15-853: Algorithms in the Real World

Cryptography #2


Cryptography Outline

Introduction: terminology, cryptanalysis, security
Private-Key Algorithms: Rijndael, DES
Number Theory – Groups
Public-Key Algorithms: RSA, ElGamal, Diffie-Hellman


Groups

A Group (G,*,I) is a set G with operator * such that:

  • 1. Closure. For all a,b ∈ G, a * b ∈ G
  • 2. Associativity. For all a,b,c ∈ G, a*(b*c) = (a*b)*c
  • 3. Identity. There exists I ∈ G, such that for all a ∈ G, a*I=I*a=a
  • 4. Inverse. For every a ∈ G, there exists a unique element b ∈ G, such that a*b=b*a=I

An Abelian or Commutative Group is a Group with the additional condition

  • 5. Commutativity. For all a,b ∈ G, a*b=b*a

Examples of groups

– Integers, Reals or Rationals with Addition
– The nonzero Reals or Rationals with Multiplication
– Non-singular n x n real matrices with Matrix Multiplication
– Permutations over n elements with composition

[0→1, 1→2, 2→0] o [0→1, 1→0, 2→2] = [0→0, 1→2, 2→1]

We will only be concerned with finite groups, i.e., ones with a finite number of elements.


Key properties of finite groups

Notation: $a^j = a * a * a * \dots$ ($j$ times)
Definition: the order of g ∈ G is the smallest positive integer m such that $g^m = I$
Definition: a group G is cyclic if there is a g ∈ G such that order(g) = |G|
Definition: an element g ∈ G of order |G| is called a generator or primitive element of G.


Groups based on modular arithmetic

The group of positive integers modulo a prime p

$Z_p^* = \{1, 2, 3, \dots, p-1\}$
$*_p$ = multiplication modulo p
Denoted as: $(Z_p^*, *_p)$

Required properties

  • 1. Closure. Yes.
  • 2. Associativity. Yes.
  • 3. Identity. 1.
  • 4. Inverse. Yes.

Example: $Z_7^* = \{1,2,3,4,5,6\}$

$1^{-1} = 1$, $2^{-1} = 4$, $3^{-1} = 5$, $6^{-1} = 6$


Other properties

$|Z_p^*| = p-1$

By Fermat’s little theorem: $a^{p-1} = 1 \pmod p$

Example of $Z_7^*$

  $x$   $x^2$   $x^3$   $x^4$   $x^5$   $x^6$
  1     1       1       1       1       1
  2     4       1       2       4       1
  3     2       6       4       5       1
  4     2       1       4       2       1
  5     4       6       2       3       1
  6     1       6       1       6       1

For all p the group is cyclic. Generators: 3 and 5 (the rows that first reach 1 at $x^6$).


What if n is not a prime?

The group of positive integers modulo a non-prime n

$Z_n = \{1, 2, 3, \dots, n-1\}$, n not prime
$*_n$ = multiplication modulo n

Required properties?

  • 1. Closure. ?
  • 2. Associativity. ?
  • 3. Identity. ?
  • 4. Inverse. ?

How do we fix this?


Groups based on modular arithmetic

The multiplicative group modulo n

$Z_n^* = \{m : 1 \le m < n, \gcd(n,m) = 1\}$
$*_n$ = multiplication modulo n
Denoted as $(Z_n^*, *_n)$

Required properties:

  • Closure. Yes.
  • Associativity. Yes.
  • Identity. 1.
  • Inverse. Yes.

Example: $Z_{15}^* = \{1,2,4,7,8,11,13,14\}$

$1^{-1} = 1$, $2^{-1} = 8$, $4^{-1} = 4$, $7^{-1} = 13$, $11^{-1} = 11$, $14^{-1} = 14$


The Euler Phi Function

$$\phi(n) = |Z_n^*| = n \prod_{p \mid n} (1 - 1/p)$$

If n is a product of two primes p and q, then

$$\phi(n) = pq\,(1 - 1/p)(1 - 1/q) = (p-1)(q-1)$$

Fermat-Euler Theorem:

$$a^{\phi(n)} = 1 \pmod n \quad \text{for } a \in Z_n^*$$

Or for n = pq

$$a^{(p-1)(q-1)} = 1 \pmod n \quad \text{for } a \in Z_{pq}^*$$

This will be very important in RSA!


Generators

Example of $Z_{10}^*$: {1, 3, 7, 9}

  $x$   $x^2$   $x^3$   $x^4$
  1     1       1       1
  3     9       7       1
  7     9       3       1
  9     1       9       1

For n = (2, 4, $p^e$, $2p^e$), p an odd prime, $Z_n^*$ is cyclic. Generators: 3 and 7 (the rows that first reach 1 at $x^4$).


Operations we will need

Multiplication: a*b (mod n)
– Can be done in $O(\log^2 n)$ bit operations, or better

Power: $a^k$ (mod n)
– The power method: $O(\log n)$ steps, $O(\log^3 n)$ bit ops

    (* a^k mod n by repeated squaring; every product is reduced mod n *)
    fun pow(a, k, n) =
      if k = 0 then 1
      else
        let val s = pow(a, k div 2, n)
            val sq = (s * s) mod n
        in if k mod 2 = 1 then (a * sq) mod n else sq end

Inverse: $a^{-1}$ (mod n)
– Euclid's algorithm: $O(\log n)$ steps, $O(\log^3 n)$ bit ops
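
The inverse operation named above, written out with the extended form of Euclid's algorithm next to the power method. This is an added example, not code from the lecture; the function names are this example's own, and the sample values are the ones used on the slides.

```python
def power_mod(a, k, n):
    """a^k mod n by recursive squaring: O(log k) multiplications."""
    if k < 0:
        raise ValueError("use inverse_mod for negative exponents")
    if k == 0:
        return 1 % n
    half = power_mod(a, k // 2, n)
    square = (half * half) % n
    return (a * square) % n if k % 2 == 1 else square

def extended_gcd(a, b):
    """Return (g, x, y) such that a*x + b*y = g = gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y

def inverse_mod(a, n):
    """a^-1 mod n; exists only when gcd(a, n) = 1, i.e. a is in Z_n^*."""
    g, x, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd is {g})")
    return x % n

if __name__ == "__main__":
    print(inverse_mod(2, 7), inverse_mod(7, 15), power_mod(2, 8, 11))
    try:
        inverse_mod(3, 15)          # 3 shares a factor with 15
    except ValueError as err:
        print(err)
```

The failing call is the reason the group modulo a non-prime n keeps only the elements with gcd(n, m) = 1.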


Discrete Logarithms

If g is a generator of $Z_n^*$, then for all y there is a unique x (mod $\phi(n)$) such that
– $y = g^x \bmod n$

This is called the discrete logarithm of y and we use the notation
– $x = \log_g(y)$

In general finding the discrete logarithm is conjectured to be hard…as hard as factoring.


Cryptography Outline

Introduction: terminology, cryptanalysis, security
Private-Key Algorithms: Rijndael, DES
Number Theory: Groups
Public-Key Algorithms:

  • Diffie-Hellman Key Exchange
  • RSA
  • ElGamal

Diffie-Hellman Key Exchange

Can A and B agree on a secret through a public channel?

A group (G,*) and a generator g are made public.
– Alice picks a, and sends $g^a$ to Bob
– Bob picks b and sends $g^b$ to Alice
– The shared key is $g^{ab}$

The shared key is easy for Alice or Bob to compute, but (we believe) it’s hard for Eve to compute $g^{ab}$ from $(g, g^a, g^b)$.

If Discrete Log is easy, this protocol is broken.

What could go wrong with this protocol?


Person-in-the-middle attack

[Figure: Mallory sits between Alice and Bob. Values exchanged: $g^a$, $g^b$, $g^d$, $g^c$. Key1 = $g^{ad}$, Key1 = $g^{cb}$]

Mallory could impersonate Alice or Bob! This is a problem in general, but later we will see how it’s solved in practice for public key crypto.
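
The exchange and the person-in-the-middle case above, side by side, showing that the two endpoints end up with different keys, which is what an authenticated comparison would catch. This is an added example, not code from the lecture; the toy group (p = 23, g = 5), the secret exponents and the fingerprint helper are constructed for illustration.

```python
import hashlib

P, G = 23, 5   # constructed toy group Z_23^* with generator 5; far too small for real use

def public_value(secret):
    """g^secret mod p, the value sent over the public channel."""
    return pow(G, secret, P)

def shared_key(their_public, my_secret):
    """Key derived from the value received and one's own secret exponent."""
    return pow(their_public, my_secret, P)

def fingerprint(key):
    """Short digest two parties could compare over a channel they already trust."""
    return hashlib.sha256(str(key).encode()).hexdigest()[:8]

def honest_exchange(a, b):
    """Alice and Bob each receive the other's real value; both compute g^(ab)."""
    return shared_key(public_value(b), a), shared_key(public_value(a), b)

def intercepted_exchange(a, b, c, d):
    """Alice receives g^d in place of g^b, Bob receives g^c in place of g^a."""
    alice_key = shared_key(public_value(d), a)             # g^(ad)
    bob_key = shared_key(public_value(c), b)               # g^(cb)
    mallory_keys = (shared_key(public_value(a), d),        # matches Alice
                    shared_key(public_value(b), c))        # matches Bob
    return alice_key, bob_key, mallory_keys

def endpoints_agree(alice_key, bob_key):
    """The check an authenticated comparison gives: do both ends hold one key?"""
    return fingerprint(alice_key) == fingerprint(bob_key)

if __name__ == "__main__":
    a, b, c, d = 6, 15, 3, 9                               # constructed exponents
    print("honest:", endpoints_agree(*honest_exchange(a, b)))
    ak, bk, mk = intercepted_exchange(a, b, c, d)
    print("intercepted:", endpoints_agree(ak, bk), (ak, bk), mk)
```

Neither endpoint can notice the difference from the exchanged values alone; the mismatch is visible only through a channel that is already authenticated.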


Public Key Cryptosystems

Introduced by Diffie and Hellman in 1976.

[Figure: Plaintext → Encryption (key K1), $E_k(M) = C$ → Cyphertext → Decryption (key K2), $D_k(C) = M$ → Original Plaintext]

Public Key systems
– K1 = public key
– K2 = private key

Typically used as part of a more complicated protocol.

Digital signatures
– K1 = private key
– K2 = public key


ElGamal

Requires discrete log to be hard.

Invented in 1985

Digital signature and Key-exchange variants
– Digital signature is AES standard
– Public Key used by TRW (avoided RSA patent)

Works over various groups
– $Z_p$,
– Multiplicative group $GF(p^n)$,
– Elliptic Curves


ElGamal Public-key Cryptosystem

(G,*) is a group

  •  a generator for G
  • a ∈ $Z_{|G|}$
  •  = a

G is selected so that it is hard to solve the discrete log problem.

Public Key: (, ) and some description of G
Private Key: a

Encode: Pick random r ∈ $Z_{|G|}$
E(m) = (y1, y2) = (r, m * r)

Decode: D(y) = $y_2 * (y_1^a)^{-1}$
= (m * r)* (ra)-1 = m * r * (r)-1 = m

You need to know a to easily decode y!


ElGamal: Example

G = $Z_{11}^*$

  •  = 2
  • a = 8
  •  = $2^8$ (mod 11) = 3

Public Key: (2, 3), $Z_{11}^*$
Private Key: a = 8

Encode: 7
Pick random k = 4
E(m) = ($2^4$, 7 * $3^4$) = (5, 6)

Decode: (5, 6)
D(y) = 6 * $(5^8)^{-1}$ = 6 * $4^{-1}$ = 6 * 3 (mod 11) = 7
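
The worked numbers above, reproduced in code and then extended to every random exponent to show that one message has many valid ciphertexts. This is an added example, not code from the lecture; the names g (generator) and h (public value) are this example's own labels.

```python
import secrets

def elgamal_public(p, g, a):
    """Public value h = g^a mod p for private exponent a."""
    return pow(g, a, p)

def elgamal_encrypt(p, g, h, m, r=None):
    """Return (y1, y2) = (g^r, m * h^r) mod p; r is drawn fresh unless supplied."""
    if not 1 <= m < p:
        raise ValueError("message must be an element of Z_p^*")
    if r is None:
        r = 1 + secrets.randbelow(p - 2)       # random exponent in [1, p-2]
    return pow(g, r, p), (m * pow(h, r, p)) % p

def elgamal_decrypt(p, a, y1, y2):
    """Recover m = y2 * (y1^a)^-1 mod p using the private exponent a."""
    mask = pow(y1, a, p)                        # equals h^r without knowing r
    return (y2 * pow(mask, -1, p)) % p          # pow(x, -1, p) needs Python 3.8+

def ciphertexts_for(p, g, h, m):
    """Every ciphertext of m as the exponent r runs over 0 .. p-2."""
    return {elgamal_encrypt(p, g, h, m, r) for r in range(p - 1)}

if __name__ == "__main__":
    p, g, a = 11, 2, 8                          # the slide's group, generator, private key
    h = elgamal_public(p, g, a)
    y1, y2 = elgamal_encrypt(p, g, h, 7, r=4)   # the slide's message and random exponent
    print(h, (y1, y2), elgamal_decrypt(p, a, y1, y2))
    print(sorted(ciphertexts_for(p, g, h, 7)))
```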


RSA Public-key Cryptosystem

What we need:

  • p and q, primes of approximately the same size
  • n = pq, $\phi(n) = (p-1)(q-1)$
  • e ∈ $Z_{\phi(n)}^*$
  • d = $e^{-1} \bmod \phi(n)$

Public Key: (e,n)
Private Key: d

Encode: m ∈ $Z_n$, E(m) = $m^e \bmod n$
Decode: D(c) = $c^d \bmod n$


RSA continued

Why it works:

D(c) = $c^d \bmod n$
= $m^{ed} \bmod n$
= $m^{ed \bmod \phi(n)} \bmod n$   (Fermat-Euler Theorem)
= $m \bmod n$   ($ed = 1 \bmod \phi(n)$)

Works for all m ∈ $Z_n$, even if m ∉ $Z_n^*$.
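
The last claim above can be checked exhaustively on a small modulus: decoding recovers every m in $Z_n$, including the values that share a factor with n. This is an added example, not code from the lecture; the primes p = 61 and q = 53 and the exponent e = 17 are constructed toy values, and the function names are this example's own.

```python
from math import gcd

def rsa_keygen(p, q, e):
    """Return ((e, n), d) with d = e^-1 mod (p-1)(q-1); e must be a unit mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be in the multiplicative group mod phi(n)")
    return (e, n), pow(e, -1, phi)               # pow(x, -1, m) needs Python 3.8+

def rsa_encode(m, public_key):
    """E(m) = m^e mod n for m in Z_n (no padding: the bare operation from the slide)."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be in Z_n")
    return pow(m, e, n)

def rsa_decode(c, d, n):
    """D(c) = c^d mod n."""
    return pow(c, d, n)

def roundtrip_report(p, q, e):
    """Count m in Z_n outside Z_n^* and check D(E(m)) = m for all m in Z_n."""
    public_key, d = rsa_keygen(p, q, e)
    n = public_key[1]
    non_units = [m for m in range(n) if gcd(m, n) != 1]
    all_ok = all(rsa_decode(rsa_encode(m, public_key), d, n) == m for m in range(n))
    non_units_ok = all(rsa_decode(rsa_encode(m, public_key), d, n) == m
                       for m in non_units)
    return len(non_units), non_units_ok, all_ok

if __name__ == "__main__":
    (e, n), d = rsa_keygen(61, 53, 17)           # constructed toy primes
    print("public", (e, n), "private", d)
    print("non-units, non-units decode, all decode:", roundtrip_report(61, 53, 17))
```

The count of non-units is n minus $\phi(n)$: the multiples of p, the multiples of q, and 0.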


RSA computations

To generate the keys, we need to
– Find two primes p and q. Generate candidates and use primality testing to filter them.
– Find $e^{-1} \bmod (p-1)(q-1)$. Use Euclid’s algorithm. Takes time $\log^2(n)$

To encode and decode
– Take $m^e$ or $c^d$. Use the power method. Takes time $\log(e) \log^2(n)$ and $\log(d) \log^2(n)$.

In practice e is selected to be small so that encoding is fast.


Security of RSA

Note: RSA is still commonly used in practice. However, nowadays, Elliptic Curve Crypto is generally considered to be more secure and a better choice for public key encryption.

Possible security holes:
– Need to use “safe” primes p and q. In particular p-1 and q-1 should have large prime factors.
– p and q should not have the same number of digits. Can use a middle attack starting at sqrt(n).
– e cannot be too small
– Don’t use same n for different e’s.
– You should always “pad”


RSA Performance

Performance: (600Mhz PIII) (from: ssh toolkit):

Algorithm      Bits/key                  Mbits/sec
RSA Keygen     1024       .35sec/key
               2048       2.83sec/key
RSA Encrypt    1024       1786/sec       3.5
               2048       672/sec        1.2
RSA Decrypt    1024       74/sec         .074
               2048       12/sec         .024
ElGamal Enc.   1024       31/sec         .031
ElGamal Dec.   1024       61/sec         .061
Rijndael       128                       180

Typically public key encryption is used to communicate a private key, and then private key encryption is used.


Person-in-the-Middle attack

In order to avoid this attack, we need some way to verify that Bob’s or Alice’s public key really belongs to them. This is solved in practice via Certificates or a Web-of-Trust.


[Figure: Alice, Bob and Mallory. Image by kku, CC BY-SA 4.0]