Lecture 3.2: Public Key Cryptography II
description
Transcript of Lecture 3.2: Public Key Cryptography II
![Page 1: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/1.jpg)
Lecture 3.2: Public Key Cryptography II
CS 436/636/736 Spring 2014
Nitesh Saxena
![Page 2: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/2.jpg)
Course Administration
• HW1 solution has been posted• Grades posted• We will distribute after lecture today• Any questions, or help needed?
• We need to something to make-up the missed material– Waiting on UAB for guidelines
2
![Page 3: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/3.jpg)
Outline of Today’s Lecture
• The RSA Cryptosystem (Encryption)
3
![Page 4: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/4.jpg)
“Textbook” RSA: KeyGen• Alice wants people to be able to send her encrypted
messages.• She chooses two (large) prime numbers, p and q and
computes n=pq and . [“large” = 1024 bits +]• She chooses a number e such that e is relatively prime to
and computes d, the inverse of e in , i.e., ed =1 mod • She publicizes the pair (e,n) as her public key. (e is called RSA
exponent, n is called RSA modulus). She keeps d secret and destroys p, q, and
• Plaintext and ciphertext messages are elements of Zn and e is the encryption key.
4
)(n)(n
)(nZ
)(n
)(n
![Page 5: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/5.jpg)
RSA: Encryption
• Bob wants to send a message x (an element of Zn
*) to Alice.
• He looks up her encryption key, (e,n), in a directory.
• The encrypted message is
• Bob sends y to Alice.5
nxxEy e mod)(
![Page 6: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/6.jpg)
RSA: Decryption
• To decrypt the message
she’s received from Bob, Alice computes
Claim: D(y) = x6
nyyD d mod)(
nxxEy e mod)(
![Page 7: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/7.jpg)
RSA: why does it all work• Need to show
D[E[x]] = x E[x] and D[y] can be computed efficiently if keys
are known E-1[y] cannot be computed efficiently without
knowledge of the (private) decryption key d.
• Also, it should be possible to select keys reasonably efficiently This does not have to be done too often, so
efficiency requirements are less stringent.7
![Page 8: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/8.jpg)
E and D are Inverses
8
nxnx
nxx
nx
nx
nx
nnx
nyyD
t
tn
nt
ed
de
de
d
modmod1
mod)(
mod
mod
mod)(
mod)mod(
mod)(
)(
1)(
Because
From Euler’s Theorem
)(mod1 ned
![Page 9: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/9.jpg)
Tiny RSA example.
• Let p = 7, q = 11. Then n = 77 and
• Choose e = 13. Then d = 13-1 mod 60 = 37.• Let message = 2.• E(2) = 213 mod 77 = 30.• D(30) = 3037 mod 77=2
9
60)( n
![Page 10: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/10.jpg)
Slightly Larger RSA example.
• Let p = 47, q = 71. Then n = 3337 and
• Choose e = 79. Then d = 79-1 mod 3220 = 1019.• Let message = 688232… Break it into 3 digit
blocks to encrypt.• E(688) = 68879 mod 3337 = 1570. E(232) = 23279 mod 3337 = 2756• D(1570) = 15701019 mod 3337 = 688. D(2756) = 27561019 mod 3337 = 232.
10
322070*46)( pq
![Page 11: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/11.jpg)
Security of RSA: RSA assumption• Suppose Oscar intercepts the encrypted
message y that Bob has sent to Alice.• Oscar can look up (e,n) in the public directory
(just as Bob did when he encrypted the message)
• If Oscar can compute d = e-1 mod then he can use to recover the plaintext x.
• If Oscar can compute , he can compute d (the same way Alice did). 11
xnyyD d mod)(
)(n
)(n
![Page 12: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/12.jpg)
Security of RSA: factoring
• Oscar knows that n is the product of two primes
• If he can factor n, he can compute • But factoring large numbers is very difficult:– Grade school method takes divisions.– Prohibitive for large n, such as 160 bits– Better factorization algorithms exist, but they are
still too slow for large n– Lower bound for factorization is an open problem
12
)(n
)( nO
![Page 13: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/13.jpg)
How big should n be?
• Today we need n to be at least 1024-bits– This is equivalent to security provided by 80-bit
long keys in private-key crypto
• No other attack on RSA known– Except some side channel attacks, based on
timing, power analysis, etc. But, these exploit certain physical charactesistics, not a theoretical weakness in the cryptosystem!
13
![Page 14: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/14.jpg)
Key selection
• To select keys we need efficient algorithms to– Select large primes• Primes are dense so choose randomly.• Probabilistic primality testing methods known. Work in
logarithmic time.
– Compute multiplicative inverses• Extended Euclidean algorithm
14
![Page 15: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/15.jpg)
RSA in Practice
• Textbook RSA is insecure– Known-plaintext?– CPA?– CCA?
• In practice, we use a “randomized” version of RSA, called RSA-OAEP– Use PKCS#1 standard for RSA encryptionhttp://www.rsa.com/rsalabs/node.asp?id=2125– Interested in details of OAEP: refer to (section 3.1 of)
http://isis.poly.edu/courses/cs6903/Lectures/lecture13.pdf
15
![Page 16: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/16.jpg)
Some questions
• c1 = RSA_Enc(m1), c2 = RSA_Enc(m2). – What is RSA_Enc(m1m2)?
• Homomorphic property
– What is RSA_Enc(2m1)?• Malleability (not a good property!)
• Is it possible to find inverses mod n (RSA modulus)?
16
![Page 17: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/17.jpg)
Some Questions
• RSA stands for Robust Security Algorithm, right?• If e is small (such as 3)
– Encryption is faster than decryption or the other way round?
• Private key crypto has key distribution problem and Public key crypto is slow– How about a hybrid approach?– Do you know how ssl/ssh works?
17
![Page 18: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/18.jpg)
Some Questions
• I encrypt m with Alice’s RSA PK, I get c– I encryt m again, I get --?– What does this mean?
• What if I do the above with DES?
18
![Page 19: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/19.jpg)
Further Reading
• Section 8.2 of HAC• Section 9 of Stallings
19
![Page 20: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/20.jpg)
Outline of Today’s Lecture
• Discrete Logarithm System• El Gamal Encryption• Digital Signatures
Lecture 3.4: Public Key Cryptography IV
![Page 21: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/21.jpg)
Discrete Logarithm Assumption• Work with a cyclic group G with generator g• Let |G| = m• G = {g0, g1, g2,…,gm-1}
• Given any y = gx in G (where x belongs to Zm), g and and m, it is not possible to compute x
• This is known as the DL assumption• Of course, x should be fairly large – at least
160-bits in length • This suggests that one can possibly use x as
the secret key, and y (and other parameters) as the public key
![Page 22: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/22.jpg)
El Gamal Encryption -- KeyGen• p, q primes such that q|p-1• g is an element of order q and generates a group Gq of
order q – g = g’(p-1)/q (were g’ is the generator of Zp*)
• x in Zq, y = gx mod p• DL assumption -- given (p, q, g, y), it is computationally
hard to compute x– No polynomial time algorithm known– p should be 1024-bits and q be 160-bits
• x becomes the private key and y becomes the public key
![Page 23: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/23.jpg)
ElGamal Encryption/Decryption
• Encryption (of m in Gq):– Choose random r in Zq
– k = gr mod p– c = myr mod p– Output (k,c)
• Decryption of (k,c)– M = ck-x mod p
• Secure under (a variant of) the discrete logarithm assumption
Lecture 3.4: Public Key Cryptography IV
![Page 24: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/24.jpg)
ElGamal Example: dummy
• Let’s construct an example• KeyGen:
– p = 11, q = 2 or 5; let’s say q = 5– g’ = 2 is a generator of Z11*
– g = 22 = 4– x = 2; y = 42 mod 11 = 5
• Enc(3):– r = 4 k = 44 mod 11 = 3– c = 3*54 mod 11 = 5
• Dec(3,5):– m = 5*3-2 mod 11 = 3
Lecture 3.4: Public Key Cryptography IV
![Page 25: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/25.jpg)
El Gamal Security
• Secure against CPA attacks assuming that discrete logarithm is hard
• Not secure against CCA attacks; why?– It is possible to massage the ciphertext in a
meaningful way– Given a ciphertext (k, c), compute k’ = kgr’and c’ =
cyr’ (r’ is picked by the adversary)– Query the decryption oracle on (k’,c’); it decrypts
and returns the response -- m
Lecture 3.4: Public Key Cryptography IV
![Page 26: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/26.jpg)
CCA Security
• Like in the case of symmetric key encryption, we can derive CCA secure encryption using CPA secure encryption
• Just prevent any massaging of the ciphertext• Integrity protection mechanism is needed– But, now a public-key based mechanism is needed
• Digital signatures -- next
Lecture 3.4: Public Key Cryptography IV
![Page 27: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/27.jpg)
Digital Signatures
• Message Integrity– Detect if message is tampered with while in the
transit
• Source/Sender Authentication– No forgery possible
• Non-repudiation– If I sign something, I can not deny later– A trusted third party (court) can resolve dispute
• Many applications – signed email, e-contracts, e-transactions…
![Page 28: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/28.jpg)
Public Key Signatures
• Signer has public key, private key pair• Signer signs using its private key• Verifier verifies using public key of the signer
Lecture 3.4: Public Key Cryptography IV
![Page 29: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/29.jpg)
Security Notion/Model for Signatures
• Existential Forgery under (adaptively) chosen message attack (CMA)– Adversary (adaptively) chooses messages mi of its
choice– Obtains the signature si on each mi
– Outputs any message m (≠ mi) and a signature s on m
Lecture 3.4: Public Key Cryptography IV
![Page 30: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/30.jpg)
RSA Signatures
• Key Generation: same as in encryption• Sign(m): s = md mod N• Verify(m,s): (se == m mod N)
• The above text-book version is insecure; why?• In practice, we use a randomized version of
RSA (implemented in PKCS#1)– Hash the message and then sign the hash
Lecture 3.4: Public Key Cryptography IV
![Page 31: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/31.jpg)
Digital Signature Standard (DSS)
• Adopted as standard in 1994• Security based on hardness of the discrete
logarithm problem
Lecture 3.4: Public Key Cryptography IV
![Page 32: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/32.jpg)
DSS – KeyGen; Signing; Verification• KeyGen: the same way as El Gamal
– p, q primes such that q|p-1– g is an element of order q and generates a group Gq of order q
• g = g’(p-1)/q (were g’ is the generator of Zp*)
– x in Zq, y = gx mod p
• Sign: – Pick random r from Z*q
– k = (gr mod p) mod q; c = (m + xk)r-1 mod q– Output (k,c) and also the message m
• Verify: kc == gm.yk mod p
Lecture 3.4: Public Key Cryptography IV
![Page 33: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/33.jpg)
DSS Example
• Refer to 11.57 of HAC
Lecture 3.4: Public Key Cryptography IV
![Page 34: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/34.jpg)
Some Questions
• I encrypt m with Alice’s ElGamal PK, I get c– I encrypt m again, I get --?– What does this mean?
• Is RSA-OAEP CCA secure?• Is El Gamal CCA secure?
Lecture 3.4: Public Key Cryptography IV
![Page 35: Lecture 3.2: Public Key Cryptography II](https://reader035.fdocuments.net/reader035/viewer/2022070410/568145a4550346895db29752/html5/thumbnails/35.jpg)
Further Reading
• Stalling Chapter 10• HAC Chapter 8 and Chapter 11
Lecture 3.4: Public Key Cryptography IV