CPSC 418/MATH 318 Introduction to Cryptography: El Gamal Signature Scheme, Cryptography in Practice: Random Number Generation, Key Management (PowerPoint PPT presentation)



CPSC 418/MATH 318 Introduction to Cryptography

El Gamal Signature Scheme, Cryptography in Practice: Random Number Generation, Key Management Renate Scheidler

Department of Mathematics & Statistics Department of Computer Science University of Calgary

Week 11

Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 11 1 / 53

Outline

1 ElGamal Signature Scheme
2 Odds and Ends on Public Key Crypto
3 Cryptography in Real Life
4 Random Number Generation
5 Where are we at?
6 Key Management: Key Distribution Centres, Public-Key Infrastructures, ID-Based Cryptography

ElGamal Signature Scheme

The El Gamal Signature Scheme

The El Gamal signature scheme is a variation of the El Gamal PKC (same 1985 paper). Security considerations are the same. A produces her public and private keys as follows:

1 Selects a large prime p and a primitive root g of p.
2 Randomly selects x such that 0 < x < p − 1 and computes y ≡ g^x (mod p).

Public key: (p, g, y). Private key: {x}.

A also fixes a public cryptographic hash function H : {0, 1}* → Z_{p−1}. Below, H(M ‖ r) denotes the hash of M concatenated with (a fixed-width encoding of) r.

Signing and Verifying

A signs a message M ∈ {0, 1}* as follows:

1 Selects a random integer k ∈ Z*_{p−1}, i.e. 0 < k < p − 1 with gcd(k, p − 1) = 1.
2 Computes r ≡ g^k (mod p), 0 ≤ r < p.
3 Solves ks ≡ H(M ‖ r) − xr (mod p − 1) for s ∈ Z_{p−1}; since k is a unit modulo p − 1, s is unique.
4 A's signature is the pair (r, s).

B verifies A's signature (r, s) as follows:

1 Obtains A's authentic public key (p, g, y).
2 Computes v1 ≡ y^r r^s (mod p) and v2 ≡ g^{H(M ‖ r)} (mod p).
3 Accepts the signature if and only if r < p and v1 = v2.


Proof of Correctness

Proof of correctness. By construction of s, ks + xr ≡ H(M ‖ r) (mod p − 1). If the signature (r, s) to message M is valid then, because g has order p − 1 modulo p (so exponents may be reduced modulo p − 1),

v1 ≡ y^r r^s ≡ (g^x)^r (g^k)^s ≡ g^{xr+ks} ≡ g^{H(M ‖ r)} ≡ v2 (mod p).

Solving General Linear Congruences

For signature generation step 3, we need to solve the congruence ks ≡ H(M ‖ r) − xr (mod p − 1) for s ∈ Z_{p−1}.

More generally, we want to solve a linear congruence of the form aX ≡ b (mod m) for X ∈ Z_m, with m ∈ N, a ∈ Z*_m and b ∈ Z_m.

We already saw how to do this for b = 1; that's just finding modular inverses. To solve aX ≡ b (mod m) for X, first solve aZ ≡ 1 (mod m) for Z using the Extended Euclidean Algorithm. Then X ≡ bZ (mod m), as

aX ≡ a(bZ) ≡ (aZ)b ≡ 1 · b ≡ b (mod m).

Since a is invertible, this solution is unique modulo m. (If gcd(a, m) = d > 1, the congruence is solvable only when d | b, and then has exactly d solutions modulo m. This case does not arise in ElGamal signing, because k is chosen in Z*_{p−1}.)

ElGamal Example: Set-Up

Let p = 467, and set g = 2, which is a primitive root modulo 467. Choose the secret key x = 127. Using binary exponentiation, one obtains y ≡ 2^127 ≡ 132 (mod 467). So consider an ElGamal user Alice with public key (467, 2, 132) and private key {127}.

ElGamal Example: Signature Generation

Suppose Alice wishes to sign the message M = "Hi there". She selects k = 213; note that gcd(213, 466) = 1. Binary exponentiation yields r ≡ 2^213 ≡ 29 (mod 467). Suppose our hash function yields H("Hi there" ‖ 29) = 100. Alice needs to solve

213s ≡ 100 − 127 · 29 ≡ 145 (mod 466).

First solve 213z ≡ 1 (mod 466) for z using the Extended Euclidean Algorithm, obtaining z ≡ 431 (mod 466). Then s ≡ 145 · 431 ≡ 51 (mod 466). The signature to "Hi there" is (r, s) = (29, 51).


ElGamal Example: Signature Verification

To verify this signature, first note that r = 29 < 467. Then compute v1 ≡ 132^29 · 29^51 ≡ 189 (mod 467) and v2 ≡ 2^100 ≡ 189 (mod 467). So v1 = v2 = 189 and the signature is accepted.

Security of ElGamal Signatures

ElGamal is GMR-secure (existentially unforgeable under an adaptive chosen-message attack) in the random oracle model, assuming that H takes on random values and that computing discrete logarithms modulo p is hard. Formally, one shows that the DLP reduces to existential forgery, i.e. that an algorithm for producing existential forgeries can be used to solve the DLP.

If H(M ‖ r) is replaced by H(M) in step 3 of the signature generation, then a universal forgery attack is possible. More exactly, if an attacker intercepts a signature (r, s) to some message M', he can forge a signature (R, S) to an arbitrary message M. The resulting R satisfies 0 ≤ R ≤ p(p − 1). This attack can be foiled by verifying that r < p and rejecting signatures where r exceeds p. Better to include r in the hash though.

Security of ElGamal Signatures, cont.

The public parameter g must be chosen verifiably at random (e.g. publish the PRNG, seed and algorithm used), so that nobody can plant a g with special structure; that g really is a primitive root of p must then be checked (g^{(p−1)/q} ≢ 1 (mod p) for every prime q dividing p − 1).

If the same value of k is used to sign two messages, k and the private key x can be computed with high probability: both signatures share the same r, and from k s1 ≡ H1 − xr and k s2 ≡ H2 − xr (mod p − 1) one gets k(s1 − s2) ≡ H1 − H2 (mod p − 1). This determines k up to gcd(s1 − s2, p − 1) candidates (usually just one), and then xr ≡ H1 − k s1 (mod p − 1) gives x.
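The signing, verification and linear-congruence steps above, the worked example with p = 467, and the nonce-reuse recovery just described, carried out in one piece of code. This is an added example written for this page, not code from the lecture notes. Assumptions: the hash H(M ‖ r) is taken to be SHA-256 of M followed by the decimal digits of r, reduced mod p − 1, and the `h=` argument lets the caller inject the slides' value H("Hi there" ‖ 29) = 100 so that the worked numbers (29, 51) can be reproduced exactly.

```python
"""ElGamal signatures with the slides' toy parameters (p = 467, g = 2, x = 127).

Added example (not lecture code). Assumed: the hash is SHA-256 over M followed by the
decimal digits of r, reduced mod p - 1; `h=` lets a caller inject the slides' value
H("Hi there" || 29) = 100 so the worked numbers can be reproduced exactly.
"""
import hashlib
from math import gcd


def solve_linear_congruence(a, b, m):
    """All X in Z_m with a*X = b (mod m), via the extended Euclidean algorithm.

    gcd(a, m) = 1: the unique solution b * a^-1 mod m (the slide's case).
    gcd(a, m) = d > 1: d solutions if d | b, none otherwise.
    """
    d = gcd(a, m)
    if b % d:
        return []
    a, b, m = a // d, b // d, m // d
    x0 = b * pow(a, -1, m) % m          # pow(a, -1, m) is the extended-Euclid inverse
    return [x0 + i * m for i in range(d)]


def hash_mr(message, r, p):
    """H(M || r) in Z_{p-1} (assumed encoding: SHA-256 of M followed by str(r))."""
    digest = hashlib.sha256(message + str(r).encode()).digest()
    return int.from_bytes(digest, "big") % (p - 1)


def keygen(p, g, x):
    """Public key (p, g, y = g^x mod p), private key x."""
    return (p, g, pow(g, x, p)), x


def sign(message, x, pub, k, h=None):
    """Signature (r, s): r = g^k mod p, k*s = H(M||r) - x*r (mod p-1)."""
    p, g, _ = pub
    if not (0 < k < p - 1 and gcd(k, p - 1) == 1):
        raise ValueError("k must be a unit mod p-1")
    r = pow(g, k, p)
    hv = hash_mr(message, r, p) if h is None else h
    (s,) = solve_linear_congruence(k, (hv - x * r) % (p - 1), p - 1)
    return r, s


def verify(message, sig, pub, h=None):
    """Accept iff 0 < r < p and y^r * r^s = g^H(M||r) (mod p)."""
    p, g, y = pub
    r, s = sig
    if not 0 < r < p:                    # the slide's r < p check; g^k mod p is never 0
        return False
    hv = hash_mr(message, r, p) if h is None else h
    v1 = pow(y, r, p) * pow(r, s, p) % p
    v2 = pow(g, hv, p)
    return v1 == v2


def recover_from_nonce_reuse(pub, sig1, h1, sig2, h2):
    """Two signatures made with the same k share r. From
        k*s1 = h1 - x*r  and  k*s2 = h2 - x*r   (mod p-1)
    we get k*(s1 - s2) = h1 - h2 (mod p-1): at most gcd(s1-s2, p-1) candidates for k,
    each checked against r = g^k. Then r*x = h1 - k*s1 (mod p-1) gives candidates for x,
    checked against y = g^x. Returns (k, x) or None."""
    p, g, y = pub
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2:
        return None
    n = p - 1
    for k in solve_linear_congruence((s1 - s2) % n, (h1 - h2) % n, n):
        if pow(g, k, p) != r:
            continue
        for x in solve_linear_congruence(r % n, (h1 - k * s1) % n, n):
            if pow(g, x, p) == y:
                return k, x
    return None


if __name__ == "__main__":
    pub, x = keygen(467, 2, 127)
    print(pub, sign(b"Hi there", x, pub, 213, h=100))   # (467, 2, 132) (29, 51)
```

Signing a second message with the same k = 213 (hash value 200, say) gives (29, 279); feeding both signatures to `recover_from_nonce_reuse` returns k = 213 and x = 127, which is the whole private key.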

Other Signature Schemes

Digital Signature Algorithm (DSA): a variation of ElGamal with short signatures, standardized by NIST in 1994 under the name Digital Signature Standard (FIPS 186); DLP-based like ElGamal.
Feige-Fiat-Shamir: security based on computing square roots modulo pq (not DLP-based).
Guillou-Quisquater: security based on the RSA problem of computing e-th roots modulo pq (not DLP-based).

A description of DSA can be found on the "handouts" page and in Section 8.4.2 of Stinson-Paterson.


Odds and Ends on Public Key Crypto

Elliptic Curve Cryptography

Proposed in 1985 independently by N. Koblitz and V. Miller. We have elliptic curve versions of Diffie-Hellman, El Gamal encryption, El Gamal signatures/DSA and others (no RSA though). Very strong setting for public key cryptography:

Fast arithmetic (addition of points)
Very secure: the elliptic curve DLP seems to be much harder than the DLP in Z*_p
Very small keys (e.g. compared to RSA)

NIST's recommendations for bit sizes at each security level (SP 800-57 Part 1):

Security level (block cipher key, bits)   80     112    128    192    256
Hash function size (bits)                 160    224    256    384    512
Elliptic curve group size (bits)          160    224    256    384    512
RSA modulus (bits)                        1024   2048   3072   7680   15360

The 80- and 112-bit levels (shaded gray on the original slide) are now obsolete and considered too small.

Quantum Resistant Cryptography

AKA post-quantum cryptography. All PKCs currently in use can be broken on a quantum computer: Shor's algorithm (1997) is an efficient quantum algorithm for integer factorization; it also extracts discrete logs and elliptic curve discrete logs.

NIST is currently running a post-quantum crypto competition for public key encryption, key agreement and signature schemes; see http://csrc.nist.gov/groups/ST/post-quantum-crypto

Five main underlying mathematical frameworks:

Lattices (also used in homomorphic encryption, e.g. cloud computing)
Codes
Hash functions
Isogenies on supersingular elliptic curves
Multivariate quadratic equations over small (binary) fields ("Oil & Vinegar")

Quantum Cryptography

Quantum cryptography designs and analyzes cryptographic schemes whose security resides in the laws of quantum mechanics (e.g. Heisenberg's uncertainty principle) rather than in some computationally difficult math problem.

Can do information-theoretically secure cryptographic key agreement (Bennett & Brassard 1984); current distance records are around 400 km.
Difficult to implement (signal degradation) and susceptible to physical attacks.
Unknown how to do authentication (the quantum channel still needs a classically authenticated channel alongside it).
Stay tuned for more on quantum computing (Shor's algorithm) and quantum crypto in Janet's lecture on Wednesday April 15.

Cryptography in Real Life

Crypto — From Drawing Board to Real Life

[Figure: a layered stack, top to bottom]
End User
Administration
Cryptographic Protocol
Implementation
Cryptographic Primitive

Most real-life problems happen at the top three levels. We need to start thinking about practical cryptography!


Random Number Generation

Random Numbers in Cryptography

There are many uses of random numbers in cryptography:

keys for conventional cryptosystems
randomized schemes
public key generation
key stream for a stream cipher
one-time values (nonces) in authentication protocols to prevent replay

It is critical that these values be
statistically random: independent, uniformly distributed
unpredictable: the future sequence cannot be inferred from previous values

How to Obtain Randomness?

The only source of true randomness is the real world. Find a physical process that is random and monitor it. Examples:

radioactive decay
radio noise (white noise)
thermal noise in diodes
leaky capacitors
mercury discharge tubes, etc.

Need special hardware in general (e.g. radiation counters). Can be slow and cumbersome. Problems of bias or uneven distribution: have to compensate, or use only the noisiest bits from each sample. One possibility: pass the data through a cryptographically secure hash function.

Pseudo-Randomness

Published collections of random numbers also exist, but they are too limited and well-known for most uses. In practice, one uses pseudo-randomness.

Definition 1 (Pseudorandom Number/Bit Generator (PRNG, PRBG))

An algorithmic technique to create sequences of statistically random numbers/bits, initialized with a random seed.

[Image dated Thursday October 25, 2001, not reproduced]

Example

Linear congruential generator: X_{i+1} ≡ aX_i + c (mod m).
Advantage: outputs long, statistically random sequences.
Disadvantage: fails unpredictability; it is too easy to reconstruct the entire sequence given only a few values.
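How "a few values" suffice, as an added example that is not part of the lecture notes. The attacker model is an assumption made here: the modulus m is known (it is a fixed constant in any deployed LCG), the multiplier a and increment c are unknown, and a handful of consecutive outputs were observed. Consecutive outputs satisfy X_{i+2} − X_{i+1} ≡ a(X_{i+1} − X_i) (mod m), so a falls out of a single linear congruence and c = X_{i+1} − aX_i; when X_{i+1} − X_i is not a unit modulo m there are several candidates, which later outputs disambiguate (or, as in the m = 16 case below, all candidates predict the same next value anyway). The MINSTD constants a = 48271, m = 2^31 − 1 are a standard LCG; the increment 12345 and the small m = 16 case are chosen for the demonstration.

```python
"""Recovering a linear congruential generator X_{i+1} = a*X_i + c (mod m) from its output.

Added example (not lecture code). Assumed attacker model: m known, a and c unknown,
a few consecutive outputs observed.
"""
from math import gcd


def _solve(a, b, m):
    """All X in Z_m with a*X = b (mod m) (empty list if unsolvable)."""
    d = gcd(a, m)
    if b % d:
        return []
    a, b, m = a // d, b // d, m // d
    x0 = b * pow(a, -1, m) % m
    return [x0 + i * m for i in range(d)]


def lcg_outputs(seed, a, c, m, n):
    """The first n outputs X_1..X_n of the LCG with X_0 = seed."""
    out, x = [], seed
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out


def recover_lcg(outputs, m):
    """All (a, c) consistent with >= 3 observed consecutive outputs, modulus m known.

    X3 - X2 = a*(X2 - X1) (mod m) gives the candidates for a; c = X2 - a*X1 follows;
    every candidate is then checked against all remaining observed outputs.
    """
    x1, x2, x3 = outputs[:3]
    if (x2 - x1) % m == 0:              # degenerate prefix: wait for more outputs
        return []
    cands = []
    for a in _solve((x2 - x1) % m, (x3 - x2) % m, m):
        c = (x2 - a * x1) % m
        if all((a * u + c) % m == v for u, v in zip(outputs[2:], outputs[3:])):
            cands.append((a, c))
    return cands


def predict_next(outputs, m):
    """The next output if every consistent (a, c) agrees on it, else None."""
    preds = {(a * outputs[-1] + c) % m for a, c in recover_lcg(outputs, m)}
    return preds.pop() if len(preds) == 1 else None


if __name__ == "__main__":
    M = 2**31 - 1                       # MINSTD modulus; a = 48271 is its multiplier
    xs = lcg_outputs(42, 48271, 12345, M, 5)
    print(recover_lcg(xs[:4], M), predict_next(xs[:4], M) == xs[4])
```

Four observed outputs of the 31-bit generator pin down (a, c) = (48271, 12345) uniquely and predict the fifth; the point of the slide is that nothing about the seed or the constants has to be secret for the attack, only the modulus size makes it faster or slower.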


Cryptographically Secure PRBGs

Definition 2 (Cryptographically secure PRBG (CSPRBG))

Must pass the next-bit test: there is no polynomial time algorithm that, on input of the first k bits of an output sequence, can predict the (k + 1)-st bit with probability significantly greater than 1/2.

For all practical purposes, a CSPRBG is unpredictable.

Remark: A PRBG is cryptographically secure if and only if it passes the previous-bit test: there is no polynomial time algorithm that, on input of k bits of an output sequence, can predict the preceding bit with probability significantly greater than 1/2.

More Examples of PRBGs

Simple examples (see NIST SP 800-90). Idea: the output of a strong hash function or block cipher is statistically random.

X_i = H(X_{i−1}), where X_0 is a random seed. Predictable (anyone who learns one X_i can compute all later ones), but good for distilling random bits from another source (whitening).
X_i = E_{K_m}(C_i), where K_m is a protected master key and C_i is a counter with a long period that is incremented for each output. Seems to be computationally infeasible to predict the next X_i if K_m is secret.

More complicated example: the Blum-Blum-Shub PRBG. Output the bit parity (least significant bit) of X_i, i ≥ 1, where

X_{i+1} ≡ X_i^2 (mod n), X_0 ∈ Z*_n, n = pq with p, q primes, p ≡ q ≡ 3 (mod 4).

Satisfies the next-bit test under the assumption that the QRP (quadratic residuosity problem) is intractable.
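The three generators above in code, as an added example (not from the lecture). One assumption: the slides' block cipher E_{K_m} is modelled by HMAC-SHA256 as the keyed pseudorandom function, since the Python standard library has no block cipher; the BBS parameters p = 11, q = 19, X_0 = 3 are toy values chosen here and are far too small for real use. The test on `hash_chain` shows the property the slide warns about: a single leaked state X_i regenerates every later output.

```python
"""Three PRBG constructions from the slide, as an added example (not lecture code).

  hash chain      X_i = H(X_{i-1})                 H = SHA-256
  counter mode    X_i = E_Km(C_i), C_i = C + i     E_Km modelled by HMAC-SHA256 (assumption)
  Blum-Blum-Shub  parity(X_i), X_{i+1} = X_i^2 mod n, n = p*q, p = q = 3 (mod 4)
"""
import hashlib
import hmac
from math import gcd


def hash_chain(seed, nblocks):
    """Outputs X_1..X_n with X_i = SHA-256(X_{i-1}). Anyone holding some X_i can
    regenerate every later output, which is why this is only a whitening step."""
    out, x = [], seed
    for _ in range(nblocks):
        x = hashlib.sha256(x).digest()
        out.append(x)
    return out


def counter_mode(key, counter, nblocks):
    """Outputs PRF_key(C), PRF_key(C+1), ...; unpredictable while `key` stays secret."""
    return [hmac.new(key, (counter + i).to_bytes(16, "big"), hashlib.sha256).digest()
            for i in range(nblocks)]


def bbs_bits(p, q, x0, nbits):
    """Blum-Blum-Shub: the parity (least significant bit) of X_1, X_2, ..."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be Blum primes (= 3 mod 4)")
    n = p * q
    if not (1 < x0 < n) or gcd(x0, n) != 1:
        raise ValueError("seed must be a unit mod n")
    bits, x = [], x0
    for _ in range(nbits):
        x = x * x % n                    # X_{i+1} = X_i^2 mod n
        bits.append(x & 1)
    return bits


if __name__ == "__main__":
    print(bbs_bits(11, 19, 3, 6))        # toy parameters: [1, 1, 0, 0, 0, 0]
```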

Common Mistakes with PRNGs

The security of a PRNG is determined by the entropy of its seed (which is the bit length if the seed is random). So the seed must have sufficient entropy to make the PRNG unpredictable. The following are all real life (bad) examples!

1 Generating a random 512-bit prime using a 32-bit seed for the random number generator. The entropy of the resulting prime is only 32 bits; it is easy to exhaustively try all possible seeds.
2 Generating a random 512-bit prime by calling a system PRNG that produces 32-bit random numbers, padding with 0s to 512 bits, and looking for the smallest prime greater than the number. This approach also has only 32 bits of entropy.
3 Instead of padding with zeros, call the system PRNG once and concatenate the resulting 32-bit random number 16 times to obtain a 512-bit number. This still has only 32 bits of entropy.

Another Bad Example — Kerberos 4

Kerberos 4 generates DES session keys by using a PRNG, seeded with a 32-bit value, to produce two 32-bit random numbers.
Problem: only 32 bits of entropy (should be 56).
Bigger problem: the seed is the XOR of 5 "random" 32-bit numbers:

time of day in seconds since Jan. 1, 1970
fractional part of the current time in microseconds
process ID of the Kerberos server process
cumulative count of session keys produced so far
host id of the machine on which Kerberos is running

Entropy of each of these quantities: between 1 and 20 bits. Thus, the Kerberos 4 seed has only about 20 bits of entropy; it is easy to test all 2^20 possible values in seconds! (Better in Kerberos 5.)


Possible Fix to Kerberos 4

Compute a hash of the concatenation of the 5 values. Every bit of randomness then contributes to every bit of the session key. Successive applications of the hash function will produce further pseudorandom bits (but with no more total entropy than the seed).

See the Internet Engineering Task Force's (IETF) Request for Comments RFC 1750, "Randomness Recommendations for Security" (since superseded by RFC 4086), for more information about guidelines for deploying random number generators. Section 6 covers recommendations for software-based strategies, for example.

A Final Bad Example — Factoring RSA Moduli

1 Scrounge the internet for lots of RSA public keys with moduli n1, n2, . . .
2 Compute gcd(ni, nj) for lots of pairs i ≠ j.

You'd be surprised how many of the moduli you can factor! If ni and nj share a prime factor p, then gcd(ni, nj) = p and both moduli are factored immediately. Problem: too many people use the same primes, obtained via bad PRNGs. So be sure to mind your p's and q's!
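The gcd attack, and the low-seed-entropy mistake from the "Common Mistakes" slide that makes it work, in one added example (not lecture code). The key generator here is a construction for the demonstration: its "PRNG" has only 4 bits of seed entropy per prime, so every p comes from a pool of 16 primes and every q from another pool of 16, and shared factors appear as soon as a few keys are collected. Primes are about 25 bits so trial division is an adequate primality test; nothing here is sized for real use.

```python
"""Factoring RSA moduli that share a prime via pairwise gcd (added example, not lecture code).

The weak key generator is constructed for this demo: 4 bits of seed entropy per prime,
so at most 16 distinct p's and 16 distinct q's can ever be produced.
"""
from itertools import combinations
from math import gcd, isqrt


def is_prime(n):
    """Trial division; fine for the ~25-bit primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, isqrt(n) + 1, 2))


def next_prime(n):
    """Smallest prime > n."""
    n += 1
    while not is_prime(n):
        n += 1
    return n


def weak_prime(seed4, base):
    """'Random' prime from a 4-bit seed: only 16 possible outputs per base."""
    return next_prime(base + (seed4 & 0xF) * 1_000_003)


def weak_keygen(seed8):
    """RSA modulus from an 8-bit seed: p from the low nibble, q from the high nibble.
    The two pools cannot overlap because 2^24 + 15*1_000_003 < 2^25."""
    p = weak_prime(seed8 & 0xF, 2**24)
    q = weak_prime(seed8 >> 4, 2**25)
    return p * q, (p, q)


def find_shared_factors(moduli):
    """Map every modulus that shares a prime with another one to its factorisation (p, q).
    Identical moduli (gcd = n) are not factored by this, only flagged by g == n1."""
    found = {}
    for n1, n2 in combinations(moduli, 2):
        g = gcd(n1, n2)
        if 1 < g < n1:
            found[n1] = tuple(sorted((g, n1 // g)))
            found[n2] = tuple(sorted((g, n2 // g)))
    return found


if __name__ == "__main__":
    # seeds 0x21 and 0x31 share the low nibble, hence the same p
    keys = [weak_keygen(s) for s in (0x21, 0x31, 0x54, 0x76)]
    print(find_shared_factors([n for n, _ in keys]))
```

With more than a few thousand keys the pairwise loop becomes quadratic; the scalable form of the same attack multiplies all moduli in a product tree and computes each gcd(n_i, (∏ n_j)/n_i) in quasi-linear time, but the idea is exactly the two lines above.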

NIST Recommendations

Moral: The number of bits of entropy must correspond to the overall bit security of the system. Example: 3072-bit RSA provides 128 bits of security, so the seed material for the PRNG must have at least 128 bits of entropy.

NIST's recommendations for security levels (SP 800-57 Part 1):

Security level (bits)            80     112    128    192    256
Hash function size (bits)        160    224    256    384    512
RSA modulus (bits)               1024   2048   3072   7680   15360

Security level: key length of a block cipher providing an equivalent level of difficulty to break. The first two security levels (80 and 112 bits) are now considered insufficient. The 128-, 192- and 256-bit levels are considered secure.

Where are we at?

Recall cryptographic services:
Data confidentiality: discussed
Data integrity: discussed
Authentication: discussed, more next
Non-repudiation: discussed
Access control: discussed a bit

Recall cryptographic mechanisms:
Encryption, for confidentiality and limited data integrity: discussed
Hash functions, Message Authentication Codes (MACs), for data integrity: discussed
Digital signatures, for data origin authentication and non-repudiation: discussed
Authentication protocols, for entity authentication: next


Key Management

Authentication

Next topic: authentication in practice. Today, authentication is arguably the most important application of cryptography. Three main classifications:

Data-origin authentication (digital signatures): covered previously
Authenticated key establishment: covered next
Entity authentication (client-server, user-host, process-host): covered after that

In practice, these are often combined into one protocol (e.g. SSL/TLS).

Authenticity of Keys

Secure communication requires proper mechanisms for managing keys and ensuring their authenticity. Mechanisms for ensuring authenticity of keys:

A trusted third party:
a key distribution centre (session keys)
a certification authority (public keys)
Identity-based cryptography: your ID is your public key. A trusted authority derives users' private keys (and thus knows all private keys!)
Peer authentication via a web of trust that establishes the authenticity of the binding between a public key and its owner (Phil Zimmermann, 1992, used in PGP secure e-mail)

The vast majority of key distribution systems involve a trusted authority to ensure authenticity of keys.

Key Distribution Centres

Symmetric Key Distribution

Symmetric schemes require both parties to share a common, secret key. Possible distribution mechanisms:

A selects a key and physically delivers it to B. Secure, but cumbersome.
A third party selects and physically delivers the key to A and B. Also secure, but cumbersome.
A and B can use a previous key to encrypt a new key. If one key is compromised, all subsequent keys are compromised.
A commonly trusted third party called a key distribution centre (KDC) can relay the key between A and B via encrypted links (commonly used solution).

Key Distribution Centres

Idea:
Each user holds a shared symmetric master key with the KDC
The master key is used for distributing one-time session keys
Encryption is performed with a session key that is destroyed at the end of the session

Advantages:
Far fewer long-term keys than if each pair of entities held a shared long-term key
Compromise of a session key affects neither the master key nor other sessions

Key Distribution Centres: Issues

Issues:
Hierarchies of KDCs are required for large networks, and they must trust each other
Session key lifetimes should be limited for greater security
All keys and entities (users and KDCs) must be authenticated (more later)

Public-Key Infrastructures

Public Key Solutions

Key management in conventional cryptography is handled via key distribution centres. Now we look at public key solutions. There are three main contributions of PKC:

Digital signatures, for data origin authentication and non-repudiation
Key agreement protocols: both parties contribute to the generation of a session key (e.g. Diffie-Hellman)
Key transport via hybrid encryption: party A generates a session key, encrypts it and sends it to B using a PKC (B has no control over the session key)

Main problem: users' public keys must be authenticated in order to prevent active attacks such as man-in-the-middle and impersonation.

Public-Key Distribution, I

1 Point-to-point delivery over a trusted channel such as personal exchange, registered mail, courier, etc. Problems: slow, inconvenient, potentially expensive.
2 Direct access to a trusted public file (public-key repository). Advantage: no user interaction. Problems: the repository must be secure and tamper-proof (otherwise impersonation is still possible), and users must have a secure channel (see point 1) to initially register their public keys.

Public Key Distribution, II

3 An on-line trusted server dispenses public keys on request. The server signs the transmitted keys with its private key. Problems: all users must know the server's public verification key; the trusted server must be online and may become a bottleneck; a communication link must be established with both the server and the intended recipient; the server's public-key database may still be subject to tampering.
4 Off-line server and certificates (certification authorities).
5 Use of systems implicitly guaranteeing authenticity of public parameters (ID-based systems).

Option 5 is feasible, but has its own problems. We will focus on Option 4.


Public-Key Infrastructures

Definition 3 (Public-Key Infrastructure (PKI))

A set of techniques and procedures supporting authenticated key management for PKC. Specifically, a PKI supports:

initialization of system users
generation, distribution/authentication, and installation of public and private keys
controlling the use of keys (e.g. life cycles of session keys, public and private keys)
update, revocation, and destruction of keys (e.g. managing compromise of private keys)
storage, backup/recovery, and archival of keys (e.g. maintaining an audit trail)

Public-Key Certificates

Definition 4 (Public-Key Certificate)

A data structure consisting of a data part (containing at least the user ID and the corresponding public key) and a signature part consisting of the digital signature of a certification authority over the data part.

A certificate should also include information such as:

A time-stamp / validity period indicating the currency of the certificate (to facilitate key changing and revocation)
Additional information about the key (key generation algorithm, intended use)
Key status (for revocation)
Signature verification information (certification authority's name, signature algorithm used)

Certification Authorities

Definition 5 (Certification Authority (CA))

A trusted third party whose signature on a certificate vouches for the authenticity of the public key bound to the subject entity.

Idea: the CA issues public key certificates that may be verified off-line. Users may exchange authentic public keys without having to contact the CA.

Example 1

X.509 is the ITU-T certificate standard, profiled for the Internet by the IETF (Internet Engineering Task Force) in the PKIX work (RFC 5280), and used for certificate-based authentication in S/MIME, IPsec and SSL/TLS.

Obtaining Public Keys

User B uses a public-key certificate to obtain the authentic public key of user A as follows:

1 Acquires the authentic public key of the CA (done only once, e.g. pre-loaded in web browsers)
2 Acquires a public key certificate corresponding to A over an insecure channel such as a central database, or even directly from A
3 Verifies the authenticity of the public key:
(a) verifies the currency of the certificate using the time-stamp
(b) verifies the signature on A's certificate using the CA's public key
(c) verifies that the certificate has not been revoked
4 If all the checks succeed, accepts the public key in the certificate as A's public key
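Steps 1 to 4 above, including the revocation check with a time-stamped CRL (so that signatures made before the revocation date still verify, as the revocation slide requires), as an added example that is not code from the lecture. The certificate and CRL layouts, the canonical JSON encoding of the data part, and the CA's signature algorithm (textbook RSA over SHA-256, with the toy primes 104729 and 1299709 and e = 65537) are all assumptions made for this example; real deployments use X.509 with a padded signature scheme and much larger keys. The subject's key is Alice's ElGamal key (467, 2, 132) from the earlier slides.

```python
"""Obtaining a public key from a CA-signed certificate (added example, not lecture code).

Assumed: certificate/CRL format, canonical-JSON hashing, textbook RSA-SHA256 for the CA
with toy primes. The verifier holds only CA_PUBLIC, like a browser's pre-loaded root.
"""
import hashlib
import json

CA_P, CA_Q, CA_E = 104729, 1299709, 65537        # toy primes, far too small for real use
CA_N = CA_P * CA_Q
CA_D = pow(CA_E, -1, (CA_P - 1) * (CA_Q - 1))    # CA private key
CA_PUBLIC = (CA_N, CA_E)                          # step 1: pre-loaded in the verifier


def _digest(data):
    """SHA-256 of the canonical JSON encoding of the data part, reduced below the modulus."""
    raw = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % CA_N


def ca_sign(data):
    return pow(_digest(data), CA_D, CA_N)


def ca_verify(data, sig, ca_pub=CA_PUBLIC):
    n, e = ca_pub
    return pow(sig, e, n) == _digest(data)


def issue_certificate(subject, public_key, serial, not_before, not_after):
    """Data part (Definition 4) plus the CA's signature over it."""
    data = {"subject": subject, "public_key": public_key, "serial": serial,
            "issuer": "Example CA", "not_before": not_before, "not_after": not_after,
            "sig_alg": "RSA-SHA256-textbook"}
    return {"data": data, "signature": ca_sign(data)}


def issue_crl(revoked, issued_at):
    """`revoked` maps str(serial) -> revocation time; the CA signs and time-stamps the list."""
    data = {"revoked": revoked, "issued_at": issued_at}
    return {"data": data, "signature": ca_sign(data)}


def obtain_public_key(cert, crl, now, ca_pub=CA_PUBLIC):
    """Steps 3(a)-(c) and 4 from the slide. Returns (public_key, None) or (None, reason).
    `now` is the time at which the key is being used, so a signature made before the
    revocation date is still accepted."""
    d = cert["data"]
    if not d["not_before"] <= now <= d["not_after"]:         # (a) currency
        return None, "certificate not current"
    if not ca_verify(d, cert["signature"], ca_pub):            # (b) CA signature
        return None, "bad CA signature"
    if not ca_verify(crl["data"], crl["signature"], ca_pub):  # (c) the CRL must be authentic too
        return None, "bad CRL signature"
    revoked_at = crl["data"]["revoked"].get(str(d["serial"]))
    if revoked_at is not None and revoked_at <= now:           # (c) revoked before `now`?
        return None, "certificate revoked"
    return d["public_key"], None                               # step 4


if __name__ == "__main__":
    alice = {"alg": "ElGamal", "p": 467, "g": 2, "y": 132}
    cert = issue_certificate("alice@example.org", alice, 7, 100, 200)
    print(obtain_public_key(cert, issue_crl({}, 150), 150))
```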


Requirements for the Scheme

1 Any participant can read a certificate to determine the name and public key
2 Any participant can verify that the certificate originated from the CA and is not counterfeit
3 Only the CA can create and update certificates
4 Any participant can verify the currency of the certificate

Main issue / problem: the CA has to be trustworthy! Not bad for a small, closed deployment; at a national or international level?

User Registration

Users must register with the CA in a secure manner (typically in person):

The CA's public key (required for certificate verification) may be obtained at that time
The CA may generate user keys, or certify owner-generated keys (possibly without the user revealing the private key)
The CA may store keys for backup
The CA must verify the binding between the public and private keys (i.e. that the registrant actually holds the private key matching the public key to be certified)

CA Hierarchies

Large networks have hierarchies of CAs:

Tree hierarchy: each node represents a principal whose public key is certified by its parent
Leaf nodes: end users
Non-leaf nodes: CAs at various levels and domains (e.g. a country level has domains for industry (.com), education (.edu), government (.gov), other organizations (.org, .net))

Two end users can obtain authentic public keys by finding a common ancestor node in the hierarchy.

Certificate Revocation

Certificates may need to be revoked before they expire, for the following reasons:
A user's private key is compromised
A user is no longer certified by his current CA
A CA's certificate is assumed to be compromised

Mechanisms for revocation:
The CA maintains a certificate revocation list (CRL), available online, signed by the CA
Alternatively, incremental lists known as delta revocation lists are disseminated through the hierarchy
The CA must time-stamp revocations: signatures issued prior to the revocation date should be considered valid

ID-Based Cryptography

Identity Based Cryptography

Motivation: an ideal e-mail system in which knowledge of a person's name (or e-mail address) alone is sufficient to
send mail which can be read by that person only (secure),
allow verification of signatures that could have only been produced by that person.

Idea (Shamir 1984): bind public keys directly to a user's identity.

Definition 6 (Identity-based cryptosystem)

A PKC in which an entity's public identification information (unique name) plays the role of its public key.

Advantages and Challenges

Advantages: the need for public key authentication is eliminated.
Users need not exchange keys
Public directories (files of public keys or certificates) need not be kept
If the wrong public user data is used, the cryptographic transformations simply fail

Problem: how are the private keys generated? Recall that in order for a PKC to be secure, it must be computationally infeasible to compute the private key given the public key!

Private Key Generation

Answer: The system requires another piece of trap-door information: a master key that can be used to compute the private keys. The unique name (i.e. the public key) is used by a trusted authority to compute the entity's corresponding private key, using the master key.

Advantage: the trusted authority is only required during the set-up phase (to compute private keys).
Disadvantage: users must trust the authority completely (it knows all the private keys).

Typical Application

Users send encrypted messages using a public key derived from the recipient's ID and a key validity period (time stamp), using some publicly available function (e.g. converting the concatenation of these two strings to an integer of appropriate length). The recipient requests the private key corresponding to a particular validity period from the trusted authority. Incorporating a validity period into the public keys gives keys a lifetime, mitigating the problem of compromised keys (i.e. revocation).


Comparison to PKI

Both systems require a trusted third party. In ID-based cryptosystems, this authority always has access to the private keys. Important difference: In PKI, senders of messages / verifiers of signatures must obtain public keys of other users. In ID-based crypto, recipients / signers must obtain their own private keys.


Examples of ID Based Schemes

Signature schemes:
Shamir (CRYPTO 1984): based on RSA
Feige, Fiat and Shamir (J. Cryptology 1988): based on computing square roots modulo pq (p and q large primes)

Encryption schemes (a good deal harder!):
Boneh and Franklin (CRYPTO 2001): uses the Weil pairing on elliptic curves (first practical ID-based encryption scheme)

Shamir's ID-based Signature Scheme, Key Generation

System parameters (selected by a trusted key generation server T):

Public system parameters: an RSA public key (N, e) and a hash function H : {0, 1}* → Z_φ(N)
Trusted authority's master key: the RSA private exponent d

User private key generation (performed by the trusted authority): K ≡ ID^d (mod N), where ID is the user's uniquely identifiable identity, encoded as an element of Z*_N.

Shamir, Signature Generation & Verification

Signature generation on message M ∈ {0, 1}*:
Alice chooses a random r ∈ Z*_N
Alice computes t ≡ r^e (mod N) and s ≡ K · r^{H(t,M)} (mod N)
The signature is (s, t)

Signature verification, given (M, s, t): the signature is accepted as valid if

s^e ≡ ID · t^{H(t,M)} (mod N),

because s^e ≡ (K · r^{H(t,M)})^e ≡ K^e · (r^e)^{H(t,M)} ≡ ID · t^{H(t,M)} (mod N).


Security

Recall the verification condition: s^e ≡ ID · t^{H(t,M)} (mod N). Security depends on:

Difficulty of the RSA problem (computing e-th roots modulo N). Adversary generates a random M and a random t ∈ Z*_N and computes ID · t^{H(t,M)} (mod N). If she can find an e-th root s of ID · t^{H(t,M)} (mod N), then (s, t) is a valid signature to M.

Collision resistance of H. Adversary intercepts a valid triple (M, s, t). If she can find M' ≠ M with H(t, M') = H(t, M) (a second preimage with t held fixed), then (s, t) is also a valid signature to M', because the verification equation depends on M only through H(t, M). Note that t must be kept: a collision H(t', M') = H(t, M) with t' ≠ t does not help, since s^e ≡ ID · t^{H(t,M)} is in general different from ID · t'^{H(t',M')}.
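Shamir's scheme from the two preceding slides, together with the second-preimage forgery just described, as an added example that is not code from the lecture. Assumptions made here: the master RSA primes are 104729 and 1299709 (toy sizes) with e = 65537; an identity string is mapped to ID by hashing it and reducing mod N; and H(t, M) is the integer SHA-256(t ‖ M) used directly as the exponent (the slides' codomain Z_φ(N) only matters modulo φ(N), which the verifier does not know, so no reduction is needed). The `bits` parameter truncates H to its leading bits solely so that the forgery search finishes in a demo; with the full 256-bit hash the same search is infeasible, which is exactly the collision-resistance requirement the slide states.

```python
"""Shamir's identity-based signature scheme (added example, not lecture code).

Toy parameters: N = 104729 * 1299709, e = 65537. H(t, M) = int(SHA-256(t || M)),
optionally truncated to `bits` leading bits to make the second-preimage demo feasible.
"""
import hashlib
from math import gcd

P, Q, E = 104729, 1299709, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # trusted authority's master key


def encode_id(identity):
    """Public key of `identity`: its hash as an element of Z_N (assumed encoding)."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % N


def extract_private_key(identity):
    """Done by the trusted authority T: K = ID^d mod N."""
    return pow(encode_id(identity), D, N)


def H(t, message, bits=256):
    """H(t, M) as an integer; `bits` keeps only the leading bits (full hash by default)."""
    digest = hashlib.sha256(t.to_bytes(8, "big") + message).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def sign(K, message, r, bits=256):
    """(s, t) with t = r^e and s = K * r^H(t,M) (mod N); r must be a unit mod N."""
    if not (1 < r < N and gcd(r, N) == 1):
        raise ValueError("r must be in Z_N^*")
    t = pow(r, E, N)
    s = K * pow(r, H(t, message, bits), N) % N
    return s, t


def verify(identity, message, s, t, bits=256):
    """Accept iff s^e = ID * t^H(t,M) (mod N)."""
    return pow(s, E, N) == encode_id(identity) * pow(t, H(t, message, bits), N) % N


def forge_by_second_preimage(message, s, t, bits, limit=1_000_000):
    """Given a valid (M, s, t), search M' != M with H(t, M') = H(t, M) and reuse (s, t).
    Feasible only because `bits` is small; returns (M', s, t) or None."""
    target = H(t, message, bits)
    for i in range(limit):
        forged = b"pay Mallory 1000000 #%d" % i      # constructed candidate messages
        if forged != message and H(t, forged, bits) == target:
            return forged, s, t
    return None


if __name__ == "__main__":
    K = extract_private_key("alice@example.org")
    s, t = sign(K, b"Hi there", 123456789)
    print(verify("alice@example.org", b"Hi there", s, t))   # True
```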