Public-Key Cryptography
Professor Yanmin Gong
Week 3: Sep. 7

Outline
Key exchange and the Diffie-Hellman protocol
Mathematical background for modular arithmetic
RSA
Digital signatures
Key management
Problem: n users. Storing mutual secret keys is difficult.
Total: O(n) keys per user

A better solution
Online Trusted 3rd Party (TTP)
Generating keys: a toy protocol
Alice wants a shared key with Bob. Eavesdropping security only.
Alice holds k_A and Bob holds k_B, each shared with the TTP; (E,D) is a CPA-secure cipher.
Alice → TTP: "Alice wants key with Bob"
TTP: choose random k_AB
TTP → Alice: E(k_A, "A, B" || k_AB), ticket = E(k_B, "A, B" || k_AB)
Alice → Bob: ticket
Eavesdropper sees: E(k_A, "A, B" || k_AB); E(k_B, "A, B" || k_AB)
(E,D) is CPA-secure ⇒ eavesdropper learns nothing about k_AB
Note: TTP needed for every key exchange, knows all session keys. (basis of Kerberos system)

Toy protocol: insecure against active attacks
Example: insecure against replay attacks
  Attacker records a session between Alice and merchant Bob (for example, a book order)
  Attacker replays the session to Bob
  Bob thinks Alice is ordering another copy of the book
Key question
Can we generate shared keys without an online trusted 3rd party?
Answer: yes!
Starting point of public-key cryptography: Merkle (1974), Diffie-Hellman (1976), RSA (1977)
More recently: ID-based enc. (BF 2001), Functional enc. (BSW 2011)

Key exchange without an online TTP?
Goal: Alice and Bob want a shared key, unknown to the eavesdropper
For now: security against eavesdropping only (no tampering)
Alice ⟷ Bob, with an eavesdropper listening
Can this be done using generic symmetric crypto?
Merkle Puzzles (1974)
Answer: yes, but very inefficient
Main tool: puzzles, i.e. problems that can be solved with some effort
Example: E(k,m) a symmetric cipher with k ∈ {0,1}^128
  puzzle(P) = E(P, "message") where P = 0^96 || b_1 ... b_32
  Goal: find P by trying all 2^32 possibilities

Merkle puzzles
Alice: prepare 2^32 puzzles
  For i = 1, ..., 2^32: choose random P_i ∈ {0,1}^32 and x_i, k_i ∈ {0,1}^128
  set puzzle_i ← E(0^96 || P_i, "Puzzle #" x_i || k_i)
  Send puzzle_1, ..., puzzle_{2^32} to Bob
Bob: choose a random puzzle_j and solve it. Obtain (x_j, k_j). Send x_j to Alice
Alice: look up the puzzle with number x_j. Use k_j as the shared secret

In a figure
Alice → Bob: puzzle_1, ..., puzzle_n
Bob → Alice: x_j
Both now hold k_j
Alice's work: O(n) (prepare n puzzles)
Bob's work: O(n) (solve one puzzle)
Eavesdropper's work: O(n^2) (e.g. 2^64 time)
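A scaled-down implementation of the puzzle protocol on the three slides above, added here as an example (it is not code from the lecture). The symmetric cipher is a constructed toy (XOR with SHA-256 of the key), the puzzle keys are 12 bits instead of 32, and the x_i are 8 bytes so a puzzle fits the toy cipher's 32-byte limit; the names puzzle_key, alice_prepare, solve and merkle_exchange are this example's own.

```python
import hashlib
import os
import secrets

# Toy parameters, constructed for this example. The slide uses 2^32 puzzles with
# 32-bit puzzle keys; here puzzle keys are 12 bits and n = 2^12 so it runs in seconds.
PUZZLE_BITS = 12
N_PUZZLES = 1 << PUZZLE_BITS
X_BYTES, K_BYTES = 8, 16          # puzzle number x_i and shared key k_i
PREFIX = b"Puzzle#"               # recognisable header: a solver knows when it has the key


def E(key: bytes, msg: bytes) -> bytes:
    """Toy cipher: XOR with SHA-256(key); messages of at most 32 bytes (not for real use)."""
    assert len(msg) <= 32
    return bytes(a ^ b for a, b in zip(msg, hashlib.sha256(key).digest()))


D = E  # XOR stream: decryption is the same operation as encryption


def puzzle_key(p: int) -> bytes:
    """The slide's 0^96 || P_i: a 128-bit key whose only unknown part is PUZZLE_BITS bits."""
    return p.to_bytes(16, "big")


def alice_prepare(n: int = N_PUZZLES):
    """Alice: n puzzles, each hiding (x_i, k_i) under a weak key. O(n) work."""
    table, puzzles = {}, []
    for _ in range(n):
        p = secrets.randbelow(1 << PUZZLE_BITS)
        x, k = os.urandom(X_BYTES), os.urandom(K_BYTES)
        table[x] = k                      # Alice keeps x_i -> k_i for the lookup step
        puzzles.append(E(puzzle_key(p), PREFIX + x + k))
    return puzzles, table


def solve(puzzle: bytes):
    """Brute-force the PUZZLE_BITS-bit key: O(2^PUZZLE_BITS) work for one puzzle."""
    for p in range(1 << PUZZLE_BITS):
        pt = D(puzzle_key(p), puzzle)
        if pt.startswith(PREFIX):         # wrong keys give random bytes, not the header
            return pt[len(PREFIX):len(PREFIX) + X_BYTES], pt[len(PREFIX) + X_BYTES:]
    raise ValueError("no puzzle key found")


def merkle_exchange(n: int = N_PUZZLES):
    """Full protocol: Alice sends all puzzles, Bob solves one and sends back x_j."""
    puzzles, table = alice_prepare(n)
    j = secrets.randbelow(len(puzzles))
    x_j, k_bob = solve(puzzles[j])        # Bob's O(n) work (n = 2^PUZZLE_BITS)
    k_alice = table[x_j]                  # Alice: table lookup, no solving needed
    return k_alice, k_bob


if __name__ == "__main__":
    ka, kb = merkle_exchange()
    print("shared key agreed:", ka == kb)
```

An eavesdropper who sees every puzzle and x_j must solve puzzles until she hits puzzle j, i.e. up to n puzzles at 2^PUZZLE_BITS trial keys each; with PUZZLE_BITS = log2(n) that is the O(n^2) on the slide, a quadratic gap that is the best generic symmetric crypto can offer.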
The Diffie-Hellman protocol (1977)
Fix a finite cyclic group G (e.g. G = (Z_p)*) of order n
Fix a generator g in G (i.e. G = {1, g, g^2, g^3, ..., g^(n-1)})
Alice: choose random a in {1, ..., n}; send A = g^a
Bob: choose random b in {1, ..., n}; send B = g^b
k_AB = g^ab = (g^b)^a = B^a = (g^a)^b = A^b

Security (much more on this later)
Eavesdropper sees: p, g, A = g^a (mod p), and B = g^b (mod p)
Can she compute g^ab (mod p)??
More generally: define DH_g(g^a, g^b) = g^ab (mod p)
How hard is the DH function mod p?
How hard is the DH function mod p?
Suppose prime p is n bits long. Best known algorithm (GNFS): run time exp( )
  cipher key size    modulus size    elliptic curve size
  80 bits            1024 bits       160 bits
  128 bits           3072 bits       256 bits
  256 bits (AES)     15360 bits      512 bits
As a result: slow transition away from (mod p) to elliptic curves

Insecure against man-in-the-middle
As described, the protocol is insecure against active attacks
Alice ⟷ MiTM ⟷ Bob
Using D-H in phone book mode
ElGamal: converting to pub-key enc. (1984)
Fix a finite cyclic group G (e.g. G = (Z_p)*) of order n
Fix a generator g in G (i.e. G = {1, g, g^2, g^3, ..., g^(n-1)})
Alice: choose random a in {1, ..., n}; A = g^a. Treat A as a public key
Bob: choose random b in {1, ..., n}; compute g^ab = A^b, derive symmetric key k, encrypt message m with k
  ct = [ B = g^b, E(k, m) ]
To decrypt: compute g^ab = B^a, derive k, and decrypt
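The Diffie-Hellman exchange and its ElGamal conversion, as one added example that is not code from the lecture. The group (P, Q, G) is constructed for the example: p = 467 = 2q + 1 is a safe prime and g = 4 generates the subgroup of prime order q = 233. The key derivation (SHA-256 of g^ab) and the 32-byte XOR cipher standing in for "encrypt m with k" are this example's choices, as is the valid_public_value check on received group elements, which the slides do not mention but which any implementation should do before combining a received value with a secret exponent.

```python
import hashlib
import secrets

# Toy group, constructed for this example: p = 2q + 1 is a safe prime (q = 233 is prime)
# and g = 4 generates the subgroup of prime order q. Real deployments use 2048-bit+
# primes or elliptic curves (see the key-size table above); the arithmetic is the same.
P, Q, G = 467, 233, 4


def valid_public_value(y: int) -> bool:
    """Range and subgroup check on a received g^a or g^b before raising it to a secret."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


def dh_shared(a: int, b: int):
    """Plain Diffie-Hellman: returns Alice's view B^a and Bob's view A^b of g^ab."""
    A, B = pow(G, a, P), pow(G, b, P)          # what travels over the wire
    return pow(B, a, P), pow(A, b, P)


def keygen():
    """ElGamal: Alice's DH value A = g^a becomes a long-term public key; a stays secret."""
    a = 1 + secrets.randbelow(Q - 1)
    return pow(G, a, P), a


def derive_key(shared: int) -> bytes:
    """The slide's 'derive symmetric key k': hash g^ab down to a 256-bit key."""
    return hashlib.sha256(shared.to_bytes(2, "big")).digest()   # shared < P < 2^16


def xor32(k: bytes, data: bytes) -> bytes:
    """Toy one-time symmetric E/D: XOR with k, at most 32 bytes (not for real use)."""
    if len(data) > 32:
        raise ValueError("toy cipher handles at most 32 bytes")
    return bytes(d ^ s for d, s in zip(data, k))


def encrypt(A: int, m: bytes):
    """Bob: fresh b, B = g^b, k from A^b; ct = (B, E(k, m)). A new b for every message."""
    if not valid_public_value(A):
        raise ValueError("public key is outside the prime-order subgroup")
    b = 1 + secrets.randbelow(Q - 1)
    B = pow(G, b, P)
    return B, xor32(derive_key(pow(A, b, P)), m)


def decrypt(a: int, ct):
    """Alice: recover g^ab as B^a, derive the same k, decrypt."""
    B, c = ct
    if not valid_public_value(B):
        raise ValueError("ephemeral value is outside the prime-order subgroup")
    return xor32(derive_key(pow(B, a, P)), c)


if __name__ == "__main__":
    A, a = keygen()
    print(decrypt(a, encrypt(A, b"see you at noon")))
```

Because Bob picks a fresh b per message, encrypting the same m twice yields different ciphertexts; that is what makes ElGamal a randomized public-key scheme. The subgroup check rejects 1, p-1 and elements of order 2q (for example 2 in this group), so a corrupted or malicious value cannot force the shared secret into a tiny set.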
Diffie-Hellman Key Exchange in Practice
Insecure against man-in-the-middle attack
First demonstration that asymmetric techniques and number-theoretic problems could be used to alleviate the key distribution problem in cryptography

Public key encryption
Bob: generates (PK, SK) and gives PK to Alice
Alice: c = E(pk, m) → Bob: m = D(sk, c)
Invented and published in 1975
A public/private key pair is used
  Public key can be announced to everyone
  Private key is kept secret by the owner of the key
Also known as asymmetric cryptography
Much slower to compute than secret key cryptography
Applications
1. Message integrity with digital signatures
  Alice computes a hash of the message and signs it with her private key (no one else can do this without her key)
  Bob verifies the hash on receipt using Alice's public key and the verification equation

Applications (cont.)
The digital signature is verifiable by anybody
Only one person can sign the message: non-repudiation
Non-repudiation is not possible with secret key cryptography

Applications (cont.)
2. Communicating securely over an insecure channel
2.1 Session setup (for now, only eavesdropping security)
  Alice: generate (pk, sk); Alice → Bob: pk
  Bob: choose random x (e.g. 48 bytes); Bob → Alice: E(pk, x)
2.2 Non-interactive applications (e.g. email)
  Bob sends email to Alice encrypted using pk_alice
  Note: Bob needs pk_alice (public key management)
Public key encryption
Def: a public-key encryption system is a triple of algs. (G, E, D)
  G(): randomized alg. that outputs a key pair (pk, sk)
  E(pk, m): randomized alg. that takes m ∈ M and outputs c ∈ C
  D(sk, c): det. alg. that takes c ∈ C and outputs m ∈ M or ⊥
Consistency: ∀(pk, sk) output by G: ∀m ∈ M: D(sk, E(pk, m)) = m

Public key encryption: constructions
Constructions generally rely on hard problems from number theory and algebra
It must be computationally easy to generate a public/private key pair, and hard to determine the private key given the public key
It must be computationally easy to encrypt using the public key, and easy to decrypt using the private key
It must be hard to recover the plaintext message from just the ciphertext and the public key
Trapdoor functions (TDF)
RSA (Rivest, Shamir, Adleman)
A dominant public key algorithm
Provides both public key encryption and digital signatures
Basis: factorization of large numbers is hard
Variable key length (1024 bits or greater)
Variable plaintext block size
  Plaintext block size must be smaller than key size
  Ciphertext block size is same as key size
Very widely used:
  SSL/TLS: certificates and key exchange
  Secure e-mail and file systems
"A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, Feb. 1978
https://en.wikipedia.org/wiki/extended_euclidean_algorithm
Reminder of Results
Let N = p·q where p, q are prime
Z_N = {0, 1, 2, ..., N-1}; (Z_N)* = {invertible elements in Z_N}
Facts:
  x ∈ Z_N is invertible ⇔ gcd(x, N) = 1
  Number of elements in (Z_N)* is φ(N) = (p-1)(q-1) = N - p - q + 1
  Euler's thm: ∀x ∈ (Z_N)*: x^φ(N) = 1

RSA Key Generation
Generating a public/private key pair:
  Find large primes p, q ≈ 1024 bits. Let N = pq. Don't disclose p and q!
  φ(N) = (p-1)(q-1)
  Choose integers e, d s.t. e·d = 1 (mod φ(N))
  Output public key = (N, e), private key = (N, d)
RSA Encryption/Decryption
Encrypt: y = RSA(x) = x^e (mod N)
Decrypt: F^-1(sk, y) = y^d; y^d = RSA(x)^d = x^ed = x^(kφ(N)+1) = (x^φ(N))^k · x = x (mod N)

Is RSA secure? (cont.)
Deterministic encryption: an attacker can successfully launch a chosen plaintext attack against the cryptosystem
Solution: pad the plaintext message with random text before encryption
Digital Signatures
RSA signatures Inverse use of public key and private key
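The RSA material above (extended Euclid for d, key generation, encryption/decryption, random padding, and the signature use of the private key) worked through in one added example; this is not code from the lecture. Key sizes are toy (512-bit modulus) so it runs instantly, the random prefix padding is a constructed stand-in for a real padding scheme, and the hash-then-exponentiate signature omits the padding a deployed scheme would add; all function names are this example's own.

```python
import hashlib
import os
import random


def egcd(a: int, b: int):
    """Extended Euclid (iterative): returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(e: int, m: int) -> int:
    """d with e*d = 1 (mod m): how the private exponent is found from e and phi(N)."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError("e is not invertible modulo phi(N)")
    return x % m


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test, adequate for the toy key sizes used here."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    # toy: the random module is fine for a demo; real keys need a CSPRNG
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(c):
            return c


def keygen(bits: int = 512, e: int = 65537):
    """Key generation as on the slide; bits is the modulus size (toy default, slide says 1024+)."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)                     # phi(N) = (p-1)(q-1); p, q then discarded
        if p != q and egcd(e, phi)[0] == 1:
            break
    N = p * q
    return (N, e), (N, modinv(e, phi))             # public key, private key


def rsa_raw(key, x: int) -> int:
    """Textbook F / F^-1: x^e mod N with the public key, y^d mod N with the private key."""
    N, exp = key
    return pow(x, exp, N)


def encrypt_textbook(pk, m: bytes) -> int:
    """Deterministic: the same m always gives the same ciphertext (the weakness on the slide)."""
    return rsa_raw(pk, int.from_bytes(m, "big"))


PAD_BYTES = 16   # random prefix; a constructed stand-in for PKCS#1 padding, not a real scheme


def encrypt_padded(pk, m: bytes) -> int:
    """Randomised: 0x01 || random pad || m is encrypted, so a repeated m looks different."""
    N, _ = pk
    x = int.from_bytes(b"\x01" + os.urandom(PAD_BYTES) + m, "big")
    if x >= N:
        raise ValueError("plaintext block must be smaller than the modulus")
    return rsa_raw(pk, x)


def decrypt_padded(sk, c: int) -> bytes:
    x = rsa_raw(sk, c)
    block = x.to_bytes((x.bit_length() + 7) // 8, "big")   # leading 0x01 fixes the length
    if block[:1] != b"\x01":
        raise ValueError("bad padding")
    return block[1 + PAD_BYTES:]


def sign(sk, m: bytes) -> int:
    """Signature = H(m)^d mod N: the private key is used where encryption uses the public one."""
    return rsa_raw(sk, int.from_bytes(hashlib.sha256(m).digest(), "big"))


def verify(pk, m: bytes, sig: int) -> bool:
    """Verification equation: sig^e mod N == H(m). Anyone holding pk can check it."""
    return rsa_raw(pk, sig) == int.from_bytes(hashlib.sha256(m).digest(), "big")
```

Running encrypt_textbook twice on the same message returns the same integer, which is what lets an attacker confirm guessed plaintexts under a chosen plaintext attack; encrypt_padded changes the ciphertext on every call. The same rsa_raw does both encryption and signing, only the key swaps, which is the "inverse use" of the key pair the RSA signature slide refers to.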
DSA signatures Based on a different hard problem: discrete logarithm problem
Review: secret vs. public key crypto
The symmetric/asymmetric key tradeoff