15-853:Algorithms in the Real World Cryptography #2 15-853 Page 1
Cryptography Outline Introduction: terminology, cryptanalysis, security Private-Key Algorithms: Rijndael, DES Number Theory – Groups Public-Key Algorithms: RSA, ElGamal, Diffie-Hellman 15-853 Page 2
Groups A Group (G,*,I) is a set G with operator * such that: 1. Closure . For all a,b G, a * b G 2. Associativity. For all a,b,c G, a*(b*c) = (a*b)*c 3. Identity. There exists I G, such that for all a G, a*I=I*a=a 4. Inverse. For every a G, there exist a unique element b G, such that a*b=b*a=I An Abelian or Commutative Group is a Group with the additional condition 5. Commutativity. For all a,b G, a*b=b*a 15-853 Page 3
Examples of groups – Integers, Reals or Rationals with Addition – The nonzero Reals or Rationals with Multiplication – Non-singular n x n real matrices with Matrix Multiplication – Permutations over n elements with composition [0 → 1, 1 → 2, 2 → 0] o [0 → 1, 1 → 0, 2 → 2] = [0 → 0, 1 → 2, 2 → 1] We will only be concerned with finite groups , I.e., ones with a finite number of elements. 15-853 Page 4
Key properties of finite groups Notation: a j a * a * a * … j times Definition : the order of g G is the smallest positive integer m such that g m = I Definition: a group G is cyclic if there is a g G such that order(g) = |G| Definition: an element g G of order |G| is called a generator or primitive element of G. 15-853 Page 5
Groups based on modular arithmetic The group of positive integers modulo a prime p * {1, 2, 3, …, p -1} Z p * p multiplication modulo p * , * p ) Denoted as: (Z p Required properties 1. Closure. Yes. 2. Associativity. Yes. 3. Identity. 1. 4. Inverse. Yes. * = {1,2,3,4,5,6} Example: Z 7 1 -1 = 1, 2 -1 = 4, 3 -1 = 5, 6 -1 = 6 15-853 Page 6
Other properties * | = (p-1) |Z p By Fermat ’ s little theorem: a (p-1) = 1 (mod p) * Example of Z 7 x 2 x 3 x 4 x 5 x 6 x 1 1 1 1 1 1 2 4 1 2 4 1 3 2 6 4 5 1 Generators 4 2 1 4 2 1 5 4 6 2 3 1 6 1 6 1 6 1 For all p the group is cyclic. 15-853 Page 7
What if n is not a prime? The group of positive integers modulo a non-prime n Z n {1, 2, 3, …, n -1}, n not prime * p multiplication modulo n Required properties? 1. Closure. ? 2. Associativity. ? 3. Identity. ? 4. Inverse. ? How do we fix this? 15-853 Page 8
Groups based on modular arithmetic The multiplicative group modulo n * {m : 1 ≤ m < n, gcd(n,m) = 1} Z n * multiplication modulo n * , * n ) Denoted as (Z n Required properties : • Closure. Yes. • Associativity. Yes. • Identity. 1. • Inverse. Yes. * = {1,2,4,7,8,11,13,14} Example: Z 15 1 -1 = 1, 2 -1 = 8, 4 -1 = 4, 7 -1 = 13, 11 -1 = 11, 14 -1 = 14 15-853 Page 9
The Euler Phi Function = = − * ( ) ( 1 1 / ) n n p n | p n If n is a product of two primes p and q, then = − − = − − ( ) ( 1 1 / )( 1 1 / ) ( 1 )( 1 ) n pq p q p q Fermat-Euler Theorem: = ( ) * n 1 (mod ) for a n a n Or for n = pq − − = ( 1 )( 1 ) * p q 1 (mod ) for a n a pq This will be very important in RSA! 15-853 Page 10
Generators * : {1, 3, 7, 9} Example of Z 10 x 2 x 3 x 4 x 1 1 1 1 3 9 7 1 Generators 7 9 3 1 9 1 9 1 For n = (2, 4, p e , 2p e ), p an odd prime, Z n is cyclic 15-853 Page 11
Operations we will need Multiplication : a*b (mod n) – Can be done in O(log 2 n) bit operations, or better Power : a k (mod n) – The power method O(log n) steps, O(log 3 n) bit ops fun pow(a,k) = if (k = 0) then 1 else if (k mod 2 = 1) then a * (pow(a,k/2)) 2 else (pow(a, k/2)) 2 Inverse : a -1 (mod n) – Euclids algorithm O(log n) steps, O(log 3 n) bit ops 15-853 Page 12
Discrete Logarithms * , then for all y there is a unique x If g is a generator of Z n (mod (n)) such that – y = g x mod n This is called the discrete logarithm of y and we use the notation – x = log g (y) In general finding the discrete logarithm is conjectured to be hard…as hard as factoring. 15-853 Page 13
Cryptography Outline Introduction: terminology, cryptanalysis, security Private-Key Algorithms: Rijndael, DES Number Theory: Groups Public-Key Algorithms: • Diffie-Hellman Key Exchange • RSA • ElGamal 15-853 Page 14
Diffie-Hellman Key Exchange Can A and B agree on a secret through a public channel? A group (G,*) and a generator g are made public. – Alice picks a, and sends g a to Bob – Bob picks b and sends g b to Alice – The shared key is g ab The shared key is easy for Alice or Bob to compute, but (we believe) it’s hard for Eve to compute g ab from (g, g a , g b ). If Discrete Log is easy, this protocol is broken. What could go wrong with this protocol? 15-853 Page 15
Person-in-the-middle attack g a g c Alice Mallory Bob g d g b Key 1 = g ad Key 1 = g cb Mallory could impersonate Alice or Bob! This is a problem in general, but later we will see how it’s solved in practice for public key crypto. 15-853 Page 16
Public Key Cryptosystems Introduced by Diffie and Hellman in 1976. Plaintext Public Key systems K 1 = public key E k (M) = C Encryption K 1 K 2 = private key Cyphertext Digital signatures Decryption D k (C) = M K 2 K 1 = private key K 2 = public key Original Plaintext Typically used as part of a more complicated protocol. 15-853 Page 17
ElGamal Requires discrete log to be hard. Invented in 1985 Digital signature and Key-exchange variants – Digital signature is AES standard – Public Key used by TRW (avoided RSA patent) Works over various groups – Z p , – Multiplicative group GF(p n ), – Elliptic Curves 15-853 Page 18
ElGamal Public-key Cryptosystem Encode : (G,*) is a group Pick random r Z |G| • a generator for G E(m) = (y 1 , y 2 ) • a Z |G| = ( r , m * r ) • = a Decode : G is selected so that it is a ) -1 D(y) = y 2 * (y 1 hard to solve the = (m * r )* ( ra ) -1 discrete log problem. = m * r * ( r ) -1 Public Key : ( , ) and some = m description of G You need to know a to easily decode y! Private Key : a 15-853 Page 19
ElGamal: Example Encode : 7 * G = Z 11 • = 2 Pick random k = 4 E(m) = (2 4 , 7 * 3 4 ) • a = 8 = (5, 6) • = 2 8 (mod 11) = 3 Decode : (5, 6) D(y) = 6* (5 8 ) -1 = 6 * 4 -1 = 6 * 3 (mod 11) = 7 * Public Key : (2, 3), Z 11 Private Key : a = 8 15-853 Page 20
RSA Public-key Cryptosystem Public Key : (e,n) What we need: Private Key : d • p and q, primes of approximately the same size Encode : m Z n • n = pq (n) = (p-1)(q-1) E(m) = m e mod n • e Z (n) * • d = e -1 mod (n) Decode : D(c) = c d mod n 15-853 Page 21
RSA continued Why it works: D(c) = c d mod n = m ed mod n = m ed mod (n) mod n (Fermat-Euler Theorem) (ed = 1 mod (n)) = m mod n Works for all m ∈ Z n , even if m Z n * . 15-853 Page 22
RSA computations To generate the keys , we need to – Find two primes p and q . Generate candidates and use primality testing to filter them. – Find e -1 mod (p-1)(q-1). Use Euclid ’ s algorithm. Takes time log 2 (n) To encode and decode – Take m e or c d . Use the power method. Takes time log(e) log 2 (n) and log(d) log 2 (n) . In practice e is selected to be small so that encoding is fast. 15-853 Page 23
Security of RSA Note : RSA is still commonly used In practice. However, nowadays, Elliptic Curve Crypto is generally considered to be more secure and a better choice for public key encryption. Possible security holes : – Need to use “ safe ” primes p and q. In particular p-1 and q-1 should have large prime factors. – p and q should not have the same number of digits. Can use a middle attack starting at sqrt(n). – e cannot be too small – Don ’ t use same n for different e ’ s. – You should always “ pad ” 15-853 Page 24
RSA Performance Performance: (600Mhz PIII) (from: ssh toolkit): Algorithm Bits/key Mbits/sec 1024 .35sec/key RSA Keygen 2048 2.83sec/key 1024 1786/sec 3.5 RSA Encrypt 2048 672/sec 1.2 1024 74/sec .074 RSA Decrypt 2048 12/sec .024 ElGamal Enc. 1024 31/sec .031 ElGamal Dec. 1024 61/sec .061 Rijndael 128 180 Typically public key encryption is used to communicate a private key, and then private key encryption is used. 15-853 Page 25
Person-in-the-Middle attack Alice Mallory Bob In order to avoid this attack, we need some way to verify that Bob’s or Alice’s public key really belongs to them. This is solved in practice via Certificates or a Web-of-Trust. 15-853 Page 26 Image by kku CC BY-SA 4.0
Recommend
More recommend
