Public Key Cryptography David Brumley

Public Key Cryptography

David Brumleydbrumley@cmu.eduCarnegie Mellon University

Credits:

Many

slides from Dan

Boneh’s

June 2012

Coursera

crypto class, which is awesome!

Problem: Communicating among n users.

Total: O(n) keys per user

K

ey management

U

1

U

4

U3

U2

k

1,2

k

1,4

k

3,2

k

4,3

k

4,2

k1,3

2

One Solution: Trusted Third Party (TTP)

Everyone needs only one key3

U

1

U

4

U

3

U

2

TTP

k

1,TTP

k

2,TTP

k

4

,TTP

k3,TTP

Can we remove the TTP as a communication and privacy bottleneck?

Session Keys and Mitigating TTP Privacy Concerns

4

Alice (

k

a

)

Bob (kb)

TTP (kt)

1. E(kt, “talk to bob”)

2. Choose random KAB

3. E(ka, “A,B” || KAB

) ticket = E(kb, “A,B” || Kab)

4

. E(

K

ab, “Hi.”) ticket = E(kb

, “A,B” || Kab)

5. D(kb, “A,B” || K

ab) D(Kab, “Hi.” || Knew)

Basis for

K

erberos

Security AnalysisSuppose (E,D) is secure (i.e., semantically secure).

✓ Eve sees messages, but learns nothing about kab

✗

TTP needed to set up every session

✗

TTP can decrypt everything

5Alice (k

a)Bob (kb)

TTP (kt)

Eve Sees All Traffic

Key question

Can we generate shared keys without an online trusted 3rd party?

Answer: yes!

Starting point of public-key cryptography

:

Merkle (1974),

Diffie-Hellman (1976), RSA (1977)More recently: ID-based enc. (BF 2001), Functional enc. (BSW 2011)6

The Diffie-Hellman Protocol

7

Whitfield

Diffie

Martin Hellman

Goal: establish shared key for security against eavesdroppers without a TTP

8

Alice

Bob

Eve

Discrete Log: A Review

Recall: Logarithms are the inverse of exponentiation. by = x is equivalent to log

b

(x) = y

Consider arithmetic mod

p, where

p is a prime. The discrete log to the base b of x is an integer y such that b

y mod p = x.9

Example. Let p = 17. Then:34 mod 17 = 81 mod 17 = 13. So 3

4 = 13 (mod p)And the discrete log3(13) = 4

Discrete Log ExampleFix a prime p>2 and g in (

Zp)* of order q. Consider the function:

f( x ) =

g

x

in ZpNow, consider the inverse function:

Dlogg (gx) = x where x in {0, …, q-2}

Example: Let g = 2 in Z11. Dlog2(2x)=y s.t. y = 2x mod 11

g

x

1

2

3

4

5

6

7

8

9

10

Dlog

2

(

g

x

)

0

1

8

2

4

9

7

3

6

5

2

x

mod 11

2

0

=1

2

1

=2

2

8

=3

2

2

=4

2

4

=5

2

9

=6

2

7

=7

2

3

=8

2

6

=9

2

5

=10

10

Easy: Given b, y, and p, compute by by mod pSee “Handbook of Applied Cryptography”, available free online

Believed Hard: Given b, p, x, compute y such that by mod p = x.

11

The “Discrete Log” problem

A candidate One Way Function

Key Exchange with Discrete Log

Setup: Fix a public large prime p (~600 digits ≈ 2048 bits) and a public number g between 0 and p.

12

3.

g

a

mod p

4

. gb

mod p1. Pick a from [0,p-1)

2. Pick b from [0,p-1)

5. Compute k = (ga)b mod p

5. Compute

k = (gb)a mod p

Alice

Bob

6. Use k for symmetric (authenticated) encryption.

Eve

observes: g, ga, gbGoal 1 (computational DH): compute

a

(or

b) (i.e., calculate the discrete log) or compute g

abGoal 2 (strong DDH): Given (g,

ga, gb) return whether x = gab or gc where c !=

ab13

3. ga mod p

4

. gb mod p

1. Pick a from [0,p-1)

2. Pick b

from [0,p-1)5. Compute (

ga)b mod pas secret key

6. Compute (gb)a

mod pas secret key

Alice

Bob

Eve

How hard is the DH function mod p?

Suppose prime p is n-bits long. Best known algorithm (GNFS)*:

Sym

Key

Modulus

Elliptic

Curve80

bits1024 bits160 bits128 bits3072 bits256

bits256 bits (AES)15360 bits512 bits

Slow transition to elliptic curve

* O-hat means left lots of lower-order terms off

Can we do DH another way that is faster?

14

Elliptic curve

Diffie-Hellman

15

MITM Adversary

As described, Diffie-Hellman is insecure against active

Man

In The Middle (MITM) attacks

Alice

Bob

MITM

ga mod p

g

m mod p

g

b mod p

g

m

mod p

g

ma

mod p

g

mb mod p

16

Public Key Encryption

17

Last few slides: establish shared key (only) without TTP. What about actual encryption?

18

Alice

Bob

Public Channel

Eve

E

D

c

c

Public Key Encryption19

Alice

Bob

Public Channel

Eve

E

D

c

c

Public

Key

Bob

Private

Key

Bob

Public Key Encryption

Def: a public-key encryption system is a triple of algorithms (G, E, D)G(): randomized alg. outputs a key pair (pk, sk)

E

(

pk, m): randomized alg. that takes

m∈M and outputs c

∈CD(sk,c): deterministic alg. that takes c∈C and outputs m ∈ M or ⊥

Consistency: ∀(pk, sk) output by G : ∀m∈M: D(sk

, E(pk, m) ) = m

Note: Without randomization, an attacker can determine E(pk,m1) = E(pk,m2

) when m1=m2

20

Semantic Security

For b=0,1 define experiments EXP(b) (i.e., EXP(0) and EXP(1)):

Def

:

Enc

=

(G,E,D)

is

sem. secure (a.k.a IND-CPA) if for all efficient A:

AdvSS [A,Enc] = |

Pr[EXP(0)=1] – Pr[EXP(1)=1] | < negligible

Chal.

b

Adv. A

(

p

k,sk)G()

m

0

, m1  M : |m0| = |m

1

|

c



E

(

pk

,

m

b

)

b’

 {0,1}

EXP(b)

pk

No query encryptions of messages. Why?

21

Establishing a shared secret

AliceBob

(

pk

,

sk) ⟵ G()

“Alice”,

pkchoose random x ∈ {0,1}128

“Bob”, C = E(

pk,x)D(sk,c) = x

x is shared key

22

Security (eavesdropping)

Adversary sees pk, E(pk, x) and wants

x

∈M

Semantic security means the

adversary cannot distinguish{ pk, E(pk

, x), x } from { pk, E(

pk, x), rand∈M }

Note: protocol is also vulnerable to MITM attack23

Public key encryption: constructions

Constructions generally rely on hard problems from number theory and algebra24

NotationLet N denotes a

n-bit positive integer. Notation: (In powerpoint, we will sometimes use

Z

n

since it doesn’t have fancy latex fonts.)

Can do addition and multiplication modulo N

25

Intractable problems with composites

Suppose N=pq is a 1024 bit number where |p| = |q|. Let ϕ(N) = (p-1)(q-1)

Easy Problems:

Computing

x

y mod N

Inverting elements. If z = x mod N, finding x-1Hard Problems: Factor N

Given xy mod N, compute the y’th root (when gcd(y, ϕ(N)) = 1)

26

The factoring problem

Gauss (1805):“The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the

most

important and useful in arithmetic.”

Current world record:

RSA-768

(232 digits) Work: two years on hundreds of machinesFactoring a 1024-bit integer: about 1000 times harder ⇒ likely possible this decade

27

RSA and Trapdoors

28

Trapdoor functions (TDF)

Def: a trapdoor func. X⟶Y is a triple of efficient algs. (G, F, F-1)

G(): randomized alg. outputs a key pair (

pk

,

sk)

F(pk,⋅): det. alg. that defines a function X ⟶ YF-1(sk

,⋅) (the trapdoor): a function Y ⟶ X that inverts F(pk,⋅) ∀(pk, sk) output by G

∀x∈X: F-1(sk, F(pk, x) ) = x

29

Arithmetic Mod Composites

Let N =

p

q

where

p,q

are prime Z

N = {0,1,2,…,N-1} ; (ZN)*

= {invertible elements in ZN}Facts

: x  ZN is invertible  gcd(

x,N) = 1Number of elements in (Z

N)* is

(N) = (p-1)(q-1) = N-p-q+1

Euler’s thm:  x (Z

N)* : x(N)

= 1

30

The RSA trapdoor permutation

First published in Scientific American, Aug. 1977Very widely used:

SSL/TLS: certificates and key-exchange

Secure e-mail and file systems

… many others

31

The RSA trapdoor permutation

G(): choose random primes p,q



1024

bits. Set N

=

pq. choose integers e, d s.t

. e⋅d = 1 mod (p-1)(q-1)

output pk = (N, e) , sk = (N, d)

F

-1

(

sk

, y)

= yd

; yd

= RSA(x)d

=

xed

=

xk(N)+

1 =

(

x

(N)

)

k



x

=

x

F

(

p

k

, x )

:

;

RSA

(x) =

x

e

(in Z

N

)

32

The RSA assumption

RSA is assumed to be a one-way trapdoor permutation

For all efficient

algs

. A:

Pr

[ A

(N,e,y) = y1/e

] < negligible

where p,q  n-bit primes, Npq

, yZN

*

33

Textbook RSA is insecure

Textbook RSA encryption:public key: (N,e) Encrypt:

c

⟵ m

e

(

in ZN) secret key:

(N,d) Decrypt: cd ⟶ m

Insecure cryptosystem !! Is not semantically secure and many attacks exist

⇒ The RSA trapdoor permutation is not an encryption scheme !34

RSA encryption in practice

Never use textbook RSA.RSA in practice:

Main

questions:

How should the preprocessing be done?

Can we argue about security of resulting system?

msg

key

int. msg

Preprocessing

RSA

ciphertext

35

PKCS1 v2.0: OAEP

Preprocessing function: OAEP [BR94]

Thm

[FOPS’01]

: If RSA

is a trap-door permutation, then RSA-OAEP is

secure when H,G are perfect hash functions (technically, random oracle)*. *In practice: use SHA-256 for H and G

H

+

G

+

p

laintext

to encrypt with RSA

rand.

msg

01

00..0

c

heck

pad

on decryption.

reject

CT if invalid.



{0,1}

n-1

36

Is RSA a one-way permutation?

To invert the RSA one-way func. (without d) attacker must compute:

x

from

c

= xe (mod N).

How hard is computing e’th roots modulo N ??Best known algorithm: Step 1: factor

N (hard)Step 2: compute e’th roots modulo p and

q (easy)37

38

Implementation attacks

Timing attack: [Kocher et al. 1997], [BB’04] The time it takes to compute cd (mod N) can expose d.

Power

attack

:

[Kocher et al. 1999]

The power consumption of a smartcard while it is computing cd (mod N) can expose d.Faults attack: [BDL’97]

A computer error during cd (mod N) can expose d. (common defense: check output with 10% slowdown) 39

Extra slides if time

40

RSA Key Generation Trouble [Heninger et al./

Lenstra et al.]OpenSSL RSA key generation (abstract):

Suppose poor entropy at startup:

S

ame p will be generated by multiple devices, but different q

N1 , N2

: RSA keys from different devices ⇒ gcd(N1,N2) = p

prng.seed(seed)p =

prng.generate_random_prime()prng.add_randomness(bits)q

= prng.generate_random_prime()

N = p*q

41

RSA Key Generation Trouble [Heninger et al./

Lenstra et al.] Experiment:

factors

0.4%

of public HTTPS keys!

Lesson: Make sure random number generator is properly seeded when generating keys42

43

Questions?

END

Number Theory Primer

45

BackgroundWe will use a bit of number theory to construct:

Key exchange protocolsDigital signaturesPublic-key encryptionMore info: http:

//

shoup.net

/ntb/ntb-v2.pdf

http://cseweb.ucsd.edu/~

mihir/cse107/and other places across the web.46

Modular Arithmetic

Defn: a = b mod N iff a-b = kNAddition and multiplication work as expected, e.g.,

x(

y+z

) = x*y + x*z

Examples:

47

Greatest Common Divisor

Def: for integers x,y, gcd(

x,y

)

is the

greatest common divisor of x and y.

Fact: for all integers x, y there exists integers a,b such that:a*x +b*y = gcd(x,y)and a,b can be found efficiently with the extended

Euclidian algorithmExample: gcd(12, 18) = 6 2*12 + (-1)*18 = 6Def

: If gcd(x,y) = 1, then we say x and y are relative primes.48

Modular InversionOver the

rationals the inverse of 2 is ½. What about modulo N?Def: The inverse

of an integer x is an integer y such that x*y = 1 mod N, and is denoted x

-1

Example: Let N be an odd integer. Then the inverse of 2 is (N+1)/2

Proof: 49

Which Elements Have Inverses?

Thm: an element x only has an inverse mod N iff gcd(x, N) = 1Computing

: Calculate

gcd

(x,N

) using extended Euclidian to come up with ax + bN = 1. Then a*x =1 mod N, so a is the inverse for x.

Example: For N = 12, we have the following invertible elements: 50

gcd(0, 12) = 0gcd(1, 12) = 1

gcd(2, 12) = 2 gcd(3, 12) = 3gcd(4, 12) = 4gcd(5, 12) = 1

gcd(6, 12) = 6gcd(7, 12) = 1gcd

(8, 12) = 4gcd(9, 12) = 3 gcd(10, 12) = 2gcd

(11, 12) = 1

Twinkle Twinkle Little StarDef

: Let Z* be the set of invertible elements (i.e., the set {x in N | gcd(x, N) = 1})

Example

:

Zp

* = {1, 2, 3, ..., p-1} for all primes p Z12* = {1, 5, 7, 11}51

Fermat’s Theorem (1640)

Thm: Let p be a prime ∀ x ∈ (

Z

p

)

*

: xp-1 = 1 mod p Example

: p=5. 34 = 81 = 1 in Z5Example Application

: x ∈ (Zp)* ⇒ x⋅xp-2 = 1 ⇒ x

−1 = xp-2 in Zp(this is less efficient than extended Euclidian, and for demonstration purposes only.)

52

Application: Generating Primes*Suppose we want a large prime, e.g., 1024-bits

53

Step 1: choose a random p from

[2

1024

,2

1025-1]Step 2: test if 2p-1 = 1 in Zp. If so, output p,

else goto step 1 (only a few 100 iter. needed)

Pr[p not prime] < 2-60

All n-bit numbers

primes

Tiny set that fails test

“Carmichael” number

*not used in modern crypto, but good example

Structure of Zp*

Thm (Euler): Zp*

(

p is prime) is

a cyclic group

, that is: ∃

g ∈ Zp* such that {1, g, g2, g3, …, gp-2} = Zp

* Def: g is called a generator of Zp*

Example: p=7. {1, 3, 32, 33, 34, 35} = {1, 3, 2, 6, 4, 5} = Z7

* but not every elem. is a generator, e.g., 2 for Z7 {1, 2, 22, 23, 2

4, 25} = {1, 2, 4} 54

Order

For x ∈ Zp

*

the set {1 ,

x ,

x2, x3, … } is called

the group generated by x, denoted <x>Def

: the order of x ∈ Zp* is

the size of <x> ordp(g) = |<x>|

= (smallest a>0 s.t. xa = 1 in Z

p)Examples:

ord7(3) = 6

ord 7(2) = 3 ord

7(1) = 1

Thm (Lagrange): ∀ x∈ Z

p*: ordp

(x) divides p-1

55

Euler’s generalization of Fermat (1736)

Def (Euler’s ϕ

func

.

): For an integer N define

ϕ (N) = |

ZN*| Examples: ϕ(12) = |{1,5,7,11}| = 4

ϕ(p) = p-1 For N=p⋅q: ϕ (N) = N-p-q+1 = (p-1)(q-1)

Thm (Euler): ∀ x ∈ ZN* : xϕ(N) = 1

in ZN Example: 5ϕ(12) = 54 = 625 = 1 in Z12

Generalization of Fermat. Basis of the RSA cryptosystem56

Solving Linear Equations

Solve: a⋅x + b = 0 (mod N)Solution: x = −b⋅a

-1

(mod N)

F

ind a-1 using extended Euclidian alg. Run time: O(log2 N)57

Modular e’th roots

What about higher degree polynomials?Example: let p be a prime and c ∈

Z

p

. Can we solve:

x2 – c = 0 y3 – c = 0 z37 – c = 0 in

Zp?Example: let N be composite. Can we solve:

x2 – c = 0 y3 – c = 0 z37 – c = 0 in Z

N?

Linear equations

Quadratic equations✗ Higher powers of composite N

(believed to require factoring)

58

Representing Big Numbers

Representing an n-bit integer (e.g. n=2048) on a 32-bit machine

Note: some processors have 128-bit registers (or more)

and support multiplication on them

32 bits

32 bits

32 bits

32 bits

⋯n/32 blocks

59

Arithmetic

Given: two n-bit integersAddition and subtraction: linear time O(n)Multiplication: naively O(n2).

Karatsuba

(1960): O(n

1.585) Basic idea: (2b

x2+ x1) × (2b y2+ y1) with 3 mults.Best (asymptotic) algorithm:

about O(n⋅log n). Division with remainder: O(n2). 60

ExponentiationFinite cyclic group G (for example G = Z

P) Goal: given g, x in G, compute gx

Example

: g

53. x = 53 = (110101)

2 = 32+16+4+1

Then: g53 = g32+16+4+1 = g32⋅g16⋅g4

⋅g1g ⟶ g2

⟶ g4 ⟶ g

8 ⟶ g16 ⟶ g

32 g

53

61

Repeated Squaring AlgorithmInput

: g in G and x>0 Output: gx

Square and Multiple(g, x)

write x = (

x

n

xn-1 … x2 x1 x0)2 y ⟵ g

, z ⟵ 1 for i = 0 to n do: if (x[i] == 1): z ⟵ z⋅y

y ⟵ y2 output z

dexample: g

53 y z

g2 g g4 g

g8 g5 g

16 g5 g32 g

21 g64 g

5362

Running timesGiven n-bit integer

N:Addition and subtraction in ZN:

linear

time

T+ = O

(n)Modular multiplication

in ZN: naively T× = O(n2)Modular exponentiation in ZN

( gx ): O( (log x)⋅T×) ≤ O(

(log x)⋅n2) ≤ O( n3 )63

Easy and Hard Problems

64

DLOG: more generally

Let G be a finite cyclic group and g a generator of G

G =

{ 1 , g , g2

, g3 , … , g

q-1 } ( q is called the order of G )Def: We say that DLOG is hard in G if for all efficient alg. A:

Pr g⟵G, x ⟵Zq [ A( G, q, g, gx

) = x ] < negligibleExample candidates:Zp

for large pElliptic curve groups mod p65

Easy problem

Given composite N=pq, where p and q are large primes, and x in ZN find x-1 in Z

N

66