# Public Key Cryptography David Brumley 2018-09-18


### Presentations text content in Public Key Cryptography David Brumley

Slide1

Public Key Cryptography

David Brumley, dbrumley@cmu.edu, Carnegie Mellon University

Credits: Many slides from Dan Boneh’s June 2012 Coursera crypto class, which is awesome!

Slide2

Key management

Problem: Communicating among n users.

Total: O(n) keys per user

[Diagram: users U1, U2, U3, U4 connected pairwise by keys k1,2, k1,3, k1,4, k3,2, k4,3, k4,2]

Slide3

One Solution: Trusted Third Party (TTP)

Everyone needs only one key

[Diagram: users U1, U2, U3, U4 each share a single key with the TTP: k1,TTP, k2,TTP, k3,TTP, k4,TTP]

Can we remove the TTP as a communication and privacy bottleneck?

Slide4

Session Keys and Mitigating TTP Privacy Concerns

Parties: Alice (ka), Bob (kb), TTP (kt)

1. Alice → TTP: E(kt, “talk to bob”)
2. TTP: Choose random KAB
3. TTP → Alice: E(ka, “A,B” || KAB), ticket = E(kb, “A,B” || KAB)
4. Alice → Bob: E(KAB, “Hi.”), ticket = E(kb, “A,B” || KAB)
5. Bob: D(kb, “A,B” || KAB), D(KAB, “Hi.” || Knew)

Basis for Kerberos

Slide5

Security Analysis

Suppose (E,D) is secure (i.e., semantically secure).

✓ Eve sees messages, but learns nothing about kab

But: TTP needed to set up every session, and TTP can decrypt everything

[Diagram: Alice (ka), Bob (kb), TTP (kt); Eve sees all traffic]

Slide6

Key question

Can we generate shared keys without an online trusted 3rd party?

Starting point of public-key cryptography: Merkle (1974), Diffie-Hellman (1976), RSA (1977)

More recently: ID-based enc. (BF 2001), Functional enc. (BSW 2011)

Slide7

The Diffie-Hellman Protocol

[Photos: Whitfield Diffie, Martin Hellman]

Slide8

Goal: establish shared key for security against eavesdroppers without a TTP

[Diagram: Alice, Bob, Eve]

Slide9

Discrete Log: A Review

Recall: Logarithms are the inverse of exponentiation. b^y = x is equivalent to log_b(x) = y.

Consider arithmetic mod p, where p is a prime. The discrete log to the base b of x is an integer y such that b^y mod p = x.

Example. Let p = 17. Then: 3^4 mod 17 = 81 mod 17 = 13. So 3^4 = 13 (mod p), and the discrete log_3(13) = 4.

Slide10

Discrete Log Example

Fix a prime p > 2 and g in (Zp)* of order q. Consider the function:

f(x) = g^x in Zp

Now, consider the inverse function:

Dlog_g(g^x) = x where x in {0, …, q-2}

Example: Let g = 2 in Z11. Dlog_2(y) = x s.t. y = 2^x mod 11

| g^x | Dlog_2(g^x) | 2^x mod 11 |
|---|---|---|
| 1 | 0 | 2^0 = 1 |
| 2 | 1 | 2^1 = 2 |
| 3 | 8 | 2^8 = 3 |
| 4 | 2 | 2^2 = 4 |
| 5 | 4 | 2^4 = 5 |
| 6 | 9 | 2^9 = 6 |
| 7 | 7 | 2^7 = 7 |
| 8 | 3 | 2^3 = 8 |
| 9 | 6 | 2^6 = 9 |
| 10 | 5 | 2^5 = 10 |

Slide11

The “Discrete Log” problem: A candidate One Way Function

Easy: Given b, y, and p, compute b^y mod p. See “Handbook of Applied Cryptography”, available free online.

Believed Hard: Given b, p, x, compute y such that b^y mod p = x.

Slide12

Key Exchange with Discrete Log

Setup: Fix a public large prime p (~600 digits ≈ 2048 bits) and a public number g between 0 and p.

1. Alice: Pick a from [0,p-1)
2. Bob: Pick b from [0,p-1)
3. Alice → Bob: g^a mod p
4. Bob → Alice: g^b mod p
5. Alice: Compute k = (g^b)^a mod p
5. Bob: Compute k = (g^a)^b mod p
6. Use k for symmetric (authenticated) encryption.

Slide13

Eve observes: g, g^a, g^b

Goal 1 (computational DH): compute a (or b) (i.e., calculate the discrete log) or compute g^ab

Goal 2 (strong DDH): Given (g, g^a, g^b), return whether x = g^ab or g^c where c != ab

[Diagram, same exchange with Eve watching: 1. Pick a from [0,p-1); 2. Pick b from [0,p-1); 3. g^a mod p; 4. g^b mod p; 5. Compute (g^a)^b mod p as secret key; 6. Compute (g^b)^a mod p as secret key]

Slide14

How hard is the DH function mod p?

Suppose prime p is n-bits long. Best known algorithm (GNFS)*:

| Sym Key | Modulus | Elliptic Curve |
|---|---|---|
| 80 bits | 1024 bits | 160 bits |
| 128 bits | 3072 bits | 256 bits |
| 256 bits (AES) | 15360 bits | 512 bits |

Slow transition to elliptic curve

* O-hat means left lots of lower-order terms off

Can we do DH another way that is faster?

Slide15

Elliptic curve Diffie-Hellman

Slide16

As described, Diffie-Hellman is insecure against active Man In The Middle (MITM) attacks

[Diagram: Alice → MITM: g^a mod p; MITM → Bob: g^m mod p; Bob → MITM: g^b mod p; MITM → Alice: g^m mod p. Alice ends up with g^ma mod p, Bob with g^mb mod p, and the MITM knows both.]

Slide17

Public Key Encryption

Slide18

Last few slides: establish shared key (only) without TTP. What about actual encryption?

[Diagram: Alice runs E, sends c over a Public Channel watched by Eve, Bob runs D on c]

Slide19

Public Key Encryption

[Diagram: same as Slide 18, but E uses Bob’s Public Key and D uses Bob’s Private Key]

Slide20

Public Key Encryption

Def: a public-key encryption system is a triple of algorithms (G, E, D)

G(): randomized alg. outputs a key pair (pk, sk)

E(pk, m): randomized alg. that takes m ∈ M and outputs c ∈ C

D(sk, c): deterministic alg. that takes c ∈ C and outputs m ∈ M or ⊥

Consistency: ∀(pk, sk) output by G: ∀m ∈ M: D(sk, E(pk, m)) = m

Note: Without randomization, an attacker can determine E(pk, m1) = E(pk, m2) when m1 = m2

Slide21

Semantic Security

For b = 0,1 define experiments EXP(b) (i.e., EXP(0) and EXP(1)):

EXP(b):
  Chal.: (pk, sk) ⟵ G(); sends pk to A
  A: sends m0, m1 ∈ M with |m0| = |m1|
  Chal.: c ⟵ E(pk, m_b); sends c to A
  A: outputs b’ ∈ {0,1}

Def: Enc = (G,E,D) is sem. secure (a.k.a IND-CPA) if for all efficient A:

| Pr[EXP(0)=1] – Pr[EXP(1)=1] | < negligible

No query encryptions of messages. Why?

Slide22

Establishing a shared secret

Alice: (pk, sk) ⟵ G()

Alice → Bob: “Alice”, pk

Bob: choose random x ∈ {0,1}^128

Bob → Alice: “Bob”, C = E(pk, x)

Alice: D(sk, C) = x

x is shared key

Slide23

Security (eavesdropping)

Adversary sees pk, E(pk, x) and wants x ∈ M

Semantic security means the adversary cannot distinguish { pk, E(pk, x), x } from { pk, E(pk, x), rand ∈ M }

Note: protocol is also vulnerable to MITM attack

Slide24

Public key encryption: constructions

Constructions generally rely on hard problems from number theory and algebra

Slide25

Notation

Let N denote an n-bit positive integer. Notation: (In PowerPoint, we will sometimes use Z_n since it doesn’t have fancy LaTeX fonts.)

Can do addition and multiplication modulo N

Slide26

Intractable problems with composites

Suppose N = pq is a 1024 bit number where |p| = |q|. Let ϕ(N) = (p-1)(q-1)

Easy Problems:
- Computing x^y mod N
- Inverting elements. If z = x mod N, finding x^-1

Hard Problems:
- Factor N
- Given x^y mod N, compute the y’th root (when gcd(y, ϕ(N)) = 1)

Slide27

The factoring problem

Gauss (1805): “The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic.”

Current world record: RSA-768 (232 digits). Work: two years on hundreds of machines

Factoring a 1024-bit integer: about 1000 times harder ⇒ likely possible this decade

Slide28

RSA and Trapdoors

Slide29

Trapdoor functions (TDF)

Def: a trapdoor func. X ⟶ Y is a triple of efficient algs. (G, F, F^-1)

G(): randomized alg. outputs a key pair (pk, sk)

F(pk, ⋅): det. alg. that defines a function X ⟶ Y

F^-1(sk, ⋅) (the trapdoor): a function Y ⟶ X that inverts F(pk, ⋅)

∀(pk, sk) output by G, ∀x ∈ X: F^-1(sk, F(pk, x)) = x

Slide30

Arithmetic Mod Composites

Let N = pq where p, q are prime

ZN = {0, 1, 2, …, N-1} ; (ZN)* = {invertible elements in ZN}

Facts: x ∈ ZN is invertible ⟺ gcd(x, N) = 1

Number of elements in (ZN)* is ϕ(N) = (p-1)(q-1) = N-p-q+1

Euler’s thm: ∀ x ∈ (ZN)*: x^ϕ(N) = 1

Slide31

The RSA trapdoor permutation

First published in Scientific American, Aug. 1977

Very widely used:
- SSL/TLS: certificates and key-exchange
- Secure e-mail and file systems
- … many others

Slide32

The RSA trapdoor permutation

G(): choose random primes p, q ≈ 1024 bits. Set N = pq. Choose integers e, d s.t. e⋅d = 1 mod (p-1)(q-1). Output pk = (N, e), sk = (N, d)

F(pk, x): RSA(x) = x^e (in ZN)

F^-1(sk, y) = y^d ; y^d = RSA(x)^d = x^(ed) = x^(kϕ(N)+1) = (x^ϕ(N))^k ⋅ x = x

Slide33

The RSA assumption

RSA is assumed to be a one-way trapdoor permutation

For all efficient algs. A:

Pr[ A(N, e, y) = y^(1/e) ] < negligible

where p, q ⟵ n-bit primes, N ⟵ pq, y ⟵ ZN*

Slide34

Textbook RSA is insecure

Textbook RSA encryption: public key: (N, e). Encrypt: c ⟵ m^e (in ZN). Secret key: (N, d). Decrypt: c^d ⟶ m

Insecure cryptosystem!! Is not semantically secure and many attacks exist

⇒ The RSA trapdoor permutation is not an encryption scheme!

Slide35

RSA encryption in practice

Never use textbook RSA. RSA in practice:

[Diagram: msg → Preprocessing → int. msg → RSA (with key) → ciphertext]

Main questions:
- How should the preprocessing be done?
- Can we argue about security of resulting system?

Slide36

PKCS1 v2.0: OAEP

Preprocessing function: OAEP [BR94]

[Diagram: the padded block msg || 01 || 00..0 and a random value rand. are mixed through the hash functions H and G in two XOR stages, giving the plaintext to encrypt with RSA, a string in {0,1}^(n-1). Check the 00..0 field on decryption; reject CT if invalid.]

Thm [FOPS’01]: If RSA is a trap-door permutation, then RSA-OAEP is secure when H, G are perfect hash functions (technically, random oracle)*.

* In practice: use SHA-256 for H and G
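Slides 32, 34 and 36 together, as an added Python example that is not code from the deck: RSA key generation with e⋅d = 1 mod (p-1)(q-1), the raw trapdoor permutation F / F^-1 (textbook RSA, which encrypts equal messages to equal ciphertexts), and the OAEP preprocessing in the PKCS#1 v2 layout with SHA-256 for H and G. The mask generator `mgf1` (PKCS#1's MGF1 built from SHA-256), the empty-label `lHash`, and the Miller-Rabin key generation are my choices, not things the slides state; the block is a teaching implementation of the structure, not a constant-time library routine:

```python
import hashlib
import secrets
from math import gcd

H_LEN = 32  # SHA-256 output length; H and G on the slide are instantiated with SHA-256

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; enough for a demo key (real keygen adds more checks)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits=1024, e=65537):
    """G(): N = p*q, e*d = 1 mod (p-1)(q-1); pk = (N, e), sk = (N, d)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_f(pk, x):       # F(pk, x) = x^e in Z_N (textbook RSA: deterministic)
    return pow(x, pk[1], pk[0])

def rsa_f_inv(sk, y):   # F^-1(sk, y) = y^d in Z_N
    return pow(y, sk[1], sk[0])

def mgf1(seed, length):
    """PKCS#1 mask generation function from SHA-256; stands in for G and H."""
    blocks = -(-length // H_LEN)  # ceiling division
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_pad(msg, k, seed=None):
    """EM = 00 || maskedSeed || maskedDB with DB = lHash || 00..0 || 01 || msg.
    The random seed is what makes two encryptions of the same msg differ."""
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    db = hashlib.sha256(b"").digest() + b"\x00" * (k - len(msg) - 2 * H_LEN - 2) + b"\x01" + msg
    seed = secrets.token_bytes(H_LEN) if seed is None else seed
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db

def oaep_unpad(em, k):
    """Undo the masking, then check the 00 byte, lHash, the 00..0 run and the
    01 separator; any failure is the slide's 'reject CT if invalid', reported
    with one generic error so the caller learns nothing about which check failed."""
    if len(em) != k or em[0] != 0:
        raise ValueError("decryption error")
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    l_hash, rest = db[:H_LEN], db[H_LEN:]
    sep = rest.find(b"\x01")
    if l_hash != hashlib.sha256(b"").digest() or sep < 0 or any(rest[:sep]):
        raise ValueError("decryption error")
    return rest[sep + 1:]

def encrypt(pk, msg):
    k = (pk[0].bit_length() + 7) // 8          # modulus length in bytes
    return rsa_f(pk, int.from_bytes(oaep_pad(msg, k), "big"))

def decrypt(sk, c):
    k = (sk[0].bit_length() + 7) // 8
    return oaep_unpad(rsa_f_inv(sk, c).to_bytes(k, "big"), k)

def decrypt_or_none(sk, c):
    try:
        return decrypt(sk, c)
    except ValueError:
        return None

if __name__ == "__main__":
    pk, sk = rsa_keygen(1024)
    msg = b"constructed sample message"
    c = encrypt(pk, msg)
    print("roundtrip ok:", decrypt(sk, c) == msg)
    print("textbook RSA repeats:", rsa_f(pk, 42) == rsa_f(pk, 42))
    print("OAEP randomizes:", encrypt(pk, msg) != c)
    print("tampered ciphertext rejected:", decrypt_or_none(sk, c ^ 1) is None)
```

The leading 00 byte keeps the encoded message below N, and the single error path in `oaep_unpad` is the "reject CT if invalid" step from the diagram.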

Slide37

Is RSA a one-way permutation?

To invert the RSA one-way func. (without d) attacker must compute x from c = x^e (mod N).

How hard is computing e’th roots modulo N??

Best known algorithm: Step 1: factor N (hard). Step 2: compute e’th roots modulo p and q (easy)

Slide38

[No text on this slide]

Slide39

Implementation attacks

Timing attack: [Kocher et al. 1997], [BB’04] The time it takes to compute c^d (mod N) can expose d.

Power attack: [Kocher et al. 1999] The power consumption of a smartcard while it is computing c^d (mod N) can expose d.

Fault attack: [BDL’97] A computer error during c^d (mod N) can expose d. (common defense: check output with 10% slowdown)

Slide40

Extra slides if time

Slide41

RSA Key Generation Trouble [Heninger et al./Lenstra et al.]

OpenSSL RSA key generation (abstract):

```
prng.seed(seed)
p = prng.generate_random_prime()
# ... q is drawn from the prng after more randomness is added (lines not preserved here)
N = p*q
```

Suppose poor entropy at startup: Same p will be generated by multiple devices, but different q

N1, N2: RSA keys from different devices ⇒ gcd(N1, N2) = p

Slide42

RSA Key Generation Trouble [Heninger et al./Lenstra et al.]

Experiment: factors 0.4% of public HTTPS keys!

Lesson: Make sure random number generator is properly seeded when generating keys
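The gcd check behind Slides 41-42, written as a key-audit routine; this is an added Python example, not code from the deck or from the cited papers. The moduli are constructed from small primes to keep the arithmetic visible (real keys would be 1024-bit or larger); devices 0 and 2 model two machines that seeded their PRNG identically and so drew the same p:

```python
from itertools import combinations
from math import gcd

# Constructed toy moduli (not real keys). Devices 0 and 2 both produced
# p = 1009 from an identically seeded PRNG; their q values differ.
TOY_MODULI = [1009 * 1013, 1019 * 1021, 1009 * 1031, 1033 * 1039]

def shared_factor_audit(moduli):
    """Pairwise gcd over a set of RSA moduli. Returns (i, j, p) for every pair
    sharing a non-trivial factor; one finding breaks both keys."""
    findings = []
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        g = gcd(n1, n2)
        if 1 < g < min(n1, n2):
            findings.append((i, j, g))
    return findings

def batch_gcd(moduli):
    """The same check in one pass. With P the product of all moduli,
    gcd(N_i, (P mod N_i^2) / N_i) equals gcd(N_i, product of all the others),
    so each modulus is tested against the whole set at once. Returns one
    value per modulus; 1 means no shared factor (a duplicated modulus
    would report itself, i.e. N_i, so treat that case separately)."""
    P = 1
    for n in moduli:
        P *= n
    return [gcd(n, (P % (n * n)) // n) for n in moduli]

def factor_from_shared(n, p):
    """Once p is known, the other factor is one division."""
    assert n % p == 0, "p does not divide n"
    return p, n // p

if __name__ == "__main__":
    for i, j, p in shared_factor_audit(TOY_MODULI):
        print(f"keys {i} and {j} share p={p}:",
              factor_from_shared(TOY_MODULI[i], p), factor_from_shared(TOY_MODULI[j], p))
    print(batch_gcd(TOY_MODULI))
```

The pairwise version is quadratic in the number of keys; the single product in `batch_gcd` is what makes a scan over a large key set practical, and the Heninger et al. scan used a product tree to do the same thing at internet scale.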

Slide43

Questions?

Slide44

END

Slide45

Number Theory Primer

Slide46

Background

We will use a bit of number theory to construct:

References: shoup.net/ntb/ntb-v2.pdf, http://cseweb.ucsd.edu/~mihir/cse107/, and other places across the web.

Slide47

Modular Arithmetic

Defn: a = b mod N iff a-b = kN

Addition and multiplication work as expected, e.g., x(y+z) = x*y + x*z

Examples:

Slide48

Greatest Common Divisor

Def: for integers x, y, gcd(x, y) is the greatest common divisor of x and y.

Fact: for all integers x, y there exist integers a, b such that: a*x + b*y = gcd(x, y), and a, b can be found efficiently with the extended Euclidean algorithm

Example: gcd(12, 18) = 6; 2*12 + (-1)*18 = 6

Def: If gcd(x, y) = 1, then we say x and y are relatively prime.

Slide49

Modular Inversion

Over the rationals the inverse of 2 is ½. What about modulo N?

Def: The inverse of an integer x is an integer y such that x*y = 1 mod N, and is denoted x^-1

Example: Let N be an odd integer. Then the inverse of 2 is (N+1)/2

Proof: 2 ⋅ (N+1)/2 = N+1 = 1 mod N

Slide50

Which Elements Have Inverses?

Thm: an element x has an inverse mod N iff gcd(x, N) = 1

Computing: Calculate gcd(x, N) using extended Euclidean to come up with ax + bN = 1. Then a*x = 1 mod N, so a is the inverse for x.

Example: For N = 12, we have the following invertible elements:

| x | gcd(x, 12) | x | gcd(x, 12) | x | gcd(x, 12) |
|---|---|---|---|---|---|
| 0 | 0 | 4 | 4 | 8 | 4 |
| 1 | 1 | 5 | 1 | 9 | 3 |
| 2 | 2 | 6 | 6 | 10 | 2 |
| 3 | 3 | 7 | 1 | 11 | 1 |

Slide51

Twinkle Twinkle Little Star

Def: Let Z* be the set of invertible elements (i.e., the set {x in N | gcd(x, N) = 1})

Example: Zp* = {1, 2, 3, ..., p-1} for all primes p; Z12* = {1, 5, 7, 11}

Slide52

Fermat’s Theorem (1640)

Thm: Let p be a prime. ∀ x ∈ (Zp)*: x^(p-1) = 1 mod p

Example: p = 5. 3^4 = 81 = 1 in Z5

Example Application: x ∈ (Zp)* ⇒ x ⋅ x^(p-2) = 1 ⇒ x^-1 = x^(p-2) in Zp (this is less efficient than extended Euclidean, and for demonstration purposes only.)

Slide53

Application: Generating Primes*

Suppose we want a large prime, e.g., 1024 bits

Step 1: choose a random p from [2^1024, 2^1025 - 1]

Step 2: test if 2^(p-1) = 1 in Zp. If so, output p, else goto step 1 (only a few 100 iter. needed)

Pr[p not prime] < 2^-60

[Diagram: all n-bit numbers; the primes inside them; a tiny set that fails the test: “Carmichael” numbers]

* not used in modern crypto, but good example
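The two-step procedure of Slide 53 in Python, as an added example that is not code from the deck. `generate_prime_fermat` draws candidates from [2^bits, 2^(bits+1) - 1] and keeps the first that passes the base-2 Fermat test; the one deviation from the slide is that even candidates are skipped outright, since they always fail. `fermat_false_positives` enumerates the "tiny set that fails the test" for small numbers, using trial division (my addition) as the ground truth:

```python
import secrets

def fermat_test(p):
    """Step 2 of the slide: accept p if 2^(p-1) = 1 in Z_p (Fermat test, base 2)."""
    if p < 2:
        return False
    if p == 2:
        return True
    return pow(2, p - 1, p) == 1

def generate_prime_fermat(bits):
    """Steps 1-2 in a loop: random p in [2^bits, 2^(bits+1) - 1] until the test
    passes. Returns (p, number_of_candidates_tried)."""
    tries = 0
    while True:
        tries += 1
        p = (1 << bits) | secrets.randbits(bits) | 1   # in range, forced odd
        if fermat_test(p):
            return p, tries

def is_prime_trial(n):
    """Exact but slow reference check; usable only for small n."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def fermat_false_positives(limit):
    """Composites up to limit that the base-2 Fermat test accepts: the set the
    slide's diagram calls tiny. 561 = 3*11*17 is the first Carmichael number,
    which passes for every base coprime to it."""
    return [n for n in range(3, limit + 1) if fermat_test(n) and not is_prime_trial(n)]

if __name__ == "__main__":
    p, tries = generate_prime_fermat(256)
    print(p.bit_length(), "bits after", tries, "candidates")
    print(fermat_false_positives(2000))
```

Below 700 the test wrongly accepts exactly 341, 561 and 645, which is why the slide marks the procedure as a teaching example and why production code uses Miller-Rabin instead.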

Slide54

Structure of Zp*

Thm (Euler): Zp* (p is prime) is a cyclic group, that is: ∃ g ∈ Zp* such that {1, g, g^2, g^3, …, g^(p-2)} = Zp*

Def: g is called a generator of Zp*

Example: p = 7. {1, 3, 3^2, 3^3, 3^4, 3^5} = {1, 3, 2, 6, 4, 5} = Z7*, but not every elem. is a generator, e.g., 2 for Z7: {1, 2, 2^2, 2^3, 2^4, 2^5} = {1, 2, 4}

Slide55

Order

For x ∈ Zp*, the set {1, x, x^2, x^3, …} is called the group generated by x, denoted <x>

Def: the order of x ∈ Zp* is the size of <x>: ordp(x) = |<x>| = (smallest a > 0 s.t. x^a = 1 in Zp)

Examples: ord7(3) = 6, ord7(2) = 3, ord7(1) = 1

Thm (Lagrange): ∀ x ∈ Zp*: ordp(x) divides p-1
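The primer of Slides 48-55 in one added Python example (not code from the deck): the extended Euclidean algorithm, inversion by Euclid and by Fermat's x^(p-2), the invertible elements of Z12, and the generated subgroup and order of an element. The function names are mine; the numbers checked are the slides' own (gcd(12, 18) = 6, Z12* = {1, 5, 7, 11}, 3 generates Z7* while 2 does not):

```python
def egcd(x, y):
    """Extended Euclidean algorithm: returns (g, a, b) with a*x + b*y = g = gcd(x, y)."""
    a0, a1, b0, b1 = 1, 0, 0, 1
    while y:
        q = x // y
        x, y = y, x - q * y
        a0, a1 = a1, a0 - q * a1
        b0, b1 = b1, b0 - q * b1
    return x, a0, b0

def modinv(x, N):
    """x^-1 mod N from a*x + b*N = 1; fails unless gcd(x, N) = 1 (Slide 50)."""
    g, a, _ = egcd(x % N, N)
    if g != 1:
        raise ValueError(f"{x} has no inverse mod {N} (gcd = {g})")
    return a % N

def invertible_elements(N):
    """Z_N* as a sorted list (Slide 51)."""
    return [x for x in range(N) if egcd(x, N)[0] == 1]

def fermat_inverse(x, p):
    """x^-1 = x^(p-2) in Z_p for prime p (Slide 52); slower than egcd."""
    return pow(x, p - 2, p)

def generated_subgroup(x, p):
    """<x> = {1, x, x^2, ...} in Z_p*, listed in the order the powers appear."""
    elems, cur = [], 1
    while True:
        elems.append(cur)
        cur = cur * x % p
        if cur == 1:
            return elems

def order(x, p):
    """ord_p(x) = |<x>| = smallest a > 0 with x^a = 1 in Z_p."""
    return len(generated_subgroup(x, p))

def generators(p):
    """Elements whose order is p-1, i.e. those that generate all of Z_p*."""
    return [g for g in range(1, p) if order(g, p) == p - 1]

if __name__ == "__main__":
    print(egcd(12, 18), invertible_elements(12))
    print(modinv(2, 15), fermat_inverse(3, 5), modinv(3, 5))
    print(generated_subgroup(3, 7), generated_subgroup(2, 7), generators(7))
```

`egcd(12, 18)` returns the coefficients (-1, 1) rather than the slide's (2, -1); both satisfy a*12 + b*18 = 6, since Bezout coefficients are not unique. `modinv(2, 15)` gives 8 = (15+1)/2, the Slide 49 example, and every order in Z7* divides 6 as Lagrange requires.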

Slide56

Euler’s generalization of Fermat (1736)

Def (Euler’s ϕ func.): For an integer N define ϕ(N) = |ZN*|

Examples: ϕ(12) = |{1, 5, 7, 11}| = 4; ϕ(p) = p-1; For N = p⋅q: ϕ(N) = N-p-q+1 = (p-1)(q-1)

Thm (Euler): ∀ x ∈ ZN*: x^ϕ(N) = 1 in ZN

Example: 5^ϕ(12) = 5^4 = 625 = 1 in Z12

Generalization of Fermat. Basis of the RSA cryptosystem

Slide57

Solving Linear Equations

Solve: a⋅x + b = 0 (mod N)

Solution: x = −b⋅a^-1 (mod N)

Find a^-1 using extended Euclidean alg. Run time: O(log^2 N)

Slide58

Modular e’th roots

What about higher degree polynomials?

Example: let p be a prime and c ∈ Zp. Can we solve: x^2 – c = 0, y^3 – c = 0, z^37 – c = 0 in Zp?

Example: let N be composite. Can we solve: x^2 – c = 0, y^3 – c = 0, z^37 – c = 0 in ZN?

Linear equations

Quadratic equations

✗ Higher powers of composite N (believed to require factoring)

Slide59

Representing Big Numbers

Representing an n-bit integer (e.g. n = 2048) on a 32-bit machine: n/32 blocks of 32 bits each

[Diagram: 32 bits | 32 bits | 32 bits | 32 bits | ⋯ (n/32 blocks)]

Note: some processors have 128-bit registers (or more) and support multiplication on them

Slide60

Arithmetic

Given: two n-bit integers

Addition and subtraction: linear time O(n)

Multiplication: naively O(n^2). Karatsuba (1960): O(n^1.585). Basic idea: (2^b x2 + x1) × (2^b y2 + y1) with 3 mults. Best (asymptotic) algorithm: about O(n⋅log n).

Division with remainder: O(n^2).

Slide61

Exponentiation

Finite cyclic group G (for example G = Zp). Goal: given g, x in G, compute g^x

Example: g^53. x = 53 = (110101)_2 = 32+16+4+1

Then: g^53 = g^(32+16+4+1) = g^32 ⋅ g^16 ⋅ g^4 ⋅ g^1

g ⟶ g^2 ⟶ g^4 ⟶ g^8 ⟶ g^16 ⟶ g^32, then multiply the needed powers together to get g^53

Slide62

Repeated Squaring Algorithm

Input: g in G and x > 0. Output: g^x

```
Square-and-Multiply(g, x):
  write x = (x_n x_(n-1) … x_2 x_1 x_0)_2
  y ⟵ g, z ⟵ 1
  for i = 0 to n do:
    if (x[i] == 1): z ⟵ z⋅y
    y ⟵ y^2
  output z
```

Example: g^53, values of y and z after each iteration

| y | z |
|---|---|
| g^2 | g |
| g^4 | g |
| g^8 | g^5 |
| g^16 | g^5 |
| g^32 | g^21 |
| g^64 | g^53 |
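The algorithm of Slides 61-62 as runnable Python, an added example rather than code from the deck. `square_and_multiply` follows the slide's loop bit for bit and records (y, z) after every iteration so the table above can be checked; `exponent_trace` runs the same loop on exponents only, which reproduces the table symbolically; the modulus 1000003 and base 3 are constructed test values:

```python
def square_and_multiply(g, x, p):
    """Repeated squaring exactly as on the slide: scan the bits of x from x_0
    upward, multiply z by the current y when the bit is 1, then square y.
    Returns (g^x mod p, trace) with trace = [(y, z) after each iteration]."""
    y, z = g % p, 1
    trace = []
    for bit in bin(x)[2:][::-1]:          # x_0, x_1, ..., x_n
        if bit == "1":
            z = z * y % p
        y = y * y % p
        trace.append((y, z))
    return z, trace

def exponent_trace(x):
    """Same loop but tracking exponents of g instead of group elements,
    so the slide's table (g^2, g), (g^4, g), ... comes out as (2, 1), (4, 1), ..."""
    y_exp, z_exp, trace = 1, 0, []
    for bit in bin(x)[2:][::-1]:
        if bit == "1":
            z_exp += y_exp                 # z <- z * y
        y_exp *= 2                         # y <- y^2
        trace.append((y_exp, z_exp))
    return trace

def operation_count(x):
    """(squarings, multiplications) the loop performs: one squaring per bit of
    x and one multiplication per set bit, i.e. O(log x) group operations."""
    return x.bit_length(), bin(x).count("1")

if __name__ == "__main__":
    result, trace = square_and_multiply(3, 53, 1000003)
    print(result == pow(3, 53, 1000003), trace)
    print(exponent_trace(53), operation_count(53))
```

For x = 53 the loop does 6 squarings and 4 multiplications, which is the O((log x)⋅T×) bound quoted on the running-times slide.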

Slide63

Running times

Given n-bit integer:

Addition: linear time T+ = O(n)

Modular multiplication in ZN: naively T× = O(n^2)

Modular exponentiation in ZN (g^x): O((log x)⋅T×) ≤ O((log x)⋅n^2) ≤ O(n^3)

Slide64

Easy and Hard Problems

Slide65

DLOG: more generally

Let G be a finite cyclic group and g a generator of G

G = {1, g, g^2, g^3, …, g^(q-1)} (q is called the order of G)

Def: We say that DLOG is hard in G if for all efficient alg. A:

Pr_{g ⟵ G, x ⟵ Zq} [ A(G, q, g, g^x) = x ] < negligible

Example candidates: Zp for large p; Elliptic curve groups mod p

Slide66

Easy problem

Given composite N = pq, where p and q are large primes, and x in ZN, find x^-1 in ZN