Cryptography Public-Key Cryptography Uwe Egly Vienna University of - - PowerPoint PPT Presentation



SLIDE 1

Cryptography: Public-Key Cryptography

Uwe Egly

Vienna University of Technology, Institute of Information Systems, Knowledge-Based Systems Group

1 / 18

SLIDE 2

Overview

◮ Problem of symmetric procedures: exchange of the secret key
◮ Solution: public-key procedures (PKPs): use a public key and a secret key
◮ Developed by Diffie, Hellman and Merkle in the mid-70s
◮ Receiver publishes his/her public key (e.g., on the homepage)
◮ Potential sender uses the public key for encryption
◮ Receiver uses his/her secret key for decryption
◮ Disadvantage of PKPs: much slower than symmetric ones
◮ Solution: hybrid procedures
  1. Asymmetric procedure for the key exchange phase
  2. Fast symmetric en-/decryption with a random session key

SLIDE 3

Diffie-Hellman Key-Exchange Protocol (DHKEP)

◮ Alice (A) and Bob (B) have not exchanged keys so far
◮ They want to establish a shared secret by exchanging messages over insecure channels
◮ They agree on two public parameters, a large prime $p$ (resulting in $\mathbb{Z}_p$) and a generator $\alpha$ for $\mathbb{Z}_p^*$ (the multiplicative group)
◮ $\mathbb{Z}_p^* = \{\alpha^0, \alpha^1, \alpha^2, \dots, \alpha^{p-2}\} = \{1, \alpha, \alpha^2, \dots, \alpha^{p-2}\}$
◮ Protocol ($x$, $y$ below are chosen from $\{0, \dots, p-2\}$)
  ◮ A chooses $x$ and computes $X = \alpha^x \bmod p$
  ◮ A sends $X$ to B and keeps $x$ secret
  ◮ B chooses $y$ and computes $Y = \alpha^y \bmod p$
  ◮ B sends $Y$ to A and keeps $y$ secret
  ◮ A computes $Y^x$ and B computes $X^y$
◮ Now A and B have their secret key $k$ because
  $Y^x \equiv \alpha^{yx} \equiv \alpha^{xy} \equiv X^y \equiv k \pmod p$
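The exchange of slide 3 run end to end, as an added example that is not part of the slides: the toy parameters $p = 23$, $\alpha = 5$ and the secrets $x = 6$, $y = 15$ are chosen here. It also includes an exhaustive-search discrete log (slide 4) and can reproduce the table of slide 7 ($3^x \bmod 17$), showing why a small $p$ gives no security.

```python
# Added example (not from the slides): the DHKEP of slide 3 over Z_p^*, plus a
# brute-force discrete log that shows why a toy p gives no security (slide 4).
# Toy parameters p = 23, alpha = 5 are chosen here; the slides give none.
from typing import Optional, Tuple

def is_generator(alpha: int, p: int) -> bool:
    """True iff alpha generates the whole multiplicative group Z_p^*, i.e.
    alpha^0 .. alpha^(p-2) are p-1 distinct values (enumeration; tiny p only)."""
    seen, value = set(), 1
    for _ in range(p - 1):
        seen.add(value)
        value = (value * alpha) % p
    return len(seen) == p - 1

def dh_exchange(p: int, alpha: int, x: int, y: int) -> Tuple[int, int, int, int]:
    """Run the protocol with Alice's secret x and Bob's secret y.
    Returns (X, Y, k_alice, k_bob); X and Y are what travels over the channel."""
    X = pow(alpha, x, p)        # A computes and sends X = alpha^x mod p
    Y = pow(alpha, y, p)        # B computes and sends Y = alpha^y mod p
    k_alice = pow(Y, x, p)      # A computes Y^x = alpha^(yx) mod p
    k_bob = pow(X, y, p)        # B computes X^y = alpha^(xy) mod p
    return X, Y, k_alice, k_bob

def dlog_bruteforce(alpha: int, c: int, p: int) -> Optional[int]:
    """Solve c = alpha^e mod p by trying every e in {0, ..., p-2}.
    Cost grows with p, which is why p must be a large prime in practice."""
    for e in range(p - 1):
        if pow(alpha, e, p) == c:
            return e
    return None

if __name__ == "__main__":
    p, alpha = 23, 5
    assert is_generator(alpha, p)
    X, Y, k_a, k_b = dh_exchange(p, alpha, x=6, y=15)
    print(f"X={X} Y={Y} shared key: Alice={k_a} Bob={k_b}")
    # For this toy p an observer of (p, alpha, X) recovers x at once:
    print("x recovered from X:", dlog_bruteforce(alpha, X, p))
```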

SLIDE 4

The Discrete Logarithm Problem (DLP)

◮ DL: group-theoretic analogue of ordinary logarithms
  Given a prime $p$, a generator $\alpha$ of $\mathbb{F}_p^*$ and an element $c \in \mathbb{F}_p^*$, find the unique integer $e$ with $0 \le e \le p-2$ such that $c \equiv \alpha^e \pmod p$
◮ If we can solve the DLP fast, we can break the DHKEP
◮ No efficient algorithm to solve the DLP is known at the moment
◮ Known algorithms are inspired by factorization algorithms, for which also no efficient algorithm is known

SLIDE 5

(Total) Functions (Reminder)

◮ Defined using two sets $X$ and $Y$ and a rule $f$
◮ $f$ associates to each element of $X$ exactly one element in $Y$ (total on $X$ and unique: $\forall x\, y\, z\ (f(x) = y \wedge f(x) = z \rightarrow y = z)$)
◮ Notation: $f : X \rightarrow Y$
◮ $X$ is called the domain, $Y$ the codomain of $f$
◮ Image of $x \in X$ is $y$ with $y = f(x)$
◮ Preimage of $y \in Y$ is an element $x \in X$ with $f(x) = y$
◮ Image of $f$: $\mathrm{Im}(f) = \{y \mid \exists x \in X \text{ with } f(x) = y\}$

SLIDE 6

Properties of Functions

◮ $f : X \rightarrow Y$ is injective (one-to-one) if every $y \in Y$ is the image of at most one $x \in X$
◮ $f : X \rightarrow Y$ is surjective (onto) if $\mathrm{Im}(f) = Y$
◮ $f$ is bijective (one-to-one and onto), i.e., $f$ is injective and surjective (like permutations)
◮ Inverse function $g = f^{-1}$ of a bijection $f : X \rightarrow Y$:
  ◮ Bijection $g : Y \rightarrow X$
  ◮ For all $y \in Y$, define $g(y) = x$ with $x \in X$ and $f(x) = y$
◮ Already used: $f$ for encryption, $f^{-1}$ for decryption

SLIDE 7

One-Way Function

◮ $f : X \rightarrow Y$ is a one-way function if both conditions hold:
  1. $f(x)$ is easy to compute for all $x \in X$
  2. for a randomly chosen $y \in \mathrm{Im}(f)$, it is computationally infeasible to find $x \in X$ such that $f(x) = y$
◮ $f$ is easy to compute, but it is infeasible to compute $f^{-1}$
◮ Example: $f : X \rightarrow Y$ with $X = \{1, \dots, 16\}$ and $f(x) = 3^x \bmod 17$

  x    |  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
  f(x) |  3  9 10 13  5 15 11 16 14  8  7  4 12  2  6  1

◮ $f(x)$ is easy to compute, but it is hard to find $x$ with $f(x) = 7$ (especially if the modulus is a big prime)

SLIDE 8

Trapdoor One-Way Function

◮ $f : X \rightarrow Y$ is a trapdoor one-way function if
  1. $f$ is a one-way function and
  2. with some additional information (trapdoor info), computing the inverse is easy
◮ Example: Given two primes $p, q$ with $p \neq q$, let $n = pq$.
◮ Let $f(x) \equiv x^3 \pmod n$ and suppose $3d \equiv 1 \pmod{\varphi(n)}$
◮ $d$ is the trapdoor information supporting an efficient computation of $f^{-1}$
◮ Computing $f$ is easy, but computing (from known $n$ and $f$)
  $f^{-1}(x^3) \equiv f^{-1}(f(x)) \equiv x^{3d} \equiv x \pmod n$
  is believed to be very hard without the trapdoor info $d$ (the argument also works for other exponents)

SLIDE 9

Trapdoor One-Way Function (cont'd)

◮ How do we justify $x^{3d} \equiv x \pmod n$?
◮ With Euler's generalization of Fermat's Little Theorem:
◮ If $n \in \mathbb{N}$ and $m \in \mathbb{Z}$ such that $\gcd(m, n) = 1$, then $m^{\varphi(n)} \equiv 1 \pmod n$
◮ Since $3d \equiv 1 \pmod{\varphi(n)}$ by assumption, it holds that $\exists k\ (3d = k \cdot \varphi(n) + 1)$
◮ But then, $x^{3d} = x^{k \cdot \varphi(n) + 1} = \underbrace{x^{\varphi(n)} \cdot \ldots \cdot x^{\varphi(n)}}_{k \text{ times}} \cdot x$ and
◮ $x^{3d} \equiv \underbrace{x^{\varphi(n)} \cdot \ldots \cdot x^{\varphi(n)}}_{k \text{ times}} \cdot x \equiv \underbrace{1 \cdot \ldots \cdot 1}_{k \text{ times}} \cdot x \equiv x \pmod n$

SLIDE 10

An Example Computation

◮ Take $f$ from above, i.e., $f(x) \equiv x^3 \pmod n$
◮ Choose $p = 5$, $q = 11$ and compute $n = 55$ and $\varphi(n) = 40$
◮ Compute the trapdoor info $d$, i.e., solve $3d \equiv 1 \pmod{\varphi(n)}$ (the solution is $d = 27$, since $3 \cdot 27 \equiv 1 \pmod{40}$)
◮ Compute $f(12) \equiv 1728 \equiv 23 \pmod{55}$
◮ Using the trapdoor information $d$, we compute $f^{-1}(23) \equiv f^{-1}(f(x)) \equiv x^{3 \cdot 27} \equiv (x^3)^{27} \pmod{55}$. Therefore, $f^{-1}(23) \equiv 23^{27} \equiv 12 \pmod{55}$ as expected
◮ When we can factorize $n$ fast, $d$ can be efficiently obtained

SLIDE 11

Extended Euclidean Algorithm (for Z)

◮ An iterative version of the algorithm from HAC

Algorithm 1: extEuclid(a, b)
  Input: two non-negative integers a, b with a ≥ b
  Result: d = gcd(a, b) and integers x, y satisfying ax + by = d
  begin
    if b = 0 then return (a, 1, 0);
    x2 = 1, x1 = 0, y2 = 0, y1 = 1;
    while b > 0 do
      q = a div b; r = a − qb;
      x = x2 − q·x1; y = y2 − q·y1;
      a = b; b = r;
      x2 = x1; x1 = x; y2 = y1; y1 = y;
    return (a, x2, y2);
  end

◮ Algorithm has a running time of $O(\mathrm{ld}(a)^2)$ bit operations

SLIDE 12

Extended Euclidean Algorithm (for Z)

◮ A recursive version of the algorithm in Ruby

  # Returns [x, y] with b*x + m*y = gcd(b, m)
  def extended_gcd(b, m)
    q, r = b.divmod(m)            # b = q*m + r
    if r == 0
      temp = [0, 1]               # gcd is m itself: b*0 + m*1 = m
      return temp
    else
      temp = extended_gcd(m, r)   # m*temp[0] + r*temp[1] = gcd(m, r)
      temp2 = [temp[1], temp[0] - temp[1] * q]   # substitute r = b - q*m
      return temp2
    end
  end

SLIDE 13

Computing Modular Inverses in Z_n

Algorithm 2: modularInverseZn(a, n)
  Input: n is the modulus and a ∈ Z_n
  Result: a^{-1} mod n, provided it exists
  begin
    Use extEuclid(a, n) to find integers x, y s.t. ax + ny = d = gcd(a, n);
    if d > 1 then return "a^{-1} mod n does not exist";
    else
      x1 = x mod n;
      if x1 < 0 then return x1 + n;
      else return x1;
  end
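Algorithm 1 (slide 11) and Algorithm 2 (slide 13) written out in Python, as an added example that is not part of the slides; it reproduces the trapdoor $d = 27$ of slide 10 and the RSA exponent $d = 147$ of slide 17. It also shows that the iterative version tolerates $a < b$, since the first iteration then has $q = 0$ and merely swaps the operands.

```python
# Added example (not from the slides): Algorithm 1 (extEuclid) and Algorithm 2
# (modularInverseZn) from slides 11 and 13 written out in Python.
from typing import Optional, Tuple

def ext_euclid(a: int, b: int) -> Tuple[int, int, int]:
    """Return (d, x, y) with d = gcd(a, b) and a*x + b*y = d.
    Follows Algorithm 1 step by step; if a < b the first loop iteration
    has q = 0 and simply swaps the roles of a and b."""
    if b == 0:
        return a, 1, 0
    x2, x1, y2, y1 = 1, 0, 0, 1           # coefficients two and one steps back
    while b > 0:
        q, r = divmod(a, b)              # q = a div b, r = a - q*b
        x, y = x2 - q * x1, y2 - q * y1  # Bezout coefficients for the new remainder
        a, b = b, r
        x2, x1 = x1, x
        y2, y1 = y1, y
    return a, x2, y2

def modular_inverse(a: int, n: int) -> Optional[int]:
    """a^{-1} mod n as in Algorithm 2, or None when gcd(a, n) > 1."""
    d, x, _ = ext_euclid(a, n)           # a*x + n*y = d
    if d > 1:
        return None
    return x % n                         # Python's % is never negative for n > 0

if __name__ == "__main__":
    print(ext_euclid(40, 3))             # (1, 1, -13): 40*1 + 3*(-13) = 1
    print(modular_inverse(3, 40))        # 27, the trapdoor d of slide 10
    print(modular_inverse(3, 220))       # 147, the RSA d of slide 17
    print(modular_inverse(4, 8))         # None, since gcd(4, 8) = 2
```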

SLIDE 14

RSA Overview

◮ Published by R. Rivest, A. Shamir and L. Adleman in 1978
◮ An equivalent system was obtained by Ellis, Cocks and Williamson at GCHQ but kept secret until 1997 (Ellis' report is from 1973)
◮ Usage: encryption and decryption, digital signatures
◮ Security of RSA not proven
◮ It is based on the factorization problem for integers
◮ Factorization problem not "provably infeasible", but ...
◮ ... no polynomial algorithm known at the moment
◮ RSA challenge: RSA-640 (Nov. 2005, Bonn University)

SLIDE 15

Key Generation for RSA

  1. Choose random primes $p, q$ of approx. the same size ($p \neq q$)
  2. Compute $n = pq$ and $\varphi(pq) = (p-1)(q-1)$ (simply call it $\varphi$)
  3. Choose $e \in \mathbb{N}$ with $1 < e < \varphi$ such that $\gcd(e, \varphi) = 1$
     $\Rightarrow$ $e$ is odd, since $\varphi$ is even and $\gcd(e, \varphi) = 1$
  4. Compute the unique $d$ with $1 < d < \varphi$ such that $ed \equiv 1 \pmod{\varphi}$ (we compute the modular inverse of $e$ in $\mathbb{Z}_{\varphi(pq)}$)
  5. Recall: $e^{-1}$ exists because of $\gcd(e, \varphi) = 1$
  6. Public key $(n, e)$, private (secret) key $d$

$n$ is the RSA modulus; $e$/$d$ is the encryption/decryption exponent

SLIDE 16

Encryption of Message Blocks in RSA

◮ Interpret the plaintext block as an integer $m$ with $0 \le m < n$
◮ Plaintexts are all numbers from $P = \{0, 1, \dots, n-1\}$
◮ Encryption of the plaintext $m$ by $c = m^e \bmod n$
◮ Public key is sufficient for encryption
◮ $m^e \bmod n$ is computed efficiently with fast exponentiation
◮ Example: $p = 11$, $q = 23$, $n = 253$, $e = 3$
  ◮ Plaintexts are: $\{0, 1, \dots, 252\}$
  ◮ Encryption of $m = 165$: $165^3 \bmod 253 = 110$

SLIDE 17

Decryption of Ciphertext Blocks in RSA

◮ $p = 11$, $q = 23$, $n = 253$, $e = 3$, $\varphi = (p-1)(q-1) = 220$
◮ Compute $d$ with $1 < d < \varphi$ with $ed \equiv 1 \pmod{\varphi}$: $d = 147$, because $3 \cdot 147 = 441 = 2 \cdot 220 + 1$
◮ Decryption of the ciphertext $c = 110$ by $c^d \bmod n$, i.e., compute $110^{147} \bmod 253$

  $110^{2} \bmod 253 = 209$
  $110^{4} \bmod 253 = 165$
  $110^{8} \bmod 253 = 154$
  $110^{16} \bmod 253 = 187$
  $110^{32} \bmod 253 = 55$
  $110^{64} \bmod 253 = 242$
  $110^{128} \bmod 253 = 121$

◮ Compose $d$ from the powers of 2 (guided by the binary representation): $147 = 128 + 16 + 2 + 1$
◮ Decrypt $c = 110$: $(121 \cdot 187 \cdot 209 \cdot 110) \bmod 253 = 165$

SLIDE 18

Good Choices for p, q and e

◮ Choose $p$ and $q$ of approximately the same size
  $\Rightarrow$ no small factors $p$ or $q$
◮ Choose $p$ and $q$ at random and equally distributed (but not too close: $0.5 < |\log_2(p) - \log_2(q)| < 30$ (GISA))
◮ Choose $e$ such that encryption is efficient and secure
◮ Usual values for $e$: $3$, $17$, $65\,537 = 2^{16} + 1$ (often: choose $e$ with $\max\{p, q\} < e < \varphi(n) - 1$)
◮ $e = 3$ is efficient (1 squaring and 1 multiplication modulo $n$)
◮ Example: $n = 253$, $e = 3$, $m = 165$
  Compute $m^2 \bmod n = 154$, then compute $m^3 \bmod n = ((m^2 \bmod n) \cdot m) \bmod n = 154 \cdot 165 \bmod 253 = 110$
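The RSA procedure of slides 15 to 18 carried through on the slides' own numbers ($p = 11$, $q = 23$, $e = 3$) and on the trapdoor example of slide 10 ($p = 5$, $q = 11$), as an added example that is not part of the slides. The square-and-multiply routine returns the table of squarings from slide 17, and the modular inverse uses Python's built-in `pow(e, -1, phi)` instead of Algorithm 2.

```python
# Added example (not from the slides): RSA key generation (slide 15), block
# encryption (slide 16), decryption by square-and-multiply (slide 17) and the
# parameter checks of slide 18, run on the slides' own toy numbers. The modular
# inverse uses Python's built-in pow(e, -1, phi) (3.8+) rather than Algorithm 2.
import math
from typing import List, Tuple

def rsa_keygen(p: int, q: int, e: int) -> Tuple[int, int, int]:
    """Return (n, e, d) for distinct primes p, q and a valid exponent e."""
    if p == q:
        raise ValueError("p and q must be distinct")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or math.gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi and gcd(e, phi) = 1")
    return n, e, pow(e, -1, phi)          # unique d with e*d = 1 mod phi

def square_and_multiply(base: int, exp: int, n: int) -> Tuple[int, List[int]]:
    """base^exp mod n by repeated squaring. Also returns the squarings
    base^(2^i) mod n, i = 0, 1, ..., exactly the table on slide 17."""
    result, power, squarings = 1, base % n, []
    while exp > 0:
        squarings.append(power)
        if exp & 1:                        # bit set: this power of 2 is in exp
            result = (result * power) % n
        power = (power * power) % n
        exp >>= 1
    return result, squarings

def rsa_encrypt(m: int, n: int, e: int) -> int:
    if not 0 <= m < n:
        raise ValueError("plaintext block must be in {0, ..., n-1}")
    return square_and_multiply(m, e, n)[0]

def rsa_decrypt(c: int, n: int, d: int) -> int:
    return square_and_multiply(c, d, n)[0]

def primes_not_too_close(p: int, q: int) -> bool:
    """GISA rule of slide 18: 0.5 < |log2(p) - log2(q)| < 30."""
    return 0.5 < abs(math.log2(p) - math.log2(q)) < 30

if __name__ == "__main__":
    n, e, d = rsa_keygen(11, 23, 3)                  # (253, 3, 147)
    c = rsa_encrypt(165, n, e)                        # 110
    m, squarings = square_and_multiply(c, d, n)       # 165, [110, 209, ..., 121]
    print(n, e, d, c, m, squarings, primes_not_too_close(11, 23))
    print(rsa_keygen(5, 11, 3), rsa_decrypt(23, 55, 27))  # slide 10: d = 27, 12
```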