Excursus 03

Upload
francescopistolesi 
Category
Documents

view
223 
download
0
Embed Size (px)
Transcript of Excursus 03

8/12/2019 Excursus 03
1/39
C R Y P T O G R A P H Y
A.A. 2010/2011 1
Cryptography Part III
Public Key Systems
michele elia
Politecnico di Torino

8/12/2019 Excursus 03
2/39
C R Y P T O G R A P H Y
A.A. 2010/2011 2
In the eworld a definition of cryptography is
The art of information integrity
Beside confidentiality Information may need Integrity
Availability
Ubiquity Authenticity (without secrecy)
Tracking

8/12/2019 Excursus 03
3/39
C R Y P T O G R A P H Y
A.A. 2010/2011 3
Secret key cryptography cannot solve largescale problems
that occur in civilian life:
1Key Distribution Problem:two users need toshare a common secret key. A channel for secret key
exchange may not be available.
2Key Management Problem:in a network of nusers, every pair of users must share a secret key, fora total of n(n1)/2 keys. If n is not small, then the
number of keys becomes unmanageable.
3Digital Signature Problem:nonsecret
authentication and nonrepudiation problems are theelectronic counterparts of a handwritten signature;
neither problem can be solved by a secret key system

8/12/2019 Excursus 03
4/39
C R Y P T O G R A P H Y
A.A. 2010/2011 4
Diffie and Hellman
In 1976, Witfield Diffie and Martin Hellman
invented
Public Key Cryptography (PKC)to address key management issues.
The basic idea was the exploitation of a
concept already present in secret key
systems
ONEWAY FUNCTION

8/12/2019 Excursus 03
5/39
C R Y P T O G R A P H Y
A.A. 2010/2011 5
A naive definition of oneway function is
A function F: D U is oneway if three
conditions are met:
1. It is onetoone, that is the
functionF1 : U D exists and is unique
2. It is easyto compute Y=F(X) for
every X D1. It is hardto compute X= F1(Y) for
almost every Y D

8/12/2019 Excursus 03
6/39
C R Y P T O G R A P H Y
A.A. 2010/2011 6
Public key cryptography: In 25 years manyoneway functions have
been put forward, all based on hard arithmetical problems.Only four functions or principles have survived:
1. Prime factorization: it is easy to multiply two
primes, whereas it is hard to factor their product (Rabin)
2. Discrete Logarithm: it is easy to compute a power in a
cyclic group, whereas it is hard to find the exponent3. Evaluation of the order of a group: it is possible and
easy to define a finite group, whereas the computation
of its order (number of its elements) may be hard
4. Decoding Linear Codes: it is easy to encode and to
corrupt the code word with noise, whereas it is hard
to recover the code word

8/12/2019 Excursus 03
7/39
C R Y P T O G R A P H Y
A.A. 2010/2011 7
OneWay functions vs. Hard Problems  status
Name Hard Problem Equivalent problem?
Rabin Factorisation Solve equations overrings
RSA Order of a
group
Factorisation?
DiffieHellman
DiffieHellmanproblem
Discrete logarithm?
El Gamal Discretelogarithm
McEliece Decodinglinear codes
Equivalent Goppacodes are difficult todecode?

8/12/2019 Excursus 03
8/39
C R Y P T O G R A P H Y
A.A. 2010/2011 8
Rabin: public key N=pq, message M
Encryption
C = M2 mod N
Decryption
M = C1/2 mod N
p,qprime numbers (Blum primes, 4k+3)
M relatively prime withp,q
Decryption is easy using Chinese Remainder Theorem ifp,q are known Blum primes, and is hard otherwise

8/12/2019 Excursus 03
9/39
C R Y P T O G R A P H Y
A.A. 2010/2011 9
Rabin  2
Decrypting is equivalent to solving
x2 = C mod pq
CRT requires solving two equations over fields
x2 = C mod p and x2 = C mod q
Ifp and q are Blum primes then
xp = C(p+1)/4 mod p ; xq = C
(q+1)/4 mod q
solution moduloN=pq is obtained as a linear combination
pqpgqg
where
pqCCx qp
mod,
mod
2211
2
4/)1(
1
4/)1(

8/12/2019 Excursus 03
10/39
C R Y P T O G R A P H Y
A.A. 2010/2011 10
Rabin  3
Cryptanalysis is equivalent to factoring:
If an oracle can compute the four square roots then p is
computed as the common factor between
N=pq and x1x3
pq
CCx
CCx
CCx
CCx
qp
qp
qp
qp
mod
2
4/)1(
1
4/)1(
4
24/)1(
14/)1(
3
2
4/)1(
1
4/)1(
2
2
4/)1(
1
4/)1(
1
pgCCxx qq 14/)1(
2
4/)1(
31 22

8/12/2019 Excursus 03
11/39
C R Y P T O G R A P H Y
A.A. 2010/2011 11
RSA: public key [N,E], message M
Let p, q be prime numbers andN=p q
Encryption: C = ME mod N
Decryption: M = CD
mod N
M relatively prime with p,q
E relatively prime with the Euler totient function
and
)1)(1()( qppq
)(mod1 pqDE

8/12/2019 Excursus 03
12/39
C R Y P T O G R A P H Y
A.A. 2010/2011 12
DiffieHellman
Public parameters: a Z, p prime
Alice: Secret key X
Public Key KA = aX
mod p
Bob: Secret key Y
Public Key KB = aY mod p
AliceBob: Common key KAB = aXY mod p

8/12/2019 Excursus 03
13/39
C R Y P T O G R A P H Y
A.A. 2010/2011 13
McEliece
G generator matrix of a linear code (n, k, 2t+1)allowing an algebraic decoding algorithm
[Goppa code (2m, 2mmt, 2t+1) are good candidates]
Bob: Secret Key (P, A, G)
Public Key: a pair (t, Gp)
where: Gp = PGA
P is a n n permutation matrixA is a k k nonsingular matrix

8/12/2019 Excursus 03
14/39
C R Y P T O G R A P H Y
A.A. 2010/2011 14
McEliece continuation
Alice Encryption: E= Gp M + e
where e is a random vector with less than t 1s
Bob Decryption: E1 = PT E,
M1 = E1 + e ,
where e results from an algebraic decoding
[With Goppa codes the BerlekampMassey algorithm is used]
Message recovering
M = A1 M1

8/12/2019 Excursus 03
15/39
C R Y P T O G R A P H Y
A.A. 2010/2011 15
Complexity
An axiomatic measure of complexity is missing
Problem size is defined to be n, where n may be
number of variables
number of equations
number of bits for representing a parameter
A practical measure of complexity is a function f(n)
A problem is considered hard if f(n)= a0 n
A problem is considered easy if f(n)= b0 log(n) Frequently f(n) = eg(n)
with g(n)=[log(n)]1/2 , n1/3 [log(n)]1/3

8/12/2019 Excursus 03
16/39
C R Y P T O G R A P H Y
A.A. 2010/2011 16
Chinese Remainder Theorem
Let be a product of r positive
integers mi which are relatively primes
Given a nonnegative integer a not greater than N,
then r remainders can be computed easily
The Chinese remainder theorem solves the
problem of computing a given the r remainders ai
rmmmN 21
imaa ii mod
iij ji
iij jii
rr
mmg
ofsolutionisgandmg
whereaaaa
mod1
1111

8/12/2019 Excursus 03
17/39
C R Y P T O G R A P H Y
A.A. 2010/2011 17
Chinese Remainder Theorem Properties
Let be
two numbers in ZN decomposed according to CRT
Then
where the operations ai bi, ai+bi and ain are
performed modulo mi. In general CRT reduces the complexity since the
operations are performed in domains of smaller
cardinality.
),,,(),,,( 2121 rr bbbbaaaa
),,,( 2211 rrbaabbaab
),,,( 2211 rr baabbaba ),,,( 21
n
r
nnn aaaa

8/12/2019 Excursus 03
18/39
C R Y P T O G R A P H Y
A.A. 2010/2011 18
Electronic Signature
based on reverse use of a ONEWAY
function
consists in a pair of numbers
S plain signature encoded as an integer
ES electronic signature
computed from S using a oneway functionhas the significance of an authentication mark.

8/12/2019 Excursus 03
19/39
C R Y P T O G R A P H Y
A.A. 2010/2011 19
Electronic Signature
Standard procedure to sign Bobs message M electronically:
1 A public key directory contains PK the public key of
signatory Bob
2 Bob computes a Digest from M using a hash function(oneway function)
3 Bob forms his signature by juxtaposing
S = NameDateDigestRandom
4 Bob computes the electronic signature ES encryptingS with his private key PVK
5 Bobs electronic signature (S,ES) is verified using
Bobs PK public key.

8/12/2019 Excursus 03
20/39

8/12/2019 Excursus 03
21/39
C R Y P T O G R A P H Y
A.A. 2010/2011 21
El Gamal signature public key [p, g, k]
message M
secrect signature: random m, and u
where k = gu mod p
signature(M, a, b)
where a = gm mod p
b solution of b m + a u = M mod p1

8/12/2019 Excursus 03
22/39
C R Y P T O G R A P H Y
A.A. 2010/2011 22
El Gamal signature public key [p, g, k]
signature
(M, a, b)
verification
?
gM = ab ka mod p

8/12/2019 Excursus 03
23/39
C R Y P T O G R A P H Y
A.A. 2010/2011 23
Digital Signature
Two main scopes:
certify the authenticity of a public or secret message
avoid repudiation
Uses
electronic locking/unlocking of doors
electronic orders and payments
networks or physical access
Algorithm
RSA
Rabib
El Gamal

8/12/2019 Excursus 03
24/39
C R Y P T O G R A P H Y
A.A. 2010/2011 24
Elliptic curves
Elliptic curves are algebraic curves endowed with agroup structure that was discovered by
Giulio Fagnano de Toschi in the eighteen century.
Given two points P and Q on an elliptic curve E, athird point R on E is defined as the sum
R=P+Q
This property was exploited by Euler in his
development of the elliptic integral theory.
In cryptography, the elliptic curves are usedas a rich source of Abelian group

8/12/2019 Excursus 03
25/39
C R Y P T O G R A P H Y
A.A. 2010/2011 25
Elliptic curves
The set of real points of an Elliptic curve E overa finite field forms an Abelian group for a point
sum.
Given P on E and an integer m, the point mP isdefined as mP=P+P+P + +P (m times)
The set of points mP forms a cyclic group where
the discrete logarithm problem is hard:
It is easy to compute Q = mP
It is hard to compute m from Q given P

8/12/2019 Excursus 03
26/39
C R Y P T O G R A P H Y
A.A. 2010/2011 26
Elliptic curve over a finite field GF(pm)
An elliptic curve E consists of a set of points P=(x,y)
whose coordinates satisfy
Y2 = X3 + a4X + a6
where a4, a6X and Y belongs to GF(pm
).
Hasses theorem asserts that the number of points #E
on E with coordinates in GF(pm) satisfies theinequality
ppEpp 21#21

8/12/2019 Excursus 03
27/39
C R Y P T O G R A P H Y
A.A. 2010/2011 27
In E an addition of points is defined as

8/12/2019 Excursus 03
28/39
C R Y P T O G R A P H Y
A.A. 2010/2011 28
The set E is a group for point addition
Given P1=(x1,y1) and P2=(x2,y2)
the sum is point P3=(x3,y3) written
P3= P1+ P2
Addition is
 Commutative and Associative.
 A point O exists which has the role of
group identity
P=P+O

8/12/2019 Excursus 03
29/39

8/12/2019 Excursus 03
30/39
C R Y P T O G R A P H Y
A.A. 2010/2011 30
Addition formulas overGF(2m):NonSupersingular Curves
6
2
2
32 axaxxyy
21
21
123
221
2
3 ,
)1(
)(
xx
yyQPif
yyy
axxx
QPif
xxx
yxxy
x
axx
33
1
11
2
13
2
1
62
13
)(

8/12/2019 Excursus 03
31/39

8/12/2019 Excursus 03
32/39
C R Y P T O G R A P H Y
A.A. 2010/2011 32
Group structure of E over GF(pm)
Theorem 1 (Hasse)
#E=pm+1t, with
Theorem 2
Let Ebe an elliptic curve defined over GF(pm),
where p is a prime. Then there exist integers n
and k such that E is isomorphic to Zn Zk.
Further kn and k(pm 1).
Zn denotes a cyclic group of order n
mpt 2

8/12/2019 Excursus 03
33/39
C R Y P T O G R A P H Y
A.A. 2010/2011 33
ECC  Elliptic Curve Cryptosystem
EC are used as a rich source of cyclic groups
where the discrete logarithm problem is hard.
EC are used to define a DiffieHellman public
key scheme as follows:
Let P be a public fixed point of an Elliptic curve E
Let A= x P and x be Alices public and secret keys,
respectively
Let B= y P and y be Bobs public and secret keys,
respectively The common secret key is K= x y P

8/12/2019 Excursus 03
34/39
C R Y P T O G R A P H Y
A.A. 2010/2011 34
Factorization
Gauss recognized that factorization is an
important, though difficult, problem in arithmetic
Fermat observed that is prime for n=0,1,2,3,4
and guessed that it was prime for every n.At present, a more likely guess would be that no
Fermat number is prime for n greater than 4.
RSA renewed the challenge to factor largenumbers and inspired the development of recent
factorization methods.
122 n

8/12/2019 Excursus 03
35/39
C R Y P T O G R A P H Y
A.A. 2010/2011 35
In 1977 Martin Gardner in ScientificAmerican proposed cryptanalysing a
message encoded with the RSA algorithm
using a 129 digit number product of two
primes (Rivest)
In 1994 the number was factored into two
primes of 64 and 65 digits and the
message was decryptedThe magic words are
squeamish ossifrage

8/12/2019 Excursus 03
36/39

8/12/2019 Excursus 03
37/39
C R Y P T O G R A P H Y
A.A. 2010/2011 37
A millennial evolution has shown that cryptography is a science
rather than an art.
Today, the prophetic words of Adrian A. Albert at theopening of the 382nd Congress of the American
Mathematical Society in 1939 are fully meaningful:
We shall see that cryptography is more thana subject permitting mathematical formulation
for indeed it would not be an exaggeration
to state that
abstract cryptographyis identical with
abstract mathematics.

8/12/2019 Excursus 03
38/39

8/12/2019 Excursus 03
39/39