Sharing a Secret in Plain Sight. Gregory Quenell

Similar documents
L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Public-key Cryptography and elliptic curves

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Public-Key Cryptosystems CHAPTER 4

Public-key Cryptography and elliptic curves

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

The Elliptic Curve in https

Lecture 28: Public-key Cryptography. Public-key Cryptography

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Introduction to Cryptography. Lecture 8

CRYPTOGRAPHY AND NUMBER THEORY

Lecture 7: ElGamal and Discrete Logarithms

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

Practice Assignment 2 Discussion 24/02/ /02/2018

Lecture Notes, Week 6

8 Elliptic Curve Cryptography

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

CPSC 467: Cryptography and Computer Security

Lecture 1: Introduction to Public key cryptography

MATH 158 FINAL EXAM 20 DECEMBER 2016

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Polynomial Interpolation in the Elliptic Curve Cryptosystem

Cryptography IV: Asymmetric Ciphers

Great Theoretical Ideas in Computer Science

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Lecture 11: Key Agreement

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

RSA. Ramki Thurimella

Cryptography. P. Danziger. Transmit...Bob...

Public Key Cryptography

SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Elliptic Curve Cryptography

arxiv: v3 [cs.cr] 15 Jun 2017

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Other Public-Key Cryptosystems

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Methods of Public-Key Cryptography. Émilie Wheeler

KEY EXCHANGE PROTOCOL WITH GAUSSIAN INTEGER MATRICES

14 Diffie-Hellman Key Agreement

Asymmetric Encryption

A SIMPLE GENERALIZATION OF THE ELGAMAL CRYPTOSYSTEM TO NON-ABELIAN GROUPS

PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS

Public Key Cryptography

Topics in Cryptography. Lecture 5: Basic Number Theory

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Introduction to Modern Cryptography. Benny Chor

Public Key Encryption

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

International Electronic Journal of Pure and Applied Mathematics IEJPAM, Volume 9, No. 1 (2015)

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

Notes for Lecture 17

RSA RSA public key cryptosystem

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

and Other Fun Stuff James L. Massey

1 Number Theory Basics

6.080/6.089 GITCS Apr 15, Lecture 17

Carmen s Core Concepts (Math 135)

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Lecture 17: Constructions of Public-Key Encryption

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

Lecture V : Public Key Cryptography

APPLICATION OF ELLIPTIC CURVES IN CRYPTOGRAPHY-A REVIEW

INTEGERS. In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes.

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Circuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.

AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM

Question: Total Points: Score:

Using semidirect product of (semi)groups in public key cryptography

8.1 Principles of Public-Key Cryptosystems

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Chapter 8 Public-key Cryptography and Digital Signatures

Public key exchange using semidirect product of (semi)groups

Computational Number Theory. Adam O Neill Based on

Cryptographical Security in the Quantum Random Oracle Model

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Simple Math: Cryptography

On the Big Gap Between p and q in DSA

Arithmétique et Cryptographie Asymétrique

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

9 Knapsack Cryptography

Quantum Cryptography

CPSC 467: Cryptography and Computer Security

Public Key Cryptography

Applied Cryptography and Computer Security CSE 664 Spring 2018

Transcription:

Sharing a Secret in Plain Sight Gregory Quenell 1

The Setting: Alice and Bob want to have a private conversation using email or texting. Alice Bob 2

The Setting: Alice and Bob want to have a private conversation using email or texting. The Problem: These media are insecure. intercepting wifi packets. Anyone can listen in by Eve Alice Bob 3

The Solution: Encryption. In a symmetric-key or shared-key encryption scheme, Bob and Alice share a secret key ( KEY ) that Eve doesn t know. Alice feeds KEY and her message into an Encryptor, which locks the message so that Eve can t read it. Bob uses his copy of KEY in the Decryptor to unlock and read the message. gbm(,xft?? Hi, Bob! KEY Encryptor KEY Decryptor Hi, Bob! 4

A New Problem: How can Alice and Bob agree on a shared key, while keeping it a secret from Eve? 5

A New Problem: How can Alice and Bob agree on a shared key, while keeping it a secret from Eve? One possibility: Alice and Bob meet face-to-face, someplace where Eve can t hear them. 6

A New Problem: How can Alice and Bob agree on a shared key, while keeping it a secret from Eve? One possibility: Alice and Bob meet face-to-face, someplace where Eve can t hear them. But... They may not be able to do that. And anyway, if they could meet face-to-face, they could just have their private conversation then. 7

A New Problem: How can Alice and Bob agree on a shared key, while keeping it a secret from Eve? One possibility: Alice and Bob meet face-to-face, someplace where Eve can t hear them. But... They may not be able to do that. And anyway, if they could meet face-to-face, they could just have their private conversation then. More realistically: Can Alice and Bob use the insecure channel, where Eve can intercept everything, to come up with a key that they both know, and keep it a secret from Eve? 8

A New Problem: How can Alice and Bob agree on a shared key, while keeping it a secret from Eve? One possibility: Alice and Bob meet face-to-face, someplace where Eve can t hear them. But... They may not be able to do that. And anyway, if they could meet face-to-face, they could just have their private conversation then. More realistically: Can Alice and Bob use the insecure channel, where Eve can intercept everything, to come up with a key that they both know, and keep it a secret from Eve? Surprisingly, the answer is yes. 9

The Diffie-Hellman Key Exchange Protocol... allows two people who have no prior knowledge of one another to establish a shared secret key while communicating over an insecure channel. The Diffie-Hellman protocol was first described in a 1976 paper by Whitfield Diffie and Martin Hellman. Similar systems had previously been described by American cryptographer Ralph Merkle, and in classified research at the Government Communications Headquarters (GCHQ) in England. 10

Exponentiation in the ring Z p For g Z p and a positive integer k, we can compute g k Z p by repeatedly multiplying and reducing modulo p. Example: 3 k in Z 7. 3 1 = 3 3 (mod 7) 3 2 = 3 3 = 9 2 (mod 7) 3 3 = 3 3 2 = 3 2 = 6 6 (mod 7) 3 4 = 3 3 3 = 3 6 = 18 4 (mod 7) 3 5 = 3 3 4 = 3 4 = 12 5 (mod 7) 3 6 = 3 3 5 = 3 5 = 15 1 (mod 7) 3 7. = 3 3 6 = 3 1 =. 3 3 (mod 7). The powers of 3 in the system Z 7 look like this: n 0 1 2 3 4 5 6 7 8 3 n 1 3 2 6 4 5 1 3 2 11

Exponentiation in the ring Z p There s a much faster method, called the square-and-multiply method. Example: 2 68 in Z 101. 2 2 = 4 4 (mod 101) 2 4 = (2 2 ) 2 = 4 2 = 16 16 (mod 101) 2 8 = (2 4 ) 2 = 16 2 = 256 54 (mod 101) 2 16 = (2 8 ) 2 = 54 2 = 2916 88 (mod 101) 2 32 = (2 16 ) 2 = 88 2 = 7744 68 (mod 101) 2 64 = (2 32 ) 2 = 68 2 = 4624 79 (mod 101) 12

Exponentiation in the ring Z p There s a much faster method, called the square-and-multiply method. Example: 2 68 in Z 101. 2 2 = 4 4 (mod 101) 2 4 = (2 2 ) 2 = 4 2 = 16 16 (mod 101) 2 8 = (2 4 ) 2 = 16 2 = 256 54 (mod 101) 2 16 = (2 8 ) 2 = 54 2 = 2916 88 (mod 101) 2 32 = (2 16 ) 2 = 88 2 = 7744 68 (mod 101) 2 64 = (2 32 ) 2 = 68 2 = 4624 79 (mod 101) Now 2 68 = 2 64+4 = 2 64 2 4, so we get 2 68 = (2 64 ) (2 4 ) = 79 16 = 1264 52 (mod 101). 13

Exponentiation in the ring Z p There s a much faster method, called the square-and-multiply method. Example: 2 68 in Z 101. 2 2 = 4 4 (mod 101) 2 4 = (2 2 ) 2 = 4 2 = 16 16 (mod 101) 2 8 = (2 4 ) 2 = 16 2 = 256 54 (mod 101) 2 16 = (2 8 ) 2 = 54 2 = 2916 88 (mod 101) 2 32 = (2 16 ) 2 = 88 2 = 7744 68 (mod 101) 2 64 = (2 32 ) 2 = 68 2 = 4624 79 (mod 101) Now 2 68 = 2 64+4 = 2 64 2 4, so we get 2 68 = (2 64 ) (2 4 ) = 79 16 = 1264 52 (mod 101). Cost: seven multiplications (with reductions modulo 101). 14

Alice and Bob Alice selects a prime p and a base g, and sends these to Bob. Eve listens in; she now knows the values of p and g. Aha! p = 6827 g = 66 p = 6827 g = 66 Okay, p = 6827 g = 66 15

Alice and Bob (p = 6827; g = 66) Alice chooses a secret exponent a, and doesn t tell anyone. Bob chooses a secret exponent b, and doesn t tell anyone.?? a = 14 b = 39 16

Alice and Bob (p = 6827; g = 66) Alice uses square-and-multiply to compute A = g a. Bob uses square-and-multiply to compute B = g b.?? a = 14 A = 66 14 A = 4851 b = 39 B = 66 39 B = 246 17

Alice and Bob (p = 6827; g = 66) Alice sends A to Bob, and Bob sends B to Alice. Eve now knows the values of g, A = g a, and B = g b. Aha! A = 4851 B = 246 Hmm... a = 14 A = 66 14 A = 4851 A = 4851 B = 246 b = 39 B = 66 39 B = 246 18

Alice and Bob (p = 6827; g = 66) Bob now computes A b, which is equal to (g a ) b. Alice now computes B a, which is equal to (g b ) a. By the laws of exponents, (g a ) b = g ab = (g b ) a, so Bob and Alice have the same number.?? Key = B a = 246 14 = 1894 Key = A b = 4851 39 = 1894 19

Alice and Bob (p = 6827; g = 66) Alice and Bob, each using square-and-multiply twice, have independently calculated g ab. Eve, by listening in, has learned g, g a and g b, but has no good way to calculate g ab from this information. g a = 4851 g b = 246 g ab =?? Key = 1894 Key = 1894 20

Security The secrecy of the shared key g ab relies on the Computational Diffie-Hellman Assumption CDH: Let g be a generator of a cyclic group G. Given generic elements g a and g b, Eve has no efficient algorithm for finding g ab : (g a, g b ) X g ab 21

Security The secrecy of the shared key g ab relies on the Computational Diffie-Hellman Assumption CDH: Let g be a generator of a cyclic group G. Given generic elements g a and g b, Eve has no efficient algorithm for finding g ab : (g a, g b ) X g ab Proof: There is none. It s an assumption. (And it depends on G.) 22

Security The secrecy of the shared key g ab relies on the Computational Diffie-Hellman Assumption CDH: Let g be a generator of a cyclic group G. Given generic elements g a and g b, Eve has no efficient algorithm for finding g ab : (g a, g b ) X g ab Proof: There is none. It s an assumption. (And it depends on G.) Belief: For certain cyclic groups, Eve s best approach is to find either a or b, the discrete logarithms of g a and g b. DLP (the Discrete Logarithm Problem): Let g be a generator of a cyclic group G. Given a generic element g a, find a. 23

Security Further belief: For certain cryptographic groups, the fastest DLP algorithms require somewhat more than G arithmetic operations. 24

Security Further belief: For certain cryptographic groups, the fastest DLP algorithms require somewhat more than G arithmetic operations. Actual fact: The square-and-multiply algorithm for finding (g a ) b or (g b ) a requires at most 2 log 2 G operations. 25

Security Further belief: For certain cryptographic groups, the fastest DLP algorithms require somewhat more than G arithmetic operations. Actual fact: The square-and-multiply algorithm for finding (g a ) b or (g b ) a requires at most 2 log 2 G operations. Result: In our toy example, G = 6826, so Bob and Alice can find their shared key g ab using no more than 2 log 2 6826 26 multiplications. In order to find a and break in, Eve s best algorithm would require at least 6826 83 multiplications. 26

Security Further belief: For certain cryptographic groups, the fastest DLP algorithms require somewhat more than G arithmetic operations. Actual fact: The square-and-multiply algorithm for finding (g a ) b or (g b ) a requires at most 2 log 2 G operations. Result: In our toy example, G = 6826, so Bob and Alice can find their shared key g ab using no more than 2 log 2 6826 26 multiplications. In order to find a and break in, Eve s best algorithm would require at least 6826 83 multiplications. In the toy example, Eve s task is trivial. There is no secrecy here. However... 27

Security Time at 10 9 /second G G log2 G Alice/Bob Eve 10 5 300 17 4.6 µs 87 µs 10 15 3 10 7 33 120 µs 78 sec 10 25 3 10 12 83 570 µs 250 days 10 35 3 10 17 116 1.6 ms 1.4 10 5 yr 10 45 3 10 22 149 3.3 ms 2.2 10 10 yr 10 50 10 25 166 4.6 ms 8.7 10 12 yr 28

Security Time at 10 9 /second G G log2 G Alice/Bob Eve 10 5 300 17 4.6 µs 87 µs 10 15 3 10 7 33 120 µs 78 sec 10 25 3 10 12 83 570 µs 250 days 10 35 3 10 17 116 1.6 ms 1.4 10 5 yr 10 45 3 10 22 149 3.3 ms 2.2 10 10 yr 10 50 10 25 166 4.6 ms 8.7 10 12 yr Moral: When G 10 50, we get pretty good security. 29

Security Time at 10 9 /second G G log2 G Alice/Bob Eve 10 5 300 17 4.6 µs 87 µs 10 15 3 10 7 33 120 µs 78 sec 10 25 3 10 12 83 570 µs 250 days 10 35 3 10 17 116 1.6 ms 1.4 10 5 yr 10 45 3 10 22 149 3.3 ms 2.2 10 10 yr 10 50 10 25 166 4.6 ms 8.7 10 12 yr Moral: When G 10 50, we get pretty good security. ( NIST recommends that G should be at least 10 68, and that G ) should be hidden inside a bigger group with order at least 10 616. 30

References Dan Boneh and Victor Shoup, A Graduate Course in Applied Cryptography, prepublication version 0.4, 2017. Whitfield Diffie and Martin E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, IT-22, November 1976. Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography, second edition, CRC Press, 2015. Neal Koblitz, A Course in Number Theory and Cryptography, second edition, Springer-Verlag, 2006. Douglas R. Stinson, Cryptography: Theory and Practice, second edition, CRC Press, 2002. 31

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback