Public-key cryptography
• Suggested by Diffie & Hellman 1976
• Instead of one secret, shared key (with the associated problems of key distribution):
• Use a key pair $(e,d)$ for each user
• one for encryption, one for decryption
• one private (secret), one public
• s.t. $c = E_e(m)$, $m = D_d(c)$
• in some cases $E = D$ and $m = D_e(E_d(m)) = E_e(D_d(m)) = D_d(E_e(m))$, i.e. the keys $(e,d)$ are inverses of each other

Both confidentiality and authenticity
• A has $(e_A, d_A)$, B has $(e_B, d_B)$
• where $e$ is private, $d$ public
• Confidentiality A → B: $c = E_{d_B}(m)$
• can only be decrypted by $D_{e_B}$
• Authenticity A → B: $c = E_{e_A}(m)$
• can be decrypted by anyone, but can only have been encrypted by $E_{e_A}$
• Both conf. & auth. A → B: $c = E_{d_B}(E_{e_A}(m))$
• decrypted by $D_{d_A}(D_{e_B}(c))$

Requirements on PKS
1. Easy to generate $(e,d)$
2. Easy to encrypt $E_k(m)$ given $k$ and $m$
3. Easy to decrypt $D_k(c)$ given $k$ and $c$
4. Computationally infeasible to find $e$ given $d$
5. Computationally infeasible to find $m$ given $e$ and $c = E_e(m)$
6. $m = D_e(E_d(m)) = E_e(D_d(m)) = D_d(E_e(m))$ (not always)

One-way trapdoor functions
• A one-way function $f$ is a (1-1) function s.t.
• $y = f(x)$ is easy to compute, but $x = f^{-1}(y)$ infeasible
• A trapdoor function $f$ is a function s.t.
• $x = f_k^{-1}(y)$ is easy iff $k$ is known (the key)
• Easy: computable in polynomial time, proportional to $n^a$: $n$ length of input, $a$ constant
• Infeasible: not computable in polynomial time, e.g. only in $2^n$

Examples of one-way trapdoors
• Breaking a leg
• Squeezing toothpaste out of a tube
• Mixing colours
• Multiplication of large prime numbers
• factorization is hard
• Exponentiation of large numbers
• discrete logarithms are hard

Exponential cryptography
• RSA: for $M = C = Z_n$
• $c = m^e \bmod n$
• $m = c^d \bmod n$
• Example: $e = 5$, $d = 77$, $n = 119$, $m = 19$
• $c = 19^5 = 2476099 \bmod 119 = 66$
• $m = 66^{77} \approx 1.27 \times 10^{140} \bmod 119 = 19$
• Seems impractical?
• How do we find $(e,d)$ pairs s.t. it works?

Review: Modular arithmetic
• $a \equiv b \pmod n$ if $a - b = kn$ for some $k$
• e.g. $17 \equiv 7 \pmod 5$
• Write $a \bmod n = r$ if $r$ is the (positive) residue of $a/n$
• implies $a \equiv r \pmod n$
• Let $\circ$ be an operation: $+$, $-$, $\cdot$. Then $(a \circ b) \bmod n = ((a \bmod n) \circ (b \bmod n)) \bmod n$
• $(Z_n, \{+, -, \cdot\})$ is a commutative ring: usual commutative, associative, distributive laws

Efficient exponentiation mod n
• $(a \times b) \bmod n = ((a \bmod n) \times (b \bmod n)) \bmod n$, so $a^b \bmod n$ can be computed without generating astronomical numbers:
• $3^5 \bmod 7 = 243 \bmod 7 = 5$
• $3^5 \bmod 7 = (3^2)^2 \times 3 \bmod 7 = ((3^2 \bmod 7) \times (3^2 \bmod 7) \bmod 7) \times 3 \bmod 7 = ((9 \bmod 7) \times (9 \bmod 7) \bmod 7) \times 3 \bmod 7 = (2 \times 2 \bmod 7) \times 3 \bmod 7 = 12 \bmod 7 = 5$
• Algorithm description in figure 6.7

Rivest, Shamir, Adleman
• RSA:
• $c = m^e \bmod n$
• $m = c^d \bmod n$
• $m = (m^e \bmod n)^d \bmod n = m^{ed} \bmod n \; (= m^{de} \bmod n)$
• Find such $e$, $d$, and $n$ using Euler's theorem

Review: Modular arithmetic (cont)
$x$ is the multiplicative inverse of $a$ modulo $n$, written $a^{-1}$, if $ax \equiv 1 \pmod n$
• Ex: $3 \cdot 5 \equiv 1 \pmod{14}$
The reduced set of residues modulo $n$ is $Z_n^* = \{ x \in Z_n - \{0\} : \gcd(x, n) = 1 \}$
Euler's totient function $\varphi(n)$ is the cardinality of $Z_n^*$
Ex: $Z_{24}^* = \{1, 5, 7, 11, 13, 17, 19, 23\}$, $\varphi(24) = 8$

Euler and primes
Lemma: If $p$ and $q$ are prime, then $\varphi(pq) = (p-1) \times (q-1) = \varphi(p) \times \varphi(q)$
Proof: in $Z_{pq} = [0, pq-1]$, the numbers not relatively prime to $pq$ are (in addition to 0):
• $q, 2q, \ldots, (p-1)q$
• $p, 2p, \ldots, (q-1)p$
so $\varphi(pq) = pq - ((p-1) + (q-1) + 1) = pq - p - q + 1 = (p-1)(q-1)$
Note: $\varphi(p) = p - 1$, for $p$ a prime

Euler's theorem
Theorem: for all $a$ and $n$ s.t. $\gcd(a,n) = 1$ (they are relatively prime), $a^{\varphi(n)} \bmod n = 1$
Corollary: for $p$ and $q$ primes, $n = pq$ and $0 \le m < n$, $m^{\varphi(n)+1} = m^{(p-1)(q-1)+1} \equiv m \pmod n$
If $ed \bmod \varphi(n) = 1$, then $ed = t\varphi(n) + 1$ for some $t$, so $(e,d)$ is a working key pair (by the corollary).

Making RSA key pairs
$ed \bmod \varphi(n) = 1$, and if $\gcd(d, \varphi(n))$, Euler's theorem then gives $e = d^{\varphi(\varphi(n))-1} \bmod \varphi(n)$
Computing $e$ from $d$ and $\varphi(n)$ is easy, and even more efficient with an extension of Euclid's algorithm for $\gcd(d, \varphi(n))$ (see section 7.5)
Having $\varphi(n)$ makes RSA easy to break; $\varphi(n) = (p-1)(q-1)$, so $p$ and $q$ must be secret, while $n = pq$ must be public.
Factorizing products of large (prime) numbers is hard!

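Added example (not part of the original slides): the square-and-multiply exponentiation from the "Efficient exponentiation mod n" slide and the two ways of deriving $e$ from $d$ and $\varphi(n)$ described above, run on the slides' toy numbers $p=7$, $q=17$, $d=77$, $m=19$. All function names are made up for this illustration.

```python
# Added example: toy parameters from the slides (p=7, q=17, d=77, m=19).

def modexp(a, b, n):
    """Square-and-multiply: a**b mod n, reducing after every step."""
    result, a = 1, a % n
    while b > 0:
        if b & 1:                      # low bit of the exponent is set
            result = (result * a) % n
        a = (a * a) % n                # square for the next bit
        b >>= 1
    return result

def ext_gcd(a, b):
    """Extended Euclid: (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def inverse(d, m):
    g, x, _ = ext_gcd(d, m)
    if g != 1:
        raise ValueError("gcd(d, m) != 1, so d has no inverse mod m")
    return x % m

def totient(n):
    """Euler's phi by trial division (toy sizes only)."""
    phi, p = n, 2
    while p * p <= n:
        if n % p == 0:
            while n % p == 0:
                n //= p
            phi -= phi // p
        p += 1
    if n > 1:
        phi -= phi // n
    return phi

def slide_key_pair(p=7, q=17, d=77, m=19):
    n, phi = p * q, (p - 1) * (q - 1)
    e_euclid = inverse(d, phi)                      # extended Euclid
    e_euler = modexp(d, totient(phi) - 1, phi)      # d^(phi(phi(n))-1) mod phi(n)
    c = modexp(m, e_euclid, n)                      # encrypt
    return e_euclid, e_euler, c, modexp(c, d, n)    # ..., decrypted m

if __name__ == "__main__":
    print(slide_key_pair())
```

The Euler route needs $\varphi(\varphi(n))$, i.e. a factorization of $\varphi(n)$, which is why the extended Euclid route is the one used in practice.
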
Factorization
• Factorization of $n = pq$ (to find $\varphi(n)$) is difficult if $p$ and $q$ are large
• August 1999: 155-digit (512-bit) $n$ factorized
• 35.7 CPU-years (7.4 months) using 160 workstations, 120 PII, 12 strong workstations, and one Cray
• February 1999: 140-digit $n$ factorized
• 8.9 CPU-years (9 weeks) using 125 workstations, 60 PCs, and one Cray
• 1024-bit $n$ expected to be 40 million times harder than 140-bit

Finding large primes
• Naïve methods too time-consuming
• Guess a number and test it many times
• gives high probability of primeness
• more likely that a bit is flipped by cosmic radiation
• for 200 digits, approx 70 guesses each tested 100 times is enough
• Desired properties to make factorization harder
• $p$, $q$ of different length
• $(p-1)$ and $(q-1)$ with large prime factors
• $\gcd(p-1, q-1)$ small

RSA cryptanalysis
• Brute force not feasible with large keys (typically 1024-2048 bits)
• Factorization difficult, but mathematical advances may make it significantly easier
• 1977 challenge: 428-bit $n$ would take 40 quadrillion years - took 8 months (1994)
• Timing attack
• based on the time to decrypt (ciphertext-only attack)
• countermeasures: random delay, "blinding"

Simple RSA key exchange
• A sends public key $d_A$ and $id_A$ to B
• B selects a random session key $k_S$
• B sends $c = E_{d_A}(k_S)$ to A
• A decrypts $k_S = D_{e_A}(c)$
Vulnerable to man-in-the-middle attack
• both confidentiality and authenticity needed

Blind use of RSA is insecure
• When used for short messages (e.g. 128-bit keys), RSA is very vulnerable
• for $M \in Z_m$, takes $O(2^{m/2})$ time and $O(m \times 2^{m/2})$ space
• idea: $c/M_2^e \equiv M_1^e \pmod n$, if $M = M_1 M_2$
• build table of $M_1^e \bmod n$ for all possible $M_1$ and check for $c/M_2^e \bmod n$. Takes $2^{m_1} + 2^{m_2}$ operations ($M_1 < 2^{m_1}$, $M_2 < 2^{m_2}$)
• Blinding necessary!
• create secret random $r < n$
• $c = m r^e \bmod n$
• $m = c^d \cdot r^{-1}$ where $r^{-1}$ is the inverse of $r$

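Added example (not part of the original slides) of the blinding step listed above and named as a timing-attack countermeasure on the "RSA cryptanalysis" slide: the private exponent is only ever applied to $c \cdot r^e$, never to $c$ itself. It uses the slides' toy key $n=119$, $e=5$, $d=77$; the function names are made up for this illustration.

```python
import math
import secrets

N, E, D = 119, 5, 77     # toy key pair from the slides' RSA example

def blind_decrypt(c, n=N, e=E, d=D):
    """Return (c^d mod n, blinded), where only `blinded` is raised to d."""
    while True:
        r = secrets.randbelow(n - 2) + 2       # secret random r, 2 <= r < n
        if math.gcd(r, n) == 1:                # r needs an inverse mod n
            break
    blinded = (c * pow(r, e, n)) % n           # c * r^e mod n
    mr = pow(blinded, d, n)                    # (c * r^e)^d = c^d * r mod n
    return (mr * pow(r, -1, n)) % n, blinded   # multiply by r^-1 to strip r

def blinded_inputs(c, runs=20):
    """Values actually fed to the private-key exponentiation for one c."""
    return {blind_decrypt(c)[1] for _ in range(runs)}

if __name__ == "__main__":
    m, _ = blind_decrypt(66)
    print("plaintext:", m)
    print("distinct blinded inputs for c=66:", len(blinded_inputs(66)))
```

Because $r$ is fresh for every call, the time taken by the exponentiation no longer depends on a value the sender of $c$ knows.
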
Generators and discrete logarithms
• $a$ is a primitive root (or generator) modulo $p$ if $Z_p^*$ is generated by exponentiation of $a$ mod $p$
• ex: 2 is a primitive root mod 11: $Z_{11}^* = \{1, 2, 3, 4, 5, 6, 7, 8, 9, 10\} = \{2^{10}, 2^1, 2^8, 2^2, 2^4, 2^9, 2^7, 2^3, 2^6, 2^5\} \bmod 11$
• For any $b$, and $a$ a generator mod $p$, a unique $i$ exists s.t. $b = a^i \bmod p$.
• $i$ is the discrete logarithm (index) of $b$ for base $a$, mod $p$; write $i = \mathrm{ind}_{a,p}(b)$

Diffie-Hellman key exchange
• Public: prime $q$, generator $a$ modulo $q$.
• User A selects private, random $x_A < q$, and computes $y_A = a^{x_A} \bmod q$
• User B selects and computes $x_B$ and $y_B$ same way
• Each sends his $y$ value to the other, and computes the shared key:
• $K = (y_B)^{x_A} \bmod q = (a^{x_B} \bmod q)^{x_A} \bmod q = (a^{x_B \times x_A}) \bmod q = (a^{x_A \times x_B}) \bmod q = (a^{x_A} \bmod q)^{x_B} \bmod q = (y_A)^{x_B} \bmod q = K$

Diffie-Hellman cryptanalysis
• Known: $q$, $a$, $y_A$, $y_B$
• To get $k$, need $x_A$ or $x_B$: $x_A = \mathrm{ind}_{a,q}(y_B)$
• For $q$ a large prime, this is computationally infeasible

ElGamal PKS
• Like Diffie-Hellman, but after exchanging $y$ values, a message $m < q$ can be encrypted:
• select random $k$ in $[1, q-1]$
• compute $K = y_B^k \bmod q$
• send $(C_1, C_2)$ where
• $C_1 = a^k \bmod q$
• $C_2 = Km \bmod q$
• decryption:
• $K = C_1^{x_B} \bmod q$
• $m = C_2 K^{-1} \bmod q$

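Added example (not part of the original slides) covering the generator check, the Diffie-Hellman exchange and ElGamal encryption as described on the last slides. The prime $q = 2579$ with generator 2 and the message 1299 are constructed toy values, and the function names are made up for this illustration.

```python
import secrets

def is_generator(a, q, prime_factors):
    """a generates Z_q* iff a^((q-1)/f) != 1 (mod q) for every prime f | q-1."""
    return all(pow(a, (q - 1) // f, q) != 1 for f in prime_factors)

def keypair(a, q):
    x = secrets.randbelow(q - 2) + 1       # private x in [1, q-2]
    return x, pow(a, x, q)                 # (x, y = a^x mod q)

def dh_shared(y_other, x_own, q):
    return pow(y_other, x_own, q)          # K = y^x mod q

def elgamal_encrypt(m, y_B, a, q):
    if not 0 < m < q:
        raise ValueError("message must satisfy 0 < m < q")
    # Fresh k per message. The slide allows k = q-1, but then C1 = K = 1
    # and C2 = m, so k is drawn from [1, q-2] here.
    k = secrets.randbelow(q - 2) + 1
    K = pow(y_B, k, q)
    return pow(a, k, q), (K * m) % q       # (C1, C2)

def elgamal_decrypt(C1, C2, x_B, q):
    K = pow(C1, x_B, q)                    # same K the sender computed
    return (C2 * pow(K, -1, q)) % q

def demo(q=2579, a=2, m=1299):             # constructed toy parameters
    assert is_generator(a, q, [2, 1289])   # q - 1 = 2 * 1289
    x_A, y_A = keypair(a, q)
    x_B, y_B = keypair(a, q)
    same_key = dh_shared(y_B, x_A, q) == dh_shared(y_A, x_B, q)
    C1, C2 = elgamal_encrypt(m, y_B, a, q)
    return same_key, elgamal_decrypt(C1, C2, x_B, q)

if __name__ == "__main__":
    print(is_generator(2, 11, [2, 5]), is_generator(3, 11, [2, 5]))
    print(demo())
```
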