Lecture 8

Public Key Cryptography (Diffie-Hellman and RSA)

  • Asymmetric cryptography
  • Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir-Adleman)
  • Two keys: private (SK), public (PK)
    – Encryption: with the public key
    – Decryption: with the private key
    – Digital signatures: signing with the private key, verification with the public key, i.e., "encrypt" the message digest/hash $h(m)$ with the private key

  • Authorship (authentication)
  • Integrity: Similar to MAC
  • Non-repudiation: can’t do with secret key cryptography
  • Much slower than conventional cryptography
  • Often used together with conventional cryptography, e.g., to encrypt session keys

Public Key Cryptography

[Figure: public-key encryption. The sender runs the encryption algorithm on plaintext message $m$ under Bob's public key $PK_B$, producing ciphertext $PK_B(m)$; Bob runs the decryption algorithm with his private key $SK_B$ and recovers the plaintext, $m = SK_B(PK_B(m))$.]

Key Pre-distribution: Diffie-Hellman

"New Directions in Cryptography", 1976

System-wide parameters: $p$ a large prime, $a$ a generator of $\mathbb{Z}_p^*$.

  • Alice's secret: $v$; public: $y_a = a^v \bmod p$
  • Bob's secret: $w$; public: $y_b = a^w \bmod p$
  • Alice has: $K_{ab} = (y_b)^v \bmod p = a^{wv} \bmod p$
  • Bob has: $K_{ba} = (y_a)^w \bmod p = a^{vw} \bmod p$

Public Key Pre-distribution: Diffie-Hellman

  • Alice computes $K_{ab}$, Bob computes $K_{ba} = K_{ab}$
  • Secure communication with $K_{ab}$
  • Eve knows: $p$, $a$, $y_a$ and $y_b$

Public Key Pre-distribution: Diffie-Hellman

$p$ a large prime, $a$ a generator of $\mathbb{Z}_p^*$.

  • Diffie-Hellman Problem: given $y_a = a^v \bmod p$ and $y_b = a^w \bmod p$, FIND $a^{vw} \bmod p$
  • Discrete Log Problem: given $y_a = a^v \bmod p$, FIND $v$
  • Decision DH Problem: given $y_a = a^v \bmod p$ and $y_b = a^w \bmod p$, distinguish $K_{ab} = a^{vw} \bmod p$ from a random number!
  • DH Assumption: the DH problem is HARD (no polynomial-time algorithm)
  • DL Assumption: the DL problem is HARD (no polynomial-time algorithm)
  • DDH Assumption: solving the DDH problem is HARD (no polynomial-time algorithm)
  • Solving DL solves DH (compute $v$, then $(y_b)^v$), and solving DH solves DDH (compute $a^{vw}$ and compare); the converses are not known

Interactive (Public) Key Exchange: Diffie-Hellman

Eve is passive ...

  • Alice: choose random $v$, compute $y_a = a^v \bmod p$, send $y_a$ to Bob
  • Bob: choose random $w$, compute $y_b = a^w \bmod p$, send $y_b$ to Alice; compute $K_{ba} = (y_a)^w \bmod p$
  • Alice: compute $K_{ab} = (y_b)^v \bmod p$
  • Secure communication with $K_{ab} = K_{ba} = a^{vw} \bmod p$

The Man-in-the-Middle (MitM) Attack

(assume Eve is an active adversary!)

The exchange is the same as above, but nothing authenticates $y_a$ or $y_b$. Eve intercepts $y_a$ and forwards her own $a^{v'} \bmod p$ to Bob, intercepts $y_b$ and forwards her own $a^{w'} \bmod p$ to Alice. Alice ends up with $K = (a^{w'})^v$, shared with Eve; Bob ends up with $K' = (a^{v'})^w$, also shared with Eve; the two keys differ, and Eve decrypts and re-encrypts every message that passes between them. Neither Alice nor Bob can tell, since each sees a perfectly well-formed exchange.
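The passive exchange and the active substitution above, as an added example that is not part of the lecture (Python). The toy modulus $p = 23$ with generator $5$, and every secret exponent, are assumptions chosen so the values can be checked by hand; the message flow is the lecture's:

```python
# Added example (not part of the lecture): Diffie-Hellman over Z_p^* with a
# passive Eve, then the active man-in-the-middle substitution.
# Toy-sized parameters are an assumption for readability; the flow is the slide's.

def dh_public(p, a, secret):
    """The value sent in the clear: a^secret mod p."""
    return pow(a, secret, p)

def dh_shared(p, peer_public, secret):
    """The agreed key: (peer's public value)^(own secret) mod p."""
    return pow(peer_public, secret, p)

def honest_exchange(p, a, v, w):
    """Alice (secret v) and Bob (secret w) run the exchange; Eve only listens.
    Returns (y_a, y_b, K_ab, K_ba); Eve sees p, a, y_a, y_b but neither key."""
    y_a = dh_public(p, a, v)          # Alice -> Bob
    y_b = dh_public(p, a, w)          # Bob -> Alice
    k_ab = dh_shared(p, y_b, v)       # Alice: (y_b)^v = a^(wv)
    k_ba = dh_shared(p, y_a, w)       # Bob:   (y_a)^w = a^(vw)
    return y_a, y_b, k_ab, k_ba

def mitm_exchange(p, a, v, w, v_eve, w_eve):
    """Active Eve intercepts both messages and substitutes her own values.
    Returns (Alice's key, Bob's key, Eve's key with Alice, Eve's key with Bob)."""
    y_a = dh_public(p, a, v)          # Alice -> (Eve); never reaches Bob
    y_b = dh_public(p, a, w)          # Bob -> (Eve); never reaches Alice
    to_bob = dh_public(p, a, v_eve)   # Eve -> Bob, posing as Alice
    to_alice = dh_public(p, a, w_eve) # Eve -> Alice, posing as Bob
    k_alice = dh_shared(p, to_alice, v)      # Alice believes this is K_ab
    k_bob = dh_shared(p, to_bob, w)          # Bob believes this is K_ba
    k_eve_alice = dh_shared(p, y_a, w_eve)   # = a^(v * w_eve) = k_alice
    k_eve_bob = dh_shared(p, y_b, v_eve)     # = a^(w * v_eve) = k_bob
    return k_alice, k_bob, k_eve_alice, k_eve_bob

if __name__ == "__main__":
    p, a = 23, 5            # 5 generates Z_23^* (toy parameters, an assumption)
    v, w = 6, 15
    print("honest:", honest_exchange(p, a, v, w))
    print("mitm:  ", mitm_exchange(p, a, v, w, 3, 7))
```

Both calls use the same `dh_public`/`dh_shared` code: the attack needs no weakness in the arithmetic, only the absence of any binding between $y_a$, $y_b$ and the parties who claim to have sent them, which is why deployed protocols sign or otherwise authenticate the exchanged values.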

RSA (1976-8)

Let $n = pq$ where $p, q$ are large primes; $e, d \in \mathbb{Z}_n$ ($e$ chosen at random) with $ed \equiv 1 \pmod{\Phi(n)}$, where $\Phi(n) = (p-1)(q-1) = pq - p - q + 1$.
Secrets: $p, q, d$. Publics: $n, e$.
Encryption: message $m < n$, $E(m) = y = m^e \bmod n$.
Decryption: ciphertext $y$, $D(y) = x' = y^d \bmod n$.

Why does it all work?

For $x \in \mathbb{Z}_n^*$: $x^{ed} = x^{1 \bmod \Phi(n)} \bmod n = x^{c\Phi(n) + 1} \bmod n = x$.
But, recall that $g^{\Phi(n)} = 1 \bmod n$ for every $g \in \mathbb{Z}_n^*$ (Lagrange), so $x^{c\Phi(n)+1} = (x^{\Phi(n)})^c \cdot x = x \bmod n$.

How does it all work?

Example: $p = 17$, $q = 13$, $n = 221$, $(p-1)(q-1) = 192 = 3 \cdot 2^6$; pick $e = 5$, $d = 77$ ($5 \cdot 77 = 385 = 2 \cdot 192 + 1$).
Can we pick $e = 16$? $9$? $27$? $185$? Only $185 = 5 \cdot 37$: $e$ must be invertible mod $192$, and $16$, $9$ and $27$ each share a factor with $192$.
$x = 5$: $E(x) = 5^5 = 3125 \bmod 221 = 31$. $D(y) = 31^{77} \bmod 221$ ($31^{77} \approx 6.84 \cdot 10^{114}$) $= 5$.

Example: $p = 5$, $q = 7$, $n = 35$, $(p-1)(q-1) = 24 = 3 \cdot 2^3$; pick $e = 11$, $d = 11$ ($11 \cdot 11 = 121 = 5 \cdot 24 + 1$).
$x = 2$: $E(x) = 2^{11} = 2048 \bmod 35 = 18 = y$. $D(y) = 18^{11} \bmod 35$ ($18^{11} \approx 6.43 \cdot 10^{13}$) $= 2$.
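The two worked examples, the exponent check and the Lagrange step of "why it works", as an added example that is not part of the lecture (Python, using only the lecture's parameters):

```python
# Added example (not part of the lecture): textbook RSA with the lecture's small
# parameters, including the check for which public exponents are usable at all
# (e must be invertible mod Phi(n)) and the x^Phi(n) = 1 step behind correctness.
from math import gcd

def rsa_keygen(p, q, e):
    """Return (n, e, d) for primes p, q and public exponent e; raise if e is unusable."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError(f"e={e} has no inverse modulo Phi(n)={phi}")
    d = pow(e, -1, phi)      # extended Euclid, built into pow() since Python 3.8
    assert (e * d) % phi == 1
    return n, e, d

def rsa_encrypt(m, n, e):
    """E(m) = m^e mod n for 0 <= m < n."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)

def rsa_decrypt(y, n, d):
    """D(y) = y^d mod n."""
    return pow(y, d, n)

def usable_exponents(p, q, candidates):
    """Map each candidate e to whether gcd(e, (p-1)(q-1)) == 1."""
    phi = (p - 1) * (q - 1)
    return {e: gcd(e, phi) == 1 for e in candidates}

def euler_holds_for_all_units(p, q):
    """The 'why it works' step: x^Phi(n) = 1 mod n for every x coprime to n."""
    n, phi = p * q, (p - 1) * (q - 1)
    return all(pow(x, phi, n) == 1 for x in range(1, n) if gcd(x, n) == 1)

if __name__ == "__main__":
    n, e, d = rsa_keygen(17, 13, 5)
    y = rsa_encrypt(5, n, e)
    print(n, e, d, y, rsa_decrypt(y, n, d))            # 221 5 77 31 5
    print(usable_exponents(17, 13, [16, 9, 27, 185]))  # only 185 is usable
    print(euler_holds_for_all_units(17, 13))           # True
```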

Why is it Secure?

  • $n$ has a unique factorization $n = pq$
  • Given $p$ and $q$, computing $\Phi(n) = (p-1)(q-1)$ is easy, and $d$ with $ed \equiv 1 \pmod{\Phi(n)}$ then follows from the extended Euclidean algorithm
  • Computing $\Phi(n)$ from $n$ alone is as hard as factoring $n$ (from $n$ and $\Phi(n)$, $p$ and $q$ are the roots of $z^2 - (n - \Phi(n) + 1)z + n$)
  • Conjecture: breaking RSA is polynomially equivalent to factoring $n$
  • Recall that $n$ is very, very large!

Exponentiation Costs

  • Integer multiplication -- O(b2) where b is bit-size of the base
  • Modular reduction -- O(b2)
  • Thus, modular multiplication -- O(b2)
  • Modular exponentiation (as in RSA) -- me mod n
  • Naïve method: e-1 modular products -- O(b2*e)
  • BUT what if e is large, (almost) as large as n?
  • Let L= |e| (e.g., l=1024 for 1024-bit RSA exponent)
  • We can assume b and l are very close, almost the same
  • Square-and-multiply method works in O(b3) time … O(b2*2l)
slide-8
SLIDE 8

8

15

Square-and-Multiply

} } n; temp% m temp { e[i] if n % temp temp temp* { i i 1 l i for 1 temp n sizeof l = = = =

  • >=
  • =

= =

  • ;

* ) ( ; ; ) ; ; ( ; ); ( n mod m compute : goal

e

  • Example 1: e=100
  • Example 2: e=10000000
  • Example 3: e=11111111

From left to right in e
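The loop above, instrumented to count modular products and compared with the naive method, as an added example that is not part of the lecture (Python). The three bit patterns are the slide's examples read as binary; the base and modulus used for the cost table are arbitrary (an assumption):

```python
# Added example (not part of the lecture): the left-to-right square-and-multiply
# loop from the slide, instrumented to count modular products, beside the naive
# e-1 product method.

def square_and_multiply(m, e, n):
    """Return (m^e mod n, squarings, multiplications), scanning e's bits MSB first."""
    temp = 1
    squarings = multiplications = 0
    for bit in bin(e)[2:]:                 # most significant bit first
        temp = temp * temp % n             # square once per bit
        squarings += 1
        if bit == "1":
            temp = temp * m % n            # multiply once per 1 bit
            multiplications += 1
    return temp, squarings, multiplications

def naive_modexp(m, e, n):
    """Return (m^e mod n, multiplications) using e-1 modular products."""
    if e == 0:
        return 1 % n, 0
    result = m % n
    for _ in range(e - 1):
        result = result * m % n
    return result, e - 1

def cost_table(patterns, m=3, n=1009):
    """(squarings, multiplications) for each binary exponent pattern."""
    return {pattern: square_and_multiply(m, int(pattern, 2), n)[1:] for pattern in patterns}

if __name__ == "__main__":
    print(square_and_multiply(31, 77, 221))             # 31^77 mod 221 = 5, from the RSA example
    print(cost_table(["100", "10000000", "11111111"]))  # {'100': (3, 1), '10000000': (8, 1), '11111111': (8, 8)}
```

The counts show why a public exponent such as $65537 = 2^{16} + 1$ makes RSA encryption and signature verification cheap (17 squarings, 2 multiplications), and also why this loop must not be used as-is with a secret exponent: the number of multiplications, and therefore the running time, depends on the bits of $e$, which is the timing side channel that constant-time implementations are built to avoid.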

Speeding up RSA Decryption

Let $C$ be an RSA ciphertext. Let $d_p = d \bmod (p-1)$ and $d_q = d \bmod (q-1)$.
Compute: $M_p = C^{d_p} \bmod p$ and $M_q = C^{d_q} \bmod q$.
Solve (Chinese Remainder Theorem): $M \equiv M_p \pmod p$ and $M \equiv M_q \pmod q$:
$M = [\, M_p \cdot q \cdot (q^{-1} \bmod p) + M_q \cdot p \cdot (p^{-1} \bmod q) \,] \bmod pq$
Two exponentiations with half-size exponents and half-size moduli cost about $2 \cdot (b/2)^3 = b^3/4$, a quarter of one full-size exponentiation.
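The CRT recombination above, checked against plain decryption on the lecture's parameters, as an added example that is not part of the lecture (Python). The re-encryption check in `rsa_decrypt_crt_checked` goes beyond the slide: it is the standard guard against a faulty half-computation, which would otherwise let an attacker factor $n$ from the bad output:

```python
# Added example (not part of the lecture): RSA decryption via the Chinese
# Remainder Theorem exactly as on the slide, checked against plain decryption.

def rsa_decrypt_crt(c, p, q, d):
    """M = C^d mod pq from two half-size exponentiations, one mod p and one mod q."""
    d_p = d % (p - 1)                 # d mod (p-1)
    d_q = d % (q - 1)                 # d mod (q-1)
    m_p = pow(c, d_p, p)              # M_p = C^{d_p} mod p
    m_q = pow(c, d_q, q)              # M_q = C^{d_q} mod q
    q_inv_p = pow(q, -1, p)           # q^{-1} mod p
    p_inv_q = pow(p, -1, q)           # p^{-1} mod q
    # CRT recombination from the slide
    return (m_p * q * q_inv_p + m_q * p * p_inv_q) % (p * q)

def rsa_decrypt_crt_checked(c, p, q, d, e):
    """Recombine, then re-encrypt with the public exponent before releasing the
    result; a fault in one half would otherwise produce an M that is correct
    mod one prime only, and gcd(M^e - C, n) would reveal that prime."""
    m = rsa_decrypt_crt(c, p, q, d)
    if pow(m, e, p * q) != c:
        raise RuntimeError("CRT result does not re-encrypt to the ciphertext")
    return m

def crt_matches_plain(p, q, d):
    """Exhaustively compare CRT and plain decryption for every ciphertext mod pq."""
    n = p * q
    return all(rsa_decrypt_crt(c, p, q, d) == pow(c, d, n) for c in range(n))

if __name__ == "__main__":
    print(rsa_decrypt_crt(31, 17, 13, 77))      # 5, as in the lecture's example
    print(rsa_decrypt_crt(18, 5, 7, 11))        # 2
    print(crt_matches_plain(17, 13, 77))        # True
```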

More on RSA

  • Modulus $n$ is unique per user
    – 2 or more parties cannot share the same $n$
  • What happens if Alice and Bob share the same modulus?
    – Alice has $(e', d', n)$ and Bob has $(e'', d'', n)$
    – Alice wants to compute $d''$ (Bob's private key)
    – She knows that $e' d' \equiv 1 \pmod{\phi(n)}$
    – So $e' d' = k \phi(n) + 1$, and $e' d' - 1 = k \phi(n)$
    – Alice just needs to compute the inverse of $e''$ mod $X$, where $X = e' d' - 1 = k \phi(n)$
    – Call this inverse $d'''$, and remember that $d''' e'' = k' X + 1 = k' k \phi(n) + 1$
    – Can we be sure that $d''' = d''$? Not necessarily ($d'''$ is reduced mod $X$, not mod $\phi(n)$), but for all decryption purposes $d'''$ is EQUIVALENT to $d''$
    – Is it possible that $e''$ has no inverse mod $X$? Yes, if $\gcd(e'', k) > 1$ (a valid $e''$ is coprime to $\phi(n)$, so it can only share a factor with $k$); this is unlikely, and harmless in any case: dividing the common factors out of $X$ leaves a smaller multiple of $\phi(n)$ modulo which $e''$ is invertible
    – Suppose Eve encrypted for Bob: $C = m^{e''} \bmod n$
    – Alice computes: $C^{d'''} \bmod n = m^{e'' d'''} \bmod n = m^{k' k \phi(n) + 1} \bmod n = m$
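The common-modulus attack above, including the $\gcd(e'', k) > 1$ case, as an added example that is not part of the lecture (Python, on the lecture's $n = 221$; the second key pair with $e' = 185$ is an assumption chosen so that $k$ shares a factor with Bob's $e'' = 11$):

```python
# Added example (not part of the lecture): the common-modulus attack from the
# slide. Alice, holding (e', d') for n, derives an exponent equivalent to Bob's
# d'' from his public e'' alone, including the case where e'' shares a factor
# with k = (e'd' - 1) / phi(n).
from math import gcd

def equivalent_private_exponent(e1, d1, e2):
    """Given one key pair (e1, d1) for modulus n and a second public exponent e2
    for the same n, return d3 with e2 * d3 = 1 mod (some multiple of phi(n))."""
    x = e1 * d1 - 1                   # = k * phi(n); Alice can compute this
    # gcd(e2, phi(n)) == 1 for any valid e2, so a factor shared with x lies in k:
    # dividing it out keeps x a multiple of phi(n)
    g = gcd(e2, x)
    while g != 1:
        x //= g
        g = gcd(e2, x)
    return pow(e2, -1, x)

def attack_works(p, q, e1, e2, m):
    """Alice (public exponent e1) recovers Bob's plaintext m from a ciphertext under (e2, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d1 = pow(e1, -1, phi)             # Alice's own private exponent
    d3 = equivalent_private_exponent(e1, d1, e2)
    c = pow(m, e2, n)                 # Eve encrypts for Bob
    return pow(c, d3, n) == m

if __name__ == "__main__":
    print(equivalent_private_exponent(5, 77, 11))   # 35 == Bob's real d'' for e'' = 11, n = 221
    print(attack_works(17, 13, 185, 11, 42))        # True; here e'd' - 1 = 132 * 192 and gcd(11, 132) = 11
```

For $(e', d') = (5, 77)$ the derived exponent equals Bob's actual $d''$; for $(e', d') = (185, 137)$ it is $419 = d'' + 2 \cdot 192$, a different number that decrypts identically, which is the "EQUIVALENT, not necessarily equal" point of the slide.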

Lecture 9

Public Key Cryptography: Encryption + Signatures

El Gamal PK Cryptosystem ('83)

$p$ - large prime; $b$ - base, a primitive element (generator) of $\mathbb{Z}_p^*$; $x$ - private exponent; $y$ - public residue, $y \equiv b^x \pmod p$
$P = \mathbb{Z}_p^*$, $C = \mathbb{Z}_p^* \times \mathbb{Z}_p^*$
publics: $p, b, y$; secrets: $x$

Encryption:
  1. generate random $r \in \mathbb{Z}_{p-1}$
  2. compute $k = b^r \bmod p$
  3. compute $c = m y^r \bmod p = m b^{xr} \bmod p$
  4. ciphertext $= \{k, c\}$

Decryption:
  1. compute $k^x \bmod p = b^{rx} \bmod p$
  2. compute $(k^x)^{-1} \bmod p$
  3. $m' = c (k^x)^{-1} \bmod p = m b^{xr} b^{-xr} = m$

El Gamal (Example)

$p = 13$, $b = 2$, $x = 9$, $y = 2^9 \bmod 13 = 5$
Encryption: $m = 11$, $r = 10$, $k = 2^{10} \bmod 13 = 10$, $c = 11 \cdot 5^{10} \bmod 13 = 2$, ciphertext $= \{10, 2\}$
Decryption: $10^9 \bmod 13 = 12$, $12^{-1} \bmod 13 = 12$, $2 \cdot 12 = 24 \equiv 11 \pmod{13}$
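ElGamal encryption and decryption as defined above, reproducing the $p = 13$ worked example and showing the effect of a fresh randomizer, as an added example that is not part of the lecture (Python; the second parameter set $p = 467$, $b = 2$, $x = 127$ is an assumption, large enough that repeated encryptions of one message essentially never coincide):

```python
# Added example (not part of the lecture): ElGamal encryption and decryption as
# on the slide, with the p = 13 worked example and a fresh random r per message.
import secrets

def elgamal_keygen(p, b, x):
    """Public key (p, b, y = b^x mod p) and private exponent x."""
    return (p, b, pow(b, x, p)), x

def elgamal_encrypt(pub, m, r=None):
    """Ciphertext {k, c} = {b^r mod p, m * y^r mod p}; r is drawn fresh if not given."""
    p, b, y = pub
    if not 0 < m < p:
        raise ValueError("message must lie in Z_p^*")
    if r is None:
        r = secrets.randbelow(p - 2) + 1          # 1 <= r <= p-2
    k = pow(b, r, p)
    c = m * pow(y, r, p) % p
    return k, c

def elgamal_decrypt(pub, x, ciphertext):
    """m' = c * (k^x)^{-1} mod p."""
    p, _, _ = pub
    k, c = ciphertext
    s = pow(k, x, p)                     # k^x = b^{rx}
    return c * pow(s, -1, p) % p         # cancels y^r = b^{xr}

def roundtrip_ok(pub, x, m, trials=8):
    """Every fresh-r encryption of m decrypts back to m."""
    return all(elgamal_decrypt(pub, x, elgamal_encrypt(pub, m)) == m for _ in range(trials))

def randomized_ciphertexts_differ(pub, m, trials=8):
    """With random r, encryptions of the same message differ (unlike RSA)."""
    return len({elgamal_encrypt(pub, m) for _ in range(trials)}) > 1

if __name__ == "__main__":
    pub, x = elgamal_keygen(13, 2, 9)
    ct = elgamal_encrypt(pub, 11, r=10)
    print(pub, ct, elgamal_decrypt(pub, x, ct))      # (13, 2, 5) (10, 2) 11
```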


Digital Signatures

  • Integrity
  • Authentication
  • Non-Repudiation
  • Time-Stamping
  • Causality
  • Authorization

If you like your current health insurance plan, you can keep it!

Digital Signatures

A signature scheme: $(P, A, K, \mathrm{Sign}, \mathrm{Verify})$
  • $P$ - plaintexts (messages)
  • $A$ - signatures
  • $K$ - keys
  • $\mathrm{Sign}$ - signing function: $P \times K \to A$
  • $\mathrm{Verify}$ - verification function: $P \times A \times K \to \{0, 1\}$

Usually the message hash is signed rather than the message itself.

RSA Signature Scheme

Let $n = pq$ where $p$ and $q$ are two (large) primes, $\Phi(n) = (p-1)(q-1)$, $e \in \mathbb{Z}_{\Phi(n)}^*$ and $d = e^{-1} \bmod \Phi(n)$, i.e., $ed \equiv 1 \pmod{\Phi(n)}$.
Secrets: $p, q, d$. Publics: $n, e$.
Signing: message $m$, signature $y = m^d \bmod n$.
Verification: given $(m, y)$, check $m \stackrel{?}{=} y^e \bmod n$.

Use the fact that, in RSA, encryption reverses "decryption".

RSA Signature Scheme (contd)

  • The Good:
    – Verification can be cheap (like RSA encryption)
    – Mechanically the same as the RSA decryption function
    – Security based on RSA encryption
    – Signing is harder, but each signature is verified more than once ...
    – Deterministic
  • The Bad:
    – Recall that RSA is malleable: signatures can be "massaged", e.g., $(m_1 m_2)^d = m_1^d \cdot m_2^d \bmod n$, so two valid signatures multiply into a valid signature on $m_1 m_2$
    – Phony "random" signatures: compute $Y = \mathrm{RSA}(e, X) = X^e \bmod n$; then $X$ is a valid signature of $Y$, because $Y^d = X \bmod n$
  • The Ugly:
    – Signing requires integrity!
    – How to sign multiple blocks?
    – Deterministic -- needs additional randomization!
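Textbook RSA signing with the two forgeries just listed, and hash-then-sign, which stops both for any message an attacker actually wants signed, as an added example that is not part of the lecture (Python). The phony signature uses the lecture's $n = 221$ key; the hashed variant uses a key built from the Mersenne primes $2^{31} - 1$ and $2^{61} - 1$ (an assumption, so the arithmetic is genuine without a prime generator), and reducing a SHA-256 digest mod $n$ is a stand-in for a real padding scheme such as PKCS#1 v1.5 or PSS:

```python
# Added example (not part of the lecture): textbook RSA signatures, the phony
# "random" signature and the multiplicative forgery from the slide, and the
# hash-then-sign variant that defeats both on chosen messages.
import hashlib

# Demo key from two Mersenne primes (an assumption: real keys use random primes
# of 1024+ bits; these just keep the arithmetic real without a prime generator).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def rsa_sign_raw(m, n, d):
    """Textbook signature y = m^d mod n."""
    return pow(m, d, n)

def rsa_verify_raw(m, y, n, e):
    """Accept iff y^e mod n == m."""
    return pow(y, e, n) == m

def phony_signature(n, e, x):
    """Pick any x; x is a valid signature of Y = x^e mod n, because Y^d = x."""
    return pow(x, e, n), x

def forge_by_malleability(n, m1, s1, m2, s2):
    """(m1*m2)^d = m1^d * m2^d, so two signatures combine into one on m1*m2 mod n."""
    return (m1 * m2) % n, (s1 * s2) % n

def hash_to_int(msg, n):
    """Digest the message and reduce into Z_n (toy stand-in for padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def rsa_sign_hashed(msg, n, d):
    """Sign h(m) instead of m: the signer never exponentiates attacker-chosen integers."""
    return rsa_sign_raw(hash_to_int(msg, n), n, d)

def rsa_verify_hashed(msg, y, n, e):
    """Accept iff y^e mod n == h(m)."""
    return rsa_verify_raw(hash_to_int(msg, n), y, n, e)

if __name__ == "__main__":
    n, e, d = 221, 5, 77
    y, x = phony_signature(n, e, 7)
    print(y, x, rsa_verify_raw(y, x, n, e))   # 11 7 True: a "signature" on a message nobody chose
    sig = rsa_sign_hashed(b"pay Bob 100", N, D)
    print(rsa_verify_hashed(b"pay Bob 100", sig, N, E), rsa_verify_hashed(b"pay Bob 101", sig, N, E))
```

With hashing in place, a phony pair $(Y, X)$ is still a valid pair of integers, but turning it into a signature on a message requires a preimage of $Y$ under the hash, and multiplying two hashed signatures yields a signature on $h(m_1) h(m_2)$, which is not the hash of any useful message; the slide's "Deterministic: needs additional randomization" remark is what PSS adds on top.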
El Gamal Signature Scheme

$p$ - large prime; $b$ - base, a generator of $\mathbb{Z}_p^*$; $x$ - private exponent; $y$ - public residue, $y \equiv b^x \pmod p$
$P = \mathbb{Z}_p^*$, $A = \mathbb{Z}_p^* \times \mathbb{Z}_{p-1}$
publics: $p, b, y$; secrets: $x$

Signing:
  1. generate random $r \in \mathbb{Z}_{p-1}^*$ (i.e., $\gcd(r, p-1) = 1$)
  2. compute $k = b^r \bmod p$
  3. compute $c = (m - xk) \, r^{-1} \bmod (p-1)$
  4. signature $= \{k, c\}$

Verifying: $y^k k^c \bmod p \stackrel{?}{=} b^m \bmod p$
Notice that: $y^k k^c = b^{xk} \cdot b^{r (m - xk)/r} = b^{xk + m - xk} = b^m \pmod p$


El Gamal Signature Scheme (contd)

The good:

  • Signing is cheap(er)
  • Designed as a signature function
  • Non-deterministic (randomized)

The bad:

  • Need GOOD source of random numbers
  • Randomizers cannot be revealed (trace)
  • Randomizers cannot be reused
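ElGamal signing and verification as defined above, followed by what "randomizers cannot be reused" means in practice: two signatures that share $r$ leak $r$, and with it the private exponent $x$. Added example, not part of the lecture (Python); the parameters $p = 467$ with generator $2$, $x = 127$ and $r = 213$ are assumptions small enough to trace:

```python
# Added example (not part of the lecture): ElGamal signatures as on the slide,
# then private-key recovery from two signatures that reuse the randomizer r.
from math import gcd

def elgamal_sign(p, b, x, m, r):
    """Signature {k, c} with k = b^r mod p, c = (m - x k) r^{-1} mod (p-1)."""
    if gcd(r, p - 1) != 1:
        raise ValueError("r must be invertible mod p-1")
    k = pow(b, r, p)
    c = (m - x * k) * pow(r, -1, p - 1) % (p - 1)
    return k, c

def elgamal_verify(p, b, y, m, sig):
    """Accept iff y^k k^c = b^m mod p (and k is in range)."""
    k, c = sig
    if not 0 < k < p:
        return False
    return pow(y, k, p) * pow(k, c, p) % p == pow(b, m, p)

def solve_linear_congruence(a, c, n):
    """All z in [0, n) with a*z = c (mod n); empty if gcd(a, n) does not divide c."""
    g = gcd(a, n)
    if c % g:
        return []
    a, c, n2 = a // g, c // g, n // g
    z0 = c * pow(a, -1, n2) % n2 if n2 > 1 else 0
    return [z0 + t * n2 for t in range(g)]

def recover_private_key(p, b, y, m1, sig1, m2, sig2):
    """Given two signatures sharing k (same r), return x with b^x = y mod p.
    c1 - c2 = (m1 - m2) r^{-1} mod (p-1) yields r; then k x = m1 - c1 r yields x.
    Non-invertible differences give a few candidates, which are checked against y."""
    (k1, c1), (k2, c2) = sig1, sig2
    if k1 != k2:
        raise ValueError("signatures use different randomizers")
    n = p - 1
    for r in solve_linear_congruence((c1 - c2) % n, (m1 - m2) % n, n):
        if pow(b, r, p) != k1:
            continue
        for x in solve_linear_congruence(k1 % n, (m1 - c1 * r) % n, n):
            if pow(b, x, p) == y:
                return x
    return None

if __name__ == "__main__":
    p, b, x = 467, 2, 127
    y = pow(b, x, p)
    sig1 = elgamal_sign(p, b, x, 100, 213)
    sig2 = elgamal_sign(p, b, x, 250, 213)      # same r: the mistake the slide warns about
    print(sig1, sig2, recover_private_key(p, b, y, 100, sig1, 250, sig2))   # ... 127
```

The recovery needs only public values and two signed messages, which is why the randomizer must be fresh and unpredictable for every signature and must never be logged or traced.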


The Digital Signature Standard (DSS)

  • Why DSS?
  • RSA issues: patents, malleability, etc.
  • A variant of El Gamal
  • Originally for |p|=512 bits, now up to 1024
  • Optimized for signature size (320- vs. 1024-bit)
  • Signing - 1 exp, verification - 2 exps
  • No attacks thus far

DSS (contd)

  • $p$ - 512-bit prime
  • $q$ - 160-bit prime with $q \mid (p - 1)$
  • $b$ - base with $b^q \equiv 1 \pmod p$ (take $b = d^{(p-1)/q} \bmod p$ for some $d$ with $b \neq 1$)
  • $x$ - private exponent
  • $y$ - public residue, $y \equiv b^x \pmod p$
  • $P = \mathbb{Z}_p^*$, $A = \mathbb{Z}_q \times \mathbb{Z}_q$
  • publics: $p, q, b, y$; secrets: $x$

Signing:
  1. generate random $r \in \mathbb{Z}_q^*$
  2. compute $k = (b^r \bmod p) \bmod q$
  3. compute $c = (m + xk) \, r^{-1} \bmod q$
  4. signature $= \{k, c\}$

Verifying: $(b^{m c^{-1}} y^{k c^{-1}} \bmod p) \bmod q \stackrel{?}{=} k$, with the exponents reduced mod $q$.
Notice that: $b^{m c^{-1}} y^{k c^{-1}} = b^{mr/(m + xk)} (b^x)^{kr/(m + xk)} = b^{(mr + xkr)/(m + xk)} = b^r \pmod p$, so reducing mod $q$ gives back $k$.
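DSS signing and verification with the formulas above, as an added example that is not part of the lecture (Python). The parameters $p = 23$, $q = 11$ (so $q \mid p - 1$) and $d = 2$ are assumptions small enough to check by hand, and the message $m$ is taken to be already hashed and reduced mod $q$, as DSS does with SHA:

```python
# Added example (not part of the lecture): DSS/DSA signing and verification on
# the slide's formulas over a tiny (p, q) pair. m is assumed already hashed mod q.

def dsa_generator(p, q, d):
    """b = d^((p-1)/q) mod p has order q whenever it is not 1."""
    b = pow(d, (p - 1) // q, p)
    if b == 1:
        raise ValueError("d^((p-1)/q) = 1; choose another d")
    assert pow(b, q, p) == 1
    return b

def dsa_sign(p, q, b, x, m, r):
    """Signature {k, c} = {(b^r mod p) mod q, (m + x k) r^{-1} mod q}; None if a
    zero component appears (DSS restarts with a fresh r in that case)."""
    if not 0 < r < q:
        raise ValueError("r must be in [1, q-1]")
    k = pow(b, r, p) % q
    c = (m + x * k) * pow(r, -1, q) % q
    if k == 0 or c == 0:
        return None
    return k, c

def dsa_verify(p, q, b, y, m, sig):
    """Accept iff (b^{m/c} y^{k/c} mod p) mod q == k, exponents taken mod q."""
    k, c = sig
    if not (0 < k < q and 0 < c < q):
        return False
    c_inv = pow(c, -1, q)
    u1 = m * c_inv % q
    u2 = k * c_inv % q
    return (pow(b, u1, p) * pow(y, u2, p) % p) % q == k

if __name__ == "__main__":
    p, q = 23, 11
    b = dsa_generator(p, q, 2)       # 4
    x = 7
    y = pow(b, x, p)                 # 8
    sig = dsa_sign(p, q, b, x, 5, 3)
    print(b, y, sig, dsa_verify(p, q, b, y, 5, sig))   # 4 8 (7, 7) True
```

Both signature components live in $\mathbb{Z}_q$, which is where the 320-bit signature size for $|q| = 160$ comes from, and the signer does one exponentiation mod $p$ while the verifier does two, matching the cost line on the previous slide. The randomizer $r$ carries exactly the same reuse and predictability hazards as in El Gamal.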

And, now just for kicks...

Merkle's Puzzles (1974)

Alice, for $0 < i < 2^n = N$:
  • picks random values $X_i, Y_i$ with $|X_i| \geq 2 \cdot |Y_i|$
  • picks a random $\mathrm{index}_i$ with $|\mathrm{index}_i| = n$
  • forms puzzle $P_i = \{\mathrm{index}_i, X_i, S\}_{Y_i}$ (the triple encrypted under $Y_i$), where $S$ is a fixed string, e.g., "Alice to Bob"
  • sends all puzzles $\{P_i \mid 0 < i < 2^n\}$ to Bob

Bob: picks random $j$, $0 < j < 2^n$; selects $P_j$; breaks $Y_j$ by brute force; obtains $\{\mathrm{index}_j, X_j, S\}$; sends $\mathrm{index}_j$ to Alice.
Alice: looks up $\mathrm{index}_j$, obtains $X_j$.
Encrypted communication with $X_j$.

Bob breaks one puzzle; Eve, who sees only $\mathrm{index}_j$ and cannot tell which puzzle it came from, must break about $N/2$ of them on average.
Is security computational or information theoretic?

Identification

  • Public key cryptography can also be used for IDENTIFICATION
  • Identification is an interactive protocol whereby one party, the "prover" (who claims to be, say, Alice), convinces the other party, the "verifier" (Bob), that she is indeed Alice
  • Identification can be accomplished with public key digital signatures
  • However, signatures reveal information ...
  • Also, signatures are "transferable", i.e., anyone can verify them

The Cave Analogy of Zero-Knowledge

[Figure: a cave entered at Point A, with a door deep inside at Point B that is locked on both sides. The (P)rover claims to have the key but won't show it. The (V)erifier, claustrophobic and afraid of the dark, cannot follow P into the cave.]

The Protocol:
  1) V asks someone he trusts to check that the door is locked on both sides.
  2) P goes into the maze past point B (heading either right or left)
  3) V looks into the cave (while standing at point A)
  4) V randomly picks right or left
  5) V shouts (very loudly!) for P to come out from the picked direction
  6) If P doesn't come out from the picked direction, V knows that P is a liar and the protocol terminates
REPEAT steps (2)-(6) k TIMES

Fiat-Shamir Identification Scheme

  • In Fiat-Shamir, the prover has an RSA-like modulus $n = pq$ where $p$ and $q$ are large primes and the factorization of $n$ is secret
  • The primes themselves are not used in the protocol
  • Unlike RSA, a trusted center can generate a global $n$, used by everyone, as long as nobody knows its factorization. The trusted center can then "forget" the factorization after computing $n$

Fiat-Shamir Identification Scheme

  • Secret Key: Prover (P) chooses a random value $1 < S < n$ (to serve as the key) such that $\gcd(S, n) = 1$
  • Public Key: P computes $I = S^2 \bmod n$ and publishes $(I, n)$ as his public key
  • Purpose of the protocol: P has to convince the verifier (V) that he knows the secret $S$ corresponding to the public key $(I, n)$, i.e., to prove that he knows a square root of $I$ mod $n$, without revealing $S$ or any portion thereof

[Figure: one round of Fiat-Shamir. Prover (Alice) holds $n, I, S$; Verifier (Bob) holds $n$. Alice picks random $R$, sets $x = R^2 \bmod n$, and sends $I, x$. Bob sends query $= 0$ or $1$. Alice answers $R$ (query 0) or $R \cdot S \bmod n$ (query 1). Bob checks $R^2 = x \bmod n$ or $(RS)^2 = xI \bmod n$, respectively.]

Fiat-Shamir ZK Identification Scheme

V wants to authenticate the identity of P, who claims to have public key $I$. Thus, V asks P to convince him that P knows the secret key $S$ corresponding to $I$.
  1. P chooses at random $1 < R < n$ and computes $X = R^2 \bmod n$
  2. P sends $X$ to V
  3. V randomly requests from P one of two things (0 or 1): (a) $R$, or (b) $RS \bmod n$
  4. P sends the requested information
  5. V checks the correct answer: (a) $R^2 \stackrel{?}{=} X \pmod n$, or (b) $(RS)^2 \stackrel{?}{=} XI \pmod n$
  6. If verification fails, V concludes that P does not know $S$
  7. The protocol is repeated $t$ (usually 20, 30, or $\log n$) times, and, if every round succeeds, V concludes that P is the claimed party

What if the Prover knows the challenge ahead of time: Case 0

Prover holds $n, I$ (doesn't know $S$); Verifier holds $n$.
  • Prover: pick random $R$; set $x = R^2 \bmod n$; send $I, x$
  • Verifier: query $= 0$
  • Prover: answer $R$
  • Verifier checks $R^2 = x \bmod n$: passes, and no $S$ was needed

What if the Prover knows the challenge ahead of time: Case 1

Prover holds $n, I$ (doesn't know $S$); Verifier holds $n$.
  • Prover: pick random $R$; set $x = R^2 \cdot I \bmod n$; send $I, x$
  • Verifier: query $= 1$
  • Prover: answer $R \cdot I \bmod n$ (instead of $R \cdot S \bmod n$)
  • Verifier checks $(R \cdot I)^2 = x \cdot I \bmod n$: passes, since $R^2 I^2 = (R^2 I) \cdot I$

Fiat-Shamir Identification Scheme

CLAIM: The protocol does not reveal ANY information about $S$; or, the Fiat-Shamir protocol is ZERO-KNOWLEDGE.
Proof: We show that no information on $S$ is revealed:
  • Clearly, when P sends $X$ or $R$, it does not reveal any information about $S$
  • When P sends $RS \bmod n$:
    – $RS \bmod n$ is random, since $R$ is random and $\gcd(S, n) = 1$
    – If an adversary can compute any information about $S$ from $I, n, X$ and $RS \bmod n$, it can also compute the same information on $S$ from $I$ and $n$ alone: it can choose a random $T$ (which equals $R'S \bmod n$ for some random $R'$ it need not know) and compute $X' = T^2 I^{-1} = (R')^2 S^2 I^{-1} = (R')^2 \bmod n$; the pair $(X', T)$ is distributed exactly like a real transcript $(X, RS \bmod n)$

Security

Clearly, if P knows $S$, then V is convinced of P's identity. If P does not know $S$, it can either:
  1. know $R$, but not $RS \bmod n$: since P is choosing $R$, it cannot multiply it by the unknown value $S$; or
  2. choose $RS \bmod n$, and thus answer the second question, $RS \bmod n$; but, in this case, P cannot answer the first question, $R$, since to do so it would need to divide by the unknown $S$

Security

  • In any case, the adversary cannot answer both questions, since otherwise he could compute $S$ as the ratio of the two answers: $(RS) \cdot R^{-1} \bmod n = S$
  • But we assumed that computing $S$ (a square root of $I$ mod $n$) is hard, equivalent to factoring $n$
  • Since P does not know in advance (when choosing $R$ or $RS \bmod n$) which question V will ask, he cannot foresee the required choice. He can succeed in guessing V's question with probability $1/2$ for each question
  • The probability that V fails to catch P in all runs is thus $2^{-t}$
    – e.g., about 1 in 1,000,000 for $t = 20$ ($2^{-20} \approx 10^{-6}$)
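The Fiat-Shamir rounds above, with an honest prover, the two "knows the challenge in advance" cheating strategies from the Case 0 and Case 1 slides, and the extraction step behind the security argument (both answers to one commitment give $S$), as an added example that is not part of the lecture (Python). The modulus $n = 221$ and secret $S = 42$ are toy values (an assumption); the prover is modelled as a pair of callbacks so that the honest and cheating strategies run through the same verifier:

```python
# Added example (not part of the lecture): Fiat-Shamir identification rounds
# with an honest prover, the Case 0 / Case 1 cheating provers, and secret
# extraction from two answers to the same commitment.
from math import gcd
import secrets

def fs_keygen(n, s):
    """Public I = S^2 mod n for a secret S coprime to n."""
    if not (1 < s < n and gcd(s, n) == 1):
        raise ValueError("S must be in (1, n) and coprime to n")
    return s * s % n

def random_unit(n):
    """Random R in (1, n) with gcd(R, n) = 1."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r

def honest_prover(n, s):
    """Commit x = R^2 mod n; answer R (query 0) or R*S mod n (query 1)."""
    def commit():
        r = random_unit(n)
        return r, r * r % n
    def respond(r, query):
        return r if query == 0 else r * s % n
    return commit, respond

def cheating_prover(n, i, guess):
    """Prover without S who bets the query will be `guess` (Case 0 / Case 1 on the slides)."""
    def commit():
        r = random_unit(n)
        return r, (r * r % n if guess == 0 else r * r * i % n)
    def respond(r, query):
        if query != guess:
            return r                  # lost the bet: this answer fails the check
        return r if guess == 0 else r * i % n
    return commit, respond

def verifier_check(n, i, x, query, answer):
    """answer^2 = x (query 0) or answer^2 = x*I (query 1), all mod n."""
    expected = x if query == 0 else x * i % n
    return answer * answer % n == expected

def run_protocol(n, i, prover, queries):
    """One round per query bit; True iff every round passes."""
    commit, respond = prover
    for query in queries:
        r, x = commit()
        if not verifier_check(n, i, x, query, respond(r, query)):
            return False
    return True

def extract_secret(n, answer0, answer1):
    """Both answers to one commitment give S = (R S) * R^{-1} mod n."""
    return answer1 * pow(answer0, -1, n) % n

def cheat_success_probability(t):
    """A prover without S passes t rounds only by guessing every query: 2^-t."""
    return 2.0 ** -t

if __name__ == "__main__":
    n, s = 221, 42
    i = fs_keygen(n, s)
    coins = [secrets.randbelow(2) for _ in range(20)]
    print(run_protocol(n, i, honest_prover(n, s), coins))        # True
    print(run_protocol(n, i, cheating_prover(n, i, 0), coins))   # True only if every coin was 0
    print(cheat_success_probability(20))                         # ~9.5e-07
```

The verifier never learns $S$ and never sees anything it could not have produced itself, which is the zero-knowledge claim; the only thing that stops the cheating prover is that it has to commit before the coin is tossed.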