Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
1
Lecture8
PublicKeyCryptography(Diffie-HellmanandRSA)
• Asymmetric cryptography • Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir-
Adleman) • Two keys: private (SK), public (PK)
– Encryption: with public key; – Decryption: with private key – Digital Signatures: Signing by private key; Verification by public key. i.e.,
“encrypt” message digest/hash -- h(m) -- with private key • Authorship (authentication) • Integrity: Similar to MAC • Non-repudiation: can’t do with secret key cryptography
• Much slower than conventional cryptography • Often used together with conventional cryptography, e.g., to encrypt session keys
2
PublicKeyCryptography
PublicKeyCryptography
3
plaintext message, m
ciphertext encryption algorithm
decryption algorithm
Bob’s public key
plaintext message PK (m)
B
PK B Bob’s private key
SK B
m = SK (PK (m)) B B
4
KeyPre-distribution:Diffie-Hellman“NewDirectionsinCryptography”1976
*p
System wide parameters :p large prime,
a generator in Z
−
−
−
Alice's secret: v, public: mod
Bob's secret: w, public: mod
va
wb
y a p y a p
=
=
Alice has: mod
Bob has: mod
( ) mod
( ) mod
wb
vav
ab b
wba a
y a py a p
K y p
K y p
=
=
=
=
=
5
PublicKeyPre-distribution:Diffie-Hellman
SecurecommunicationwithKab
AlicecomputesKab
BobcomputesKab=Kba
Eveknows:p,a,yaandyb
6
PublicKeyPre-distribution:Diffie-Hellman
*
Diffie Hellman Problem:
:
mod mod
: mod
Discrete Log Problem::
mod:
p
v wa b
vw
va
p large prime, a generator in Z
Given
y a p and y a p
FIND a p
Given
y a p FIND v
−
− −
= =
=
7
PublicKeyPre-distribution:Diffie-HellmanDecision DH Problem:
mod , mod:
mod
v wa b
vwab
p large prime, a generatorGiven :
y a p y a pDistinguish
K a pfrom a random number!
− −
= =
=
• DHAssumption:DHproblemisHARD(notP)• DLAssumption:DLproblemisHARD(notP)• DDHAssumption:solvingDDHproblemisHARD(notP)
8
Interactive(Public)KeyExchange:Diffie-Hellman
Eveispassive…
pay va mod=
SecurecommunicationwithKab
Chooserandomv
pay wb mod= Choose
randomw,Compute
pyK waba mod)(=
Compute( ) modv
ab bK y p=
9
TheMan-in-the-Middle(MitM)Attack(assumeEveisanactiveadversary!)
pay va mod=
SecurecommunicationwithKab
Chooserandomv
pay wb mod=
Chooserandomw,Compute
pyK waba mod)(=
Compute( ) modv
ab bK y p=
10
RSA(1976-8)Let n = pq where p,q − large primese,d ∈R Zn and ed ≡ 1 mod Φ(n)
where : Φ(n)= (p−1)(q−1)= pq− p− q−1
Secrets : p,q,d
Publics : n,e
Encryption : message =m < n
E(x) = y =me mod nDecryption : ciphertext = y
D( y) = x ' = yd mod n
11
Whydoesitallwork?
x ∈ Zn*
xed = x1modΦ(n) mod n =
xc*Φ(n)+1 mod n = x
But, recall that: gΦ(n) =1 mod n (Lagrange)
12
Howdoesitallwork?
Example:p=17q=13n=221(p-1)(q-1)=192=34*2
picke=5,d=77Canwepick16?9?27?185?
x=5,E(x)=3125mod221=31
D(y)=3177=
6.83676142775442000196395599558e+114mod221=5
Example:p=5q=7n=35(p-1)(q-1)=24=3*23
picke=11,d=11
x=2, E(x)=2048mod35=18=y
y=18, D(y)=6.426841007923e+13mod35=2
13
WhyisitSecure?
Why:nhasuniquefactorsp,q
Givenpandq,computing(p-1)(q-1)iseasy:
UseextendedEuclidian!
Conjecture:breakingRSAispolynomiallyequivalenttofactoringnRecallthatnisvery,verylarge!
)(1 n mod ed Φ≡
14
ExponentiationCosts
• Integermultiplication--O(b2)wherebisbit-sizeofthebase
• Modularreduction--O(b2)
• Thus,modularmultiplication--O(b2)
• Modularexponentiation(asinRSA)--memodn
• Naïvemethod:e-1modularproducts--O(b2*e)
• BUTwhatifeislarge,(almost)aslargeasn?
• LetL=|e|(e.g.,l=1024for1024-bitRSAexponent)• Wecanassumebandlareveryclose,almostthesame
• Square-and-multiplymethodworksinO(b3)time…O(b2*2l)
15
Square-and-Multiply
}}
n;temp% mtemp {
e[i] if n% temp
temptemp* { i0 i 1li for
1tempnsizeofl
=
=
=
=
−−>=−=
=
=
−−−−−−−−−−−−
;*)(
;;
);;(;
);(
n mod m compute :goal e
• Example1:e=100• Example2:e=10000000• Example3:e=11111111
Fromlefttorightine
16
SpeedingupRSADecryption
: C - RSA ciphertextmod( 1)
mod( 1)
compute:
mod
mod
and solve:mod
mod
p
q
p
q
dp
dq
p
q
Letd d pd d q
M C p
M C q
M M pM M q
= −
= −
=
=
=
=
)mod()]mod(
)mod([1
1
pqqppM
pqqMM
q
p
−
−
+
=
17
MoreonRSA• Modulusnisuniqueperuserà
– 2ormorepartiescannotsharethesamen• WhathappensifAliceandBobsharethesamemodulus?
– Alicehas(e’,d’,n)andBob–(e”,d”,n)– Alicewantstocomputed”(Bob’sprivatekey)– Sheknowsthat:e’*d’=1modphi(n)– So:e’*d’=k*phi(n)+1and:e’*d’-1=k*phi(n)– Alicejustneedstocomputeinverseofe”modX
• whereX=e’*d’–1=k*phi(n)• let’scallthisinversed’”• andrememberthat:d”’*e”=k’*k*phi(n)+1• canwebesurethat:d”’=d”?
– Isitpossiblethate”hasnoinversemodX?• Yes,ife”=phi(n)orgcd(e”,k)>1butthisisvery,veryUNLIKELY!
– Foralldecryptionpurposes,d”’isEQUIVALENTtod”– SupposeEveencryptedforBob:C=(m)e”modn– Alicecomputes:
Cd”’modn=me”d”’modn=(m)k’*k*phi(n)+1modn=m