PUBLIC KEY CRYPTO. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA


PUBLIC KEY CRYPTO Anwitaman DATTA SCSE, NTU Singapore

Acknowledgement: The following lecture slides are based on, and use material from, the textbook Cryptography and Network Security (various eds) by William Stallings

PUBLIC KEY CRYPTO
- Use case: key distribution, digital signatures
- Public key cryptosystems: RSA, ECC

System model: A tale of two keys
Alice creates a private/public key pair
- Knowing just the public key, one cannot infer the private key
- Data is encrypted with one key but it can be decrypted only with the other key (and not with the encryption key!)
So then, knowing a plaintext/ciphertext pair in itself should also not compromise the cipher (e.g., by disclosing the private key).
"Any sufficiently advanced technology is indistinguishable from magic." - Arthur C. Clarke

System model: A tale of two keys
- Alice keeps the private key
- Everyone and their cat can have the public key

Confidential communication
[Figure: (a) Encryption with public key. Bob takes the receiver's public key PU_a (Alice's public key) from his public key ring (Joy, Mike, Alice, Ted) and feeds plaintext input X to the encryption algorithm (e.g., RSA); Alice applies the decryption algorithm with her private key PR_a to the transmitted ciphertext Y to get the plaintext output. Legend: confidential info / publicly known info. Annotation on Bob's public key ring: assuming a mechanism to guarantee this, e.g., trusted PKI.]
- Y = E[PU_a, X]
- X = D[PR_a, Y]

Authentication
[Figure: (b) Encryption with private key. Bob feeds plaintext input X to the encryption algorithm (e.g., RSA) with the sender's private key PR_b (Bob's private key); Alice takes Bob's public key PU_b from her public key ring (Joy, Mike, Bob, Ted) and applies the decryption algorithm to the transmitted ciphertext Y to get the plaintext output. Legend: confidential info / publicly known info.]
- Y = E[PR_b, X]
- X = D[PU_b, Y]
The described process does not provide confidentiality of plaintext. Why?
Note: Not all public-key cryptosystems support use of either key for encryption, and the other for decryption.

Authentication: A more efficient variation
For confidentiality:
- Need to encrypt the whole digitally signed data as the plaintext.
- Four encrypt/decrypt operations!

A pragmatic solution
Authentication and confidentiality: both together, efficiently
[Flow diagram]
- message -> message hash -> encrypt/sign with sender's private key
- append signed hash with message
- generate a (symmetric crypto) session key
- encrypt with the session key
- encrypt the session key w/ receiver's public key
- append and transmit

A pragmatic solution (same flow diagram, with annotations)
Annotations added on this slide: "How do we know?" and "PKI"

Public key cryptosystems: Wish list
It is easy
- for a party X to generate its public and private keys PUx and PRx respectively
- for sender S to encrypt message M, knowing PUx: C=E(PUx,M)
- for receiver X (knowing PRx) to decrypt message: M=D(PRx,C)=D(PRx,E(PUx,M))
Optionally: either key can be used in either order
- M=D(PRx,E(PUx,M))=D(PUx,E(PRx,M))
It is computationally infeasible for anyone to
- determine PRx knowing PUx
- determine M knowing C and PUx

Trapdoor functions
- Easy to compute in one direction
- Difficult to compute in other direction (finding the inverse) but easy to compute, with some special information (trapdoor)
Source: https://en.wikipedia.org/wiki/trapdoor_function

The RSA algorithm
- Ron Rivest, born in 1947
- Adi Shamir, born in 1952
- Leonard M. Adleman, born in 1945
- Excerpt from ACM news release on 2002 Turing award

RSA overview
Assumes: factorization of the product of two large primes & discrete logarithm are hard
RSA cryptosystem
- plaintext and ciphertext are (represented as) integers between 0 and n-1 for some n
- block cipher with block size b, such that $2^b < n \le 2^{b+1}$
keys
- public key PU=(e,n)
- private key PR=(d,n)
encryption & decryption
assuming:
- The encryption and decryption computations are relatively easy
- It is infeasible to determine d given e and n

RSA overview
assuming:
- caveat: There is no formal proof of hardness. It's just that right now no efficient, non-quantum integer factorization algorithm is (publicly) known.
claim:
- with semiprime n=pq, where p and q are prime numbers
- e and d, with $ed \bmod \varphi(n) = 1$, satisfy the property $M^{ed} \bmod n = M$
- Equivalent to say: $ed \equiv 1 \pmod{\varphi(n)}$, $d \equiv e^{-1} \pmod{\varphi(n)}$
- True iff e (and thus d) are relatively prime with φ(n)

RSA cryptosystem
Key generation (receiver; inputs e, p, q, with a random number generator):
- Select p, q: p and q both prime, $p \ne q$
- Calculate $n = p \times q$
- Calculate $\varphi(n) = (p - 1)(q - 1)$
- Select integer e: $\gcd(\varphi(n), e) = 1$; $1 < e < \varphi(n)$
- Calculate d: $d \equiv e^{-1} \pmod{\varphi(n)}$
- Public key PU = {e, n}
- Private key PR = {d, n}
Assuming: it is infeasible to determine d given e and n
Encryption and decryption:
- Sender: plaintext P as a decimal string, split into blocks of numbers $P_1, P_2, \ldots$
- Ciphertext C, computed with the public key e, n (obtained via PKI): $C_1 = P_1^e \bmod n$, $C_2 = P_2^e \bmod n$
- Transmit
- Receiver, with the private key d, n: $P_1 = C_1^d \bmod n$, $P_2 = C_2^d \bmod n$, giving the recovered decimal text
A 3rd party web demo (worksheet): https://www.cs.drexel.edu/~jpopyack/introcs/hw/rsaworksheet.html

RSA computation: Example
recipient knows:
- PR={23,187} // d=23, n=187
- 187=17×11 // p=17, q=11
- φ(n)=(p-1)(q-1)=160 // check: 7×23 mod 160=1
sender knows:
- PU={7,187} // e=7, n=187
- plaintext to encrypt: M=88 // 88 < 187

RSA computation: Example: Encryption
sender knows:
- PU={7,187}
- plaintext to encrypt: M=88 // 88 < 187
Encryption ciphertext

RSA computation: Example: Decryption
recipient knows:
- PR={23,187}
- 187=17×11 // p=17, q=11
- φ(n)=(p-1)(q-1)=160 // check: 7×23 mod 160=1
- receives cipher text: 11
Decryption plaintext
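The slides' worked example carried through in code, as an added example that is not part of the original slides: key generation by extended Euclid, square-and-multiply exponentiation, and a check showing that unpadded RSA is deterministic, which is the property behind the concluding remark that plain RSA is not semantically secure. All function names are chosen here for illustration, and p and q are assumed to be prime.

```python
def egcd(a, b):
    """Extended Euclid: (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def keygen(p, q, e):
    """Return PU=(e, n), PR=(d, n); p and q are assumed to be distinct primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if p == q or not 1 < e < phi or g != 1:
        raise ValueError("need p != q, 1 < e < phi(n), gcd(phi(n), e) = 1")
    return (e, n), (x % phi, n)          # d = e^-1 mod phi(n)

def modexp(base, exp, mod):
    """Square-and-multiply modular exponentiation."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base, exp = base * base % mod, exp >> 1
    return result

def encrypt(m, pu):
    e, n = pu
    if not 0 <= m < n:
        raise ValueError("plaintext block must lie in [0, n-1]")
    return modexp(m, e, n)

def decrypt(c, pr):
    d, n = pr
    return modexp(c, d, n)

def guess_matches(c, guess, pu):
    """Unpadded RSA is deterministic, so re-encrypting a guess under PU tests it."""
    return encrypt(guess, pu) == c

if __name__ == "__main__":
    PU, PR = keygen(17, 11, 7)           # the slides' toy parameters
    C = encrypt(88, PU)
    print(PU, PR, C, decrypt(C, PR), guess_matches(C, 88, PU))
```

Randomized padding such as OAEP removes this determinism, because the same message then encrypts to a different ciphertext each time.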

RSA: concluding remarks
[Figure: the RSA cryptosystem diagram again. Sender: plaintext P as a decimal string, blocks of numbers $P_1, P_2, \ldots$, public key e, n, ciphertext $C_1 = P_1^e \bmod n$, $C_2 = P_2^e \bmod n$, transmit. Receiver: random number generator, e, p, q, $n = pq$, $\varphi(n) = (p - 1)(q - 1)$, $d = e^{-1} \bmod \varphi(n)$, private key d, n, $P_1 = C_1^d \bmod n$, $P_2 = C_2^d \bmod n$, recovered decimal text.]
Source: http://en.wikipedia.org/wiki/rsa_factoring_challenge

Key measure: Encryption strength
NIST recommendations

Bits of Security   Symmetric Key Algorithm   Corresponding RSA Key Size   Corresponding ECC Key Size
80                 Triple DES (2 keys)       1024                         160
112                Triple DES (3 keys)       2048                         224
128                AES-128                   3072                         256
192                AES-192                   7680                         384
256                AES-256                   15360                        512

Source: http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt1r4.pdf

Elliptic curve cryptography (ECC)
Not such a new kid in town!
- ECC invented (independently): 1985
- wide-scale adoption circa 2005
- barrier to adoption: patent/license protections
Neal Koblitz, born in 1948; Victor S. Miller, born in 1947
Web resources:
- Certicom's tutorial on ECC: https://www.certicom.com/content/certicom/en/ecc-tutorial.html
- Very nice 3rd party web demo (and tutorial): https://cdn.rawgit.com/andreacorbellini/ecc/920b29a/interactive/modk-add.html

Elliptic curves
[Figure: Point addition over the elliptic curve $y^2 = x^3 - 1x + 2$ in $\mathbb{R}$.]
[Figure: Point addition over the elliptic curve $y^2 = x^3 - 1x + 2$ in $F_{23}$. The curve has 30 points (including the point at infinity).]
These plots were generated using the following (3rd party) web demo: https://cdn.rawgit.com/andreacorbellini/ecc/920b29a/interactive/modk-add.html

Elliptic curves over finite fields
For applications to cryptography,
- we are interested in curves over finite fields: variables and coefficients restricted to elements of a finite field
- Binary curves over $GF(2^m)$
- Prime curves $E_p(a,b)$ over $Z_p$ (this is the one we shall study in this course)
Example: $(4,5) \in E_{23}(9,17)$

Prime curves: $E_p(a,b)$ over $Z_p$
claim: Finite abelian group if $(4a^3 + 27b^2) \bmod p \ne 0 \bmod p$
- addition (algebraic interpretation): we will use the results as is, without derivation/proof
$P, Q \in E_p(a,b)$
i. $P + 0 = P$ (Remark: Point at Infinity is the new zero)
ii. If $P = (x_P, y_P)$ then $-P = (x_P, -y_P)$
iii. For $P = (x_P, y_P)$, $Q = (x_Q, y_Q)$, when $P \ne -Q$, $R = P + Q$ is computed as:

Prime curves: $E_p(a,b)$ over $Z_p$
- multiplication using repeated addition
10P = P+P+P+P+P+P+P+P+P+P = (((P+P)+(2P))+4P)+2P
note the trick to reduce the number of actual operations!

Prime curves: $E_p(a,b)$ over $Z_p$
exercise
- Consider $P, Q \in E_{23}(9,17)$, with P=(16,5), Q=(4,5). Determine k such that Q=kP.
recall

Discrete log: prime-field elliptic curves
Example with $P \in E_{23}(9,17)$, P=(16,5)

 n  nP          n  nP          n  nP          n  nP
 1  (16,5)      9  (4,5)      17  (15,13)    25  (8,16)
 2  (20,20)    10  (3,18)     18  (10,16)    26  (7,20)
 3  (14,14)    11  (5,7)      19  (1,2)      27  (13,13)
 4  (19,20)    12  (18,10)    20  (18,13)    28  (19,3)
 5  (13,10)    13  (1,21)     21  (5,16)     29  (14,9)
 6  (7,3)      14  (10,7)     22  (3,5)      30  (20,3)
 7  (8,7)      15  (15,10)    23  (4,18)     31  (16,18) = -P
 8  (12,17)    16  (17,0)     24  (12,6)     32  (inf,inf) = 0
                                             33  (16,5) = 1P

P=(16,5), Q=(4,5). Determine k such that Q=kP.
9P=Q, i.e. k=9
Recall: Point at Infinity is the new zero

Elliptic curve public key cryptography
Security derived from hardness of discrete logarithm: computing x, given G and xG
global information:
- $E_q(a,b)$: elliptic curve with parameters a, b and q, where q is a prime or an integer of the form $2^m$
- G: point on the elliptic curve whose order is a large value n
public/private key pair (of user X):
- select private key $n_X$: $n_X < n$
- calculate public key $P_X$: $P_X = n_X G$
Encryption: to send a message M (to user X), $C = \{kG, M + kP_X\}$ (k: known to sender only)
Decryption: $M + kP_X - n_X(kG) = M + k n_X G - n_X k G = M$
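The prime-curve arithmetic and the encryption scheme above, run on the slides' toy group $E_{23}(9,17)$ with P=(16,5) as the generator G (an added example, not part of the original slides). It uses the standard chord-and-tangent addition formulas, double-and-add for kP, an exhaustive discrete-log search that is feasible only because the group has 32 elements, and the scheme C = {kG, M + kP_X}. Function names are illustrative, the message M is assumed to be already encoded as a curve point, and `pow(x, -1, m)` needs Python 3.8 or later.

```python
# Added example on the slides' toy curve E_23(9,17): y^2 = x^3 + 9x + 17 (mod 23)
P_MOD, A, B = 23, 9, 17
O = None                      # point at infinity ("the new zero")
G = (16, 5)                   # the slides' point P, used here as generator
ORDER = 32                    # order of G, read off the slides' table (32P = O)

def on_curve(pt):
    return pt is O or (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P_MOD == 0

def neg(pt):
    return O if pt is O else (pt[0], -pt[1] % P_MOD)

def add(p, q):
    """Group law: chord rule for p != q, tangent rule for doubling."""
    if p is O:
        return q
    if q is O:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O              # p + (-p) = O, including doubling a point with y = 0
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add: about log2(k) doublings instead of k-1 additions."""
    result = O
    while k:
        if k & 1:
            result = add(result, pt)
        pt, k = add(pt, pt), k >> 1
    return result

def dlog(base, target):
    """Exhaustive search for k with target = k*base; feasible only on a toy group."""
    acc = O
    for k in range(ORDER):
        if acc == target:
            return k
        acc = add(acc, base)
    return None

def encrypt(m_pt, pub, k):
    return (mul(k, G), add(m_pt, mul(k, pub)))       # C = {kG, M + k*P_X}

def decrypt(c, priv):
    return add(c[1], neg(mul(priv, c[0])))           # M + k*P_X - n_X*(kG)
```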

Concluding remarks
RSA:
- Plain RSA not semantically secure: known ciphertext attack
- Remedy: padding, Optimal Asymmetric Encryption Padding (OAEP)
Public key infrastructure:
- Verification of identity: levels
- Revocation of keys
- Single point of breach: Certification agency's own private key, e.g. Dutch certificate authority DigiNotar
ECC: popular these days, but
- Particularly vulnerable to side-channel attacks
- Easier (than RSA) to break by a (still hypothetical) quantum computer
- Backdoor in NIST standards? Dual_EC_DRBG cryptotrojan
Further reading:
- Diffie-Hellman key exchange
- ElGamal encryption