Introduction to Modern Cryptography
Lecture 5
• Number Theory: 1. Quadratic residues. 2. The discrete log problem.
• Intro to Public Key Cryptography
• Diffie & Hellman Key Exchange
Course Summary - Math Part (Previous lectures)
• Euclid gcd; extended gcd.
• The ring Z_m.
• Finite groups: Lagrange theorem (if G is finite and H is a subgroup then |H| divides |G|).
• Finite field arithmetic - GF(p^k).
• Primitive elements in finite fields (generators of the multiplicative group with p^k - 1 elements).
• The birthday paradox.
Course Summary - Crypto Part (first 4 lectures)
• Introduction
• Stream & Block Ciphers
• Block Cipher Modes (ECB, CBC, OFB)
• Advanced Encryption Standard (AES)
• Message Authentication Codes (based on CBC and on cryptographic hashing)
The Birthday Paradox: Wrap Up
• Let R be a finite set of size r.
• Pick k elements of R uniformly and independently.
• What is the probability of getting at least one collision?
The Birthday Paradox (cont.)
• Consider the event E_k: no collision after k elements.
Prob(E_k) = 1 (1 - 1/r)(1 - 2/r) … (1 - (k-1)/r) < exp(-1/r) exp(-2/r) … exp(-(k-1)/r)
= exp(-(1 + 2 + … + (k-1))/r) = exp(-k(k-1)/2r)
~ exp(-k^2/2r)
For k = r^(1/2), Prob(E_k) < 0.607, thus Prob(Collision_k) > 0.393.
For k = 1.2 r^(1/2), Prob(E_k) < 0.487, thus Prob(Collision_k) > 0.513.
(The inequality uses 1 - x < exp(-x) for x > 0, illustrated by the Maple plot:)
plot({exp(-x),1-x},x=0..0.5);
Application to Cryptographic Hashing
Let H: D --> R, R of size r. Suppose we can get k random images under H.
If k^2 is larger than r then the probability of a collision, 1 - exp(-k^2/2r), is large.
Thus a necessary condition for avoiding collisions is that r is so large that it is infeasible to generate r^(1/2) hash values.
This leads to requiring that message digests be at least 160 bits long (2^(160/2) = 2^80 is large enough).
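The following Python is an added example, not part of the lecture slides: it computes the exact product for Prob(E_k) next to the slide's bound exp(-k(k-1)/2r), and then shows the birthday attack on a hash with a small range by truncating SHA-256 to 20 bits (the truncation and the "msg-i" inputs are constructed for the example; real digests are not truncated like this). Finding a collision in about 2^10 hashes for a 20-bit digest is the effect that forces digests of 160 bits or more.

```python
import hashlib
import math

def prob_no_collision(k: int, r: int) -> float:
    """Exact Prob(E_k): k elements drawn uniformly from a set of size r, no two equal."""
    p = 1.0
    for i in range(k):          # factors 1, (1 - 1/r), ..., (1 - (k-1)/r)
        p *= 1.0 - i / r
    return p

def no_collision_bound(k: int, r: int) -> float:
    """The slide's bound exp(-k(k-1)/2r), obtained from 1 - x < exp(-x); ~ exp(-k^2/2r)."""
    return math.exp(-k * (k - 1) / (2.0 * r))

def truncated_hash(msg: bytes, bits: int) -> int:
    """SHA-256 keeping only the top `bits` bits: a stand-in for a digest whose range
    has size r = 2^bits. (Constructed for this example only.)"""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits: int):
    """Hash the constructed messages b"msg-0", b"msg-1", ... until two share a truncated
    digest. Returns (number_of_hashes, msg1, msg2). By the pigeonhole principle this
    terminates after at most 2^bits + 1 hashes; the birthday bound predicts ~2^(bits/2)."""
    seen = {}
    for i in range((1 << bits) + 1):
        m = b"msg-%d" % i
        h = truncated_hash(m, bits)
        if h in seen:
            return i + 1, seen[h], m
        seen[h] = m
    raise AssertionError("unreachable: pigeonhole guarantees a collision")

if __name__ == "__main__":
    r, k = 2 ** 20, 1024                       # k = r^(1/2)
    print("exact Prob(E_k) =", prob_no_collision(k, r))
    print("bound exp(-k(k-1)/2r) =", no_collision_bound(k, r))
    tries, m1, m2 = find_collision(20)
    print("20-bit collision after", tries, "hashes:", m1, m2)
```

For r = 2^20 and k = 2^10 the exact value and the bound both come out near 0.607, matching the slide, and the truncated-hash search finds a collision after on the order of a thousand hashes rather than a million.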
Fermat “Little” Theorem
• Let G be a finite group with m elements. Let a be an element of G. Then a^m = 1 (the unit element of G).
Example
G = Z_p^*, the multiplicative group of Z_p. The polynomial x^(p-1) - 1 has p-1 roots, so x^(p-1) - 1 = ∏_{a ≠ 0} (x - a).
> factor(x^6-1);
(x-1)(x+1)(x^2+x+1)(x^2-x+1)
> factor(x^6-1) mod 7;
(x+6)(x+1)(x+4)(x+2)(x+5)(x+3)
Quadratic Residues
• Definition: An element x is a quadratic residue modulo n if there exists y such that y^2 ≡ x mod n.
• Claim: if p is prime there are exactly (p-1)/2 quadratic residues in Z_p^*.
• Claim: if p is prime, and g is a generator of the multiplicative group, the quadratic residues are all the even powers of g: g^0, g^2, …, g^(2i), …, g^(p-3).
Quadratic Residues in Zp (cont.)
• The quadratic residues (QR) form a subgroup of Z_p^*.
• x^(p-1) - 1 = (x^((p-1)/2) - 1)(x^((p-1)/2) + 1).
• Thus x^((p-1)/2) - 1 has (p-1)/2 roots in Z_p.
Quadratic Residues in Zp (cont.)
Claim: an element x in Z_p^* is a quadratic residue if and only if x^((p-1)/2) ≡ 1 mod p.
Proof Sketch:
• Suppose x = y^2 (x is a QR), then x^((p-1)/2) - 1 = y^(p-1) - 1 = 0 (Fermat).
• Suppose x^((p-1)/2) = 1. Let x = g^i where g is a primitive element. Then g^(i(p-1)/2) = 1. Since g has order p-1, p-1 must divide i(p-1)/2, implying i is even, so x is a QR.
Testing Quadratic Residues
• Efficient O(log^3 p) algorithm in Z_p (p prime).
• Applies the repeated squaring idea.
• For composite m (esp. m = pq), no efficient algorithm for testing quadratic residues is known. The problem is believed to be computationally hard (but not NPC).
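An added Python example (not from the slides) that makes the preceding claims concrete for a small prime: Euler's criterion x^((p-1)/2) mod p computed by repeated squaring, checked against the brute-force set of squares, the count (p-1)/2, the "even powers of a generator" characterisation, and Fermat's theorem. The last function shows why the composite case is different: the test modulo pq is only easy here because the factors p and q are handed to it. The prime p = 23 and generator g = 5 are values chosen for the example.

```python
def modexp(base: int, exp: int, m: int) -> int:
    """Repeated squaring: O(log exp) multiplications mod m, i.e. O(log^3 m) bit
    operations, so x^((p-1)/2) mod p stays cheap for a 2048-bit p."""
    result, base = 1, base % m
    while exp > 0:
        if exp & 1:
            result = (result * base) % m
        base = (base * base) % m
        exp >>= 1
    return result

def is_qr_mod_p(x: int, p: int) -> bool:
    """Euler's criterion: x in Z_p^* is a quadratic residue iff x^((p-1)/2) = 1 mod p."""
    return modexp(x, (p - 1) // 2, p) == 1

def quadratic_residues(p: int) -> set:
    """Brute force, for checking only: the squares of all nonzero elements of Z_p."""
    return {(y * y) % p for y in range(1, p)}

def prime_factors(n: int) -> set:
    """Trial division; fine for the small p used here."""
    factors, q = set(), 2
    while q * q <= n:
        while n % q == 0:
            factors.add(q)
            n //= q
        q += 1
    if n > 1:
        factors.add(n)
    return factors

def is_generator(g: int, p: int) -> bool:
    """g generates Z_p^* iff g^((p-1)/q) != 1 for every prime q dividing p-1."""
    return all(modexp(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def even_powers(g: int, p: int) -> set:
    """g^0, g^2, ..., g^(p-3): by the claim these are exactly the QRs when g generates."""
    return {modexp(g, 2 * i, p) for i in range((p - 1) // 2)}

def fermat_holds(p: int) -> bool:
    """a^(p-1) = 1 for every a in Z_p^*, the group of p-1 elements."""
    return all(modexp(a, p - 1, p) == 1 for a in range(1, p))

def is_qr_mod_pq(x: int, p: int, q: int) -> bool:
    """Modulo n = pq the test is easy only because the factors are GIVEN: x is a QR mod pq
    iff it is a QR mod p and mod q. Knowing only n, no efficient test is known."""
    return is_qr_mod_p(x % p, p) and is_qr_mod_p(x % q, q)

if __name__ == "__main__":
    p, g = 23, 5                                   # example values
    print("generator:", is_generator(g, p), " #QR:", len(quadratic_residues(p)))
    print("even powers == QRs:", even_powers(g, p) == quadratic_residues(p))
    print("4 is a QR mod 15:", is_qr_mod_pq(4, 3, 5), " 2 is:", is_qr_mod_pq(2, 3, 5))
```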
One-Way Functions
• A function f: D → R is called one-way if:
– Computing f(x) is “easy”
– Computing f^(-1)(y) for almost all the images is “hard”
• Given the “real-world” definition of “hard” a one-way function may be a single function (e.g. SHA-1)
• Given the theoretical definition, we refer to a family of one-way functions
Example
• The domain is all the pairs of prime numbers.
• The function is f(p,q) = pq.
• Multiplication is easy – the naïve algorithm is O(n^2).
• Factoring is difficult – the simple algorithm is O(2^(n/2)). NFS and ECM are better but not polynomial.
• The function f(p,q) = pq maintains length.
The Chinese Remainder Theorem
• Given
– x mod p
– x mod q
• Compute x mod pq
• If gcd(p,q) = 1 take ((x mod p)(q^(-1) mod p) q + (x mod q)(p^(-1) mod q) p) mod pq
• Example: x mod 3 = 2, x mod 5 = 3, 1/3 mod 5 = 2, 1/5 mod 3 = 1/2 mod 3 = 2
• (x mod p)(q^(-1) mod p) q = 2 * 2 * 5 = 20
• (x mod q)(p^(-1) mod q) p = 3 * 2 * 3 = 18, 38 mod 15 = 8
Quadratic Residues mod n
• An element x is a quadratic residue modulo n if there exists y such that y^2 ≡ x mod n.
• If x is a quadratic residue then so is –x mod n.
• If p is prime there are exactly (p-1)/2 quadratic residues.
• If p is prime, and g is a generator of the multiplicative group, the quadratic residues are the even powers of g.
The four different square roots modulo pq
• Let x be a quadratic residue modulo pq.
• Then x mod p is a quadratic residue and so is x mod q.
• x mod p has two roots mod p: y and p - y.
• x mod q has two roots mod q: z and q - z.
• Using the Chinese remainder theorem, we get four roots modulo pq: A, B, pq – A, pq – B
• (y, z) -> A, (p - y, q - z) -> pq – A
• (y, q - z) -> B, (p – y, z) -> pq – B
• gcd(A - B, pq) = p
Factoring Idea: square roots
• Compute x^2 mod pq
• Extract y = square root of x^2 mod pq
• If y = x or y = pq - x then useless
• If not, x^2 ≡ y^2 mod pq
– then gcd(x - y, pq) = p or gcd(x - y, pq) = q
• The square root extraction algorithm does not “know” if we started with x, pq - x, y, or pq - y
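An added Python example (not from the slides) covering both the Chinese Remainder Theorem slide and the two slides above: the CRT formula exactly as written on the slide, built on extended Euclid for the inverses, then the four square roots modulo pq assembled from the roots modulo p and modulo q, and the gcd that turns two "unrelated" roots into a factor. To keep the root extraction modulo a prime to one line it assumes p ≡ 3 mod 4, where y = x^((p+1)/4) works (an assumption made for the example; other primes need Tonelli-Shanks). The moduli 3, 5 (the slide's numbers) and 7, 11 are example values.

```python
from math import gcd

def egcd(a: int, b: int):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def inverse_mod(a: int, m: int) -> int:
    """a^-1 mod m via extended gcd; raises if gcd(a, m) != 1."""
    g, s, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    return s % m

def crt(x_mod_p: int, p: int, x_mod_q: int, q: int) -> int:
    """The slide's formula, gcd(p, q) = 1:
    ((x mod p)(q^-1 mod p) q + (x mod q)(p^-1 mod q) p) mod pq."""
    return (x_mod_p * inverse_mod(q, p) * q + x_mod_q * inverse_mod(p, q) * p) % (p * q)

def sqrt_mod_p(x: int, p: int) -> int:
    """One square root of the QR x modulo a prime p with p = 3 mod 4: y = x^((p+1)/4).
    Assumption for brevity: p = 3 mod 4. Check: y^2 = x^((p+1)/2) = x * x^((p-1)/2) = x
    by Euler's criterion."""
    if p % 4 != 3:
        raise ValueError("this helper assumes p = 3 mod 4")
    y = pow(x % p, (p + 1) // 4, p)
    if (y * y) % p != x % p:
        raise ValueError(f"{x} is not a quadratic residue mod {p}")
    return y

def four_roots_mod_pq(x: int, p: int, q: int):
    """The four square roots of x modulo pq: A from (y, z), B from (y, q - z) via the CRT;
    the other two are pq - A and pq - B."""
    y, z = sqrt_mod_p(x, p), sqrt_mod_p(x, q)
    n = p * q
    A = crt(y, p, z, q)
    B = crt(y, p, q - z, q)
    return A, B, n - A, n - B

def factor_from_two_roots(A: int, B: int, n: int) -> int:
    """A^2 = B^2 mod n. If B is A or n - A the gcd is n or 1 (useless); otherwise n divides
    (A - B)(A + B) but neither factor, so gcd(A - B, n) is a proper factor of n."""
    return gcd(A - B, n)

if __name__ == "__main__":
    print("x mod 3 = 2, x mod 5 = 3  ->  x mod 15 =", crt(2, 3, 3, 5))
    roots = four_roots_mod_pq(4, 7, 11)
    print("square roots of 4 mod 77:", roots)
    print("gcd(A - B, 77) =", factor_from_two_roots(roots[0], roots[1], 77))
```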
Pollards rho (ρ) method
• Imagine the following process mod p:
• x_0 – random
• x_(i+1) = x_i^2 + 1 mod p
• After p^(1/2) steps, we’ll find x_i, x_j such that x_i = x_j mod p. What this means is that the function f(x) = x^2 + 1 mod p loops.
Pollards rho (ρ) method
• Imagine the following process mod pq:
• x_0 – random
• x_(i+1) = x_i^2 + 1 mod pq
• This will loop only after (pq)^(1/2) steps (modulo pq)
• However, modulo p (or q) it will loop after p^(1/2) (or q^(1/2)) steps
• Given two values x_i, x_j such that x_i = x_j mod p but x_i ≠ x_j mod pq, we have that gcd(x_i - x_j, pq) = p
• Repeat:
– x = x^2 + 1 mod pq
– y = (y^2 + 1)^2 + 1 mod pq
– If gcd(x - y, pq) > 1 then found factor
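An added Python implementation (not from the slides) of exactly the loop above: x advances one step, y two steps (Floyd cycle finding), and the walk stops when gcd(x - y, pq) > 1. It also counts how many steps the sequence takes to loop modulo a prime, to compare with p^(1/2). The numbers 8051 = 83 · 97 and 10403 = 101 · 103 are example inputs.

```python
from math import gcd

def f(x: int, n: int) -> int:
    """The slide's iteration x -> x^2 + 1 mod n."""
    return (x * x + 1) % n

def pollard_rho(n: int, x0: int = 2, max_steps: int = 10**6):
    """Floyd cycle finding on the slide's recurrence:
        x = x^2 + 1 mod pq,  y = (y^2 + 1)^2 + 1 mod pq,  stop when gcd(x - y, pq) > 1.
    The walk loops modulo p after about sqrt(p) steps, long before it loops modulo pq,
    so at that point x = y mod p while x != y mod pq and the gcd exposes p.
    Returns a nontrivial factor, or None if this starting point failed (gcd hit n)."""
    if n % 2 == 0:
        return 2
    x = y = x0 % n
    for _ in range(max_steps):
        x = f(x, n)
        y = f(f(y, n), n)
        d = gcd(abs(x - y), n)
        if d == n:
            return None       # looped mod p and mod q in the same step: try another x0
        if d > 1:
            return d
    return None

def pollard_rho_any_seed(n: int):
    """Retry with fresh starting points, as one does when a seed fails."""
    for x0 in range(2, 100):
        d = pollard_rho(n, x0)
        if d is not None:
            return d
    return None

def steps_until_loop(p: int, x0: int = 2) -> int:
    """Floyd steps until x_i = x_j mod p for the prime p; compare with sqrt(p).
    Terminates because Z_p is finite (at most p steps)."""
    x = y = x0 % p
    steps = 0
    while True:
        x = f(x, p)
        y = f(f(y, p), p)
        steps += 1
        if x == y:
            return steps

if __name__ == "__main__":
    print("factor of 8051:", pollard_rho(8051))
    print("factor of 10403:", pollard_rho_any_seed(10403))
    print("steps to loop mod 97:", steps_until_loop(97), " sqrt(97) ~ 9.8")
```

With x_0 = 2 the walk modulo 8051 produces the factor 97 on the third iteration, well before the roughly 90 steps it would take to loop modulo 8051 itself.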
More complex factoring ideas
• A number is smooth with respect to the set of primes ≤ L if all its prime factors are ≤ L.
• If a smooth number has all powers even then it is easy to extract a square root.
• Major idea:
– Generate quadratic residues, one of whose roots is known
– Compute a product of these quadratic residues which is smooth and has all powers even
– Now you have a 2nd root of this product; use it for factoring
Quadratic Sieve Factoring
• Determine a limit L
• Generate random values x^2 mod pq
• Check them for smoothness, discard if not
• This process can be done entirely distributed
• Collect all smooth quadratic residues
• Solve a set of linear equations over GF(2)
– This can be done if the matrix is singular, i.e., if we have sufficiently many smooth quadratic residues
– How many smooth quadratic residues are required?
Discrete Log (DL)
• Let G be a group and g an element in G.
• Let y = g^x and x the minimal non-negative integer satisfying the equation.
• x is called the discrete log of y to base g.
• Example: y = g^x mod p in the multiplicative group of Z_p
Discrete Log in Zp
A candidate for One Way Function
• Let y = g^x mod p in the multiplicative group of Z_p
• Exponentiation takes O(log^3 p) steps
• Standard discrete log is believed to be computationally hard.
• x → g^x is easy (efficiently computable).
• g^x → x is believed hard (computationally infeasible).
• x → g^x is a one way function.
• This is a computation based notion.
Classical, Symmetric Ciphers
• Alice and Bob share the same secret key K_(A,B).
• K_(A,B) must be secretly generated and exchanged prior to using the unsecure channel.
(Figure: Alice and Bob)
Diffie and Hellman (76) “New Directions in Cryptography”
Split Bob’s secret key K into two parts:
• K_E, to be used for encrypting messages to Bob.
• K_D, to be used for decrypting messages by Bob.
K_E can be made public (public key cryptography, asymmetric cryptography)
“New Directions in Cryptography”
• The Diffie-Hellman paper (IEEE IT, vol. 22, no. 6, Nov. 1976) generated lots of interest in crypto research in academia and private industry.
• Diffie & Hellman came up with the revolutionary idea of public key cryptography, but did not have a proposed implementation (these came up 2 years later with Merkle-Hellman and Rivest-Shamir-Adleman).
• In their 76 paper, Diffie & Hellman did invent a method for key exchange over insecure communication lines, a method that is still in use today.
Public Exchange of Keys
• Goal: Two parties (Alice and Bob) who do not share any secret information, perform a protocol and derive the same shared key.
• Eve who is listening in cannot obtain the new shared key if she has limited computational resources.
Diffie-Hellman Key Exchange
• Public parameters: A prime p, and an element g (possibly a generator of the multiplicative group Z_p^*)
• Alice chooses a at random from the interval [1..p-2] and sends g^a mod p to Bob.
• Bob chooses b at random from the interval [1..p-2] and sends g^b mod p to Alice.
• Alice and Bob compute the shared key g^(ab) mod p: Bob holds b, computes (g^a)^b = g^(ab). Alice holds a, computes (g^b)^a = g^(ab).
DH Security
• DH is at most as strong as DL in Z_p.
• Formal equivalence unknown, though some partial results are known.
• Despite 25 years of effort, still considered secure to date.
• Computation time is O(log^3 p).
Properties of Key Exchange
• Necessary security requirement: the shared secret key is a one way function of the public and transmitted information.
• Necessary “constructive” requirement: an appropriate combination of public and private pieces of information forms the shared secret key efficiently.
• DH Key exchange by itself is effective only against a passive adversary. Man-in-the-middle attack is lethal.
Security Requirements
• Is the one-way relationship between public information and shared private key sufficient?
• A one-way function may leak some bits of its arguments.
• Example: g^x mod p
• Shared key may be compromised
• Example: g^(x+y) mod p
Security Requirements (cont.)
• The full requirement is: given all the communication recorded throughout the protocol, computing any bit of the shared key is hard.
• Note that the “any bit” requirement is especially important
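An added Python example (not from the slides) that runs the Diffie-Hellman exchange above with both sides' messages, and then shows what the two examples on the "Security Requirements" slides mean for a passive Eve: with g a generator of Z_p^*, the Legendre symbol of g^a reveals whether a is even (one bit of the argument leaks), the Legendre symbol of the shared key g^(ab) is computable from the transcript (one bit of the key leaks), and g^(x+y) = g^x · g^y is computable outright. A brute-force discrete log stands in for the work Eve would otherwise need. The last function shows the standard mitigation, labelled as an addition: working in the order-q subgroup of quadratic residues for a safe prime p = 2q + 1, so that every exchanged value is a QR and the leaked bit is constant. p = 23, g = 5, a = 6, b = 15 are example values.

```python
import secrets

def legendre_is_qr(x: int, p: int) -> bool:
    """Euler's criterion: x is a quadratic residue mod p iff x^((p-1)/2) = 1 mod p."""
    return pow(x, (p - 1) // 2, p) == 1

def pick_exponent(p: int) -> int:
    """Uniform in [1..p-2], as on the slide, from the OS CSPRNG."""
    return 1 + secrets.randbelow(p - 2)

def dh_exchange(p: int, g: int, a: int, b: int):
    """Both sides of the protocol. Alice -> Bob: A = g^a mod p. Bob -> Alice: B = g^b mod p.
    Alice computes B^a, Bob computes A^b; both equal g^(ab) mod p."""
    A = pow(g, a, p)
    B = pow(g, b, p)
    k_alice = pow(B, a, p)
    k_bob = pow(A, b, p)
    assert k_alice == k_bob
    return A, B, k_alice

def brute_force_dlog(y: int, g: int, p: int) -> int:
    """What Eve would need: the discrete log of y to base g. O(p) trials, hopeless for a
    2048-bit p, whereas each pow() above costs O(log^3 p)."""
    acc = 1
    for x in range(p - 1):
        if acc == y:
            return x
        acc = (acc * g) % p
    raise ValueError("no discrete log")

def eavesdropper_view(p: int, A: int, B: int) -> dict:
    """Everything here is computed from the transcript (p, g, A, B) alone.
    With g a generator of Z_p^*: A is a QR iff a is even, so one bit of a leaks; g^(ab) is
    a QR iff ab is even, so one bit of the shared key is known to Eve. g^(a+b) = A*B mod p
    needs no secret at all, so it is worthless as a shared key."""
    A_qr, B_qr = legendre_is_qr(A, p), legendre_is_qr(B, p)
    return {"A_is_qr": A_qr, "B_is_qr": B_qr,
            "shared_key_is_qr": A_qr or B_qr,
            "g_to_a_plus_b": (A * B) % p}

def qr_subgroup_generator(p: int, q: int, h: int) -> int:
    """Mitigation (added here, not on the slides): for a safe prime p = 2q + 1, g = h^2 mod p
    (g != 1) generates the order-q subgroup of QRs. Then A, B and g^(ab) are always QRs and
    the Legendre bit carries no information about a, b or the key."""
    assert p == 2 * q + 1
    g = pow(h, 2, p)
    assert g != 1 and pow(g, q, p) == 1
    return g

if __name__ == "__main__":
    p, g = 23, 5                                   # example values; 5 generates Z_23^*
    A, B, K = dh_exchange(p, g, 6, 15)
    print("A, B, shared key:", A, B, K)
    print("Eve sees:", eavesdropper_view(p, A, B), " a recovered by brute force:",
          brute_force_dlog(A, g, p))
    g2 = qr_subgroup_generator(23, 11, 5)
    A2, B2, K2 = dh_exchange(p, g2, 6, 15)
    print("in the QR subgroup, all QR:", [legendre_is_qr(v, p) for v in (A2, B2, K2)])
    print("random exponent in [1..p-2]:", pick_exponent(p))
```

In the run with g = 5, a = 6 and b = 15 Eve learns that a is even, b is odd, the key 2 is a quadratic residue and g^(a+b) = 14, all without solving a discrete log; after switching to the subgroup generator g = 2 every value she sees is a quadratic residue, so that bit is no longer informative (hashing the shared secret before use is the usual complementary step).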
Other DH Systems
• The DH idea can be used with any group structure
• Limitation: groups in which the discrete log can be easily computed are not useful
• Example: additive group of Zp
• Currently useful DH systems: the multiplicative group of Zp and elliptic curve systems
Key Exchange in Systems
• VPN usually has two phases
– Handshake protocol: key exchange between parties sets symmetric keys
– Traffic protocol: communication is encrypted and authenticated by symmetric keys
• Automatic distribution of keys - flexibility and scalability
• Periodic refreshing of keys - reduced material for attacks, recovery from leaks