Lecture 7: Public Key Cryptography (Diffie-Hellman and RSA)

Public Key Cryptography
- Asymmetric cryptography
- Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir-Adleman)
- Two keys: private (SK), public (PK)
- Encryption: with public key; Decryption: with private key
- Digital Signatures: Signing by private key; Verification by public key, i.e., “encrypt” the message digest/hash h(m) with the private key
  - Authorship (authentication)
  - Integrity: similar to MAC
  - Non-repudiation: can’t do with secret key cryptography
- Much slower than conventional cryptography
- Often used together with conventional cryptography, e.g., to encrypt session keys
Public Key Cryptography

Figure (encryption/decryption flow): the encryption algorithm takes plaintext message m and Bob’s public key PK_B and outputs the ciphertext PK_B(m); the decryption algorithm takes the ciphertext and Bob’s private key SK_B and recovers the plaintext: m = SK_B(PK_B(m)).
Key Pre-distribution: Diffie-Hellman
“New Directions in Cryptography”, 1976
System-wide parameters: p large prime, a generator in Z_p^*
Alice’s secret: v, public: y_a = a^v mod p
Bob’s secret: w, public: y_b = a^w mod p
Alice has: y_b = a^w mod p; computes K_ab = (y_b)^v mod p
Bob has: y_a = a^v mod p; computes K_ba = (y_a)^w mod p
Public Key Pre-distribution: Diffie-Hellman
Alice computes K_ab; Bob computes K_ba = K_ab; secure communication with K_ab
Eve knows: p, a, y_a and y_b
Public Key Pre-distribution: Diffie-Hellman
p large prime, a generator in Z_p^*
Diffie-Hellman Problem: Given y_a = a^v mod p and y_b = a^w mod p, FIND a^{vw} mod p
Discrete Log Problem: Given y_a = a^v mod p, FIND v
Public Key Pre-distribution: Diffie-Hellman
p large prime, a generator
Decision DH Problem: Given y_a = a^v mod p and y_b = a^w mod p, distinguish K_ab = a^{vw} mod p from a random number!
- DH Assumption: DH problem is HARD (not P)
- DL Assumption: DL problem is HARD (not P)
- DDH Assumption: solving DDH problem is HARD (not P)
Interactive (Public) Key Exchange: Diffie-Hellman
Eve is passive …
Figure (protocol flow):
Alice: choose random v; send y_a = a^v mod p
Bob: choose random w; send y_b = a^w mod p; compute K_ba = (y_a)^w mod p
Alice: compute K_ab = (y_b)^v mod p
Secure communication with K_ab
The Man-in-the-Middle (MitM) Attack
(assume Eve is an active adversary!)
Figure (the same protocol flow as above):
Alice: choose random v; send y_a = a^v mod p
Bob: choose random w; send y_b = a^w mod p; compute K_ba = (y_a)^w mod p
Alice: compute K_ab = (y_b)^v mod p
Secure communication with K_ab
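The exchange above and the passive-Eve view, as an added Python example that is not part of the original slides: p = 23 and generator a = 5 are constructed toy values, and the brute-force discrete log is only feasible because p is tiny, which is exactly what the DL assumption rules out for real parameter sizes.

```python
import secrets

# Constructed toy parameters (not secure sizes): p prime, a a generator of Z_p^*.
P, A = 23, 5

def keygen(p=P, a=A):
    """Pick a private exponent v and publish y = a^v mod p."""
    v = secrets.randbelow(p - 2) + 1          # 1 <= v <= p-2
    return v, pow(a, v, p)

def shared_key(their_public, my_secret, p=P):
    """K_ab = (y_b)^v mod p on Alice's side, K_ba = (y_a)^w mod p on Bob's."""
    return pow(their_public, my_secret, p)

def dh_exchange(p=P, a=A):
    """Run one exchange; return (K_ab, K_ba, everything a passive Eve sees)."""
    v, y_a = keygen(p, a)                      # Alice
    w, y_b = keygen(p, a)                      # Bob
    k_ab = shared_key(y_b, v, p)               # Alice's key
    k_ba = shared_key(y_a, w, p)               # Bob's key
    eve_view = {"p": p, "a": a, "y_a": y_a, "y_b": y_b}
    return k_ab, k_ba, eve_view

def discrete_log(y, a=A, p=P):
    """Brute-force DLP: find v with a^v = y mod p. Feasible only because p
    is tiny; for a 2048-bit p this search is what the DL assumption rules out."""
    for v in range(p - 1):
        if pow(a, v, p) == y:
            return v
    return None

def eve_recovers_key(eve_view):
    """Once the DLP is solved, the key follows from public values alone."""
    v = discrete_log(eve_view["y_a"], eve_view["a"], eve_view["p"])
    return shared_key(eve_view["y_b"], v, eve_view["p"])
```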
RSA (1976-8)
Let n = pq where p, q − large primes; e, d ∈_R Z_n and ed ≡ 1 mod Φ(n), where Φ(n) = (p − 1)(q − 1) = pq − p − q + 1
Secrets: p, q, d
Publics: n, e
Encryption: message m < n, E(x) = y = m^e mod n
Decryption: ciphertext y, D(y) = x' = y^d mod n
Why does it all work?
x ∈ Z_n^*
x^{ed} = x^{1 mod Φ(n)} mod n = x^{c·Φ(n) + 1} mod n = x
But, recall that: g^{Φ(n)} = 1 mod n (Lagrange)
How does it all work?
Example: p = 17, q = 13, n = 221, (p-1)(q-1) = 192 = 3·2^6; pick e = 5, d = 77. Can we pick 16? 9? 27? 185?
x = 5, E(x) = 5^5 = 3125 mod 221 = 31
D(y) = 31^77 = 6.83676142775442000196395599558e+114 mod 221 = 5
Example: p = 5, q = 7, n = 35, (p-1)(q-1) = 24 = 3·2^3; pick e = 11, d = 11
x = 2, E(x) = 2^11 = 2048 mod 35 = 18 = y
y = 18, D(y) = 18^11 = 6.426841007923e+13 mod 35 = 2
Why is it Secure?
Why: n has unique factors p, q. Given p and q, computing (p-1)(q-1) is easy, and then d from ed ≡ 1 mod Φ(n): use the extended Euclidean algorithm!
Conjecture: breaking RSA is polynomially equivalent to factoring n.
Recall that n is very, very large!
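The two worked RSA examples above and the Lagrange check from “Why does it all work?”, as an added Python example (not from the slides): it reproduces the slide’s numbers and answers “Can we pick 16? 9? 27? 185?” by testing gcd(e, Φ(n)) = 1.

```python
from math import gcd

def rsa_keypair(p, q, e):
    """Return (n, e, d) for primes p, q and a chosen public exponent e."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError(f"e={e} is not invertible mod phi(n)={phi}")
    d = pow(e, -1, phi)            # d = e^-1 mod phi(n) (extended Euclid; Python >= 3.8)
    return p * q, e, d

def valid_exponent(e, phi):
    """The slide's question 'Can we pick 16? 9? 27? 185?': e needs gcd(e, phi(n)) = 1."""
    return gcd(e, phi) == 1

def encrypt(m, n, e):
    """E(m) = m^e mod n; the message must be smaller than n."""
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(y, n, d):
    """D(y) = y^d mod n."""
    return pow(y, d, n)

def lagrange_holds(n, phi):
    """'Why does it all work': x^phi(n) = 1 mod n for every x in Z_n^* (Lagrange)."""
    return all(pow(x, phi, n) == 1 for x in range(1, n) if gcd(x, n) == 1)
```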
Exponentiation Costs
- Integer multiplication -- O(b^2) where b is the bit size of base m
- Modular reduction -- O(b^2)
- Thus, modular multiplication -- O(b^2)
- Modular exponentiation -- m^e mod n
- Naïve method: e-1 modular products -- O(b^2 · e)
- BUT what if e is large, (almost) as large as n?
- Let L = |e| (e.g., L = 1024 for a 1024-bit RSA exponent)
- We can assume b and L are close
- Square-and-multiply method works in O(b^3) time … O(b^2 · 2L)
Square-and-Multiply
goal: compute m^e mod n (e[i] is the i-th bit of e, e[l-1] the most significant)
    temp = 1;
    l = sizeof(n);                 /* bit length; e is at most as long as n */
    for (i = l - 1; i >= 0; i--) {
        temp = temp * temp % n;    /* square once per bit */
        if (e[i])
            temp = temp * m % n;   /* multiply only where the bit is 1 */
    }
- Example 1: e=100
- Example 2: e=10000000
- Example 3: e=11111111
From left to right in e
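The left-to-right square-and-multiply loop above, as an added Python example (not the slide’s code), instrumented to count operations: every bit of e costs one squaring and every 1-bit one extra multiplication, so at most 2L modular products. Examples 2 and 3 are read here as bit strings (an assumption); the base and modulus used in cost() are constructed and do not affect the counts.

```python
def square_and_multiply(m, e, n):
    """Left-to-right square-and-multiply for m^e mod n.
    Returns (result, number of squarings, number of multiplications)."""
    bits = bin(e)[2:]                      # e as bits, most significant first
    temp, squarings, multiplies = 1, 0, 0
    for bit in bits:
        temp = temp * temp % n             # square once per bit of e
        squarings += 1
        if bit == "1":
            temp = temp * m % n            # multiply only where the bit is 1
            multiplies += 1
    return temp, squarings, multiplies

def cost(e_bits):
    """Operation counts for an exponent written as a bit string, e.g. '10000000'.
    The constructed base 3 and modulus 1009 play no role in the counts."""
    _, s, mu = square_and_multiply(3, int(e_bits, 2), 1009)
    return s, mu
```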
Speeding up RSA Decryption
C - RSA ciphertext
Let d_p = d mod (p − 1), d_q = d mod (q − 1)
compute: M_p = C^{d_p} mod p and M_q = C^{d_q} mod q
and solve: M = M_p mod p, M = M_q mod q
M = [M_p · q · (q^{−1} mod p) + M_q · p · (p^{−1} mod q)] mod pq
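The CRT decryption above, as an added Python example that is not from the slides: it recombines M_p and M_q with the slide’s formula and checks the result against plain y^d mod n, using the slide’s (p, q, d) = (17, 13, 77) and a constructed toy key p = 61, q = 53, e = 17, d = 2753.

```python
def crt_decrypt(c, p, q, d):
    """RSA decryption via CRT, as on the slide: two half-size exponentiations,
    then M = [M_p*q*(q^-1 mod p) + M_q*p*(p^-1 mod q)] mod pq."""
    d_p, d_q = d % (p - 1), d % (q - 1)
    m_p = pow(c, d_p, p)
    m_q = pow(c, d_q, q)
    q_inv_p = pow(q, -1, p)         # q^-1 mod p
    p_inv_q = pow(p, -1, q)         # p^-1 mod q
    return (m_p * q * q_inv_p + m_q * p * p_inv_q) % (p * q)

def exponent_sizes(d, p, q):
    """Bit lengths of d versus d_p and d_q: the source of the speed-up."""
    return d.bit_length(), (d % (p - 1)).bit_length(), (d % (q - 1)).bit_length()
```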
More on RSA
- Modulus n is unique per user → cannot share n
- What happens if Alice and Bob share the same modulus?
  - Alice has (e’, d’, n) and Bob – (e”, d”, n)
  - Alice wants to compute d” (Bob’s private key)
  - She knows that: e’ · d’ = 1 mod phi(n)
  - So: e’ · d’ = k · phi(n) + 1 and: e’ · d’ − 1 = k · phi(n)
  - Alice just needs to compute the inverse of e” mod X
    - where X = e’ · d’ − 1 = k · phi(n)
    - let’s call this inverse d”’
    - and remember that: d”’ · e” = k’ · k · phi(n) + 1
    - can we be sure that: d”’ = d” ?
  - Is it possible that e” has no inverse mod X?
    - Yes, if e” = phi(n) or gcd(e”, k) > 1, but this is very, very UNLIKELY!
  - For all decryption purposes, d”’ is EQUIVALENT to d”
  - Suppose Eve encrypted for Bob: C = m^{e”} mod n
  - Alice computes: C^{d”’} mod n = m^{e”·d”’} mod n = m^{k’·k·phi(n) + 1} mod n = m
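The shared-modulus argument above, as an added Python example (not from the slides) on the slide’s toy modulus n = 221: it derives d”’ from Alice’s own (e’, d’) and Bob’s public e”, shows that d”’ need not equal d” yet still decrypts, and covers the non-invertible case (e” = phi(n)). The reason a modulus must never be shared.

```python
from math import gcd

def equivalent_exponent(e1, d1, e2):
    """Alice knows her own (e', d') on the shared n and Bob's public e''.
    X = e'd' - 1 = k*phi(n); d''' = (e'')^-1 mod X, or None if it does not exist."""
    X = e1 * d1 - 1
    if gcd(e2, X) != 1:
        return None                       # the 'very, very UNLIKELY' case
    return pow(e2, -1, X)

def shared_modulus_check(p, q, e1, e2, m):
    """Toy setup with a shared modulus. Returns (d''' == d'', C^d''' mod n == m)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d1 = pow(e1, -1, phi)                 # Alice's private exponent
    d2 = pow(e2, -1, phi)                 # Bob's real private exponent (never given to Alice)
    d3 = equivalent_exponent(e1, d1, e2)  # what Alice derives from public data + her own key
    c = pow(m, e2, n)                     # Eve's ciphertext for Bob
    return d3 == d2, pow(c, d3, n) == m
```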
Lecture 8: Public Key Cryptography: Encryption + Signatures
El Gamal PK Cryptosystem (83)
p large prime; b base, primitive element, generator; x private exponent; y public residue; y ≡ b^x mod p
P = Z_p^*, C = Z_p^* × Z_p^*
publics: p, b, y; secrets: x
Encryption:
1. generate random r ∈ Z_{p−1}
2. compute k = b^r mod p
3. compute: c = m·y^r mod p = m·b^{xr} mod p
4. ciphertext = {k, c}
Decryption:
1. compute k^x mod p = b^{rx} mod p
2. compute (k^x)^{−1} mod p
3. m' = c·(k^x)^{−1} mod p = m·b^{xr}·b^{−xr} mod p = m
El Gamal (Example)
p = 13, b = 2, x = 9, y = 2^9 mod 13 = 5
Encryption: m = 11, r = 10; k = 2^10 mod 13 = 10; c = 11·5^10 mod 13 = 2; ciphertext = {10, 2}
Decryption: 10^9 mod 13 = 12; 12^{−1} mod 13 = 12; m' = 2·12 = 24 mod 13 = 11
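The El Gamal cryptosystem and the p = 13 example above, as an added Python example that is not from the slides: it reproduces the slide’s values when r = 10 is fixed, and with a fresh random r shows the scheme is randomized (same m, different ciphertexts) while still decrypting correctly.

```python
import secrets

def elgamal_public(p, b, x):
    """y = b^x mod p."""
    return pow(b, x, p)

def elgamal_encrypt(m, p, b, y, r=None):
    """Ciphertext {k, c} with k = b^r mod p, c = m*y^r mod p; r fresh and random."""
    if r is None:
        r = secrets.randbelow(p - 2) + 1          # 1 <= r <= p-2
    k = pow(b, r, p)
    c = m * pow(y, r, p) % p
    return k, c

def elgamal_decrypt(k, c, p, x):
    """m' = c * (k^x)^-1 mod p."""
    s = pow(k, x, p)                              # k^x = b^{rx} mod p
    return c * pow(s, -1, p) % p

def roundtrip_all(p, b, x):
    """Decrypt(Encrypt(m)) == m for every m in Z_p^*, with a fresh r each time."""
    y = elgamal_public(p, b, x)
    return all(elgamal_decrypt(*elgamal_encrypt(m, p, b, y), p, x) == m for m in range(1, p))

def ciphertexts_differ(m, p, b, y, trials=20):
    """The scheme is randomized: the same m encrypts to different {k, c} values."""
    return len({elgamal_encrypt(m, p, b, y) for _ in range(trials)}) > 1
```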
Digital Signatures
I did not have intimate relations with that woman, …, Ms. Lewinsky
- Integrity
- Authentication
- Non-Repudiation
- Time-Stamping
- Causality
- Authorization
If you like your current health insurance plan, you can keep it!
Digital Signatures
A signature scheme: (P, A, K, Sign, Verify)
P - plaintext (msgs)
A - signatures
K - keys
Sign - signing function: (P × K) → A
Verify - verification function: (P × A × K) → {0,1}
Usually the message hash (rather than the message itself) is signed
RSA Signature Scheme
Let n = pq where p and q are two (large) primes, and ed ≡ 1 mod Φ(n), e ∈ Z_{Φ(n)}^*, Φ(n) = (p − 1)(q − 1)
Secrets: p, q, d
Publics: n, e
Signing: message m, Sign(m) = y = m^d mod n
Verification: signature y, Verify(m, y): check m = y^e mod n ???
Use the fact that, in RSA, encryption reverses “decryption”
RSA Signature Scheme (contd)
- The Good:
  - Verification can be cheap (like RSA encryption)
  - Mechanically the same as the RSA decryption function
  - Security based on RSA encryption
  - Signing is harder, but #verify-s > 1 …
  - Deterministic
- The Bad:
  - Recall that RSA is malleable: signatures can be “massaged”
  - Phony “random” signatures:
    - compute Y = RSA(e, X) = X^e mod n
    - X is a signature of Y because Y^d = X mod n
- The Ugly:
  - Signing requires integrity!
  - How to sign multiple blocks?
  - Deterministic – needs additional randomization!
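The RSA signature scheme and its “Bad” points above, as an added Python example that is not from the slides: raw (“textbook”) RSA accepts the phony signature X for Y = X^e mod n and the product of two signatures for the product of their messages, which is why a hash of the message (here SHA-256, an assumption; real schemes also add padding) is what gets signed. The key n = 3233, e = 17, d = 2753 is a constructed toy key.

```python
import hashlib

# Constructed toy key: p = 61, q = 53, n = 3233, e = 17, d = 2753 (ed = 1 mod 3120). Not secure.
N, E, D = 3233, 17, 2753

def rsa_sign(m, n=N, d=D):
    """Sign(m) = m^d mod n, mechanically RSA 'decryption'."""
    return pow(m, d, n)

def rsa_verify(m, y, n=N, e=E):
    """Verify(m, y): m == y^e mod n, mechanically RSA 'encryption'."""
    return pow(y, e, n) == m % n

def phony_signature(x, n=N, e=E):
    """The slide's 'phony random signature': any X verifies as a signature of Y = X^e mod n."""
    return pow(x, e, n), x

def massaged_signature(m1, y1, m2, y2, n=N):
    """Malleability: sig(m1)*sig(m2) mod n verifies as a signature of m1*m2 mod n."""
    return m1 * m2 % n, y1 * y2 % n

def h(msg, n=N):
    """Hash-then-sign: the signed value is a digest of the message, not the message."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign_hashed(msg, n=N, d=D):
    return rsa_sign(h(msg, n), n, d)

def verify_hashed(msg, y, n=N, e=E):
    """A phony (Y, X) pair is useless here: the forger would need a message whose hash is Y."""
    return rsa_verify(h(msg, n), y, n, e)
```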
El Gamal Signature Scheme
p large prime; b base, generator; x private exponent; y public residue; y ≡ b^x mod p
P = Z_p^*, A = Z_p^* × Z_{p−1}
publics: p, b, y; secrets: x
Signing:
1. generate random r ∈ Z_{p−1}^*
2. compute k = b^r mod p
3. compute: c = (m − x·k)·r^{−1} mod (p − 1)
4. signature = {k, c}
Verifying: y^k · k^c mod p = b^m mod p ???
notice that: y^k · k^c = b^{xk} · (b^r)^{(m − xk)/r} = b^{xk + (m − xk)} = b^m
El Gamal PK Cryptosystem / El Gamal Signature Scheme (side by side)
Both schemes share the same setup (p large prime; b base, generator; x private exponent; y ≡ b^x mod p public residue; publics p, b, y; secrets x). Encryption and decryption are as given under “El Gamal PK Cryptosystem (83)” above; signing and verifying are as given under “El Gamal Signature Scheme” above.
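The El Gamal signature scheme above, as an added Python example (not from the slides): p = 23, b = 5, x = 3 (so y = 10) are constructed toy values; r = 7 is fixed once to make the numbers reproducible, otherwise r is fresh from Z_{p−1}^*. The last function is a defensive check on published signatures: a repeated k betrays a reused randomizer.

```python
import secrets
from math import gcd

def fresh_r(p):
    """Random r in Z_{p-1}^*: 1 <= r < p-1 and gcd(r, p-1) = 1, so r^-1 mod (p-1) exists."""
    while True:
        r = secrets.randbelow(p - 2) + 1
        if gcd(r, p - 1) == 1:
            return r

def elgamal_sign(m, p, b, x, r=None):
    """Signature {k, c}: k = b^r mod p, c = (m - x*k) * r^-1 mod (p-1)."""
    if r is None:
        r = fresh_r(p)
    k = pow(b, r, p)
    c = (m - x * k) * pow(r, -1, p - 1) % (p - 1)
    return k, c

def elgamal_verify(m, k, c, p, b, y):
    """Accept iff y^k * k^c = b^m (mod p)."""
    if not 0 < k < p:
        return False
    return pow(y, k, p) * pow(k, c, p) % p == pow(b, m, p)

def reused_randomizer(signatures):
    """Check on published {k, c} pairs: a repeated k means the same r was
    used for two messages (the slide's 'randomizers cannot be reused')."""
    ks = [k for k, _ in signatures]
    return len(ks) != len(set(ks))
```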
El Gamal Signature Scheme (contd)
The good:
- Signing is cheap(er)
- Designed as a signature function
- Non-deterministic (randomized)
The bad:
- Need a GOOD source of random numbers
- Randomizers cannot be revealed (trace)
- Randomizers cannot be reused
The Digital Signature Standard (DSS)
- Why DSS?
  - RSA issues: patents, malleability, etc.
- A variant of El Gamal
- Originally for |p| = 512 bits, now up to 1024
- Optimized for signature size (320- vs. 1024-bit)
- Signing - 1 exp, verification - 2 exps
- No attacks thus far
DSS (contd)
p − 512-bit prime
q − 160-bit prime, (p − 1) % q = 0
b − base, b^q ≡ 1 mod p (b = δ^{(p−1)/q})
x − private exponent
y − public residue; y ≡ b^x mod p
P = Z_p^*, A = Z_q × Z_q
publics: p, q, b, y; secrets: x
Signing:
1. generate random r ∈ Z_{q−1}^*
2. compute: k = (b^r mod p) mod q
3. compute: c = (m + x·k)·r^{−1} mod q
4. signature = {k, c}
Verifying: (b^{m·c^{−1}} · y^{k·c^{−1}} mod p) mod q = (b^r mod p) mod q = k ???
notice that: b^{m·c^{−1}} · y^{k·c^{−1}} = b^{m·r/(m + xk)} · (b^x)^{k·r/(m + xk)} = b^{(m·r + x·k·r)/(m + xk)} = b^r
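The DSS signing and verifying steps above, as an added Python example (not from the slides), on constructed toy parameters q = 11, p = 23 and b = 2^{(p−1)/q} mod p = 4. Two assumptions: r is drawn from 1..q−1 so that r^{−1} mod q exists, and a round that yields k = 0 or c = 0 is discarded and retried, since then c^{−1} is undefined or k carries no information.

```python
import secrets

# Constructed toy parameters: q = 11 divides p - 1 = 22; b = delta^((p-1)/q) mod p with delta = 2.
P, Q = 23, 11
B = pow(2, (P - 1) // Q, P)          # b = 4, and b^q = 1 mod p

def dss_public(x, p=P, b=B):
    return pow(b, x, p)              # y = b^x mod p

def dss_sign(m, x, r=None, p=P, q=Q, b=B):
    """signature = {k, c}; k = (b^r mod p) mod q, c = (m + x*k) * r^-1 mod q.
    r is drawn from 1..q-1 (assumption) so that r^-1 mod q exists; a round
    giving k = 0 or c = 0 is discarded and a fresh r is drawn."""
    while True:
        rr = r if r is not None else secrets.randbelow(q - 1) + 1
        k = pow(b, rr, p) % q
        c = (m + x * k) * pow(rr, -1, q) % q
        if k != 0 and c != 0:
            return k, c
        if r is not None:
            raise ValueError("fixed r gives k = 0 or c = 0; choose another r")

def dss_verify(m, k, c, y, p=P, q=Q, b=B):
    """Accept iff (b^(m*c^-1) * y^(k*c^-1) mod p) mod q = k; exponents are reduced
    mod q, which is valid because b has order q mod p."""
    if not (0 < k < q and 0 < c < q):
        return False
    w = pow(c, -1, q)
    v = pow(b, m * w % q, p) * pow(y, k * w % q, p) % p
    return v % q == k
```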
Identification
- Public key cryptography can also be used for IDENTIFICATION
- Identification is an interactive protocol whereby one party, the “prover” (who claims to be, say, Alice), convinces the other party, the “verifier” (Bob), that she is indeed Alice
- Identification can be accomplished with public key digital signatures
- However, signatures reveal information …
- Also, signatures are “transferable”, i.e., anyone can verify them
The Cave Analogy of Zero-Knowledge
Figure: a cave with Point A (entry), Point B inside, and a door that is locked on both sides.
(P)rover: claims to have the key
(V)erifier: claustrophobic and afraid of the dark; V cannot follow P into the cave
The Protocol:
1) V asks someone he trusts to check that the door is locked on both sides.
2) P goes into the maze past point B (heading either right or left)
3) V looks into the cave (while standing at point A)
4) V randomly picks right or left
5) V shouts (very loudly!) for P to come out from the picked direction
6) If P doesn’t come out from the picked direction, V knows that P is a liar and the protocol terminates
REPEAT (2)-(6) n TIMES
Fiat-Shamir Identification Scheme
- In Fiat-Shamir, the prover has an RSA modulus n = pq (factorization is secret).
- The factors themselves are not used in the protocol.
- Unlike RSA, a trusted center can generate a global n, used by everyone, as long as nobody knows its factorization. The trusted center can “forget” the factorization after computing n.
Fiat-Shamir Identification Scheme
- Secret Key: Prover (P) chooses a random value 1 < S < n (to serve as the key) such that gcd(S, n) = 1
- Public Key: P computes I = S^2 mod n, publishes (I, n) as his public key.
- Purpose of the protocol: P has to convince the verifier (V) that he knows the secret S corresponding to the public key (I, n), i.e., to prove that he knows a square root of I mod n, without revealing S or any portion thereof
Fiat-Shamir (protocol flow)
Prover (Alice) holds n, I, S; Verifier (Bob) holds n
Alice: pick random R; set x = R^2 mod n; send I, x
Bob: send query = 0 or 1
Alice: reply with R (query = 0) or R·S mod n (query = 1)
Bob: check that R^2 = x mod n (query = 0) or (RS)^2 = xI mod n (query = 1)
Fiat-Shamir Identification Scheme
V wants to authenticate the identity of P, who claims to have a public key I. Thus, V asks P to convince him that P knows the secret key S corresponding to I.
1. P chooses at random 1 < R < n and computes: X = R^2 mod n
2. P sends X to V
3. V randomly requests from P one of two things (0 or 1): (a) R, or (b) RS mod n
4. P sends the requested information
Fiat-Shamir ZK Identification Scheme
5. V checks the correct answer: a) R^2 ?= X (mod n), or b) (R·S)^2 ?= X·I (mod n)
6. If verification fails, V concludes that P does not know S
7. The protocol is repeated t (usually 20, 30, or log n) times, and, if each one succeeds, V concludes that P is the claimed party.
What if Prover knows the challenge ahead of time: Case 0
Prover holds n, I (doesn’t know S); Verifier holds n
Prover: pick random R; set x = R^2 mod n; send I, x
Verifier: query = 0
Prover: reply R
Verifier: check that R^2 = x mod n
What if Prover knows the challenge ahead of time: Case 1
Prover holds n, I (doesn’t know S); Verifier holds n
Prover: pick random R; set x = R^2·I mod n; send I, x = R^2·I
Verifier: query = 1
Prover: reply R·I mod n (instead of: R·S mod n)
Verifier: check that (R·I)^2 = x·I mod n
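The Fiat-Shamir round (steps 1-7) and the two “knows the challenge ahead of time” cases above, as an added Python example that is not from the slides: an honest prover passes every round, while a prover without S passes a round only when its bet on the challenge bit is right, which is why the verifier repeats the round t times. n = 221 (= 17·13) with S = 5, I = 25 are constructed toy values.

```python
import secrets
from math import gcd

def fs_keygen(n):
    """Prover picks 1 < S < n with gcd(S, n) = 1 and publishes I = S^2 mod n."""
    while True:
        s = secrets.randbelow(n - 2) + 2
        if gcd(s, n) == 1:
            return s, pow(s, 2, n)

def honest_prover(n, s):
    """Commit x = R^2 mod n; answer R (query 0) or R*S mod n (query 1)."""
    r = secrets.randbelow(n - 2) + 2
    return pow(r, 2, n), lambda q: r if q == 0 else r * s % n

def cheating_prover(n, i, guess):
    """Knows I but not S, and bets on the challenge (the slide's Case 0 / Case 1)."""
    r = secrets.randbelow(n - 2) + 2
    if guess == 0:
        return pow(r, 2, n), lambda q: r              # x = R^2: can only answer q = 0
    return pow(r, 2, n) * i % n, lambda q: r * i % n  # x = R^2*I: can only answer q = 1

def fs_verify(n, i, x, q, answer):
    """q = 0: R^2 == x mod n;  q = 1: (R*S)^2 == x*I mod n."""
    return pow(answer, 2, n) == (x if q == 0 else x * i % n)

def run_protocol(n, i, prover_factory, rounds, challenges=None):
    """Repeat the round `rounds` times with random (or supplied) challenge bits;
    True only if every round verifies. A cheater passes each round with prob. 1/2."""
    for t in range(rounds):
        x, respond = prover_factory()
        q = secrets.randbelow(2) if challenges is None else challenges[t]
        if not fs_verify(n, i, x, q, respond(q)):
            return False
    return True
```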
Fiat-Shamir Identification Scheme
CLAIM: The protocol does not reveal ANY information about S, or: the protocol is ZERO-KNOWLEDGE
Proof: We show that no information on S is revealed:
- Clearly, when P sends X or R, he does not reveal any information on S.
- When P sends RS mod n:
  - RS mod n is random, since R is random and gcd(S, n) = 1.
  - If an adversary can compute any information on S from I, n, X and RS mod n, he can also compute the same information on S from I and n, since he can choose a random T = R’S mod n and compute: X’ = T^2·I^{−1} = (R’)^2·S^2·I^{−1} = (R’)^2
Security
Clearly, if P knows S, then V is convinced of his identity. If P does not know S, he can either:
1. know R, but not RS mod n. Since he is choosing R, he cannot multiply it by the unknown value S
- r
2. choose RS mod n, and thus can answer the second question: RS mod n. But, in this case, he cannot answer the
first question R, since he needs to divide by the unknown S.
42
Security
- In any case, the adversary cannot answer both questions, since otherwise he can compute S as the ratio between the two answers.
- But, we assumed that computing S is hard, equivalent to factoring n.
- Since P does not know in advance (when choosing R or RS mod n) which question V will ask, he cannot foresee the required choice. He can succeed in guessing V’s question with probability 1/2 for each question.
- The probability that V fails to catch P in all runs is thus: 2^{−t} (e.g., 1 in 1,000,000,000 for t=20)