
Cryptography: Public-Key Cryptography. Uwe Egly, Vienna University of Technology (PowerPoint presentation)



  1. Cryptography: Public-Key Cryptography
  Uwe Egly, Vienna University of Technology, Institute of Information Systems, Knowledge-Based Systems Group

  2. Overview
  ◮ Problem of symmetric procedures: exchange of the secret key
  ◮ Solution: public-key procedures (PKPs): use a public key and a secret key
  ◮ Developed by Diffie, Hellman and Merkle in the mid-70s
  ◮ The receiver publishes his/her public key (e.g., on a homepage)
  ◮ A potential sender uses the public key for encryption
  ◮ The receiver uses his/her secret key for decryption
  ◮ Disadvantage of PKPs: much slower than symmetric ones
  ◮ Solution: hybrid procedures
    1. Asymmetric procedure for the key exchange phase
    2. Fast symmetric en-/decryption with a random session key

  3. Diffie-Hellman Key-Exchange Protocol (DHKEP)
  ◮ Alice (A) and Bob (B) have not exchanged keys so far
  ◮ They want to establish a shared secret by exchanging messages over insecure channels
  ◮ They agree on two public parameters, a large prime p (giving $\mathbb{Z}_p$) and a generator α for $\mathbb{Z}_p^*$ (the multiplicative group):
    $\mathbb{Z}_p^* = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{p-2}\} = \{1, \alpha, \alpha^2, \ldots, \alpha^{p-2}\}$
  ◮ Protocol (x, y below are chosen from {0, ..., p − 2})
    ◮ A chooses x and computes $X = \alpha^x \bmod p$
    ◮ A sends X to B and keeps x secret
    ◮ B chooses y and computes $Y = \alpha^y \bmod p$
    ◮ B sends Y to A and keeps y secret
    ◮ A computes $Y^x$ and B computes $X^y$
    ◮ Now A and B have their secret key k because $Y^x \equiv \alpha^{yx} \equiv \alpha^{xy} \equiv X^y \equiv k \pmod p$

  4. The Discrete Logarithm Problem (DLP)
  ◮ DL: group-theoretic analogue of ordinary logarithms. Given a prime p, a generator α of $\mathbb{F}_p^*$ and an element $c \in \mathbb{F}_p^*$, find the unique integer e with $0 \le e \le p-2$ such that $\alpha^e \equiv c \pmod p$
  ◮ If we can solve the DLP fast, we can break the DHKEP
  ◮ No efficient algorithm to solve the DLP is known at the moment
  ◮ Known algorithms are inspired by factorization algorithms, for which also no efficient algorithm is known
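The exchange of slide 3 and the DLP of slide 4, as an added Ruby example that is not part of the slides. The toy parameters p = 23 and α = 5 (a generator of $\mathbb{Z}_{23}^*$) and the exponents x = 6, y = 15 are constructed here; the slides give no numeric DH example. The brute-force `discrete_log` is exactly the search that becomes infeasible for a real-size p, which is the security argument of slide 4.

```ruby
# Added example (not from the slides): Diffie-Hellman key exchange over Z*_p
# with constructed toy parameters p = 23, alpha = 5, followed by a brute-force
# discrete logarithm that shows why the DLP must be hard for a real-size p.

# Order check: alpha generates Z*_p iff no power alpha^i with 0 < i < p-1
# equals 1 (then alpha^0 .. alpha^(p-2) are all distinct) and alpha^(p-1) = 1.
def generator?(alpha, p)
  (1...(p - 1)).none? { |i| alpha.pow(i, p) == 1 } && alpha.pow(p - 1, p) == 1
end

# One party's view of the protocol: pick a secret exponent from {0,...,p-2},
# publish alpha^secret mod p, and derive k from the other side's public value.
class DhParty
  attr_reader :public_value

  def initialize(p, alpha, secret)
    raise ArgumentError, "exponent out of range" unless (0..(p - 2)).cover?(secret)
    @p = p
    @secret = secret                       # x (Alice) or y (Bob); never sent
    @public_value = alpha.pow(secret, p)   # X = alpha^x mod p or Y = alpha^y mod p
  end

  def shared_key(other_public)
    other_public.pow(@secret, @p)          # Y^x mod p or X^y mod p
  end
end

# Runs the exchange; returns [k_alice, k_bob], which must agree.
def dh_exchange(p, alpha, x, y)
  alice = DhParty.new(p, alpha, x)
  bob   = DhParty.new(p, alpha, y)
  # Over the wire an eavesdropper sees only p, alpha, X and Y.
  [alice.shared_key(bob.public_value), bob.shared_key(alice.public_value)]
end

# The DLP of slide 4: find e in 0..p-2 with alpha^e = c mod p. Exhaustive
# search is fine for p = 23 (22 candidates) and hopeless for a 2048-bit p.
def discrete_log(alpha, c, p)
  (0..(p - 2)).find { |e| alpha.pow(e, p) == c % p }
end

if __FILE__ == $PROGRAM_NAME
  prime, alpha = 23, 5
  puts "5 generates Z*_23: #{generator?(alpha, prime)}"
  ka, kb = dh_exchange(prime, alpha, 6, 15)
  puts "Alice's k = #{ka}, Bob's k = #{kb}"          # both 2
  x_recovered = discrete_log(alpha, alpha.pow(6, prime), prime)
  puts "exponent recovered from X by search: #{x_recovered}"   # 6
end
```

`Integer#pow(exp, mod)` does the modular exponentiation, so the same code runs unchanged on a 2048-bit p; only `discrete_log` stops terminating in any useful time, which is the point.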

  5. (Total) Functions (Reminder)
  ◮ Defined using two sets X and Y and a rule f
  ◮ f associates to each element of X exactly one element in Y (total on X and unique: $\forall x\,y\,z\,(f(x) = y \wedge f(x) = z \rightarrow y = z)$)
  ◮ Notation: $f: X \mapsto Y$
  ◮ X is called the domain, Y the codomain of f
  ◮ Image of $x \in X$ is y with y = f(x)
  ◮ Preimage of $y \in Y$ is an element $x \in X$ with f(x) = y
  ◮ Image of f: $\mathrm{Im}(f) = \{ y \mid \exists x \in X \text{ with } f(x) = y \}$

  6. Properties of Functions
  ◮ $f: X \mapsto Y$ is injective (one-to-one) if every $y \in Y$ is the image of at most one $x \in X$
  ◮ $f: X \mapsto Y$ is surjective (onto) if $\mathrm{Im}(f) = Y$
  ◮ f is bijective (one-to-one and onto) if f is injective and surjective (like permutations)
  ◮ Inverse function $g = f^{-1}$ of a bijection $f: X \mapsto Y$:
    ◮ Bijection $g: Y \mapsto X$
    ◮ For all $y \in Y$, define g(y) = x with $x \in X$ and f(x) = y
  ◮ Already used: f for encryption, $f^{-1}$ for decryption

  7. One-Way Function
  ◮ $f: X \mapsto Y$ is a one-way function if both conditions hold:
    1. f(x) is easy to compute for all $x \in X$
    2. for a randomly chosen $y \in \mathrm{Im}(f)$, it is computationally infeasible to find $x \in X$ such that f(x) = y
  ◮ f is easy to compute, but it is infeasible to compute $f^{-1}$
  ◮ Example: $f: X \mapsto Y$ with X = {1, ..., 16} and $f(x) = 3^x \bmod 17$
      x    | 1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16
      f(x) | 3  9  10 13 5  15 11 16 14 8  7  4  12 2  6  1
  ◮ f(x) is easy to compute, but it is hard to find x with f(x) = 7 (especially if the modulus is a big prime)

  8. Trapdoor One-Way Function
  ◮ $f: X \mapsto Y$ is a trapdoor one-way function if
    1. f is a one-way function and
    2. with some additional information (trapdoor info), computing the inverse is easy
  ◮ Example: Given two primes p, q with $p \ne q$, let n = pq.
  ◮ Let $f(x) \equiv x^3 \pmod n$ and suppose $3d \equiv 1 \pmod{\varphi(n)}$
  ◮ d is the trapdoor information supporting an efficient computation of $f^{-1}$
  ◮ Computing f is easy, but computing (from known n and f) $f^{-1}(x^3) \equiv f^{-1}(f(x)) \equiv x^{3d} \equiv x \pmod n$ is believed to be very hard without the trapdoor info d (the argument also works for other exponents)

  9. Trapdoor One-Way Function (cont'd)
  ◮ How do we justify $x^{3d} \equiv x \pmod n$?
  ◮ With Euler's generalization of Fermat's Little Theorem
  ◮ If $n \in \mathbb{N}$ and $m \in \mathbb{Z}$ such that gcd(m, n) = 1, then $m^{\varphi(n)} \equiv 1 \pmod n$
  ◮ Since $3d \equiv 1 \pmod{\varphi(n)}$ by assumption, it holds that $\exists k\,(3d = k \cdot \varphi(n) + 1)$
  ◮ But then $x^{3d} = x^{k \cdot \varphi(n) + 1} = \underbrace{x^{\varphi(n)} \cdots x^{\varphi(n)}}_{k \text{ times}} \cdot x$ and
  ◮ $x^{3d} \equiv \underbrace{x^{\varphi(n)} \cdots x^{\varphi(n)}}_{k \text{ times}} \cdot x \equiv \underbrace{1 \cdots 1}_{k \text{ times}} \cdot x \equiv x \pmod n$ (the step $x^{\varphi(n)} \equiv 1$ uses the hypothesis gcd(x, n) = 1 of Euler's theorem)

  10. An Example Computation
  ◮ Take f from above, i.e., $f(x) \equiv x^3 \pmod n$
  ◮ Choose p = 5, q = 11 and compute n = 55 and $\varphi(n) = 40$
  ◮ Compute the trapdoor info d, i.e., solve $3d \equiv 1 \pmod{\varphi(n)}$ (the solution is d = 27, since $3 \cdot 27 \equiv 1 \pmod{40}$)
  ◮ Compute $f(12) \equiv 1728 \equiv 23 \pmod{55}$
  ◮ Using the trapdoor information d, we compute $f^{-1}(23) \equiv f^{-1}(f(x)) \equiv x^{3 \cdot 27} \equiv (x^3)^{27} \pmod{55}$. Therefore, $f^{-1}(23) \equiv 23^{27} \equiv 12 \pmod{55}$, as expected
  ◮ When we can factorize n fast, d can be efficiently obtained
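The two functions of slides 7 to 10 in working Ruby, as an added example that is not part of the slides: the one-way function $f(x) = 3^x \bmod 17$ with its table and the only known way to invert it here (searching the table), and the trapdoor function $f(x) = x^3 \bmod 55$ inverted with the slides' d = 27. All numbers are the slides' own; the function names are mine. The last check goes slightly beyond slide 9: it confirms that the trapdoor inverts f on every x in $\mathbb{Z}_{55}$, not only on the x with gcd(x, n) = 1 that Euler's theorem covers directly.

```ruby
# Added example (not from the slides): the one-way function f(x) = 3^x mod 17
# (slide 7) and the trapdoor function f(x) = x^3 mod 55 with d = 27 (slides 8-10).

# Forward direction of the first function; returns the table x => 3^x mod 17.
def power_table(base = 3, modulus = 17)
  (1..(modulus - 1)).to_h { |x| [x, base.pow(x, modulus)] }
end

# Inverting it without a trapdoor: nothing better than scanning the table
# (exhaustive search), whose cost grows with the modulus.
def preimage_by_search(y, base = 3, modulus = 17)
  power_table(base, modulus).key(y)
end

# The trapdoor function f(x) = x^3 mod n of slide 8.
def cube_mod(x, n)
  x.pow(3, n)
end

# Inverse using the trapdoor d with 3d = 1 mod phi(n): (x^3)^d = x mod n.
def cube_root_with_trapdoor(y, n, d)
  y.pow(d, n)
end

# Euler's totient for n = pq with distinct primes p, q (slide 10).
def phi_of_pq(p, q)
  (p - 1) * (q - 1)
end

# Sanity check of the relation 3d = 1 mod phi(n) before trusting a given d.
def valid_trapdoor?(d, phi)
  (3 * d) % phi == 1
end

# Checks that the trapdoor inverts f on every x in Z_n, including the x with
# gcd(x, n) > 1 that the Euler argument on slide 9 does not cover directly.
def trapdoor_inverts_all?(n, d)
  (0...n).all? { |x| cube_root_with_trapdoor(cube_mod(x, n), n, d) == x }
end

if __FILE__ == $PROGRAM_NAME
  puts "3^x mod 17: #{power_table.inspect}"
  puts "x with 3^x = 7 mod 17: #{preimage_by_search(7)}"       # 11
  n, d = 55, 27
  puts "d valid: #{valid_trapdoor?(d, phi_of_pq(5, 11))}"      # true
  c = cube_mod(12, n)
  puts "f(12) = #{c}, f^-1(#{c}) = #{cube_root_with_trapdoor(c, n, d)}"  # 23, 12
  puts "trapdoor inverts every x in Z_55: #{trapdoor_inverts_all?(n, d)}"
end
```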

  11. Extended Euclidean Algorithm (for $\mathbb{Z}$)
  ◮ An iterative version of the algorithm from HAC
  Algorithm 1: extEuclid(a, b)
    Input: two non-negative integers a, b with a ≥ b
    Result: d = gcd(a, b) and integers x, y satisfying ax + by = d
    begin
      if b = 0 then return (a, 1, 0);
      x2 = 1, x1 = 0, y2 = 0, y1 = 1;
      while b > 0 do
        q = a div b; r = a − qb; x = x2 − q·x1; y = y2 − q·y1;
        a = b; b = r; x2 = x1; x1 = x; y2 = y1; y1 = y;
      return (a, x2, y2);
    end
  ◮ The algorithm has a running time of $O(\mathrm{ld}(a)^2)$ bit operations

  12. Extended Euclidean Algorithm (for $\mathbb{Z}$)
  ◮ A recursive version of the algorithm in Ruby

    # Returns [x, y] with b*x + m*y = gcd(b, m)
    def extended_gcd(b, m)
      q, r = b.divmod m
      if r == 0
        # m divides b, so gcd(b, m) = m = b*0 + m*1
        temp = [0, 1]
        return temp
      else
        # temp = [x', y'] with m*x' + r*y' = gcd; since r = b - q*m,
        # this is b*y' + m*(x' - q*y') = gcd
        temp = extended_gcd(m, r)
        temp2 = [temp[1], temp[0] - temp[1] * q]
        return temp2
      end
    end

  13. Computing Modular Inverses in $\mathbb{Z}_n$
  Algorithm 2: modularInverseZn(a, n)
    Input: n is the modulus and $a \in \mathbb{Z}_n$
    Result: $a^{-1} \bmod n$, provided it exists
    begin
      Use extEuclid(a, n) to find integers x, y s.t. ax + ny = d = gcd(a, n);
      if d > 1 then return "$a^{-1} \bmod n$ does not exist";
      else
        x1 = x mod n;
        if x1 < 0 then return x1 + n;
        else return x1;
    end

  14. RSA Overview
  ◮ Published by R. Rivest, A. Shamir and L. Adleman in 1978
  ◮ An equivalent system was obtained by Ellis, Cocks and Williamson at GCHQ but kept secret until 1997 (Ellis' report is from 1973)
  ◮ Usage: encryption and decryption, digital signatures
  ◮ The security of RSA is not proven
  ◮ It is based on the factorization problem for integers
  ◮ The factorization problem is not "provably infeasible", but ...
  ◮ ... no polynomial algorithm is known at the moment
  ◮ RSA challenge: RSA-640 (Nov. 2005, Bonn University)

  15. Key Generation for RSA
  1. Choose random primes p, q of approx. the same size ($p \ne q$)
  2. Compute n = pq and $\varphi(pq) = (p-1)(q-1)$ (simply call it φ)
  3. Choose $e \in \mathbb{N}$ with 1 < e < φ such that gcd(e, φ) = 1 ⇒ e is odd, since φ is even and gcd(e, φ) = 1
  4. Compute the unique d with 1 < d < φ such that $ed \equiv 1 \pmod{\varphi}$ (we compute the modular inverse of e in $\mathbb{Z}_{\varphi(pq)}$)
  5. Recall: $e^{-1}$ exists because gcd(e, φ) = 1
  6. Public key (n, e), private (secret) key d
     n is the RSA modulus; e / d is the encryption/decryption exponent

  16. Encryption of Message Blocks in RSA
  ◮ Interpret the plaintext block as an integer m with 0 ≤ m < n
  ◮ Plaintexts are all numbers from P = {0, 1, ..., n − 1}
  ◮ Encryption of the plaintext m by $c = m^e \bmod n$
  ◮ The public key is sufficient for encryption
  ◮ $m^e \bmod n$ is computed efficiently with fast exponentiation
  ◮ Example: p = 11, q = 23, n = 253, e = 3
  ◮ Plaintexts are: {0, 1, ..., 252}
  ◮ Encryption of m = 165: $165^3 \bmod 253 = 110$

  17. Decryption of Ciphertext Blocks in RSA
  ◮ p = 11, q = 23, n = 253, e = 3, φ = (p − 1)(q − 1) = 220
  ◮ Compute d with 1 < d < φ and $ed \equiv 1 \pmod{\varphi}$: d = 147, because 3 · 147 = 441 = 2 · 220 + 1
  ◮ Decryption of the ciphertext c = 110 by $c^d \bmod n$, i.e., compute $110^{147} \bmod 253$:
      $110^2 \bmod 253 = 209$
      $110^4 \bmod 253 = 165$
      $110^8 \bmod 253 = 154$
      $110^{16} \bmod 253 = 187$
      $110^{32} \bmod 253 = 55$
      $110^{64} \bmod 253 = 242$
      $110^{128} \bmod 253 = 121$
  ◮ Compose d from the powers of 2 (guided by the binary representation): 147 = 128 + 16 + 2 + 1
  ◮ Decrypt c = 110: (121 · 187 · 209 · 110) mod 253 = 165

  18. Good Choices for p, q and e
  ◮ Choose p and q of approximately the same size ⇒ no small factors p or q
  ◮ Choose p and q at random and equally distributed (but not too close: $0.5 < |\log_2(p) - \log_2(q)| < 30$ (GISA))
  ◮ Choose e such that encryption is efficient and secure
  ◮ Usual values for e: 3, 17, 65 537 = $2^{16} + 1$ (often: choose e with max{p, q} < e < φ(n) − 1)
  ◮ e = 3 is efficient (1 squaring and 1 multiplication modulo n)
  ◮ Example: n = 253, e = 3, m = 165. Compute $m^2 \bmod n = 154$, then compute $m^3 \bmod n = ((m^2 \bmod n) \cdot m) \bmod n = 154 \cdot 165 \bmod 253 = 110$
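Algorithms 1 and 2 of slides 11 and 13, and the RSA key generation, encryption and decryption of slides 15 to 18, as one added Ruby example that is not part of the slides. It runs on the slides' own numbers (p = 11, q = 23, e = 3, m = 165); the function names are mine, and `square_and_multiply` additionally returns the successive squarings so the table on slide 17 can be checked line by line. `ext_euclid` follows Algorithm 1 verbatim; the a ≥ b precondition is not needed, since a first iteration with q = 0 simply swaps the arguments.

```ruby
# Added example (not from the slides): iterative extended Euclid (Algorithm 1),
# modular inverse (Algorithm 2) and RSA on the slides' numbers p = 11, q = 23, e = 3.

# Algorithm 1: returns [d, x, y] with a*x + b*y = d = gcd(a, b).
def ext_euclid(a, b)
  return [a, 1, 0] if b.zero?
  x2, x1, y2, y1 = 1, 0, 0, 1
  while b > 0
    q = a / b                      # a div b (integer division)
    r = a - q * b
    x = x2 - q * x1
    y = y2 - q * y1
    a, b = b, r
    x2, x1 = x1, x
    y2, y1 = y1, y
  end
  [a, x2, y2]
end

# Algorithm 2: a^-1 mod n, or nil when gcd(a, n) > 1 (no inverse exists).
def modular_inverse(a, n)
  d, x, _y = ext_euclid(a, n)
  return nil if d > 1
  x1 = x % n                       # Ruby's % already yields a value in 0...n,
  x1 < 0 ? x1 + n : x1             # so the slide's "+ n" branch is never taken
end

# Fast exponentiation base^exp mod n. Returns [result, squarings], where
# squarings[i] = base^(2^i) mod n, i.e. the rows of the table on slide 17.
def square_and_multiply(base, exp, n)
  squarings = []
  result = 1
  power = base % n
  bits = exp
  while bits > 0
    squarings << power
    result = (result * power) % n if bits.odd?   # this power of two is in exp
    power = (power * power) % n                   # next squaring
    bits >>= 1
  end
  [result, squarings]
end

# Slide 15, steps 2-6, for already chosen primes p, q and exponent e.
# Returns the public key [n, e] and the private exponent d.
def rsa_keygen(p, q, e)
  raise ArgumentError, "p and q must differ" if p == q
  n = p * q
  phi = (p - 1) * (q - 1)
  raise ArgumentError, "gcd(e, phi) must be 1" unless ext_euclid(e, phi)[0] == 1
  d = modular_inverse(e, phi)
  [[n, e], d]
end

# Slide 16: c = m^e mod n for a plaintext block m in 0...n.
def rsa_encrypt(m, n, e)
  raise ArgumentError, "plaintext must be in 0...n" unless (0...n).cover?(m)
  square_and_multiply(m, e, n)[0]
end

# Slide 17: m = c^d mod n.
def rsa_decrypt(c, n, d)
  square_and_multiply(c, d, n)[0]
end

if __FILE__ == $PROGRAM_NAME
  (n, e), d = rsa_keygen(11, 23, 3)
  puts "n = #{n}, e = #{e}, d = #{d}"                # 253, 3, 147
  c = rsa_encrypt(165, n, e)                         # 110
  m, squarings = square_and_multiply(c, d, n)
  puts "c = #{c}; 110^(2^i) mod 253 for i = 1..7: #{squarings[1..].inspect}"
  puts "decrypted m = #{m}"                          # 165
end
```

Note that `rsa_encrypt` rejects m outside {0, ..., n − 1}, the plaintext space of slide 16: a block that is not reduced modulo n would decrypt to a different value.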
