Slide 1: Public Key Cryptography
David Brumley, dbrumley@cmu.edu, Carnegie Mellon University
Credits: Many slides from Dan Boneh's June 2012 Coursera crypto class, which is awesome!
Slide 2: Problem: Communicating among n users.
Key management: every pair of users shares its own key (figure: users U1, U2, U3, U4 with pairwise keys k1,2, k1,3, k1,4, k3,2, k4,3, k4,2).
Total: O(n) keys per user
Slide 3: One Solution: Trusted Third Party (TTP)
Everyone needs only one key (figure: U1, U2, U3, U4 each share a single key with the TTP: k1,TTP, k2,TTP, k3,TTP, k4,TTP).
Can we remove the TTP as a communication and privacy bottleneck?
Slide 4: Session Keys and Mitigating TTP Privacy Concerns
Parties: Alice (ka), Bob (kb), TTP (kt)
1. Alice → TTP: E(kt, "talk to bob")
2. TTP: choose random KAB
3. TTP → Alice: E(ka, "A,B" || KAB), ticket = E(kb, "A,B" || KAB)
4. Alice → Bob: E(KAB, "Hi."), ticket = E(kb, "A,B" || KAB)
5. Bob: D(kb, "A,B" || KAB), then D(KAB, "Hi." || Knew)
Basis for Kerberos
Slide 5: Security Analysis
Suppose (E,D) is secure (i.e., semantically secure).
✓ Eve sees messages, but learns nothing about KAB
✗ TTP needed to set up every session
✗ TTP can decrypt everything
(Figure: Alice (ka), Bob (kb), TTP (kt); Eve sees all traffic.)
Slide 6: Key question
Can we generate shared keys without an online trusted 3rd party?
Answer: yes!
Starting point of public-key cryptography: Merkle (1974), Diffie-Hellman (1976), RSA (1977)
More recently: ID-based enc. (BF 2001), Functional enc. (BSW 2011)
Slide 7: The Diffie-Hellman Protocol
(Pictured: Whitfield Diffie, Martin Hellman)
Slide 8: Goal: establish shared key for security against eavesdroppers without a TTP
(Figure: Alice and Bob communicate; Eve listens.)
Slide 9: Discrete Log: A Review
Recall: Logarithms are the inverse of exponentiation. b^y = x is equivalent to log_b(x) = y.
Consider arithmetic mod p, where p is a prime. The discrete log to the base b of x is an integer y such that b^y mod p = x.
Example. Let p = 17. Then: 3^4 mod 17 = 81 mod 17 = 13. So 3^4 = 13 (mod p), and the discrete log_3(13) = 4.
Slide 10: Discrete Log Example
Fix a prime p > 2 and g in (Zp)* of order q. Consider the function: f(x) = g^x in Zp.
Now, consider the inverse function: Dlog_g(g^x) = x where x in {0, …, q−2}
Example: Let g = 2 in Z11. Dlog_2(2^x) = y s.t. y = 2^x mod 11

  g^x (in Z11)   1  2  3  4  5  6  7  8  9  10
  Dlog_2(g^x)    0  1  8  2  4  9  7  3  6   5

Check (all mod 11): 2^0 = 1, 2^1 = 2, 2^8 = 3, 2^2 = 4, 2^4 = 5, 2^9 = 6, 2^7 = 7, 2^3 = 8, 2^6 = 9, 2^5 = 10
Slide 11: The "Discrete Log" problem
Easy: Given b, y, and p, compute b^y mod p. See "Handbook of Applied Cryptography", available free online.
Believed Hard: Given b, p, x, compute y such that b^y mod p = x.
A candidate one-way function
Slide 12: Key Exchange with Discrete Log
Setup: Fix a public large prime p (~600 digits ≈ 2048 bits) and a public number g between 0 and p.
1. Alice: Pick a from [0, p−1)
2. Bob: Pick b from [0, p−1)
3. Alice → Bob: g^a mod p
4. Bob → Alice: g^b mod p
5. Alice: Compute k = (g^b)^a mod p; Bob: Compute k = (g^a)^b mod p
6. Use k for symmetric (authenticated) encryption.
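As an added example (not from the slides), Python that builds the Dlog table of slide 10 and runs the six-step exchange of slide 12, plus the brute-force discrete log that slide 13 calls Eve's computational-DH goal; p = 11, g = 2 are the slide's toy parameters and `secrets` supplies the private exponents.

```python
# Added example (not from the slides): slide 10's Dlog table and slide 12's
# exchange on the toy parameters p = 11, g = 2.
import secrets

def dlog_table(g, p):
    """Map every value g^x mod p (x in 0..p-2) back to its exponent x.

    This is the brute-force inverse of f(x) = g^x mod p. It is only feasible
    because p is tiny; for a 2048-bit p this table is exactly what
    'believed hard' (slide 11) rules out."""
    return {pow(g, x, p): x for x in range(p - 1)}

def dh_exchange(p, g):
    """Run the six steps; return Alice's key, Bob's key and what Eve sees."""
    a = secrets.randbelow(p - 1)          # 1. Alice picks a from [0, p-1)
    b = secrets.randbelow(p - 1)          # 2. Bob picks b from [0, p-1)
    A = pow(g, a, p)                      # 3. Alice -> Bob: g^a mod p
    B = pow(g, b, p)                      # 4. Bob -> Alice: g^b mod p
    k_alice = pow(B, a, p)                # 5. Alice: (g^b)^a mod p
    k_bob = pow(A, b, p)                  # 5. Bob:   (g^a)^b mod p
    return k_alice, k_bob, (g, A, B)      # 6. k would feed an authenticated cipher

def eve_recovers_key(p, transcript):
    """Eve's computational-DH attempt (slide 13): take the discrete log of g^a
    from the public transcript, then compute (g^b)^a. Works here only because
    the table is tiny; real parameters make this step infeasible."""
    g, A, B = transcript
    a = dlog_table(g, p)[A]
    return pow(B, a, p)

if __name__ == "__main__":
    print(dlog_table(2, 11))
    ka, kb, seen = dh_exchange(11, 2)
    print(ka == kb, eve_recovers_key(11, seen) == ka)
```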
Slide 13: Eve observes: g, g^a, g^b
Goal 1 (computational DH): compute a (or b) (i.e., calculate the discrete log) or compute g^ab
Goal 2 (strong DDH): Given (g, g^a, g^b) and x, return whether x = g^ab or x = g^c where c != ab
(Figure, as on slide 12: 1. Alice picks a from [0, p−1); 2. Bob picks b from [0, p−1); 3. Alice → Bob: g^a mod p; 4. Bob → Alice: g^b mod p; 5. Alice computes (g^a)^b mod p as secret key; 6. Bob computes (g^b)^a mod p as secret key; Eve watches the channel.)
Slide 14: How hard is the DH function mod p?
Suppose prime p is n bits long. Best known algorithm (GNFS)*:

  Sym Key          Modulus      Elliptic Curve
  80 bits          1024 bits    160 bits
  128 bits         3072 bits    256 bits
  256 bits (AES)   15360 bits   512 bits

Slow transition to elliptic curve
* O-hat means lots of lower-order terms were left off
Can we do DH another way that is faster?
Slide 15: Elliptic curve Diffie-Hellman
Slide 16: MITM Adversary
As described, Diffie-Hellman is insecure against active Man In The Middle (MITM) attacks.
  Alice → MITM: g^a mod p
  MITM → Bob: g^m mod p
  Bob → MITM: g^b mod p
  MITM → Alice: g^m mod p
Alice ends up with g^ma mod p and Bob with g^mb mod p: each shares a key with the MITM, not with the other.
Slide 17: Public Key Encryption
Slide 18: Last few slides: establish shared key (only) without TTP. What about actual encryption?
(Figure: Alice → E → c → Public Channel (Eve) → c → D → Bob.)
Slide 19: Public Key Encryption
(Figure: Alice → E → c → Public Channel (Eve) → c → D → Bob; E takes Bob's public key, D takes Bob's private key.)
Slide 20: Public Key Encryption
Def: a public-key encryption system is a triple of algorithms (G, E, D):
  G(): randomized alg. outputs a key pair (pk, sk)
  E(pk, m): randomized alg. that takes m ∈ M and outputs c ∈ C
  D(sk, c): deterministic alg. that takes c ∈ C and outputs m ∈ M or ⊥
Consistency: ∀(pk, sk) output by G: ∀m ∈ M: D(sk, E(pk, m)) = m
Note: Without randomization, an attacker can determine E(pk, m1) = E(pk, m2) when m1 = m2
Slide 21: Semantic Security
For b = 0,1 define experiments EXP(b) (i.e., EXP(0) and EXP(1)):
  Chal.: (pk, sk) ← G(); sends pk to Adv. A
  Adv. A → Chal.: m0, m1 ∈ M with |m0| = |m1|
  Chal. → Adv. A: c ← E(pk, m_b)
  Adv. A outputs b' ∈ {0,1}; this is the output of EXP(b)
Def: Enc = (G,E,D) is sem. secure (a.k.a. IND-CPA) if for all efficient A:
  Adv_SS[A, Enc] = | Pr[EXP(0)=1] − Pr[EXP(1)=1] | < negligible
No query encryptions of messages. Why?
Slide 22: Establishing a shared secret
  Alice: (pk, sk) ⟵ G()
  Alice → Bob: "Alice", pk
  Bob: choose random x ∈ {0,1}^128
  Bob → Alice: "Bob", c = E(pk, x)
  Alice: D(sk, c) = x
x is shared key
Slide 23: Security (eavesdropping)
Adversary sees pk, E(pk, x) and wants x ∈ M
Semantic security means the adversary cannot distinguish { pk, E(pk, x), x } from { pk, E(pk, x), rand ∈ M }
Note: protocol is also vulnerable to MITM attack
Slide 24: Public key encryption: constructions
Constructions generally rely on hard problems from number theory and algebra
Slide 25: Notation
Let N denote an n-bit positive integer. Notation: (In PowerPoint, we will sometimes use Zn since it doesn't have fancy LaTeX fonts.)
Can do addition and multiplication modulo N
Slide 26: Intractable problems with composites
Suppose N = pq is a 1024-bit number where p ≠ q. Let ϕ(N) = (p−1)(q−1)
Easy Problems:
  Computing x^y mod N
  Inverting elements. If z = x mod N, finding x^−1
Hard Problems:
  Factor N
  Given x^y mod N, compute the y'th root (when gcd(y, ϕ(N)) = 1)
Slide 27: The factoring problem
Gauss (1805): "The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic."
Current world record: RSA-768 (232 digits). Work: two years on hundreds of machines
Factoring a 1024-bit integer: about 1000 times harder ⇒ likely possible this decade
Slide 28: RSA and Trapdoors
Slide 29: Trapdoor functions (TDF)
Def: a trapdoor func. X ⟶ Y is a triple of efficient algs. (G, F, F^−1):
  G(): randomized alg. outputs a key pair (pk, sk)
  F(pk, ⋅): det. alg. that defines a function X ⟶ Y
  F^−1(sk, ⋅) (the trapdoor): a function Y ⟶ X that inverts F(pk, ⋅)
∀(pk, sk) output by G, ∀x ∈ X: F^−1(sk, F(pk, x)) = x
Slide 30: Arithmetic Mod Composites
Let N = pq where p, q are prime.
ZN = {0, 1, 2, …, N−1}; (ZN)* = {invertible elements in ZN}
Facts:
  x ∈ ZN is invertible ⟺ gcd(x, N) = 1
  Number of elements in (ZN)* is ϕ(N) = (p−1)(q−1) = N − p − q + 1
  Euler's thm: ∀x ∈ (ZN)*: x^ϕ(N) = 1
Slide 31: The RSA trapdoor permutation
First published in Scientific American, Aug. 1977
Very widely used:
  SSL/TLS: certificates and key exchange
  Secure email and file systems
  … many others
Slide 32: The RSA trapdoor permutation
G(): choose random primes p, q ≈ 1024 bits. Set N = pq. Choose integers e, d s.t. e⋅d = 1 mod (p−1)(q−1). Output pk = (N, e), sk = (N, d)
F(pk, x): RSA(x) = x^e (in ZN)
F^−1(sk, y) = y^d; y^d = RSA(x)^d = x^(ed) = x^(kϕ(N)+1) = (x^ϕ(N))^k ⋅ x = x
Slide 33: The RSA assumption
RSA is assumed to be a one-way trapdoor permutation.
For all efficient algs. A: Pr[ A(N, e, y) = y^(1/e) ] < negligible
where p, q are n-bit primes, N ← pq, y ← ZN*
Slide 34: Textbook RSA is insecure
Textbook RSA encryption: public key: (N, e). Encrypt: c ⟵ m^e (in ZN). Secret key: (N, d). Decrypt: c^d ⟶ m
Insecure cryptosystem!! Is not semantically secure and many attacks exist
⇒ The RSA trapdoor permutation is not an encryption scheme!
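As an added example (not from the slides), Python for the trapdoor permutation of slide 32 together with the semantic-security game of slide 21 played against textbook RSA (slide 34); the primes p = 61, q = 53 and e = 17 are small constructed values so the arithmetic is visible, and `pow(e, -1, phi)` (Python 3.8+) replaces the extended Euclidean step.

```python
# Added example (not from the slides): RSA as a trapdoor permutation, and why
# using it directly as encryption fails IND-CPA.
import math
import secrets

def rsa_gen(p, q, e=65537):
    """G(): from primes p, q build N = p*q and d with e*d = 1 mod (p-1)(q-1).
    Real keys use random ~1024-bit primes; the caller passes small constructed
    ones here."""
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be invertible mod phi(N)")
    d = pow(e, -1, phi)                  # modular inverse (extended Euclid inside)
    return (p * q, e), (p * q, d)        # pk = (N, e), sk = (N, d)

def rsa_F(pk, x):
    """F(pk, x) = x^e in Z_N."""
    N, e = pk
    return pow(x, e, N)

def rsa_Finv(sk, y):
    """F^-1(sk, y) = y^d = x^(ed) = x^(k*phi(N)+1) = x, by Euler's theorem."""
    N, d = sk
    return pow(y, d, N)

def ind_cpa_game(pk, m0, m1):
    """Slide 21's EXP(b) against textbook RSA. The challenger encrypts m_b; the
    adversary holds pk, so it re-encrypts m0 itself and compares. Returns True
    when the guess b' equals b, which here happens every time: advantage 1,
    nowhere near negligible. This is why E must be randomized (slide 20)."""
    b = secrets.randbelow(2)
    c = rsa_F(pk, (m0, m1)[b])           # challenge ciphertext c <- E(pk, m_b)
    b_guess = 0 if rsa_F(pk, m0) == c else 1
    return b_guess == b

if __name__ == "__main__":
    pk, sk = rsa_gen(61, 53, e=17)       # constructed toy key, N = 3233
    c = rsa_F(pk, 65)
    print(pk, sk, c, rsa_Finv(sk, c))
    print(all(ind_cpa_game(pk, 65, 66) for _ in range(100)))
```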
Slide 35: RSA encryption in practice
Never use textbook RSA.
RSA in practice: msg → Preprocessing → intermediate msg → RSA (with the key) → ciphertext
Main questions:
  How should the preprocessing be done?
  Can we argue about security of resulting system?
Slide 36: PKCS1 v2.0: OAEP
Preprocessing function: OAEP [BR94]
Thm [FOPS'01]: If RSA is a trapdoor permutation, then RSA-OAEP is secure when H, G are perfect hash functions (technically, random oracles)*.
*In practice: use SHA-256 for H and G
Diagram: the block msg || 01 || 00..0 is combined (+) with G(rand); the result is run through H and combined (+) with rand; the two outputs together, in {0,1}^(n−1), are the plaintext to encrypt with RSA.
Check pad on decryption; reject CT if invalid.
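As an added example (not from the slides), a simplified OAEP preprocessing step shaped like slide 36's diagram, with counter-mode SHA-256 standing in for both H and G as the slide suggests; the widths (128-byte block, 32-byte random seed) are constructed, and this is an illustration of the structure and the reject-on-bad-pad rule, not a PKCS#1 v2.0 conforming encoder.

```python
# Added example (not from the slides): OAEP-style pad/unpad around the
# msg || 01 || 00..0 block, with SHA-256 as H and G. Constructed widths.
import hashlib
import secrets

N_BYTES = 128                          # width handed to RSA (assumed 1024-bit N)
RAND_BYTES = 32                        # width of the random seed
MSG_BYTES = N_BYTES - RAND_BYTES - 1   # leaves one byte for the 0x01 separator

def mask(seed, length):
    """G / H: stretch a seed to `length` bytes (counter-mode SHA-256, an MGF)."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_pad(msg, rand=None):
    """Return X || Y with X = (msg || 01 || 00..0) XOR G(rand), Y = rand XOR H(X)."""
    if len(msg) > MSG_BYTES:
        raise ValueError("message too long")
    rand = rand if rand is not None else secrets.token_bytes(RAND_BYTES)
    block = msg + b"\x01" + b"\x00" * (MSG_BYTES - len(msg))
    X = xor(block, mask(rand, MSG_BYTES + 1))
    Y = xor(rand, mask(X, RAND_BYTES))
    return X + Y

def oaep_unpad(padded):
    """Invert the pad. Returns the message, or None when the 01 || 00..0 check
    fails: the decryptor rejects the ciphertext instead of guessing."""
    if len(padded) != N_BYTES:
        return None
    X, Y = padded[:MSG_BYTES + 1], padded[MSG_BYTES + 1:]
    rand = xor(Y, mask(X, RAND_BYTES))
    block = xor(X, mask(rand, MSG_BYTES + 1))
    body = block.rstrip(b"\x00")          # strip the 00..0 run
    if not body or body[-1] != 0x01:      # separator missing: invalid padding
        return None
    return body[:-1]

if __name__ == "__main__":
    padded = oaep_pad(b"constructed sample message")
    print(len(padded), oaep_unpad(padded))
```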
Slide 37: Is RSA a one-way permutation?
To invert the RSA one-way func. (without d) attacker must compute x from c = x^e (mod N).
How hard is computing e'th roots modulo N?? Best known algorithm:
  Step 1: factor N (hard)
  Step 2: compute e'th roots modulo p and q (easy)
Slide 39: Implementation attacks
Timing attack: [Kocher et al. 1997], [BB'04]. The time it takes to compute c^d (mod N) can expose d.
Power attack: [Kocher et al. 1999]. The power consumption of a smartcard while it is computing c^d (mod N) can expose d.
Faults attack: [BDL'97]. A computer error during c^d (mod N) can expose d. (common defense: check output with 10% slowdown)
Slide 40: Extra slides if time
Slide 41: RSA Key Generation Trouble [Heninger et al. / Lenstra et al.]
OpenSSL RSA key generation (abstract):
    prng.seed(seed)
    p = prng.generate_random_prime()
    prng.add_randomness(bits)
    q = prng.generate_random_prime()
    N = p*q
Suppose poor entropy at startup: same p will be generated by multiple devices, but different q.
N1, N2: RSA keys from different devices ⇒ gcd(N1, N2) = p
Slide 42: RSA Key Generation Trouble [Heninger et al. / Lenstra et al.]
Experiment: factors 0.4% of public HTTPS keys!
Lesson: Make sure random number generator is properly seeded when generating keys
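As an added example (not from the slides), the gcd check behind slides 41 and 42 written as a defensive audit over a constructed set of RSA moduli; the primes (101, 103, 107, ...) are toy stand-ins for ~1024-bit ones, and two moduli deliberately share the "p" that a poorly seeded PRNG would repeat.

```python
# Added example (not from the slides): detect RSA moduli that share a prime
# factor, the condition slide 41 describes (same p, different q).
import math
from itertools import combinations

# Constructed toy moduli. N_BAD_1 and N_BAD_2 share SHARED_P, as two devices
# would after generating p from identical startup entropy.
SHARED_P = 101
N_GOOD_A = 109 * 113
N_BAD_1 = SHARED_P * 103
N_BAD_2 = SHARED_P * 107
N_GOOD_B = 127 * 131

def audit_moduli(moduli):
    """Return {modulus: (p, q)} for every modulus whose factorization is exposed
    by a gcd with another modulus in the set. Each gcd is cheap, so an auditor
    can sweep a whole key inventory; Heninger et al. did this at Internet scale
    with a batch-gcd tree rather than the O(n^2) pairwise loop used here."""
    broken = {}
    for n1, n2 in combinations(moduli, 2):
        g = math.gcd(n1, n2)
        if g == 1 or g == n1 or g == n2:   # coprime, or identical keys (not handled here)
            continue
        broken[n1] = tuple(sorted((g, n1 // g)))
        broken[n2] = tuple(sorted((g, n2 // g)))
    return broken

if __name__ == "__main__":
    print(audit_moduli([N_GOOD_A, N_BAD_1, N_GOOD_B, N_BAD_2]))
```

Any modulus the audit reports should be treated as fully compromised and its key pair retired, since the factorization hands out d.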
Slide 43: Questions?
Slide 44: END
Slide 45: Number Theory Primer
Slide 46: Background
We will use a bit of number theory to construct:
  Key exchange protocols
  Digital signatures
  Public-key encryption
More info: http://shoup.net/ntb/ntb-v2.pdf, http://cseweb.ucsd.edu/~mihir/cse107/ and other places across the web.
Slide 47: Modular Arithmetic
Defn: a = b mod N iff a − b = kN
Addition and multiplication work as expected, e.g., x*(y+z) = x*y + x*z
Examples:
Slide 48: Greatest Common Divisor
Def: for integers x, y, gcd(x,y) is the greatest common divisor of x and y.
Fact: for all integers x, y there exist integers a, b such that a*x + b*y = gcd(x,y), and a, b can be found efficiently with the extended Euclidean algorithm.
Example: gcd(12, 18) = 6; 2*12 + (−1)*18 = 6
Def: If gcd(x,y) = 1, then we say x and y are relatively prime.
Slide 49: Modular Inversion
Over the rationals the inverse of 2 is ½. What about modulo N?
Def: The inverse of an integer x is an integer y such that x*y = 1 mod N, and is denoted x^−1
Example: Let N be an odd integer. Then the inverse of 2 is (N+1)/2
Proof: 2 * (N+1)/2 = N + 1 = 1 mod N
Slide 50: Which Elements Have Inverses?
Thm: an element x has an inverse mod N iff gcd(x, N) = 1
Computing: Calculate gcd(x,N) using extended Euclidean to come up with ax + bN = 1. Then a*x = 1 mod N, so a is the inverse for x.
Example: For N = 12, we have the following invertible elements:
  gcd(0, 12) = 0
  gcd(1, 12) = 1
  gcd(2, 12) = 2
  gcd(3, 12) = 3
  gcd(4, 12) = 4
  gcd(5, 12) = 1
  gcd(6, 12) = 6
  gcd(7, 12) = 1
  gcd(8, 12) = 4
  gcd(9, 12) = 3
  gcd(10, 12) = 2
  gcd(11, 12) = 1
Slide 51: Twinkle Twinkle Little Star
Def: Let ZN* be the set of invertible elements (i.e., the set {x in ZN | gcd(x, N) = 1})
Example: Zp* = {1, 2, 3, ..., p−1} for all primes p; Z12* = {1, 5, 7, 11}
Slide 52: Fermat's Theorem (1640)
Thm: Let p be a prime. ∀x ∈ (Zp)*: x^(p−1) = 1 mod p
Example: p = 5. 3^4 = 81 = 1 in Z5
Example Application: x ∈ (Zp)* ⇒ x ⋅ x^(p−2) = 1 ⇒ x^−1 = x^(p−2) in Zp (this is less efficient than extended Euclidean, and for demonstration purposes only.)
Slide 53: Application: Generating Primes*
Suppose we want a large prime, e.g., 1024 bits.
Step 1: choose a random p from [2^1024, 2^1025 − 1]
Step 2: test if 2^(p−1) = 1 in Zp. If so, output p, else goto step 1 (only a few 100 iter. needed)
Pr[p not prime] < 2^−60
(Figure: all n-bit numbers; the primes; a tiny set that fails the test, the "Carmichael" numbers.)
*not used in modern crypto, but good example
Slide 54: Structure of Zp*
Thm (Euler): Zp* (p is prime) is a cyclic group, that is: ∃ g ∈ Zp* such that {1, g, g^2, g^3, …, g^(p−2)} = Zp*
Def: g is called a generator of Zp*
Example: p = 7. {1, 3, 3^2, 3^3, 3^4, 3^5} = {1, 3, 2, 6, 4, 5} = Z7*
but not every elem. is a generator, e.g., 2 for Z7: {1, 2, 2^2, 2^3, 2^4, 2^5} = {1, 2, 4}
Slide 55: Order
For x ∈ Zp* the set {1, x, x^2, x^3, …} is called the group generated by x, denoted <x>
Def: the order of x ∈ Zp* is the size of <x>: ord_p(x) = |<x>| = (smallest a > 0 s.t. x^a = 1 in Zp)
Examples: ord_7(3) = 6; ord_7(2) = 3; ord_7(1) = 1
Thm (Lagrange): ∀x ∈ Zp*: ord_p(x) divides p−1
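As an added example (not from the slides), Python for the primer's definitions: the extended Euclidean algorithm and modular inversion of slides 48 to 50, ZN* of slide 51, the Fermat-based prime test and generation loop of slide 53, and order and generators of slides 54 and 55, checked against the slides' own numbers.

```python
# Added example (not from the slides): extended Euclid, inverses, Z_N^*,
# Fermat's test and element order, on the primer's small numbers.
import secrets

def egcd(x, y):
    """Return (g, a, b) with a*x + b*y = g = gcd(x, y) (slide 48's Fact)."""
    if y == 0:
        return x, 1, 0
    g, a, b = egcd(y, x % y)
    return g, b, a - (x // y) * b

def inverse(x, N):
    """x^-1 mod N via extended Euclid (slide 50); None when gcd(x, N) != 1."""
    g, a, _ = egcd(x % N, N)
    return a % N if g == 1 else None

def invertible_elements(N):
    """Z_N^* = {x : gcd(x, N) = 1} (slide 51)."""
    return [x for x in range(1, N) if egcd(x, N)[0] == 1]

def order(x, p):
    """ord_p(x): smallest a > 0 with x^a = 1 in Z_p (slide 55)."""
    a, y = 1, x % p
    while y != 1:
        y = (y * x) % p
        a += 1
    return a

def is_generator(g, p):
    """g generates Z_p^* iff its order is p - 1 (slide 54)."""
    return order(g, p) == p - 1

def fermat_probable_prime(p):
    """Slide 53's test: 2^(p-1) = 1 in Z_p. Composite Carmichael numbers such as
    561 pass, which is why modern crypto uses Miller-Rabin instead."""
    return p > 2 and pow(2, p - 1, p) == 1

def fermat_prime(bits):
    """Slide 53's loop at toy size: draw from [2^bits, 2^(bits+1) - 1] until the
    test passes."""
    while True:
        p = secrets.randbelow(2 ** bits) + 2 ** bits
        if fermat_probable_prime(p):
            return p
```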
Slide 56: Euler's generalization of Fermat (1736)
Def (Euler's ϕ func.): For an integer N define ϕ(N) = |ZN*|
Examples: ϕ(12) = |{1, 5, 7, 11}| = 4; ϕ(p) = p−1; for N = p⋅q: ϕ(N) = N − p − q + 1 = (p−1)(q−1)
Thm (Euler): ∀x ∈ ZN*: x^ϕ(N) = 1 in ZN
Example: 5^ϕ(12) = 5^4 = 625 = 1 in Z12
Generalization of Fermat. Basis of the RSA cryptosystem
Slide 57: Solving Linear Equations
Solve: a⋅x + b = 0 (mod N)
Solution: x = −b⋅a^−1 (mod N)
Find a^−1 using extended Euclidean alg. Run time: O(log^2 N)
Slide 58: Modular e'th roots
What about higher degree polynomials?
Example: let p be a prime and c ∈ Zp. Can we solve x^2 − c = 0, y^3 − c = 0, z^37 − c = 0 in Zp?
Example: let N be composite. Can we solve x^2 − c = 0, y^3 − c = 0, z^37 − c = 0 in ZN?
  Linear equations
  Quadratic equations
  ✗ Higher powers of composite N (believed to require factoring)
Slide 59: Representing Big Numbers
Representing an n-bit integer (e.g. n = 2048) on a 32-bit machine: n/32 blocks of 32 bits each
Note: some processors have 128-bit registers (or more) and support multiplication on them
Slide 60: Arithmetic
Given: two n-bit integers
Addition and subtraction: linear time O(n)
Multiplication: naively O(n^2). Karatsuba (1960): O(n^1.585). Basic idea: (2^b x2 + x1) × (2^b y2 + y1) with 3 mults. Best (asymptotic) algorithm: about O(n⋅log n).
Division with remainder: O(n^2).
Slide 61: Exponentiation
Finite cyclic group G (for example G = Zp). Goal: given g, x in G, compute g^x
Example: g^53. x = 53 = (110101)_2 = 32 + 16 + 4 + 1
Then: g^53 = g^(32+16+4+1) = g^32 ⋅ g^16 ⋅ g^4 ⋅ g^1
g ⟶ g^2 ⟶ g^4 ⟶ g^8 ⟶ g^16 ⟶ g^32, then combine into g^53
Slide 62: Repeated Squaring Algorithm
Input: g in G and x > 0. Output: g^x
Square and Multiply(g, x):
  write x = (x_n x_(n−1) … x_2 x_1 x_0)_2
  y ⟵ g, z ⟵ 1
  for i = 0 to n do:
    if (x[i] == 1): z ⟵ z⋅y
    y ⟵ y^2
  output z
Example: g^53 (y, z after each iteration):
  y = g^2,  z = g
  y = g^4,  z = g
  y = g^8,  z = g^5
  y = g^16, z = g^5
  y = g^32, z = g^21
  y = g^64, z = g^53
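As an added example (not from the slides), slide 62's square-and-multiply loop in Python, once as a working modular exponentiation and once instrumented to return only the exponents of (y, z) after each iteration, which for x = 53 reproduces the slide's table.

```python
# Added example (not from the slides): slide 62's algorithm, scanning the
# bits of x from least significant, plus an exponent-only trace of (y, z).

def square_and_multiply(g, x, mod):
    """Compute g^x mod `mod`; O(log x) squarings and at most as many multiplies."""
    y, z = g % mod, 1
    while x > 0:
        if x & 1:                 # bit x[i] == 1: fold y into the accumulator
            z = (z * y) % mod
        y = (y * y) % mod         # y <- y^2 for the next bit
        x >>= 1
    return z

def exponent_trace(x):
    """Track exponents only: (exponent of y, exponent of z) after each bit.
    Starts from y = g^1, z = g^0, exactly as the pseudocode does."""
    y_exp, z_exp, trace = 1, 0, []
    while x > 0:
        if x & 1:
            z_exp += y_exp
        y_exp *= 2
        x >>= 1
        trace.append((y_exp, z_exp))
    return trace

if __name__ == "__main__":
    print(exponent_trace(53))           # slide's table for g^53
    print(square_and_multiply(3, 53, 1000003))
```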
Slide 63: Running times
Given n-bit integer N:
  Addition and subtraction in ZN: linear time, T+ = O(n)
  Modular multiplication in ZN: naively T× = O(n^2)
  Modular exponentiation in ZN (g^x): O((log x)⋅T×) ≤ O((log x)⋅n^2) ≤ O(n^3)
Slide 64: Easy and Hard Problems
Slide 65: DLOG: more generally
Let G be a finite cyclic group and g a generator of G: G = {1, g, g^2, g^3, …, g^(q−1)} (q is called the order of G)
Def: We say that DLOG is hard in G if for all efficient alg. A:
  Pr_{g ⟵ G, x ⟵ Zq} [ A(G, q, g, g^x) = x ] < negligible
Example candidates: Zp* for large p; elliptic curve groups mod p
Slide 66: Easy problem
Given composite N = pq, where p and q are large primes, and x in ZN, find x^−1 in ZN