PUBLIC KEY CRYPTO. Anwitaman DATTA, SCSE, NTU Singapore
Acknowledgement: The following lecture slides are based on, and use material from, the textbook Cryptography and Network Security (various editions) by William Stallings.
PUBLIC KEY CRYPTO. Use case: key distribution, digital signatures. Public key cryptosystems: RSA, ECC.
System model: a tale of two keys. Alice creates a private/public key pair.
- Knowing just the public key, one cannot infer the private key.
- Data is encrypted with one key but can be decrypted only with the other key (and not with the encryption key!). So then, knowing a plaintext/ciphertext pair should in itself also not compromise the cipher (e.g., by disclosing the private key).
"Any sufficiently advanced technology is indistinguishable from magic." - Arthur C. Clarke
CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA
System model: a tale of two keys.
- Alice keeps the private key.
- Everyone and their cat can have the public key.
Confidential communication. Assuming a mechanism to guarantee this, e.g., a trusted PKI.
[Figure (a): Encryption with public key. Bob's public key ring (Joy, Mike, Ted, Alice) holds Alice's public key PUa (publicly known info); Alice's private key PRa is confidential info. Bob encrypts plaintext input X with the receiver's public key, Y = E[PUa, X] (encryption algorithm, e.g., RSA), and transmits ciphertext Y; Alice recovers the plaintext output X = D[PRa, Y] (decryption algorithm).]
Authentication. The described process does not provide confidentiality of plaintext. Why?
[Figure (b): Encryption with private key. Alice's public key ring (Joy, Mike, Ted, Bob) holds Bob's public key PUb (publicly known info); Bob's private key PRb is confidential info. Bob encrypts plaintext input X with the sender's private key, Y = E[PRb, X] (encryption algorithm, e.g., RSA), and transmits ciphertext Y; Alice recovers the plaintext output X = D[PUb, Y] (decryption algorithm).]
Note: Not all public-key cryptosystems support use of either key for encryption and the other for decryption.
Authentication: a more efficient variation. For confidentiality:
- Need to encrypt the whole digitally signed data as the plaintext.
- Four encrypt/decrypt operations!
A pragmatic solution. Authentication and confidentiality: both together, efficiently.
- Hash the message.
- Encrypt/sign the hash with the sender's private key.
- Append the signed hash to the message.
- Generate a (symmetric crypto) session key.
- Encrypt the message with its appended signed hash using the session key.
- Encrypt the session key with the receiver's public key.
- Append and transmit.
A pragmatic solution. Authentication and confidentiality: both together, efficiently. Same flow as the previous slide (hash the message; encrypt/sign the hash with the sender's private key; append the signed hash to the message; generate a symmetric session key; encrypt with the session key; encrypt the session key with the receiver's public key; append and transmit), with one annotation next to "encrypt the session key with the receiver's public key": how do we know? (PKI)
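The flow on the two slides above, as an added Python example that is not part of the lecture slides: it uses textbook RSA on two constructed pairs of primes near 10^6 (toy-sized so the integers stay readable), SHA-256 as the message hash, and a constructed SHA-256-counter keystream standing in for the symmetric session cipher. The function names, the 8-byte signature trailer and the 32-bit session key are assumptions of this example.

```python
# Added example, not from the slides: the "pragmatic solution" end to end.
# Textbook RSA on constructed toy primes; SHA-256 as the hash; a constructed
# SHA-256-counter keystream stands in for the symmetric session cipher.
import hashlib
import os

E = 65537  # public exponent used for both toy key pairs


def _pair(p, q):
    # n = pq, d = e^-1 mod (p-1)(q-1): one-line textbook key generation (Python 3.8+)
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)


# Constructed key pairs: primes just around 10^6, so each n is about 40 bits
SENDER_PUB, SENDER_PRIV = _pair(1000003, 999983)
RECV_PUB, RECV_PRIV = _pair(1000033, 1000037)
SIG_BYTES = 8  # any value below a 40-bit n fits in 8 bytes


def rsa_apply(key, x):
    """RSA with either key: x^exp mod n (sign/decrypt with private, verify/encrypt with public)."""
    exp, n = key
    return pow(x, exp, n)


def digest_as_int(data, n):
    """Hash the message, then reduce below the toy modulus so it can be signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def keystream_xor(session_key, data):
    """Constructed stream cipher: XOR data with SHA-256(key || block counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(session_key.to_bytes(8, "big") + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def send(message, sender_priv, recv_pub, session_key=None):
    """Sender side of the slide's flow."""
    # 1. hash the message, 2. sign the hash with the sender's private key
    sig = rsa_apply(sender_priv, digest_as_int(message, sender_priv[1]))
    # 3. append the signed hash to the message
    signed = message + sig.to_bytes(SIG_BYTES, "big")
    # 4. generate a symmetric session key (32 bits here, so it is below the receiver's n)
    if session_key is None:
        session_key = int.from_bytes(os.urandom(4), "big")
    # 5. encrypt message + signed hash with the session key
    body = keystream_xor(session_key, signed)
    # 6. encrypt the session key with the receiver's public key, 7. append and transmit
    wrapped_key = rsa_apply(recv_pub, session_key)
    return wrapped_key, body


def receive(packet, recv_priv, sender_pub):
    """Receiver side: unwrap the session key, decrypt, then verify the signed hash."""
    wrapped_key, body = packet
    session_key = rsa_apply(recv_priv, wrapped_key)
    signed = keystream_xor(session_key, body)
    message, sig_bytes = signed[:-SIG_BYTES], signed[-SIG_BYTES:]
    sig = int.from_bytes(sig_bytes, "big")
    # verification: "decrypt" the signature with the sender's public key and compare hashes
    ok = rsa_apply(sender_pub, sig) == digest_as_int(message, sender_pub[1])
    return message, ok


if __name__ == "__main__":
    pkt = send(b"pay Bob 10 dollars", SENDER_PRIV, RECV_PUB)
    print(receive(pkt, RECV_PRIV, SENDER_PUB))
```

Only two public-key operations happen per direction (one signature, one key wrap), which is the efficiency point of the slide: the bulk of the data goes through the symmetric cipher, and a flipped byte in the transmitted body shows up as a failed signature check on the receiving side.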
Public key cryptosystems: wish list. It is easy
- for a party X to generate its public and private keys PUx and PRx respectively;
- for sender S to encrypt message M, knowing PUx: C = E(PUx, M);
- for receiver X (knowing PRx) to decrypt: M = D(PRx, C) = D(PRx, E(PUx, M)).
Optionally, either key can be used in either order:
- M = D(PRx, E(PUx, M)) = D(PUx, E(PRx, M)).
It is computationally infeasible for anyone to
- determine PRx knowing PUx;
- determine M knowing C and PUx.
Trapdoor functions:
- Easy to compute in one direction.
- Difficult to compute in the other direction (finding the inverse), but easy to compute with some special information (the trapdoor).
Source: https://en.wikipedia.org/wiki/trapdoor_function
The RSA algorithm. Ron Rivest (born 1947), Adi Shamir (born 1952), Leonard M. Adleman (born 1945). (Excerpt from ACM news release on the 2002 Turing award.)
RSA overview. Assumes: factorization of the product of two large primes and the discrete logarithm are hard. RSA cryptosystem:
- plaintext and ciphertext are (represented as) integers between 0 and n-1 for some n;
- block cipher with block size b, such that 2^b < n <= 2^(b+1);
- keys: public key PU = (e, n), private key PR = (d, n);
- encryption and decryption, assuming that the encryption and decryption computations are relatively easy and that it is infeasible to determine d given e and n.
RSA overview. Claim: with semiprime n = pq, where p and q are prime numbers, and e and d with ed mod φ(n) = 1, the property M^(ed) mod n = M is satisfied. Equivalently: ed ≡ 1 (mod φ(n)), i.e., d ≡ e^(-1) (mod φ(n)). This is true iff e (and thus d) is relatively prime to φ(n).
Caveat: There is no formal proof of hardness. It's just that right now no efficient, non-quantum integer factorization algorithm is (publicly) known.
RSA cryptosystem: encryption and decryption. [Figure: sender, receiver, PKI and a random number generator, with the steps numbered as follows.]
1. Receiver: select p, q, both prime, p ≠ q (from a random number generator). Calculate n = p·q and φ(n) = (p-1)(q-1). Select integer e with gcd(φ(n), e) = 1 and 1 < e < φ(n). Calculate d ≡ e^(-1) (mod φ(n)).
2. Public key PU = {e, n}, distributed via the PKI.
3. Sender: plaintext P as a decimal string.
4. Split into blocks of numbers P1, P2, ...
5. Ciphertext C: C1 = P1^e mod n, C2 = P2^e mod n, ...
6. Private key PR = {d, n}, kept by the receiver.
7. Transmit C; the receiver recovers the decimal text: P1 = C1^d mod n, P2 = C2^d mod n, ...
Assuming: it is infeasible to determine d given e and n.
A 3rd-party web demo (worksheet): https://www.cs.drexel.edu/~jpopyack/introcs/hw/rsaworksheet.html
RSA computation example. Recipient knows:
- PR = {23, 187} // d = 23, n = 187
- 187 = 17 × 11 // p = 17, q = 11
- φ(n) = (p-1)(q-1) = 160 // check: 7 × 23 mod 160 = 1
Sender knows:
- PU = {7, 187} // e = 7, n = 187
- plaintext to encrypt: M = 88 // 88 < 187
RSA computation example: encryption. Sender knows:
- PU = {7, 187}
- plaintext to encrypt: M = 88 // 88 < 187
Encryption: ciphertext C = M^e mod n = 88^7 mod 187 = 11.
RSA computation example: decryption. Recipient knows:
- PR = {23, 187}
- 187 = 17 × 11 // p = 17, q = 11
- φ(n) = (p-1)(q-1) = 160 // check: 7 × 23 mod 160 = 1
- receives ciphertext: 11
Decryption: plaintext M = C^d mod n = 11^23 mod 187 = 88.
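The RSA computation of the preceding slides (key generation, block size, encryption of M = 88 and decryption of C = 11 with p = 17, q = 11, e = 7), as an added Python example that is not part of the lecture slides. The function names are assumptions of this example; the last function illustrates the "infeasible to determine d given e and n" assumption by showing how quickly it fails for a toy-sized n.

```python
# Added example, not from the slides: the RSA computation with the lecture's numbers
# (p=17, q=11, e=7 -> n=187, phi(n)=160, d=23; M=88 encrypts to C=11).
from math import gcd


def rsa_keygen(p, q, e):
    """Steps 1-2 of the RSA flow: n = pq, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    # d exists only if e is relatively prime to phi(n) (the slide's 'true iff' caveat)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (e, n), (d, n)  # PU = (e, n), PR = (d, n)


def block_size_bits(n):
    """Largest b with 2^b < n <= 2^(b+1): plaintext blocks are b-bit integers, all below n."""
    b = 0
    while 2 ** (b + 1) < n:
        b += 1
    return b


def rsa_encrypt(pub, m):
    """C = M^e mod n for a block 0 <= M < n."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("plaintext block must lie in [0, n-1]")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    """M = C^d mod n."""
    d, n = priv
    return pow(c, d, n)


def recover_private_key(pub):
    """Why n must be large: trial-dividing a toy n yields p, q, phi(n) and hence d at once."""
    e, n = pub
    p = next(x for x in range(2, n) if n % x == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1)), n


if __name__ == "__main__":
    pub, priv = rsa_keygen(17, 11, 7)
    c = rsa_encrypt(pub, 88)
    print(pub, priv, block_size_bits(187), c, rsa_decrypt(priv, c))
```

Because the key tuples share the shape (exponent, n), the same two functions also show the "either key in either order" property of the wish list: applying the private key first and the public key second returns the original block as well.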
RSA: concluding remarks. [Figure: the same numbered RSA flow as above (key generation n = pq, φ(n) = (p-1)(q-1), d = e^(-1) mod φ(n); public key e, n; private key d, n; blocks P1, P2, ... encrypted as Ci = Pi^e mod n and recovered as Pi = Ci^d mod n).]
Source: http://en.wikipedia.org/wiki/rsa_factoring_challenge
Key measure: encryption strength. NIST recommendations:
Bits of security | Symmetric key algorithm | Corresponding RSA key size | Corresponding ECC key size
80 | Triple DES (2 keys) | 1024 | 160
112 | Triple DES (3 keys) | 2048 | 224
128 | AES-128 | 3072 | 256
192 | AES-192 | 7680 | 384
256 | AES-256 | 15360 | 512
Source: http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt1r4.pdf
Elliptic curve cryptography (ECC): not such a new kid in town! ECC was invented (independently) in 1985 by Neal Koblitz (born 1948) and Victor S. Miller (born 1947); wide-scale adoption came circa 2005. Barrier to adoption: patent/license protections.
Web resources:
- Certicom's tutorial on ECC: https://www.certicom.com/content/certicom/en/ecc-tutorial.html
- Very nice 3rd-party web demo (and tutorial): https://cdn.rawgit.com/andreacorbellini/ecc/920b29a/interactive/modk-add.html
Elliptic curves. [Plots: point addition over the elliptic curve y^2 = x^3 - x + 2 in R; point addition over the same curve y^2 = x^3 - x + 2 in F_23, which has 30 points (including the point at infinity).] These plots were generated using the following (3rd-party) web demo: https://cdn.rawgit.com/andreacorbellini/ecc/920b29a/interactive/modk-add.html
Elliptic curves over finite fields. For applications to cryptography, we are interested in curves over finite fields: variables and coefficients restricted to elements of a finite field.
- Binary curves over GF(2^m)
- Prime curves E_p(a,b) over Z_p (this is the one we shall study in this course)
Example: (4,5) ∈ E_23(9,17).
Prime curves: E_p(a,b) over Z_p. Claim: finite abelian group if (4a^3 + 27b^2) mod p ≠ 0.
Addition (algebraic interpretation; we will use the results as is, without derivation/proof). For P, Q ∈ E_p(a,b):
i. P + O = P. Remark: the point at infinity O is the new zero.
ii. If P = (x_P, y_P) then -P = (x_P, -y_P).
iii. For P = (x_P, y_P), Q = (x_Q, y_Q), when P ≠ -Q, R = P + Q is computed as: [formulas for x_R and y_R not recovered from the slide]
Prime curves: E_p(a,b) over Z_p. Multiplication using repeated addition: 10P = P+P+P+P+P+P+P+P+P+P = (((P+P)+2P)+4P)+2P. Note the trick to reduce the number of actual operations!
Prime curves: E_p(a,b) over Z_p. Exercise: consider P, Q ∈ E_23(9,17), with P = (16,5), Q = (4,5). Determine k such that Q = kP. (Recall the addition rules above.)
Discrete log: prime-field elliptic curves. Example with P ∈ E_23(9,17), P = (16,5). Multiples nP:
n  nP
1  (16,5)
2  (20,20)
3  (14,14)
4  (19,20)
5  (13,10)
6  (7,3)
7  (8,7)
8  (12,17)
9  (4,5)
10 (3,18)
11 (5,7)
12 (18,10)
13 (1,21)
14 (10,7)
15 (15,10)
16 (17,0)
17 (15,13)
18 (10,16)
19 (1,2)
20 (18,13)
21 (5,16)
22 (3,5)
23 (4,18)
24 (12,6)
25 (8,16)
26 (7,20)
27 (13,13)
28 (19,3)
29 (14,9)
30 (20,3)
31 (16,18) = -P
32 (inf,inf) = O, i.e. 0·P
33 (16,5) = P, i.e. 1·P
Exercise: P = (16,5), Q = (4,5). Determine k such that Q = kP. Answer: 9P = Q, i.e. k = 9.
Recall: the point at infinity is the new zero.
Elliptic curve public key cryptography. Security derived from the hardness of the discrete logarithm: computing x, given G and xG.
Global information:
- E_q(a,b): elliptic curve with parameters a, b and q, where q is a prime or an integer of the form 2^m
- G: point on the elliptic curve whose order is a large value n
Public/private key pair (of user X):
- select private key n_X, with n_X < n
- calculate public key P_X = n_X G
Encryption: to send a message M (to user X), pick k (known to the sender only) and send C = {kG, M + kP_X}.
Decryption: M + kP_X - n_X(kG) = M + k n_X G - n_X k G = M.
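The prime-curve group law, scalar multiplication, the discrete-log exercise (Q = kP on E_23(9,17)) and the encryption scheme C = {kG, M + kP_X} of the preceding slides, as one added Python example that is not part of the lecture slides. The point-addition formulas are the standard chord-and-tangent ones, assumed here because the slide's own formula did not survive extraction; the function names, the private key 7, the sender's secret k = 3 and the message point (13,10) are constructed for this example.

```python
# Added example, not from the slides: arithmetic on the prime curve E_23(9,17),
# y^2 = x^3 + 9x + 17 (mod 23), the exercise's discrete log, and the slide's
# EC encryption C = {kG, M + kP_X}. Point-addition formulas are the standard
# chord-and-tangent ones (assumed here; the slide's formula did not survive extraction).
P_MOD, A, B = 23, 9, 17
INF = None  # the point at infinity, the group's zero


def is_nonsingular():
    """Group-law precondition from the slide: (4a^3 + 27b^2) mod p != 0."""
    return (4 * A ** 3 + 27 * B ** 2) % P_MOD != 0


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def neg(pt):
    """Rule ii: -(x, y) = (x, -y)."""
    if pt is INF:
        return INF
    x, y = pt
    return (x, (-y) % P_MOD)


def add(p, q):
    """Rules i-iii: P + O = P, P + (-P) = O, otherwise chord (P != Q) or tangent (P == Q) slope."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # q == -p
    if p == q:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Scalar multiplication by double-and-add: the slide's (((P+P)+2P)+4P)+2P trick, generalized."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def multiples_table(pt, count):
    """The slide's table: n -> nP for n = 1..count, by repeated addition."""
    table, cur = {}, INF
    for n in range(1, count + 1):
        cur = add(cur, pt)
        table[n] = cur
    return table


def discrete_log(base, target, limit=64):
    """Exhaustive search for k with target = k*base; only feasible because this group is tiny."""
    cur = INF
    for k in range(1, limit + 1):
        cur = add(cur, base)
        if cur == target:
            return k
    return None


def order(pt):
    k, cur = 1, pt
    while cur is not INF:
        cur, k = add(cur, pt), k + 1
    return k


G = (16, 5)   # the base point P of the slides
N = order(G)  # 32 on this curve, so G generates the whole group


def keygen(n_x):
    """Private key n_X < n, public key P_X = n_X G."""
    if not 0 < n_x < N:
        raise ValueError("private key must satisfy 0 < n_X < n")
    return n_x, mul(n_x, G)


def encrypt(msg_pt, pub, k):
    """C = {kG, M + kP_X}; M is a message already encoded as a curve point, k the sender's secret."""
    if not on_curve(msg_pt):
        raise ValueError("message must be encoded as a point on the curve")
    return mul(k, G), add(msg_pt, mul(k, pub))


def decrypt(cipher, priv):
    """M = (M + kP_X) - n_X(kG)."""
    c1, c2 = cipher
    return add(c2, neg(mul(priv, c1)))
```

With these parameters the group has only 32 elements, which is exactly why the exhaustive discrete-log search finds k = 9 instantly; the NIST table above is the reminder that a real curve needs a 256-bit order before that search becomes infeasible.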
Concluding remarks.
RSA:
- Plain RSA is not semantically secure: known ciphertext attack.
- Remedy: padding, e.g., Optimal Asymmetric Encryption Padding (OAEP).
Public key infrastructure:
- Verification of identity: levels.
- Revocation of keys.
- Single point of breach: the certification agency's own private key, e.g., the Dutch certificate authority DigiNotar.
ECC: popular these days, but
- particularly vulnerable to side-channel attacks;
- easier (than RSA) to break by a (still hypothetical) quantum computer;
- backdoor in NIST standards? Dual_EC_DRBG cryptotrojan.
Further reading:
- Diffie-Hellman key exchange
- ElGamal encryption