PublicKey Cryptography - PowerPoint PPT Presentation

1 / 26
About This Presentation
Title:

PublicKey Cryptography

Description:

ONE-WAY PROPERTY: The public encryption function should be easy to compute ... inverse function (decryption) should be hard ... Possible application is e-cash. ... – PowerPoint PPT presentation

Number of Views:119
Avg rating:3.0/5.0
Slides: 27
Provided by: bica2
Category:

less

Transcript and Presenter's Notes

Title: PublicKey Cryptography


1
Lecture 6
  • Public-Key Cryptography

2
This Week
  • Public Key Cryptography
  • Cryptography based on Factoring
  • Cryptography based on Discrete Logarithm
  • Secret Sharing
  • Timestamping
  • One-Time Signatures

3
Public Key Encryption
x
Plaintext
Encryption
Decryption
Plaintext
Y
x
Ek
Dk
  • YeK(x) and xdK(Y)
  • It is computationally infeasible to compute Dk
    from Ek.

4
Trapdoor One-Way Function
  • ONE-WAY PROPERTY The public encryption function
    should be easy to compute however computing the
    inverse function (decryption) should be hard (for
    anyone other than the owner of the private key).
  • Here is an example of a function which is
    believed to be one-way
  • n is the product of two large primes p and q and
    let e a positive integer.
  • Is this function sufficient to construct a public
    key cryptosystem?

5
Trapdoor (contd)
  • Finding a one-way function is not sufficient to
    construct a public key cryptosystem.
  • We do not want eK to be a one-way for the private
    key owner. Thus it is necessary he possesses a
    trapdoor, which consists of secret information
    that permits easy inversion of eK.
  • When we find a trapdoor for the function f
    defined in the previous slide, this will lead to
    RSA Cryptosystem.

6
RSA (Key Generation)
  • RSA gets its security from the difficulty of
    factoring large numbers.
  • To generate the two keys, choose two large random
    prime numbers p and q. Compute the product npq
  • Then randomly choose the encryption key e such
    that e and (p-1)(q-1) are relatively prime.
  • Finally use the extended Euclidean algorithm to
    compute the decryption key d, such that
  • The numbers e and n are the public key the
    number d is the private key.

7
RSA (contd)
  • To encrypt a message m, first divide it into
    numerical blocks smaller than n. The encryption
    formula is simply
  • To decrypt a message, take each encrypted block
    and compute
  • Since

8
RSA Signatures
  • Encryption and decryption commute, therefore RSA
    decryption of a message with added redundancy
    forms a signature.
  • Anyone can verify the signature with the public
    key by testing whether after encryption the
    redundant part is intact.

9
Digital Signature
  • Three security services it provides
  • Authentication assurance of the identity of the
    signer.
  • Integrity assurance that the message is not
    altered after it is signed.
  • Non-repudiation blocking a senders false denial
    that he or she signed a particular message, thus
    enabling the receiver to easily prove that the
    sender actually did sign the message.

10
Digital Signatures
11
Homomorphism
  • Neither RSA encryption nor signature is safe to
    use on its own.
  • The reason is that encryption being an algebraic
    process, it preserves certain algebraic
    properties.
  • For example if M1 M2M3 then C1 C2C3 and Sig1
    Sig2Sig3 (multiplicative homomorphism).
  • There are a number of standards that try to stop
    attacks based on this property.

12
Discrete Logarithm Problem
  • A primitive root modulo p is a number whose
    powers generate all the nonzero numbers mod p.
  • For example 5 is a primitive root modulo 7.
  • This means that given any y, we can always solve
    the equation y5x mod 7.
  • Small examples can be solved by inspection, but
    for large prime number p, we do not know how to
    do this computation.
  • So the mapping f x?gx mod p is a one-way
    function.

13
Diffie-Hellman Key Exchange
Source Dr. Kuhns notes
14
ElGamal Encryption
Source Dr. Kuhns notes
15
ElGamal Signature
Source Dr. Kuhns notes
16
Elliptic Curves
  • So far we have considered the Discrete Logarithm
    problem in the finite field Zp, but it is also
    possible to consider the problem in other
    settings.
  • We can implement existing public key algorithms
    including Diffie-Hellman using elliptic curves.
  • The idea is essentially the same but the
    implementation is more complex.
  • The benefit of using elliptic curves is shorter
    key sizes for the same level of security.

17
Selecting Key Size
From ECRYPT 2005 Report (see www.keylength.com)
18
Special-Purpose Signatures
  • Blind Signatures Making signatures on a message
    without knowing what the message is.
  • Possible application is e-cash.
  • Threshold signatures Signing key can be split up
    among n principals so that any k out of n can
    sign a message.
  • For kn the construction is easy.
  • To implement business rules such as
  • a check may be signed by any two of the seven
    directors.

19
Secret Sharing
  • Adi Shamir uses polynomial equations in a finite
    field to construct a threshold scheme.
  • Choose a prime p, which is both larger than the
    number of possible shadows and larger than the
    largest possible secret M.
  • To share a secret, generate an arbitrary
    polynomial of degree m-1. For example if you want
    a (3,n)-threshold scheme (three shadows are
    necessary to reconstruct M), generate a quadratic
    polynomial
  • The shadows are obtained by evaluating the
    polynomial at n different points

20
Timestamping
  • In many situations, people need to certify that a
    document existed on a certain date.
  • One solution based on one-way hash functions and
    digital signatures is as follows
  • The originator produces a one-way hash of the
    document.
  • He transmits the hash to trusted timestamping
    service (TTS).
  • TTS appends the date and time he received the
    hash onto the hash and then digitally signs the
    result.
  • TTS sends the signed hash with timestamp back to
    the originator.
  • What might be the problem here?

21
One-time Signatures (OTS)
  • Offers a viable alternative to public-key
    signatures.
  • Secure
  • Not depend on the difficulty of a mathematical
    problem.
  • Efficient
  • Based only on one-way functions.

22
One-time Signatures (contd)
  • A message sender prepares for a digital signature
    by generating a random number r, which is
    retained as the private value.
  • He then securely distributes the hash of r,
    h(r), where h is a hash function this represents
    the public value and is used by receivers as the
    signature certificate to verify the signature.
  • The signature is sent by distributing the value
    r itself.
  • Receivers verify that this message could only be
    sent by the sender by applying h to r to get
    h(r).
  • In order to sign any 1-bit value, two random
    numbers (r1, r2) are needed this way, both h(r1)
    and h(r2) are pre-distributed but at most one of
    (r1,r2) is revealed as a signature.

23
Signing An Arbitrary-Length Message
  • p out of n random numbers are sufficient to sign
    a b bit length message if the following
    inequality holds for a given n and p

24
Using OTS More Than Once
  • One-Time Signatures has the well-known
    deficiency only one signature can be generated
    per one public key.
  • Solutions
  • On-line/Off-line Signatures
  • Merkles Tree
  • Problem Increased lengths of signatures
  • Hash Chains
  • Another method
  • Server Assisted One-Time Signatures (SAOTS)

25
SAOTS - Setup
  • Each user registers to a server, generates a
    one-time private key (random numbers) and a
    one-time public key (hash values).
  • In a secure fashion, he distributes the one-time
    public key to the server.
  • The server obtains a public key certificate from
    a CA for each registered user (if transparent
    SAOTS is used).

26
SAOTS - Operation
Originator
Receiver 1
VS
Receiver 2
Write a Comment
User Comments (0)
About PowerShow.com