod p) Along sends A to Busu Private Computation (Setup) Public Exchange of Values Private Computation Bob Chooses a secret random integer b. Computes B g b (mod p) Busu sends B to Along Along computes B a (mod p) Busu computes A b (mod p) The shared secret key is B a (mod p) (g b ) a g ab (g a ) b A b (mod p)

Diffie-Hellman Key Exchange If Eve wants to compute k, then she would need either a or b. Otherwise, Eve would need to solve a Discrete Logarithm Problem. There is no known algorithm to accomplish this in a reasonable amount of time.

Diffie-Hellman Key Exchange Example: Suppose Alice and Bob agree to use p = 47 and g = 5. Setup Alice chooses a number between 0 and 46, say a = 18. Bob chooses a number between 0 and 46, say b = 22. Exchange Alice publishes ga (mod p), i.e. u = 518 (mod 47) = 2. Bob publishes gb (mod p), i.e. v = 522 (mod 47) = 28.

Diffie-Hellman Key Exchange Private Computation: If Alice wants to know the secret key k, she takes Bob s public number, v = 28, and raises it to her private number, a = 18 (taking the result mod 47). This gives her: 2818 (mod 47) = 24. If Bob wants to know the secret key, he takes Alice s public number, u = 2, and raises it to his private number, b = 22 (taking the result mod 47). This gives him: 222 (mod 47) = 24. Thus, Alice and Bob have agreed upon a secret key, k = 24.

El-Gammal Public Key Cryptosystem The El-Gammal PKC was designed by Taher El-Gammal in 1985. It came after the RSA, but because of its underlying structure that utilizes the DLP, we present it first. Differing from the objective of a key exchange mechanism, a cryptosystem has the objective to encrypt messages.

Public Parameter Creation A trusted third party chooses and publishes a large prime p and a primitive root g modulo p. Key Creation Alice Bob Choose a private key 1 a p-1. Compute A = g a (mod p). Publish the public key A. Encryption Decryption Choose plaintext m. Choose random ephemeral key k. Use Along s public key A to compute: i. c 1 = g k (mod p) ii. c 2 = ma k (mod p) 4. Send ciphertext (c 1, c 2 ) to Along. Compute (c 1a ) -1 c 2 (mod p)=m.

El-Gammal Public Key Cryptosystem Proof: (Proof of correctness) a c 1 1 c 2 g ka 1 ma k g ka 1 mg ak m mod p. Example 4.1.1 Create your own example.

El-Gammal Public Key Cryptosystem Plaintext x is masked by a random factor, g αk mod p. DH problem: Given g α, g k mod p, what is g αk mod p? p, g can be common. Then g k mod p can be computed in advance. Same k should not be used repeatedly. Performance: encryption: two exponentiations decryption: one exponentiation, one inversion Size: Ciphertext twice as large as plaintext.

Cryptanalysis on DHKE In general Eve has the following objective in order to break into a DHKE protocol: obtain Alice s random secret exponent or Bob s random secret exponent solving the DLP, but no sufficient algorithm solve it in feasible time. Is that the only way where Eve can break into the system?

Cryptanalysis on DHKE Definition 4.7.1(Diffie Hellman Problem) Let p be a prime number and g an integer. The Diffie Hellman Problem (DHP) is the problem of computing the value g ab mod p from the known values g a mod p and g b mod p.

Cryptanalysis on DHKE Remark 4.7.1 It is clear that DHP is NOT MUCH HARDER THAN DLP (DHP p DLP). That is, if you solve DLP you solve DHP. BUT if Eve has an algorithm that solves DHP, Eve does not need to solve DLP. This means, there MAYBE a way to solve DHP without solving DLP. Unless if you can prove that DHP p DLP, it is only then Eve will have no other option to break DHKE other than solving the DLP. (DO YOU UNDERSTAND???)

Man in the middle attack on DHKE The MITM attack upon the DHKE is conducted as follows: Eve observes a key exchange between Alice and Bob. Eve intercepts Bob public value, B g b mod p. Eve masquerades as Alice and returns to Bob her public value, E g e mod p. Eve masquerades as Bob and returns to Alice her public value, E g e mod p. Then both Eve and Alice have the same shared key EA = g ae mod p and Eve and Bob have the same shared key EB = g be mod p Then upon intercepting intended from Bob to Alice, Eve can now read/modify. After reading, Eve can either modify or relay the cipher back to Alice encrypted with EA. Alice can decrypt by using Eve s public (to generate AE = g ea mod p ).

RSA Cryptosystem Definition 4.3.1 (Euler s φ function) defined as the number of positive integers less than and relatively prime to n Let φ N be the number of integers 1 a N such that gcd a, N = 1 Example 4.3.1 φ 10 = 4. The integers are 1,3,7,9 Proposition 4.3.1 Let p and q be 2 distinct primes and N = pq. Then, φ N = p 1 q 1 Proof: (Assignment) Remark 4.3.1 The function φ N counts the number of numbers that are relatively prime to N.

RSA Cryptosystem Theorem 4.3.2 (Euler s theorem) If gcd a, N = 1, then aφ N 1 mod N, where is Euler s totient function. Proof: Example 4.3.2 Compute 2 43210 mod 101. Solution: 101 is prime. From Fermat s little theorem 2 100 1 mod 101. Therefore, 2 43210 2 100 432 2 10 1 432 2 10 1024 14 mod 101.

RSA Cryptosystem Remark 4.3.2 It is obvious that FLT helps to reduce the number of exponentiations involved. Exercises 4.3.1 1. Divide 2 10203 by 101. What is the remainder? 2. Suppose you write a message as a number m mod 31. Encrypt m as m 7 mod 31. How would you decrypt? Assignment Hint: Decryption is done by raising the ciphertext to a power mod 31. Fermat s little theorem will be useful.

The RSA Algorithm Key Generation INPUT: The size n of the prime numbers. OUTPUT: A public key tuple N, e and a private key tuple p, q, d. 1. Generate two random and distinct n-bit strong primes p, q. 2. Compute N = pq and φ N = p 1 q 1. 3. Choose random e such that gcd e, φ N = 1. 4. Compute integer d such that ed 1 mod φ N. 5. Return the public key tuple N, e and a private key pair p, q, d.

The RSA Algorithm Encryption INPUT: The public key pair N, e and the message M Z N. OUTPUT: The ciphertext C. Compute C M e mod N Decryption INPUT: The private key d and the message ciphertext C. OUTPUT: The message M. Compute M C d mod N Proof: (Proof of correctness)

The RSA Algorithm Example: Perform encryption and decryption using the RSA algorithm for the following: 1. p = 17; q = 11, e = 7;M = 88 2. p = 11; q = 13, e = 11;M = 7 3. p = 17; q = 31, e = 7;M = 2 In a public-key system using RSA, you intercept the ciphertext C = 10 sent to a user whose public key is e = 5, n = 35.What is the plaintext M?

RSA Cryptosystem Remark 4.3.3 1. What is difficult for the adversary to do in order to break RSA? 2. Are the problems that the adversary need to overcome solvable in polynomial time? 3. Do you have an idea how to break RSA? Remark 4.3.4 The RSA PKC relies on the difficulty of solving equations of the form x e c mod N (or c x e mod N ) where the quantities e, c and N are known. The security of RSA relies on the assumption that it is difficult to compute the e th roots modulo N. This problem is also known as the RSA problem.

RSA Cryptosystem Proposition 4.3.3 Solving RSA problem p Factoring N = pq. Proof: If N = pq is factored then d can be computed via de 1 mod φ N RSA problem will be solved.. Then Remark 4.3.5 It is still unknown whether if one solves the RSA problem, one is able to factor N = pq.

RSA Cryptosystem Proposition 4.3.2 Let p and q be distinct primes and let e 1 be an integer that satisfies the condition gcd e, p 1 q 1 = 1. We know there exists a multiplicative inverse d of e such that de 1 mod p 1 q 1. Then the congruence relation x e c mod pq has the unique solution x c d mod pq. Remark 4.3.6 What happens when if N is just a prime? We will now discuss that if N is just a prime (not a product of primes) it is comparatively easy to compute e th roots modulo N.

RSA Cryptosystem Proposition 4.3.3 Let p be a prime and let e 1 be an integer that satisfies the condition gcd e, p 1 = 1. We know there exists an inverse d such that de 1 mod p 1. Then the congruence relation x e c mod p has the solution x c d mod p. Proof: From de 1 mod p 1 there exists k Z such that we have de = 1 + k p 1. Now, c d e c de c 1+k p 1 c c p 1 k c 1 k c mod p. This completes the proof that c d is the e th root modulo p of c.

RSA Cryptosystem Example 4.3.3 Solving x 1583 4714 mod 7919. Observe that 7919 is a prime. Now, let us find d in order to solve d1583 1 mod 7918.We get (via Extended Euclidean Algorithm) d 5277 mod 7918. Hence, x 4714 5277 6059 mod 7919 is the solution.

RSA Cryptosystem Example 4.3.4 Solve the congruence relation x 9843 134872 mod 30069476293. Observe that the modulus 30069476293 is not a prime since from our earlier lectures (section 2.6) we can see that 2 30069476293 1 18152503626 1 mod 30069476293 It happens that 30069476293 is a product of 2 prime numbers. But since we do not know the prime factors, we cannot use Proposition 4.3.2 to help us!!!

RSA Cryptosystem ASSIGNMENT Alice publishes his Public key N= 2038667 and exponent e = 103. 1. Bob wants to send to Alice the message m=8923283. Determine the ciphertext. 2. Determine Alice s private key d. 3. Alice receives a ciphertext c=317730 from Bob. Decrypt the ciphertext. (Just provide the numbers)

Rabin Cryptosystem Introduced on 1979 by Rabin. The Rabin cryptosystem utilizes the square root modulo problem. Its an optimal implementation of RSA with the encryption exponent e = 2. The scheme utilizes the CR for decryption. The situation of a 4-to-1 mapping during decryption has deterred it from being utilized.

Rabin Cryptosystem Key Generation INPUT: The size n of the prime numbers. OUTPUT: A public key N = pq and a private key pair p, q. Generate two random and distinct n-bit strong primes p, q satisfying p 3 mod 4 and 2 n < p < 2 n+1, q 3 mod 4 and 2 n < q < 2 n+1. Compute N = pq.

Rabin Cryptosystem Encryption INPUT: The public key N = pq and the message M Z N. OUTPUT: The ciphertext C. Compute C M 2 mod N Decryption INPUT: The private key p, q and the ciphertext C. OUTPUT: The message M. Compute the square roots of C via CRT since we have the factors of N.

Rabin Cryptosystem Let m = 32 1) The key: K = {n, p, q} = {77, 7, 11} 2) The encryption function is applied: e k (m) = m 2 mod n = e k (32) = 32 2 mod 77 = 23 = c Now, the ciphertext c = 23 can be sent. 3) The decryption algorithm is applied: m p = c (p+1)/4 mod p = 23 (7+1)/4 mod 7 = 4 m q = c (q+1)/4 mod q = 23 (11+1)/4 mod 11 = 1

Rabin Cryptosystem The Rabin Cryptosystem: example (2) First, we compute b1 y b2 : N/7 b 1 1 mod 7 b 1 = 2 N/11 b 2 1 mod 11 b 2 = 8 x 4 mod 7 and x 1 mod 11 : x = a 1 b 1 (M/m 1 ) + a 2 b 2 (M/m 2 ) = 4 x 2 x 11 + 1 x 8 x 7 x 144 = 67 mod 77 x = 67 x 3 mod 7 and x 1 mod 11 : x = a 1 b 1 (M/m 1 ) + a 2 b 2 (M/m 2 ) = 11 x 2 x 3 + 7 x 8 x 1 x 122 = 45 mod 77 x = 45 For symmetry: 77 67 = 10 x = 10 77 45 = 32 x = 32

Rabin Cryptosystem Remark 4.4.1 The Rabin cryptosystem is known to have decryption failure due to its 4-1 mapping. strategies to overcome this feature of the Rabin cryptosystem. Redundancy in the message [Menezes et.al., 1996]. This scheme has a probability 1 decryption failure of approximately 2l 1 where l is the least significant binary string of the message. Extra bits [Kurosawa et. al, 2001]. One will send 2 extra bits of information to specify the square root. The encryption process requires the computation of the Jacobi symbol. This results in a computational overhead which is much more than just computing a single square modulo N. Williams technique [Williams, 1980]. The encryption process requires the encryptor to compute a Jacobi symbol. Hence, losing the performance advantage of Rabin over RSA (as in point no.2).

Rabin-RZ Cryptosystem Key Generation INPUT: The size n of the prime numbers. OUTPUT: A public key N = p 2 q and a private key pair p, q. Generate two random and distinct n-bit strong primes p, q satisfying p 3 mod 4 and 2 n < p < 2 n 1, q 3 mod 4 and 2 n < q < 2 n 1. Compute N = p 2 q.

Rabin-RZ Cryptosystem Encryption INPUT: The public key N = p 2 q and the message M Z N. OUTPUT: The ciphertext C. Compute C M 2 mod N Decryption INPUT: The private key p, q and the ciphertext C. OUTPUT: The message M. M 2 C mod pq, Compute the square roots of C via CRT. Check k = C m2 p 2 q, if k then m is the unique solution

Rabin-RZ Cryptosystem Proof of correctness PoC: C m 2 mod N C = m 2 + k p 2 q k = C m i 2 p 2 q, where i=1 to 4 Check for k ϵ Z, so there is one solution {(k i, m i )} to solve.

Rabin-RZ Cryptosystem Bivariate function hard problem: Proposition: Let F(x 1, x 2,..., x n ) be a multivariate one-way function that maps F Z n Z+(2 n 1,2 n 1 ). Let F1 and F2 be such functions (either identical or non-identical) such that A 1 = F 1 (x 1, x 2,..., x n ), A 2 =F 2 (y 1, y 2,..., y n ) and gcd(a 1,A 2 )=1. Let u, v Z + (2 m 1,2 m 1). Let G(u,v)=A1u+A2v If at minimum m n 1 = k, where 2 k is exponentially large for any probabilistic polynomial time (PPT) adversary to sieve through all possible answers, it is infeasible to determine (u,v) over Z from G(u,v). Furthermore, (u,v)is unique for G(u,v) with high probability.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback