Applied Cryptography and Computer Security CSE 664 Spring 2018

Similar documents
Chapter 3 Public Key Cryptography

Chapter 11 : Private-Key Encryption

Lecture 6: Overview of Public-Key Cryptography and RSA

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Cryptography and Network Security. Sixth Edition by William Stallings

Public Key Encryption. Modified by: Dr. Ramzi Saifan

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Introduction to Cryptography Lecture 7

Public Key Cryptography

Public Key Algorithms

Introduction to Cryptography Lecture 7

CS408 Cryptography & Internet Security

Chapter 9 Public Key Cryptography. WANG YANG

RSA. Public Key CryptoSystem

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Overview. Public Key Algorithms I

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

RSA (material drawn from Avi Kak Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto.

Public-key encipherment concept

Lecture 15: Public Key Encryption: I

Public Key Cryptography and the RSA Cryptosystem

CS669 Network Security

Side-Channel Attacks on RSA with CRT. Weakness of RSA Alexander Kozak Jared Vanderbeck

Computer Security CS 526

Part VI. Public-key cryptography

Chapter 9. Public Key Cryptography, RSA And Key Management

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Cryptography. Andreas Hülsing. 6 September 2016

Key Exchange. Secure Software Systems

Asymmetric Primitives. (public key encryptions and digital signatures)

RSA Cryptography in the Textbook and in the Field. Gregory Quenell

RSA (algorithm) History

Public Key Algorithms

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Public Key Cryptography and RSA

Channel Coding and Cryptography Part II: Introduction to Cryptography

Hash Functions, Public-Key Encryption CMSC 23200/33250, Autumn 2018, Lecture 6

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Lecture 2 Applied Cryptography (Part 2)

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

PUBLIC KEY CRYPTO. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Public Key Encryption

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

Applied Cryptography and Network Security

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

ASYMMETRIC CRYPTOGRAPHY

Public-Key Cryptanalysis

Public Key Cryptography

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Security of Cryptosystems

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security 3/23/18

Information Security CS526

CSC 474/574 Information Systems Security

A nice outline of the RSA algorithm and implementation can be found at:

Study Guide to Mideterm Exam

An overview and Cryptographic Challenges of RSA Bhawana

Some Stuff About Crypto

CSE 127: Computer Security Cryptography. Kirill Levchenko

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Secure Multiparty Computation

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Chapter 7 Public Key Cryptography and Digital Signatures

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

CS 161 Computer Security

CS 161 Computer Security

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages.

A Tour of Classical and Modern Cryptography

Public Key Algorithms

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Admin ENCRYPTION. Admin. Encryption 10/29/15. Assignment 6. 4 more assignments: Midterm next Thursday. What is it and why do we need it?

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Algorithms (III) Yu Yu. Shanghai Jiaotong University

CPSC 467b: Cryptography and Computer Security

ISA 562: Information Security, Theory and Practice. Lecture 1

Introduction to Cryptography. Vasil Slavov William Jewell College

Public-Key Encryption

Cryptography (DES+RSA) by Amit Konar Dept. of Math and CS, UMSL

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

10.1 Introduction 10.2 Asymmetric-Key Cryptography Asymmetric-Key Cryptography 10.3 RSA Cryptosystem

Number Theory and RSA Public-Key Encryption

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Tuesday, January 17, 17. Crypto - mini lecture 1

4 PKI Public Key Infrastructure

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Davenport University ITS Lunch and Learn February 2, 2012 Sneden Center Meeting Hall Presented by: Scott Radtke

Computer Security: Principles and Practice

Cryptography V: Digital Signatures

Encryption Details COMP620

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

CPSC 467: Cryptography and Computer Security

Math From Scratch Lesson 22: The RSA Encryption Algorithm

0x1A Great Papers in Computer Security

Transcription:

Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1

Public-Key Cryptography What we already know symmetric key cryptography enables confidentiality achieved through secret key encryption symmetric key cryptography enables authentication and integrity achieved through MACs In all of the above the sender and received must share a secret key need a secure channel for key distribution not possible for parties with no prior relationship public-key cryptography can aid with this 2

Public-Key Cryptography Other limitations of symmetric key cryptography authentication to multiple receivers is difficult non-repudiation cannot be achieved What s the solution? the concept of more powerful asymmetric key encryption Public-key cryptography was proposed by Diffie and Hellman it was in 1976 in their work New directions in cryptography 3

Public-Key Cryptography Diffie and Hellman introduced public-key encryption public-key key agreement protocols digital signatures It also turned out that public-key encryption was proposed earlier James Ellis proposed it in 1970 in a classified paper the paper was made public by the British government in 1997 The concept of key agreement and digital signatures is still due to Diffie and Hellman 4

Public-Key Cryptography Public-key encryption a party creates a public-private key pair the public key is pk the private or secret key is sk the public key is used for encryption Enc pk (m) and is publicly available the private key is used for decryption only Dec sk (c) knowing the public key and the encryption algorithm only, it is computationally infeasible to find the secret key 5

Public-Key Cryptography (Public-key) Key agreement or key distribution prior to the protocol the parties do not share a common secret after the protocol execution they hold a key not known to any eavesdropper Digital signatures a party generates a public-private signing key pair private key is used to sign a message public key is used to verify a signature on a message can be viewed as single-source message authentication 6

Public Key Encryption Formally A public-key encryption scheme consists of three PPT algorithms (Gen, Enc, Dec) such that: 1. key generation Gen, on input security parameter 1 n, outputs a public-private key pair (pk, sk) 2. encryption Enc, on input public key pk and messages m from the message space, outputs ciphertext c Enc pk (m) message space often depends on pk 3. decryption Dec, on input private key sk and ciphertext c, outputs a message m := Dec sk (c) or a special failure symbol. 7

Public Key Encryption Message space M can now be different from, e.g., all strings of size n if we use arithmetic modulo p, a message can be any number in {0,..., p 1} Properties correctness as before, we want Dec sk (Enc sk (m)) = m but we can permit a negligible probability of failure security what is different from our previous definitions? 8

Security Against Eavesdroppers We are given public-key encryption scheme E = (Gen, Enc, Dec) The eavesdropping indistinguishability experiment PubK eav A,E (n) 1. Gen(1 n ) is run to produce keys (pk, sk) 2. adversary A is given pk and outputs two messages m 0, m 1 from message space 3. random bit b {0, 1} is chosen, and ciphertext c Enc pk (m b ) is given to A 4. A outputs bit b ; if b = b, the experiment outputs 1 (A wins), and 0 otherwise 9

Chosen-Plaintext Security The CPA indistinguishability experiment PubK cpa A,E (n) 1. Gen(1 n ) is run to produce keys (pk, sk) 2. adversary A is given pk and oracle access to Enc pk ( ); it outputs two messages m 0, m 1 from message space 3. random bit b {0, 1} is chosen, and ciphertext c Enc pk (m b ) is given to A 4. A continues to have oracle access to Enc pk ( ) and outputs bit b 5. if b = b, the experiment outputs 1 (A wins), and 0 otherwise 10

Notions of Security A public-key encryption scheme E = (Gen, Enc, Dec) has indistinguishable encryptions under a chosen-plaintext attack (or is CPA-secure) if for all PPT adversaries A, Pr[PubK cpa A,E (n) = 1] 1 2 + negl(n) i.e., A cannot win the game with significantly better chances than random guess Similar definition can be constructed for eavesdropping adversaries What is the gap between the two notions of security? 11

Notions of Security We obtain that no deterministic public-key encryption scheme has indistinguishable encryptions in the presence of eavesdropper and under CPA attack Does anything change if we deal with multiple messages? What can we say about encrypting long messages? How about perfect secrecy in the public-key setting? 12

Encrypting Long Messages In practice, to encrypt long messages hybrid encryption is used the simplest way is to choose a random symmetric key k and send it encrypted with the recipient s public key Enc pk (k) encrypt the message m itself using k and symmetric key encryption E = (Gen, Enc, Dec ) m might need to be partitioned as m 1,..., m t send Enc k (m 1),..., Enc k (m t) Why do we use a combination of two different encryption algorithms? 13

RSA Cryptosystem The RSA algorithm invented by Ron Rivest, Adi Shamir, and Leonard Adleman in 1978 its security requires that factoring large numbers is hard but there is no proof that the algorithm is as hard to break as factoring sustained many years of attacks on it 14

Background Recall Euler s φ function for a product of two primes n = pq, φ(n) = (p 1)(q 1) Euler s theorem given m > 1 and a with gcd(a, m) = 1, a φ(m) 1 (mod m) Recall Euler s theorem s corollary given x, y, m, and a with gcd(m, a) = 1, if x y (mod φ(m)), then a x a y (mod m) Computation of a multiplicative inverse modulo m given a and m with gcd(a, m) = 1, there is a unique x (between 0 and m) such that ax 1 (mod m) 15

RSA Cryptosystem The idea for modulus n > 1 and integer e > 0, let x Z n then f(x) = x e mod n is a permutation if gcd(e, n) = 1 if d = e 1 mod φ(n), f (x) = x d mod n is the inverse of f The hardness assumption is called the RSA problem and is to compute the inverse function easy if factorization of n or φ(n) is known believed to be hard otherwise 16

Plain or Textbook RSA Key generation given security parameter 1 k, generate two large prime numbers p and q, each k/2 bits long compute n = pq select a small prime number e compute φ(n) = (p 1)(q 1) and then compute d the inverse of e modulo φ(n) i.e., ed 1 (mod φ(n)) The public key is pk = (e, n) The private key is sk = d 17

Plain RSA Encryption given a message m Z n given a public key pk = (e, n) encrypt as c = Enc pk (m) = m e mod n Decryption given a ciphertext c given a public key pk = (e, n) and the corresponding private key sk = d decrypt as m = Dec sk (c) = c d mod n 18

RSA Example generate a key pair pick p = 7, q = 11 compute n = 77 pick e = 37 compute φ(n) = 6 10 = 60 compute d e 1 13 (mod 60) public key (37, 77) private key 13 19

RSA Example (cont.) encryption given a message m = 15 encryption is c = m e mod n c = 15 37 mod 77 = 71 decryption given ciphertext c = 71 decryption is m = c d mod n m = 71 13 mod 77 = 15 20

RSA Why does it work? we would like to see how the message is recovered from the ciphertext Decrypting encrypted message Dec sk (Enc pk (m)) = recall that ed 1 mod φ(n) also recall that x y mod φ(n) m x m y (mod n) thus, we obtain m ed 21

More on RSA All of the above works when a message m Z n the algorithm doesn t go through if gcd(m, n) 1 the problem is that the space Z n is not known without private key The good news is that we can still use any m between 0 and n 1 for n = pq, the probability that gcd(m, n) 1 is negligible and if gcd(m, n) 1, there are bigger problems than algorithm s failure 22

RSA Security Security of RSA requires that the RSA problem is hard We start with factoring which must also be hard let algorithm GenMod on input 1 k output n = pq, where p and q are k/2-bit primes The factoring experiment Factor A,GenMod (k) 1. run GenMod(1 k ) and obtain (p, q, n) 2. A is given n and outputs p, q > 1 3. output 1 (A wins) if p q = n, and 0 otherwise Factoring is hard (relative to GenMod) if for all PPT algorithms A Pr[Factor A,GenMod (k) = 1] negl(k) 23

RSA Security Let GenRSA be the key generation algorithm for RSA that takes 1 k and outputs (n, e, d) The RSA experiment RSAInv A,GenRSA (k) 1. run GenRSA(1 k ) to obtain (n, e, d) 2. choose y Z n and give n, e, and y to A 3. A outputs x Z n and wins (the experiment outputs 1) iff y = x e mod n The RSA problem is hard (relative to GenRSA) if any PPT algorithm A wins the RSA experiment with at most negligible probability Pr[RSAInv A,GenRSA (k) = 1] negl(k) 24

Insecurity of Plain RSA Hardness of RSA problem implies that it can generally be hard to decrypt messages without the private key (or factorization of the modulus) The above description of RSA, however, is not secure why? What does the above construction exactly guarantee? given a message m chosen uniformly at random from Z n and the public key (n, e) adversary cannot recover the entire m 25

RSA Implementation Choosing p, q, and n today the modulus n needs to be at least 1536 bits long often a random number is chosen for p and q and is tested for primality Miller-Rabin primality test is common the algorithm has a probability of error but it is popular due to its speed how large the error is can be controlled composite numbers that pass this primality test are called strong pseudo-prime numbers 26

RSA Implementation Choosing e the smaller e is, the faster encryption is performed recall that the square-and-multiply algorithm for computing m e mod n depends on the length of the exponent the number of multiplications also directly depends on the number of 1 s in the binary representation of e common choices for e are 3, 17, 2 16 + 1 = 65537 such numbers require only a few modulo multiplications to encrypt 27

RSA Implementation Speeding up decryption we don t have control over d it ll have to be long but we can still decrypt faster using smaller moduli since p and q are known, we can exploit their shorter size we apply the Chinese Remainder Theorem recall that the CRT solves a system of congruences x i a i (modn i ) the solution is a congruence modulo n = n i 28

RSA Implementation Using the CRT for decryption we have c and the goal is to compute m = c d mod n we first compute m 1 = c d mod p and m 2 = c d mod q this gives us m 1 = m mod p and m 2 = m mod q we then combine m 1 and m 2 using the CRT to obtain m mod n the equations we are solving are m m 1 (mod p) and m m 2 (mod q) the unique solution is m m 1 (q 1 mod p)q + m 2 (p 1 mod q)p (mod n) 29

Summary Public key cryptography achieves many objectives Security of public key encryption can be modeled similar to symmetric encryption but security against chosen-plaintext attack (CPA) is now the weakest reasonable security model RSA is the most commonly used public-key encryption algorithm requires that factoring large numbers is hard the plain or textbook RSA doesn t meet our definition of security RSA implementations target at faster performance 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback