Computer Security: Public Key Crypto
Bart Jacobs
Institute for Computing and Information Sciences – Digital Security
Radboud University Nijmegen
Version: fall 2010

Outline
• Public key crypto
• RSA Essentials
• Public key protocols
  • Public key infrastructures
• Diffie-Hellman and El Gamal
  • Diffie-Hellman key exchange
  • El Gamal encryption
  • Elliptic curves

Public key background
• A big problem in secret key crypto is key management:
  • N users need $N(N-1)/2$ different keys
• Public key crypto involves a revolutionary idea: use one key pair per user, consisting of
  • a public key, for:
    1. encryption
    2. checking signatures
  • a private key, for:
    1. decryption
    2. putting signatures

Using locks to explain the (encryption) idea
• Suppose Alice wants to send Bob an encrypted message
• Bob first sends Alice his open padlock
  • only Bob has the key to open it
  • but Alice (or anyone else) can close it
  • this open padlock corresponds to Bob's public key
• Alice puts the message in a box, and closes it with Bob's padlock
  • the box can be seen as a form of encryption
• Upon receiving the box, Bob uses his private key to open the padlock (and the box), and reads the message.
• Question: how do you know for sure this is Bob's lock?

Public key crypto: historical essentials
• The idea of public key crypto:
  • first invented in 1969 by James Ellis of GCHQ
  • first published in 1976 by Diffie & Hellman
• Implementations of public key crypto:
  • first one by Clifford Cocks (GCHQ), but unpublished
  • Rivest, Shamir and Adleman (RSA) first published in 1978, using the difficulty of prime number factorisation
  • several alternatives exist today, notably using "El-Gamal" on "elliptic curves"

Public key equation
• Let's write a key pair as:
  • $K_e$ for encryption / public key
  • $K_d$ for decryption / private key
• Let's further write the relevant operations as:
  • $\{m\}_{K_e}$ for encryption of message $m$ with public key $K_e$
  • $[n]_{K_d}$ for decryption of message $n$ with private key $K_d$
• The relevant equations are:
  $[\{m\}_{K_e}]_{K_d} = m$
• But for certain systems (like RSA) one also has:
  $\{[m]_{K_d}\}_{K_e} = m$
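
The two public key equations above, made concrete as an added example (not code from the slides). It assumes textbook RSA with small constructed primes, which the slides only introduce in the later "RSA Essentials" part; all function names and numbers are illustrative.

```python
# Added illustration: textbook RSA with tiny constructed primes, used only to
# make the public key equations concrete. No padding, toy key size.
P, Q = 61, 53                # constructed toy primes (real keys use very large primes)
N = P * Q                    # public modulus
PHI = (P - 1) * (Q - 1)
E = 17                       # public exponent, part of K_e
D = pow(E, -1, PHI)          # private exponent, part of K_d (needs Python 3.8+)


def encrypt(m, e=E, n=N):
    """{m}_{K_e}: apply the public key."""
    return pow(m, e, n)


def decrypt(c, d=D, n=N):
    """[c]_{K_d}: apply the private key."""
    return pow(c, d, n)


def both_equations_hold():
    """Check [{m}_Ke]_Kd = m and {[m]_Kd}_Ke = m for every m in Z_N."""
    return all(decrypt(encrypt(m)) == m and encrypt(decrypt(m)) == m
               for m in range(N))


def sign(m):
    """Putting a signature is the private key operation [m]_{K_d}."""
    return decrypt(m)


def verify(m, sig):
    """Checking a signature applies K_e and compares: {sig}_{K_e} == m."""
    return encrypt(sig) == m


if __name__ == "__main__":
    msg = 1234                                   # constructed sample message
    print("both equations hold:", both_equations_hold())
    sig = sign(msg)
    print("valid signature accepted:", verify(msg, sig))
    print("altered message rejected:", not verify(msg + 1, sig))
```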

Number theoretic ingredients I
• Recall that a number is prime if it is divisible only by 1 and by itself.
  Prime numbers are: 2, 3, 5, 7, 11, 13, ... (infinitely many)
• Each number can be written in a unique way as product of primes (possibly multiple times), as in:
  $100 = 2^2 \cdot 5^2$    $30 = 2 \cdot 3 \cdot 5$    $12345 = 3 \cdot 5 \cdot 823$
• Finding such a prime number factorisation is a computationally hard problem
• In particular, given two very large primes $p, q$, you can publish $n = p \cdot q$ and no-one will (easily) find out what $p, q$ are.
• In 2009 factoring a 232-digit (768 bit) number $n = p \cdot q$ with hundreds of machines took about 2 years

Modular arithmetic
• On a 12-hour clock, the time '1 o'clock' is the same as the time '13 o'clock'; one writes
  $1 \equiv 13 \pmod{12}$, i.e. "1 and 13 are the same modulo 12"
• Similarly for 24-hour clocks:
  $5 \equiv 29 \pmod{24}$ since $5 + 24 = 29$
  $5 \equiv 53 \pmod{24}$ since $5 + (2 \cdot 24) = 53$
  $19 \equiv -5 \pmod{24}$ since $19 + (-1 \cdot 24) = -5$
• In general, for $N > 0$ and $n, m \in \mathbb{Z}$,
  $n \equiv m \pmod{N} \iff$ there is a $k \in \mathbb{Z}$ with $n = m + k \cdot N$
  In words, the difference of $n, m$ is a multiple of $N$.

Numbers modulo N
How many numbers are there modulo N?
One writes $\mathbb{Z}_N$ for the set of numbers modulo N. Thus:
  $\mathbb{Z}_N = \{0, 1, 2, \ldots, N-1\}$
Some Remarks
• Sometimes $\mathbb{Z}/N\mathbb{Z}$ is written for $\mathbb{Z}_N$
• Formally, the elements $m$ of $\mathbb{Z}_N$ are equivalence classes $\{k \mid k \equiv m \pmod{N}\}$ of numbers modulo N
• These classes are also called residue classes or just residues
• In practice we treat them simply as numbers.

Residues form a ring
• Numbers modulo N can be added, subtracted and multiplied: they form a "ring"
• For instance, modulo N = 15:
  $10 + 6 \equiv 1$    $6 - 10 \equiv 11$
  $3 + 2 \equiv 5$     $0 - 14 \equiv 1$
  $4 \cdot 5 \equiv 5$     $10 \cdot 10 \equiv 10$
• Sometimes it happens that a product is 1
  For instance (still modulo 15): $4 \cdot 4 \equiv 1$ and $7 \cdot 13 \equiv 1$
• In that case one can say:
  $\frac{1}{4} = 4$ and $\frac{1}{7} = 13$

Multiplication tables
For small N it is easy to make multiplication tables for $\mathbb{Z}_N$. For instance, for N = 5:

  Z_5 | 0  1  2  3  4
  ----+--------------
   0  | 0  0  0  0  0
   1  | 0  1  2  3  4
   2  | 0  2  4  1  3
   3  | 0  3  1  4  2
   4  | 0  4  3  2  1

• Note: every number in $\mathbb{Z}_5$ has an inverse
• This holds for every $\mathbb{Z}_p$ with $p$ a prime number (more below)

Greatest common divisors
• Recall:
  $\gcd(n, m)$ = "greatest common divisor of $n$ and $m$"
  = greatest $k$ with $k$ divides both $n, m$
  = greatest $k$ with $n = k \cdot n'$ and $m = k \cdot m'$, for some $n', m'$
• Examples:
  $\gcd(20, 15) = 5$    $\gcd(78, 12) = 6$    $\gcd(15, 8) = 1$
• If $\gcd(n, m) = 1$ one calls $n, m$ relatively prime
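
The inverses and gcds from the last three slides can be computed rather than read off a table. The sketch below is an added example, not from the slides: it uses the extended Euclidean algorithm and the general fact (going beyond the slide text) that a residue a has an inverse modulo N exactly when gcd(a, N) = 1. All function names are illustrative.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def inverse(a, n):
    """Return b in Z_n with a*b = 1 (mod n), or None if a has no inverse."""
    g, x, _ = egcd(a % n, n)
    return x % n if g == 1 else None


def mul_table(n):
    """Multiplication table of Z_n as a list of rows."""
    return [[(r * c) % n for c in range(n)] for r in range(n)]


def invertible(n):
    """Map every invertible residue of Z_n to its inverse."""
    pairs = ((a, inverse(a, n)) for a in range(n))
    return {a: inv for a, inv in pairs if inv is not None}


def coprime_residues(n):
    """Residues a in Z_n with gcd(a, n) == 1."""
    return [a for a in range(n) if gcd(a, n) == 1]


if __name__ == "__main__":
    for row in mul_table(5):          # the Z_5 table from the slide
        print(*row)
    print("Z_5 inverses: ", invertible(5))    # all non-zero residues appear
    print("Z_15 inverses:", invertible(15))   # only residues coprime to 15
    print("same set as the gcd criterion:",
          sorted(invertible(15)) == coprime_residues(15))
```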