Public Key Cryptography - PowerPoint PPT Presentation

1 / 46

About This Presentation

Title:

Public Key Cryptography

Description:

ed 1 (mod (p-1)(q-1)) where p, q are prime factors of n. 32 ... g generates large set of powers gx mod p ('base') x is an integer. y is an integer defined as ... – PowerPoint PPT presentation

Number of Views:70

Avg rating:3.0/5.0

Slides: 47

Provided by: Sun49

Category:

Tags: cryptography | ed | key | powers | public

more less

Transcript and Presenter's Notes

Title: Public Key Cryptography

1
Public Key Cryptography
2
Outline

Foundations
Merkles puzzles, Diffie-Hellman
Trapdoor function model
Practical issues
Examples
Knapsacks, RSA, McEliece,
Goldwasser-Micali, ElGamal

3
Foundations

Two cryptographic problems
privacy Alice wants to send a message to Bob
privately
authentication Alice wants assure Bob a message
from her is authentic
Traditional solution (in the mid-1970s)
prior secrets - but quadratic growth
third - party key server
ideal for closed systems

4
Foundations 2

New direction Public-key cryptography
no prior secrets
no third parties sharing secret keys
ideal for emerging open systems
privacy and authentication
Partial solution Key-agreement protocols
no prior secrets or third parties
privacy only
no authentication, so active attacker can
impersonate

5
Merkles puzzles

R. Merkle (1974, pub. 1978)
Key-agreement protocol
Based on simple cryptographic puzzles
easy to create
moderately hard to solve
a primitive one-way function
Moderate security against eavesdroppers

6
Merkles puzzles 2

Alice
Generates n potential keys k1, k2,, kn at
random
Creates n puzzles P1, P2,, Pn whose solutions
are the potential keys
Sends puzzles to Bob
Bob
Chooses one puzzle Pi at random
Solves puzzle Pi to find key ki
Encrypts fixed message under key ki
Sends encrypted message to Alice

7
Merkles puzzles 3

Alice decrypts encrypted message with n potential
keys to find ki that recovers fixed message
Key ki is now shared secret

8
Merkles puzzles 4

Alices work is easy
creates n puzzles
decrypts encrypted test message with n keys
Bobs work is easy
solves one puzzle
encrypts test message with one key

9
Merkles puzzles 5

Eavesdroppers work is (moderately) hard
solve n puzzles
decrypts encrypted test message with n keys
Main drawback Security increases only linearly
in number of puzzles

10
Diffie-Hellman key agreement

W. Diffie and M. Hellman (1976)
Key agreement protocol
Based on discrete logarithm problem
given prime p, integer g, integer y, find integer
x such that
y gx mod p
hard for sufficiently large p
High security against eavesdroppers
Also called exponential key agreement

11
Diffie-Hellman key agreement 2

System parameters p, g
p is a prime
g generates large set of powers
gx mod p (base)

12
Diffie-Hellman key agreement 3

Alice
Generates integer xA at random (private value)
Computes yAgxA mod p
Sends yA (public value) to Bob
Bob
Generates integer xB at random
Computes yBgxB mod p
Sends yB to Alice

13
Diffie-Hellman key agreement 4

Alice computes zA yBxA mod p
Bob computes zB yAxB mod p
Value zA zB is now a shared secret
(agreed-upon key)
zB yAxB (mod p)
(gxA)xB (mod p)
(gxB)xA (mod p)
(yB)xA (mod p)
zB (mod p)

14
Diffie-Hellman key agreement 5

Alice and Bobs work is easy
compute ygx mod p, zyx mod p,
Eavesdroppers work is hard
solves discrete logarithm-like problem
given
yA gxA mod p, yB gxA mod p,
find z gxAxB mod p
no efficient solutions known
Security is considered superpolynomial in size
of prime
Using the complementation property a brute force
attack requires only 255 DES operations
How expensive is exhaustive search

15
Trapdoor function model

W. Diffie and M. Hellman (1976)
Theoretical framework based on trapdoor one-way
functions
easy to compute
hard to invert, except with trapdoor
information
Privacy and authentication without prior secrets
public-key cryptosystems
digital signature scheme

16
Trapdoor function model 2

Notes
key agreement not in this model - no trapdoors
some public-key cryptosystems in variant of this
model involving randomization
most digital signature schemes in irreversible
variant-authentication only
main contribution trapdoors

17
Trapdoor function model 3

Public key f
Private key f-1
where
f is a trapdoor one-way function
f-1 is the inverse function
f, f-1 generated together

18
Public key cryptosystem

Alice wants to send message m to Bob privately
Bob has a public key f, private key f-1
Alice
Computes cf(m), i.e. encrypts m under Bobs
public key
Sends c (ciphertext) to Bob
Bob computes mf-1 (c), i.e. decrypts c under his
private key

19
Public key cryptosystemm 2

Alices work is easy
compute one-way function f
Bobs work is easy
compute inverse function f-1
Attackers work is hard
inverts one-way function f
No prior secrets

20
Digital signature scheme

Alice wants assure Bob a message m from her is
authentic
Alice has public key f, private key f--1
Alice
Computes sf-1(m), i.e., encrypts m under her
private key
Sends s (signature) to Bob
Bob computes mf(s), i.e., decrypts s under
Alices public key

21
Digital signature scheme 2

Alices work is easy
Bobs work is easy
Attackers work hard
inverts one-way function f
No prior secrets

22
Digital signature scheme 3

Existential forgery
s is a signature for f(s)
message structure overcomes this

23
Practical issues

Hybrid cryptography
public-key and secret-key techniques
message encrypted under secret key for speed
secret key encrypted under public key for
convenience
Hash functions
Key certification
certification authority (CA) signs Alices name,
public key
if Bob trusts CAs public key, he can trust
Alices key
hot lists revoke keys prematurely

24
Knapsacks

R. Merkle and M. Hellman (1977, pub. 1978)
Public-key cryptosystems
Based on knapsack problem
High speed, no security
Digital signatures with some adjustments

25
Knapsacks 2

Knapsack problem
given sequence a1,,an and integer S, find
subsequence whose sum is S
xi ?
0,1
hard in general- NP-complete
easy if elements of A are superincreasing, i.e.,
each element is greater than sum of smaller
elements

26
Knapsacks 3

Public key A
Private keyA, m, w
where
A is a superincreasing sequence (a1,,an)
m is an integer (modulus)
w is an integer
A is a sequence (a1,,an) defined as
aiwai mod m

27
Knapsacks 4

Alice wants to send a message m to Bob privately
Alice
Represents message as bits m1,,mn
Sums selected elements of Bobs public key
Sends c (ciphertext) to Bob

28
Knapsacks 5

Bob
Converts ciphertext to superincreasing form
cw-1c mod m
Solves for message bits

29
Knapsacks 6

Alices, Bobs work is easy
add or subtract selected elements
Attackers work is easy too
solves special case of knapsack problem
turns out to be easy, shown by Shamir
improvements broken by Adlemen and others
Chor-Rivest knapsack, based on different
techniques, still stands

30
RSA

R. Rivest, A. Shamir, L. Adleman (1977, pub.
1978)
Public-key cryptosystem and digital signature
scheme
Based on factoring problem
given composite integer n, find primes p and q
such that npq
hard for sufficiently large n
Also based on root extraction problem
Moderate speed, high security

31
RSA 2

Public key n, e
Private key d
where
n is a composite integer (modulus)
e is an integer (public exponent)
d is an integer (private exponent)
such that
ed ? 1 (mod (p-1)(q-1))
where p, q are prime factors of n

32
RSA 3

Alice
Raises m to the eth power, i.e., encrypts m under
Bobs public key
c me mod n
Sends c (ciphertext) to Bob
Bob raises c to the dth power, I.e., decrypts c
under his private key
m cd mod n

33
RSA 4

Alices work is easy
computes as few as two modular multiplications
Bobs work is easy
computes about 1.5 logn modular multiplications
four times faster given primes p, q

34
RSA 5

Attackers work is hard
solves factoring problem, or root extraction
no efficient solutions known
Security considered superpolynomial in size of
modulus

35
McEliece

R. McEliece (1978)
Public-key cryptosystem
Based on coding theory
High speed, less examined security, randomization
Digital signature scheme later

36
McEliece 2

Public key G
Private key G, S, P
where
G is a Goppa error-correcting code matrix
(details omitted)
S is an invertible matrix
P is a permutation matrix
G is a matrix defined as
GSGP

37
McEliece 3

Encryption
Multiply message m by matrix G
Add correctable errors z to get ciphertext c
Decryption
Multiply ciphertext by inverse permutation matrix
P-1
Correction errors according to Goppa code
Multiply result by inverse matrix S-1

38
Goldwasser-Micali

S. Goldwasser and S. Micali (1984) also called
probabilistic encryption
Public-key cryptosystem
Based on quadratic residuosity problem
given composite integer n, integer x, determine
whether integer x is a square mod n
hard in general
easy given prime factors of n
Moderate speed, provable bit security,
randomization

39
Goldwasser-Micali 2

Public key n, y
Private key p, q
where
n is a composite integer (modulus)
p, q are prime factors of n
y is a nonsquare mod p and q

40
Goldwasser-Micali 3

Encryption
cixi2ymi mod n
where
mi is message bit
xi is random integer
ci is ciphertext block
(n, y) is public key
Decryption mi is 0 if ci is a square mod p and
mod q,
1 otherwise

41
ElGamal

T. ElGamal (1984)
Public-key cryptosystem
Based on discrete logarithm problem variant of
Diffie-Hellman key agreement
Moderate speed (slower than RSA), high security,
randomization
Separate digital signature scheme

42
ElGamal 2

Public key p, g, y
Private key x
where
p is a prime
g generates large set of powers gx mod p (base)
x is an integer
y is an integer defined as
y gx mod p

43
ElGamal 3

Encryption
y gr mod p
c m? yr
where
m is message
r is random integer
(y, c) is ciphertext
(p, g, y) is public key
Decryption
m c? (y)x mod p
where x is private key

44
Other systems

Elliptic curves
Miller (1985), Koblitz (1987), Koyama et al
(1991)
variants of Diffie-Hellman, RSA, etc. based on
elliptic curve operations instead of modular
multiplication
elliptic logarithm problem potentially harder
than discrete logarithm problem
Galois fields, Lucas sequences
Other hard problems

45
Research areas