Public Key Cryptography 1

© Eli Biham - May 3, 2005. Slide 220, Public Key Cryptography 1 (9)

Trapdoor Problems

Basing the solution on the complexity of problems which are easy to solve for the legal users, but are very difficult for the eavesdroppers.

Such problems are called trapdoor problems.

They allow the exchange of secure common keys over insecure channels!

See: Diffie and Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, Vol. IT-22, No. 6, Nov. 1976.

Diffie-Hellman Key Exchange Protocol

Based on number theory assumptions.

The basic idea:

1. It is easy to calculate $a^x \bmod q$ for any $a$, $x$ and $q$. (The algorithm is shown in Slide 274).
2. There is no efficient algorithm which computes $x$ given $a$, $q$, and $a^x \bmod q$. This is the discrete logarithm (DLOG) problem.

Diffie-Hellman Key Exchange Protocol (cont.)

Notations:

• Denote $x$ in binary representation as $x = x_{n-1} x_{n-2} \ldots x_1 x_0$, where $x = \sum_{i=0}^{n-1} x_i 2^i$.
• Let $q$ be a large prime number.
• All the multiplications from now on are modulo $q$.

Diffie-Hellman Key Exchange Protocol (cont.)

Preparations:

System parameters common to all users:

• Let $q$ be a large prime number ($q > 2^{400}$).
• Let $a$ be an integer, $1 < a < q$.

Public and private keys: Each user U:

• chooses a random value $X_U$ ($1 < X_U < q$) and keeps it secret.
• publishes $Y_U = a^{X_U} \bmod q$.

Diffie-Hellman Key Exchange Protocol (cont.)

The key exchange:

Two users A, B who wish to have a common key, known only to them:

• A calculates $K = (Y_B)^{X_A} \bmod q$.
• B calculates $K = (Y_A)^{X_B} \bmod q$.

A and B end up with the same common key $K$:

$$(Y_B)^{X_A} \equiv (a^{X_B})^{X_A} \equiv a^{X_B X_A} \equiv a^{X_A X_B} \equiv (a^{X_A})^{X_B} \equiv (Y_A)^{X_B} \pmod{q}.$$
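The preparations and key exchange above, as an added example that is not part of the original slides. It computes $a^x \bmod q$ by square-and-multiply over the binary representation of $x$ (a standard method; Slide 274 is not reproduced here). The parameters `Q` and `A` are assumptions chosen only because $2^{521}-1$ is a well-known prime above $2^{400}$, not a vetted group, and the range check on a received public value is an added sanity check.

```python
import secrets

# Assumed demo parameters (not from the slides): q = 2**521 - 1 is a known
# Mersenne prime that satisfies q > 2**400; a = 3 satisfies 1 < a < q.
Q = 2**521 - 1
A = 3

def mod_exp(a, x, q):
    """Square-and-multiply over the bits x_{n-1} ... x_0 of x, MSB first."""
    result = 1
    for bit in bin(x)[2:]:                 # binary representation of x
        result = (result * result) % q     # squaring doubles the exponent so far
        if bit == "1":
            result = (result * a) % q      # multiplying by a adds 1 to the exponent
    return result

def keygen(a=A, q=Q):
    """Choose secret X_U with 1 < X_U < q and publish Y_U = a^X_U mod q."""
    x_u = 2 + secrets.randbelow(q - 2)     # uniform in [2, q-1]
    return x_u, mod_exp(a, x_u, q)

def shared_key(y_peer, x_own, q=Q):
    """K = (Y_peer)^X_own mod q, after rejecting out-of-range public values."""
    if not 1 < y_peer < q:
        raise ValueError("public value outside 1 < Y < q")
    return mod_exp(y_peer, x_own, q)

def exchange():
    """Run both sides; only y_a and y_b would cross the insecure channel."""
    x_a, y_a = keygen()                    # user A
    x_b, y_b = keygen()                    # user B
    return shared_key(y_b, x_a), shared_key(y_a, x_b)

if __name__ == "__main__":
    k_a, k_b = exchange()
    print("keys match:", k_a == k_b)
```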
Diffie-Hellman Key Exchange Protocol (cont.)

Security:

1. The secret keys are secure: if one can compute the secret key $X_A$ of A from $Y_A = a^{X_A} \bmod q$, he solved the DLOG problem, and we assume it is difficult.
2. Can somebody compute the common key of A and B from their published keys (without computing the secret keys)? The problem of computing $a^{X_A X_B} \bmod q$ from $a$, $a^{X_A} \bmod q$ and $a^{X_B} \bmod q$ is assumed to be as difficult as DLOG.

Public Key Cryptography

Solution: Each user chooses two keys:

• A public key $K_E$ which he publishes. This key is publicly known. The public key is used for encryption.
• A secret key $K_D$ which he keeps secret (also called private key). The secret key is used for decryption.
Public Key Cryptography (cont.)

Required properties:

1. The encryption and decryption functions $E$, $D$ are publicly known and easy to compute.
2. It is possible to generate pairs of keys $K_E$ and $K_D$ which satisfy $\forall M: D_{K_D}(E_{K_E}(M)) = M$.
3. Without the knowledge of $K_D$, it is difficult to decrypt $C$, given only the public key $K_E$ (even though encryption is easy).

Result: It is difficult to compute $K_D$ from $K_E$ (even if the attacker also has many encrypted messages).

Public Key Cryptography (cont.)

Everybody (B) who knows A's public key can encrypt messages to A by

$$C = E_{K_E}(M)$$

but only A can decrypt it by

$$M = D_{K_D}(C).$$

Even B cannot decrypt messages he encrypted under A's public key (unless he keeps records of the messages he encrypted).

The Key Generation

It is difficult to calculate $K_D$ from $K_E$. In many cases it is also difficult to calculate $K_E$ from $K_D$.

We need a trapdoor function $E_{K_E}$: easy to calculate, but difficult to invert.

We should use an efficient function $G(X)$ which takes a random $X$ and generates both keys simultaneously.

The Key Generation (cont.)

Usage: Each user U generates a pair of random keys

$$(K_E, K_D) = G(\text{random } X),$$

and publishes $K_E$ (in a public file). $K_D$ is kept secret.

When another user A wishes to send a message $M$ to U, he requests U's public key $K_E$ (from the public file), computes

$$C = E_{K_E}(M),$$

and sends $C$ to U. U decrypts by

$$M = D_{K_D}(C).$$

The Key Generation (cont.)

Properties:

1. Everybody can send messages to U, without the need to distribute a common secret key in advance.
2. Only U can decrypt.
3. The center (maintaining the public file) cannot decrypt (if he is only trusted to send U's real key to A).
4. There is no need to set common secret keys in advance. A and B can communicate securely after they request each other's key from the center. The communication with the center does not have to be encrypted.

The Key Generation (cont.)

5. Two users who have never met can communicate securely even without a trusted center. However, they cannot authenticate each other without a trusted center.
6. The center can generate certificates for the users: he signs the user's identity together with their public key. The users can then receive the certificates directly from the receivers, rather than asking the center for the public keys of the receivers. Then, they verify with the center's well-known public key.

Shortened Notation

After the user U chooses his pair of keys $K_E$ and $K_D$, and publishes his public key $K_E$, we denote his encryption function (known to everybody) by

$$E_U(\cdot) = E_{K_E}(\cdot)$$

and his decryption function (whose key is secret) by

$$D_U(\cdot) = D_{K_D}(\cdot).$$

For every user U, $E_U$ can be computed by all the users, but $D_U$ can be computed only by U.

Remark

Remark: Diffie and Hellman did not suggest a good implementation of a public key cryptosystem. Only after they published their paper, several public key cryptosystems were suggested, such as Merkle-Hellman's knapsack cryptosystem (broken later) and RSA.

They predicted that public key cryptosystems will be based on the following problems (as was the case later in the listed systems):

1. Knapsack (an NP-complete problem): such as Merkle-Hellman.
2. Factoring: RSA, etc.
3. Discrete logarithm: ElGamal, DSS, etc.
Public Key Signatures

The encryption function $E_U$ is 1-1. If it is also onto, $E_U : M \to M$, it can be used for signatures as well.

U signs a message $M$ by

$$S = D_U(H(M)),$$

where $H$ is a collision free hash function.

Everybody can verify the originality of the signature $S$ by checking whether

$$E_U(S) \stackrel{?}{=} H(M).$$

Public Key Signatures (cont.)

Claim: $E_U(D_U(X)) = X$ for every $X$.

Proof: Let $X$ be some value. From the definition, $D_U(E_U(Y)) = Y$ for every $Y$, and in particular for $Y = D_U(X)$.

Therefore, $D_U(E_U(D_U(X))) = D_U(E_U(Y)) = Y = D_U(X)$.

Since $E_U$ is 1-1, then $D_U$ is 1-1, and $E_U(D_U(X)) = X$. QED

Secret signatures: If U wishes to keep the signature (sent to B) secret, he sends $E_B(S) = E_B(D_U(H(M)))$. B will decrypt and get $S$, and then will be able to verify it as before.
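The signing, verification, claim and secret-signature steps above, as an added example that is not part of the original slides. It assumes textbook RSA (which the slides name only in passing) as the 1-1 and onto trapdoor function, with constructed keys built from small known Mersenne primes and a toy reduction of SHA-256 into the key's domain; all function and variable names are hypothetical.

```python
import hashlib

E = 65537  # public exponent (assumed; coprime to phi for the primes below)

def make_keys(p, q):
    """Return (K_E, K_D) = ((n, e), (n, d)) for textbook RSA."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def apply_key(key, x):
    """E_U or D_U: the same modular power map, with public or secret exponent."""
    n, exp = key
    return pow(x, exp, n)

def H(message, n):
    """SHA-256 reduced into the domain of E_U (toy reduction, demo only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(kd_u, message):
    return apply_key(kd_u, H(message, kd_u[0]))        # S = D_U(H(M))

def verify(ke_u, message, s):
    return apply_key(ke_u, s) == H(message, ke_u[0])   # E_U(S) ?= H(M)

# Constructed keys from known Mersenne primes; far too small for real use.
KE_U, KD_U = make_keys(2**61 - 1, 2**89 - 1)
KE_B, KD_B = make_keys(2**107 - 1, 2**127 - 1)  # n_B > n_U, so S fits B's domain

def secret_signature_roundtrip(message):
    """U sends E_B(S); B recovers S with D_B and verifies it under E_U."""
    s = sign(KD_U, message)
    c = apply_key(KE_B, s)
    recovered = apply_key(KD_B, c)
    return recovered == s and verify(KE_U, message, recovered)

if __name__ == "__main__":
    sig = sign(KD_U, b"constructed sample message")
    print("valid:", verify(KE_U, b"constructed sample message", sig))
    print("tampered:", verify(KE_U, b"constructed sample messagf", sig))
    print("secret signature:", secret_signature_roundtrip(b"constructed sample message"))
```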