ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Similar documents
CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Chapter 11 : Private-Key Encryption

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Encryption: ElGamal, RSA, Rabin

ASYMMETRIC ENCRYPTION

Lecture 17: Constructions of Public-Key Encryption

Introduction to Cryptography. Lecture 8

Practice Assignment 2 Discussion 24/02/ /02/2018

Lecture 28: Public-key Cryptography. Public-key Cryptography

Introduction to Cybersecurity Cryptography (Part 5)

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

Lecture 22: RSA Encryption. RSA Encryption

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Introduction to Cybersecurity Cryptography (Part 4)

CPSC 467b: Cryptography and Computer Security

1 Number Theory Basics

Cryptography IV: Asymmetric Ciphers

Introduction to Cybersecurity Cryptography (Part 4)

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Introduction to Modern Cryptography. Benny Chor

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture Notes, Week 6

El Gamal A DDH based encryption scheme. Table of contents

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Public-Key Cryptosystems CHAPTER 4

RSA RSA public key cryptosystem

5.4 ElGamal - definition

RSA. Ramki Thurimella

Provable security. Michel Abdalla

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Notes for Lecture 17

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Mathematics of Cryptography

5199/IOC5063 Theory of Cryptology, 2014 Fall

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Chapter 8 Public-key Cryptography and Digital Signatures

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Lecture V : Public Key Cryptography

Lecture 1: Introduction to Public key cryptography

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Introduction to Public-Key Cryptosystems:

Lecture 11: Key Agreement

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Introduction to Modern Cryptography. Benny Chor

5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA

RSA-OAEP and Cramer-Shoup

CIS 551 / TCOM 401 Computer and Network Security

Public-Key Encryption

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

The Cramer-Shoup Cryptosystem

Foundations of Network and Computer Security

Advanced Cryptography 1st Semester Public Encryption

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

Public Key Cryptography

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

CPSC 467b: Cryptography and Computer Security

Solutions to homework 2

Lecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes

Discrete Logarithm Problem

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

CPSC 467: Cryptography and Computer Security

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Advanced Topics in Cryptography

Public Key Cryptography

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Cryptography and Security Midterm Exam

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Lecture Note 3 Date:

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

BU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Historical cryptography. cryptography encryption main applications: military and diplomacy

General Impossibility of Group Homomorphic Encryption in the Quantum World

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

CPSC 467b: Cryptography and Computer Security

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Great Theoretical Ideas in Computer Science

Lecture 16: Public Key Encryption:II

Introduction to Cryptography. Susan Hohenberger

Discrete Mathematics GCD, LCM, RSA Algorithm

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Theory of Computation Chapter 12: Cryptography

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Cryptography and Security Final Exam

Digital Signatures. Adam O Neill based on

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

MATH 158 FINAL EXAM 20 DECEMBER 2016

Advanced Cryptography 03/06/2007. Lecture 8

Week : Public Key Cryptosystem and Digital Signatures

Transcription:

ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland, College Park

Slides adjusted from: http://dziembowski.net/teaching/biss09/ 2009 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.

The handbook RSA encryption N = pq - RSA modulus e is such that gcd(e, φ(n)) = 1, d is such that ed = 1 (mod φ(n)) Enc (e,n) (m) = m e mod N, and Dec (d,n) (c) = c d mod N.

Problems Enc pk is deterministic, so: if one encrypts twice the same message then the ciphertexts are the same Therefore if the message space M is small, the adversary can check all possible messages: given a ciphertext c do: for every m є M check if Enc pk (m) = c for example if M={yes,no}, then the encryption is not secure. RSA has some algebraic properties.

Algebraic properties of RSA 1. RSA is homorphic: Enc (e,n) (m 0 m 1 ) = (m 0 m 1 ) e = m 0e m 1 e = Enc (e,n ) (m 0 ) Enc (e,n ) (m 1 ) why is it bad? By checking if c 0 c 1 = c the adversary can detect if Dec (d,n) (c 0 ) Dec (d,n) (c 1 ) = Dec d (c)

Question: Is RSA secure? Looks like it has some weaknesses... Plan: 1. Provide a formal security definition. 2. Modify RSA so that it is secure according to this definition.

A mathematical view A public-key encryption (PKE) scheme is a triple (Gen, Enc, Dec) of poly-time algorithms, where Gen is a key-generation randomized algorithm that takes as input a security parameter 1 n and outputs a key pair (pk,sk). Enc is an encryption algorithm that takes as input the public key pk and a message m, and outputs a ciphertext c, Dec is an decryption algorithm that takes as input the private key pk and the ciphertext c, and outputs a message m. We will sometimes write Enc pk (m) and Dec sk (c) instead of Enc(pk,m) and Dec(sk,c). Correctness P(Dec sk (Enc pk (m)) m) is negligible in n

A simplified view security parameter 1 n 1. selects random (pk,sk) = Gen(1 n ) 2. chooses a random b = 0,1 pk challenge phase: oracle chooses m 0,m 1 m 0,m 1 c = Enc(pk,m b ) has to guess b

CPA-security Security definition: Alternative name: CPA-secure We say that (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (CPA) if any randomized polynomial time adversary guesses b correctly with probability at most 0.5 + ε(n), where ε is negligible.

Is the handbook RSA secure? the handbook RSA N = pq - RSA modulus e is such that gcd(e,d) = 1, d is such that ed = 1 (mod φ(n)) Enc (N,e) (m) = m e mod N, and Dec (d,n) (c) = c d mod N. In fact: Not secure! No deterministic encryption scheme is secure. How can the adversary win the game? 1. he just chooses any m 0,m 1, 2. computes c 0 =Enc(pk,m 0 ) himself 3. compares the result. Moral: encryption has to be randomized.

Encoding Therefore, before encrypting a message we usually encode it (adding some randomness). This has the following advantages: makes the encryption non-deterministic breaks the algebraic properties of encryption.

How is it done in real-life? PKCS #1: RSA Encryption Standard Version 1.5: public-key: (N,e) let k := length on N in bytes. let D := length of the plaintext requirement: D k - 11. Enc((N,e), m) := x e mod N, where x is equal to: k bytes 00000000 00000001 r 00000000 m (k - D - 3) random non-zero bytes D bytes

Security of the PKCS #1: RSA Encryption Standard Version 1.5. It is believed to be CPA-secure. It has however some weaknesses (it is not chosen-ciphertext secure ). Optimal Asymmetric Encryption Padding (OAEP) is a more secure encoding. (we will not refer to that)

Algorithmic Issues The implementation of the RSA cryptosystem requires various algorithms Overall Representation of integers of arbitrarily large size and arithmetic operations on them Encryption Modular power Decryption Modular power Setup Generation of random numbers with a given number of bits (to generate candidates p and q) Primality testing (to check that candidates p and q are prime) Computation of the GCD (to verify that e and f(n) are relatively prime) Computation of the multiplicative inverse (to compute d from e)

Modular Power The repeated squaring algorithm speeds up the computation of a modular power a p mod n Write the exponent p in binary p = p b - 1 p b - 2 p 1 p 0 Start with Q 1 = a p b - 1 mod n Repeatedly compute Q i = ((Q i - 1 ) 2 mod n)a p b - i mod n We obtain Q b = a p mod n The repeated squaring algorithm performs O (log p) arithmetic operations Example 3 18 mod 19 (18 = 10010) Q 1 = 3 1 mod 19 = 3 Q 2 = (3 2 mod 19)3 0 mod 19 = 9 Q 3 = (9 2 mod 19)3 0 mod 19 = 81 mod 19 = 5 Q 4 = (5 2 mod 19)3 1 mod 19 = (25 mod 19)3 mod 19 = 18 mod 19 = 18 Q 5 = (18 2 mod 19)3 0 mod 19 = (324 mod 19) mod 19 = 17 19 + 1 mod 19 = 1 p 5 - i 1 0 0 1 0 2 p 5 - i 3 1 1 3 1 Q i 3 9 5 18 1

Decryption can be done with CRT Why is it more efficient in this way?

How to construct PKE based on the hardness of discrete log? RSA was a trapdoor permutation, so the construction was quite easy... In case of the discrete log, we just have a one-way function. Diffie and Hellman constructed something weaker than PKE: a key exchange protocol (also called key agreement protocol). We ll not describe it. Then, we ll show how to convert it into a PKE.

Key exchange initially they share no secret Alice listens Bob key k key k Eve should have no information about k We will formalize it later. Let s first show the protocol.

The Diffie-Hellman Key exchange G a group, where discrete log is believed to be hard q = G g a generator of G x Z q h 1 = g x y Zq Alice h 2 = g y Bob output: k A =(h 2 ) x equal to: g yx equal! equal to: g xy output: k B =(h 1 ) y

Security of the Diffie-Hellman exchange G,g h 1 = g x h 2 = g y knows Eve g yx? Eve should have no information about g yx

Is it secure? If the discrete log in G is easy then the DH key exchange is not secure. (because the adversary can compute x and y from g x and g y ) If the discrete log in G is hard, then... it may also not be secure

Example: G = Z p * x is even iff h 1 is a QR x Z q h 1 = g x y Zq Alice h 2 = g y Bob g yx? y is even iff h 2 is a QR Therefore: g yx is a QR iff (h 1 is a QR) or (h 2 is a QR) So, Eve can compute some information about g yx (namely: if it is a QR, or not).

How to fix the previous problem? Intuitively: Pick only even numbers in the exponent!

A problem The protocols that we discussed are secure only against a passive adversary (that only eavesdrop). What if the adversary is active? She can launch a man-in-the-middle attack.

Man in the middle attack I am Bob I am Alice Alice Bob key k key k key k key k A very realistic attack! So, is this thing totally useless? No! (it is useful as a building block)

Plan 1. Problems with the handbook RSA encryption 2. Security definitions 3. How to encrypt with RSA? 4. Encryption based on discrete-log 1. first step: Diffie-Hellman key exchange 2. ElGamal encryption 5. Public-key vs. private key encryption

El Gamal encryption El Gamal is another popular public-key encryption scheme. It is based on the Diffie-Hellman key-exchange.

First observation Remember that the one-time pad scheme can be generalized to any group? E.g.: K = M = C = G. Enc(k,m) = m k Dec(k,m) = m k -1 So, if k is the key agreed in the DH key exchange, then Alice can send a message m Є G to Bob encrypting it with k by setting: c := m k

How does it look now? (G,g) H(1 n ) security parameter 1 n x Z q h 1 = g x Alice (G,g,q,h 1 ) h 2 = g y Bob y Z q plaintext m c := m (h 1 ) y output: m := c (h 2 ) -x since (h 2 ) x = (h 1 ) y we get: m = m

The last two messages can be sent together (G,g) H(1 n ) security parameter 1 n x Z q h 1 = g x Alice (G,g,q,h 1 ) (c, h 2 ) := (m (h 1 ) y, g y ) Bob y Z q plaintext m output: m := c (h 2 ) -x

ElGamal encryption private key key generation encryption (G,g) H(1 n ) security parameter 1 n public key x Z q h 1 = g x Alice (G,g,q,h 1 ) (c, h 2 ) := (m (h 1 ) y, g y ) Bob y Z q plaintext m output: m := c (h 2 ) -x ciphertext decryption

El Gamal encryption Let H be such that DDH is hard with respect to H. Gen(1 n ) first runs H to obtain (G,q) and q. Then, it chooses x Z q and computes h := g x. (note: it is randomized by definition) The public key is (G,g,q,h). The private key is (G,g,q,x). Enc((G,g,q,h), m) := (m h y, g y ), where m Є G and y is a random element of G Dec((G,g,q,x), (c 1,c 2 )) := c 1 c 2 -x

Correctness h = g x Enc((G,g,q,h), m) = (m h y, g y ) Dec((G,g,q,x), (c 1,c 2 )) = c 1 c -x 2 = m h y (g y ) -x = m (g x ) y (g y ) -x = m g xy g -yx = m

Public key vs. private key encryption Private-key encryption has a following advantage: it is much more efficient. What we do in practice: Use PKE to exchange secret key. Then use secret key to encrypt data.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback