
15-349

Introduction to Computer and Network Security

Iliano Cervesato

2 September 2008 – Public-key Encryption

2

Where we are

Course intro
Cryptography
    Intro to crypto
    Modern crypto
    Symmetric encryption
    Asymmetric encryption
    Beyond encryption
    Cryptographic protocols
    Attacking protocols
Program/OS security & trust
Networks security
Beyond technology

3

Outline

Public-key cryptography – motivations
The Merkle-Hellman encryption algorithm
    The knapsack problem
    How Merkle-Hellman works
    Cryptanalysis
Basic number theory
    Modular arithmetic
    Primality and inverses
The El Gamal encryption scheme
    The discrete logarithm problem
RSA
    The factorization problem
    RSA cryptographic challenges

4

Asymmetric Encryption – Review

D_(k^-1)(E_k(m)) = m

[Figure: cleartext m enters the encryption box E under the public key k and comes out as ciphertext X; X enters the decryption box D under the private key k^-1 and comes out as cleartext m again. Public data: k.]

5

Motivations

Can 2 keys be better than 1?
How do we make data public?
Why bother?
    Key management problem
    Added flexibility, e.g., digital signatures

6

Naïve Key Management

Principals A_1, …, A_n want to talk
Each pair needs a key: n(n-1)/2 keys
Keys must be established
    Physical exchange
    Secure channel
    …

[Figure: principals A_1, …, A_5]

7

Improved Solution

Centralized key-distribution center (KDC)
n key pairs needed
However
    KDC must be trusted
    KDC is a single point of failure
    Still n direct exchanges

[Figure: KDC connected to A_1, …, A_5 with keys k_1, …, k_5]

… if A_i wants to talk to A_j …
    A_i → KDC: “connect me to A_j”
    KDC generates new key k_ij
    KDC → A_i: E_ki(k_ij)
    KDC → A_j: E_kj(k_ij, “A_i wants to talk”)
Still naïve: KDC online all the time

8

Public-Key Solution

Pair (k_i, k_i^-1) for each A_i
k_i’s are published: phonebook
Simple setup
    A_i generates (k_i, k_i^-1)
    A_i publishes k_i
… details later
Secure web sites would be impossible without https

[Figure: A_1 holds k_1^-1, …, A_i holds k_i^-1; public data: A_1 k_1, …, A_i k_i]

9

The Knapsack problem

Given objects of size s_1, s_2, …, s_n, is it possible to completely fill a knapsack of size s?
Is there a binary vector v such that Σ_i v_i s_i = s?
    NP-complete
What if s_(i+1) > Σ_(j≤i) s_j ? Easy: O(n)
    Super-increasing knapsack
Hmm, this feels like encryption material …

    for (i = n; i > 0; i--) {
        if (s >= s_i) s = s - s_i;   /* >= rather than >: an exact fit must be taken */
    }
    return (s == 0);

10

Merkle-Hellman Encryption

Pick
    a super-increasing sequence S = (s_1, s_2, …, s_n)
    a prime p > s_n, 100-200 digits long
    a multiplier w
(S, w) is the private key
Compute h_i = w s_i mod p
    H = (h_1, h_2, …, h_n) is the public key
Encryption of binary m: x = Σ_i h_i m_i
    Attacker has to solve general knapsack in H – hard
Decryption of x
    Multiply x by w^-1 mod p
    Solve super-increasing knapsack problem in S – easy
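As an added example (not from the lecture), the super-increasing solver of slide 9 and the Merkle-Hellman steps of slide 10 in Python. The private key below is a constructed toy; the modulus 491 is taken larger than the sum of the sequence (484), which also satisfies p > s_n and is what makes the decryption step unambiguous.

```python
from typing import List, Optional

# Constructed toy private key (S, w) and prime modulus p; real parameters are far larger.
S_PRIV = [2, 3, 7, 14, 30, 57, 120, 251]   # super-increasing: each s_i exceeds the sum of the earlier ones
W, P = 41, 491                              # gcd(w, p) = 1 and p > sum(S_PRIV) = 484


def solve_super_increasing(s: List[int], target: int) -> Optional[List[int]]:
    """Greedy O(n) solver from slide 9: walk from the largest element down and
    take s_i whenever it still fits.  Returns the bit vector, or None if no fill exists."""
    v = [0] * len(s)
    for i in range(len(s) - 1, -1, -1):
        if target >= s[i]:                  # '>=' so that an exact fit is taken
            v[i] = 1
            target -= s[i]
    return v if target == 0 else None


def mh_public_key(s: List[int], w: int, p: int) -> List[int]:
    """H = (h_1, ..., h_n) with h_i = w * s_i mod p."""
    if p <= sum(s):
        raise ValueError("modulus must exceed the sum of the sequence")
    pow(w, -1, p)                           # raises ValueError if w is not invertible mod p
    return [(w * si) % p for si in s]


def mh_encrypt(h: List[int], bits: List[int]) -> int:
    """x = sum_i h_i m_i for one block of len(h) message bits."""
    if len(bits) != len(h) or any(b not in (0, 1) for b in bits):
        raise ValueError("message block must be exactly len(h) bits")
    return sum(hi * mi for hi, mi in zip(h, bits))


def mh_decrypt(s: List[int], w: int, p: int, x: int) -> Optional[List[int]]:
    """Multiply by w^-1 mod p: this turns the general-looking instance in H back into
    the easy instance in S (sum_i s_i m_i < p, so the reduction mod p does not wrap)."""
    w_inv = pow(w, -1, p)
    return solve_super_increasing(s, (x * w_inv) % p)


def roundtrip(bits: List[int]) -> bool:
    """Encrypt one block under the public key and check that the private key recovers it."""
    h = mh_public_key(S_PRIV, W, P)
    return mh_decrypt(S_PRIV, W, P, mh_encrypt(h, bits)) == bits
```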

11

Cryptanalysis of Merkle-Hellman

Scheme based on a special instance of the knapsack problem
    modular knapsack generated from a super-increasing sequence
    Not as hard as general knapsack
If p is known
    If s_1 can be found, all s_i can be found
Can deduce w and p from H
    Try successive values of w and observe where w h_i rolls over
    Right w is where they all roll over at the same time

12

Number Theory – Divisors

ZZ = {…, -1, 0, 1, …}
    + is commutative, associative and invertible w.r.t. 0
    * is commutative, associative, with identity 1
    ZZ is a ring
a|b if ∃c. ac = b
    E.g., 3|6
    E.g., 3∤10
gcd(a, b) = largest d ∈ ZZ s.t. d|a and d|b
    E.g., gcd(18, 15) = 3
Euclid’s algorithm
    Given a > b: r_0 = b, r_1 = a
    r_(i-2) = q_i r_(i-1) + r_i
    When r_(n+1) = 0, set gcd(a, b) = r_n
    ∃u, v. gcd(a, b) = ua + vb
Modular arithmetic
    a = b mod n if ∃c. a + cn = b (i.e., n | b − a)
    ZZ_n = {0, …, n-1}
    All operations modulo n
    Also a ring

13

Number Theory – Prime numbers

p > 1 is prime if 1 and p are its only divisors
    E.g., 3, 5, 7, …
p and q are relatively prime if gcd(p, q) = 1
    E.g., 4 and 5 are relatively prime
There are infinitely many primes

14

Arithmetic Modulo a Prime

p prime number
    For us, at least 1024 bits (~ 300 digits)
ZZ_p = {0, 1, …, p-1}
    Addition and multiplication are modulo p
    Exponentiation is iterated multiplication
    x is the inverse of y ≠ 0 if xy = 1 mod p
All non-null elements of ZZ_p are invertible
    x^-1 = x^(p-2) mod p
We can solve linear equations in ZZ*_p
    If ax = b mod p, then x = b a^(p-2) mod p
ZZ*_p = {1, …, p-1}
    Contains all invertible elements of ZZ_p
    ZZ_p = ZZ*_p ∪ {0}
Fermat’s little theorem
    If a ≠ 0, then a^(p-1) = 1 mod p
ZZ_p is a Galois field

15

Computing in ZZp

Let n be the length of p
    Usually around 1024 bits
Addition in ZZ_p done in O(n)
Multiplication is O(n^2)
    Clever (and practical) algorithms achieve O(n^1.7)
    Same for inverse
x^r mod p computed in O((log r) n^2)
    Repeated squares
    E.g.: g^23 = g^(10111 in binary) = g · g^2 · g^4 · g^16 (7 multiplications)
    Addition chains
        Save 20% on average (but finding the shortest chain is NP-complete)
        g, g^2, g^3, g^5, g^10, g^20, g^23 (6 multiplications)
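As an added example (not from the lecture), the extended Euclidean algorithm of slide 12, the inverse via x^(p-2) of slide 14 and via ux + vn = 1 (slide 12, used as slide 20 describes), linear solving, and left-to-right repeated squaring that counts its modular multiplications so the "7 multiplications" for g^23 can be checked. All numbers in the test are constructed.

```python
def egcd(a: int, b: int):
    """Extended Euclid (slide 12): returns (g, u, v) with g = gcd(a, b) = u*a + v*b."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def inverse_euclid(x: int, n: int) -> int:
    """x^-1 mod n from u*x + v*n = 1; works for any n with gcd(x, n) = 1 (slide 20)."""
    g, u, _ = egcd(x % n, n)
    if g != 1:
        raise ValueError(f"{x} has no inverse modulo {n}")
    return u % n


def inverse_fermat(x: int, p: int) -> int:
    """x^-1 = x^(p-2) mod p (slide 14); valid only for prime p and x != 0 mod p."""
    if x % p == 0:
        raise ValueError("0 has no inverse")
    return pow(x, p - 2, p)


def solve_linear(a: int, b: int, p: int) -> int:
    """Solve a*x = b (mod p) for prime p: x = b * a^(p-2) mod p (slide 14)."""
    return (b * inverse_fermat(a, p)) % p


def modexp(g: int, r: int, p: int):
    """g^r mod p by repeated squaring, left to right over the bits of r (slide 15).
    Returns (result, number of modular multiplications performed)."""
    if r == 0:
        return 1 % p, 0
    result, mults = g % p, 0
    for bit in bin(r)[3:]:              # bits of r after the leading 1
        result = result * result % p    # one squaring per remaining bit ...
        mults += 1
        if bit == "1":                  # ... plus one multiplication by g per 1 bit
            result = result * g % p
            mults += 1
    return result, mults
```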

16

Complexity in ZZp

Easy problems
    Generating p
    Addition, multiplication, exponentiation
    Inversion, solving linear equations
Problems believed to be hard
    DL: Discrete logarithm
        Given g and x ∈ ZZ_p, find r s.t. x = g^r mod p
    DH: Diffie-Hellman
        Given g, g^r, g^s ∈ ZZ_p, find g^(rs) mod p
Note
    DL implies DH
    Unknown if DH implies DL
    Best known attack on DL requires space and O(2^n) time

17

Diffie-Hellman Key Exchange

Public data: p, g

A:
• Choose random a, 1 ≤ a ≤ p-1
• Send g^a mod p                        A → B: g^a mod p
• Receive g^b mod p                     B → A: g^b mod p
• (g^b)^a = g^(ab) mod p
• k = f(g^(ab))

B:
• Receive g^a mod p
• Choose random b, 1 ≤ b ≤ p-1
• Send g^b mod p
• (g^a)^b = g^(ab) mod p
• k = f(g^(ab))

18

Diffie-Hellman Key Exchange [2]

Allows 2 principals to produce a shared secret
    Without secure channel or physical exchange
    Without a key distribution center
f is typically a hash function
    Agreed upon in advance
However, no authentication
    Can be fixed with some infrastructure
Security relies on hardness of DH
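As an added example (not from the lecture), both sides of the slide-17 exchange in Python. f is fixed here as SHA-256 (the slide only says f is a hash function agreed in advance); the rejection of the degenerate received values 0, 1 and p-1 is a standard check the slide does not mention; the (p, g) used in the test are a constructed toy, not a standardized group.

```python
import hashlib
import secrets
from typing import Tuple


def dh_keypair(p: int, g: int) -> Tuple[int, int]:
    """Choose random a with 1 <= a <= p-1 and return (a, g^a mod p); g^a is what gets sent."""
    a = 1 + secrets.randbelow(p - 1)
    return a, pow(g, a, p)


def dh_shared_secret(p: int, my_secret: int, their_public: int) -> int:
    """(g^b)^a = g^ab mod p.  Values 0, 1 and p-1 are rejected: every power of them
    stays in {0, 1, p-1}, so they would fix the 'secret' regardless of my_secret."""
    if not 1 < their_public < p - 1:
        raise ValueError("degenerate public value received")
    return pow(their_public, my_secret, p)


def derive_key(shared: int, p: int) -> bytes:
    """k = f(g^ab) with f a hash function (slide 18); f is SHA-256 in this example."""
    width = (p.bit_length() + 7) // 8          # fixed-width encoding of the group element
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def run_exchange(p: int, g: int) -> Tuple[bytes, bytes]:
    """Run A's and B's steps from slide 17 and return (k_A, k_B); the two are equal."""
    a, ga = dh_keypair(p, g)                   # A: choose a, send g^a mod p
    b, gb = dh_keypair(p, g)                   # B: choose b, send g^b mod p
    k_a = derive_key(dh_shared_secret(p, a, gb), p)   # A receives g^b, computes (g^b)^a
    k_b = derive_key(dh_shared_secret(p, b, ga), p)   # B receives g^a, computes (g^a)^b
    return k_a, k_b
```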

19

El Gamal Encryption Scheme

Security rests on hardness of DL
Criticisms
    Transmitted message is twice the size of m
    Public data has to be managed
    Very slow (~10 Kb/sec vs. 250 Kb/s for DES)

Public data: A_1: p_1, g_1, g_1^(A_1) … A_i: p_i, g_i, g_i^(A_i)

A wants to send secret m ∈ ZZ_pB to B

A:
• Choose random a
• Send g_B^a, g_B^(Ba) m mod p_B          A → B: g_B^a, g_B^(Ba) m mod p_B

B:
• Receive g_B^a, g_B^(Ba) m mod p_B
• (g_B^a)^B = g_B^(Ba) mod p_B
• Compute g_B^(-Ba) mod p_B
• g_B^(-Ba) g_B^(Ba) m mod p_B = m
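As an added example (not from the lecture), the slide-19 protocol in Python in the slide's own notation: B's secret exponent is called B and its published value is g_B^B. The optional `a` argument exists only so a run can be made deterministic; p_B and g_B in the test are constructed toys.

```python
import secrets
from typing import Optional, Tuple


def elgamal_keygen(p: int, g: int) -> Tuple[int, int]:
    """B picks a secret exponent (B on the slide) and publishes g_B^B mod p_B
    alongside p_B and g_B.  Returns (B, g_B^B)."""
    b = 1 + secrets.randbelow(p - 2)                 # 1 <= B <= p-2
    return b, pow(g, b, p)


def elgamal_encrypt(p: int, g: int, gB: int, m: int, a: Optional[int] = None) -> Tuple[int, int]:
    """A picks random a and sends the pair (g_B^a, g_B^(Ba) * m) mod p_B.
    The ciphertext is two elements of Z_p, twice the size of m (slide 19)."""
    if not 0 <= m < p:
        raise ValueError("m must be an element of Z_pB")
    if a is None:
        a = 1 + secrets.randbelow(p - 2)
    return pow(g, a, p), (pow(gB, a, p) * m) % p


def elgamal_decrypt(p: int, b: int, c: Tuple[int, int]) -> int:
    """B computes (g_B^a)^B = g_B^(Ba), its inverse g_B^(-Ba), and strips the mask."""
    ga, masked = c
    shared = pow(ga, b, p)                           # g_B^(Ba) mod p_B
    return (pow(shared, -1, p) * masked) % p         # g_B^(-Ba) * g_B^(Ba) * m = m


def roundtrip(p: int, g: int, m: int) -> bool:
    """Key generation by B, encryption by A, decryption by B; True if m comes back."""
    b, gB = elgamal_keygen(p, g)
    return elgamal_decrypt(p, b, elgamal_encrypt(p, g, gB, m)) == m
```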

20

Arithmetic Modulo a Composite

n natural number
    For us, typically 1024 bits or ~ 300 digits
    Typically n = pq, with p and q primes
ZZ_n = {0, 1, …, n-1}
    x is the inverse of y ≠ 0 if xy = 1 mod n
    x has an inverse iff gcd(x, n) = 1
        ux + vn = 1 by Euclid’s algorithm, so x^-1 = u
        Works also in ZZ_p, where it is more efficient than x^-1 = x^(p-2)
    We can solve linear equations in ZZ_n
ZZ*_n = {x : gcd(x, n) = 1}
    Contains all invertible elements of ZZ_n

21

Euler’s Totient Function

φ(n) is the number of positive integers ≤ n relatively prime to n
    φ(n) is the size of ZZ*_n
If n = Π_i p_i^(e_i), then φ(n) = Π_i p_i^(e_i - 1) (p_i - 1)
If n = pq, then φ(n) = (p-1)(q-1) = n – p – q + 1
a ∈ ZZ*_n is invertible with inverse a^(φ(n) - 1)
Euler’s theorem
    If a ∈ ZZ*_n, then a^φ(n) = 1 mod n

23

Computing in ZZn

Easy problems
    Generating p
    Addition, multiplication, exponentiation
    Inversion, solving linear equations
Hard problems
    Factoring
        Given n, find p, q s.t. n = pq

24

The set-up of RSA

n = pq
    n is the product of 2 (large) primes
By Euler’s theorem, φ(n) = (p – 1)(q – 1)
Select e and d such that (m^e)^d = m
    How?
    Pick e relatively prime to φ(n)
        E.g., a prime greater than φ(n)
    By Fermat’s theorem, compute d = e^(φ(n) - 1)
    ed = 1 mod φ(n)
    ed = kφ(n) + 1 = k(p-1)(q-1) + 1 = k’(p-1) + 1
Now:
    m^(p-1) = 1 mod p
    m^(k’(p-1)) = 1 mod p
    m^(k’(p-1) + 1) = m mod p
    m^(ed) = m mod p

25

RSA [Rivest, Shamir, Adleman ’76]

Security of RSA rests on
    Hard to factorize n = pq
    Hard to compute φ(n) from n
Factoring implies RSA
    Unknown if RSA implies factoring

Public data: A_1: n_1, e_1 … A_i: n_i, e_i
    n_i = p_i q_i
    e_i d_i = 1 mod φ(n_i)
Private data: A holds p_A, q_A, d_A; B holds p_B, q_B, d_B

A wants to send secret m ∈ ZZ_nB to B

A:
• Send m^(e_B) mod n_B                    A → B: m^(e_B) mod n_B

B:
• Receive m^(e_B) mod n_B
• (m^(e_B))^(d_B) mod n_B
  = m^(e_B d_B) mod n_B
  = m^(kφ(n_B) + 1) mod n_B
  = (m^φ(n_B))^k m mod n_B
  = (1)^k m mod n_B
  = m mod n_B

26

Attacks on RSA

Small d for fast decryption
    But easy to crack if d < n^(1/4)/3 [Wiener]
    d should be at least 10^80
Small e for fast encryption
    If m sent to more than e recipients, then m easily extracted
    Popular e = 2^16 + 1
    Same message should not be sent more than 2^16 + 1 times
        Modify message (still dangerous)
Timing attacks
    Time to compute m^d mod n for many m can reveal d
Homomorphic properties of RSA
    If c_i = m_i^e mod n (i = 1, 2), then c_1 c_2 = (m_1 m_2)^e mod n
    Easy chosen plaintext attack
    Eliminated in standards based on RSA
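As an added example (not from the lecture), textbook RSA in Python following slides 21, 24 and 25, together with a check of the homomorphic property of slide 26, which is the reason the RSA standards pad a message before exponentiating it. `totient` takes the factorisation as a dict because the slide states the formula over the prime factors; the primes in the test are a constructed toy pair.

```python
from math import gcd
from typing import Dict, Tuple


def totient(factors: Dict[int, int]) -> int:
    """phi(n) for n = prod p_i^e_i: phi(n) = prod p_i^(e_i - 1) (p_i - 1)  (slide 21)."""
    phi = 1
    for p, e in factors.items():
        phi *= p ** (e - 1) * (p - 1)
    return phi


def rsa_keygen(p: int, q: int, e: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """n = pq, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n), so e*d = 1 mod phi(n) (slide 24).
    Returns ((n, e), (n, d)); the caller supplies two distinct primes."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, totient({p: 1, q: 1})
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)                 # inverse by extended Euclid, as on slide 20
    return (n, e), (n, d)


def rsa_encrypt(pub: Tuple[int, int], m: int) -> int:
    """c = m^e mod n for 0 <= m < n; textbook RSA, no padding."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("m must be an element of Z_n")
    return pow(m, e, n)


def rsa_decrypt(priv: Tuple[int, int], c: int) -> int:
    """m = c^d = m^(ed) = m^(k phi(n) + 1) = m mod n  (slide 25)."""
    n, d = priv
    return pow(c, d, n)


def is_malleable(pub: Tuple[int, int], m1: int, m2: int) -> bool:
    """Slide 26's homomorphic property: E(m1) * E(m2) = E(m1 * m2) mod n.
    True for textbook RSA; the padding in RSA-based standards removes it."""
    n, _ = pub
    product_of_ciphertexts = (rsa_encrypt(pub, m1) * rsa_encrypt(pub, m2)) % n
    return product_of_ciphertexts == rsa_encrypt(pub, (m1 * m2) % n)
```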

27

RSA Cryptographic Challenges

Factoring given primes set as challenge by RSA Labs
    http://www.rsa.com/rsalabs/
    RSA-ddd: challenge in digits
    RSA-bbb: challenge in bits
RSA-140: 1999, in 1 month
RSA-155: 1999, in 4 months
RSA-160: 2003, in 20 days
RSA-200: 2005, in 18 months
Challenges no longer active

28

Key length

Public-key crypto has very long keys
    1024, 2048, 4096 are common
Is it more secure than symmetric crypto?
    56, 128, 192, 256
Key lengths don’t compare!
    1024 → 80 bit
    2048 → 112 bit
    3072 → 128 bit
    7680 → 192 bit
    15,360 → 256 bit