Chapter 6 Public-Key Cryptography - PowerPoint PPT Presentation

1 / 52
About This Presentation
Title:

Chapter 6 Public-Key Cryptography

Description:

Title: Chapter 4 Public-Key Cryptology Last modified by: nej Created Date: 1/1/1601 12:00:00 AM Document presentation format: Other titles – PowerPoint PPT presentation

Number of Views:290
Avg rating:3.0/5.0
Slides: 53
Provided by: ceyCsAuE
Category:

less

Transcript and Presenter's Notes

Title: Chapter 6 Public-Key Cryptography


1
Chapter 6Public-Key Cryptography
  • Public-Key Cryptosystem
  • RSA Algorithm
  • Key Management
  • Diffie-Hellman Key Exchange
  • Elliptic Curve Cryptography

2
Milestones in Cryptology
  • 1917 Edward Hugh Hebern developed the first
    rotor machine
  • 1971 IBM Lucifer project
  • 1975 DES standard announced
  • 1976 Diffie and Hellman presented public-key
    concept

3
  • Both rotor machines and DES still relied on the
    bread-and-butter tools of substitution and
    permutation.
  • Public key algorithms are based on mathematical
    functions rather than on substitution and
    permutation.
  • Public key cryptography is asymmetric
  • involving the use of two separate keys
  • in contrast to symmetric conventional encryption
    which use only one key.

4
  • The use of two keys in public key algorithm has
    profound in the areas of
  • confidentiality
  • key distribution
  • authentication

5
Three Misconceptions on Public Key
  • It is MORE secure than conventional encryption.
  • Security is based on key length and computational
    cost.
  • There is no such principle that one is better
    than the other.
  • It is a general-purpose technique and has made
    the conventional encryption obsolete.
  • Due to the computational overhead of current
    public-key schemes, the conventional ones are not
    abandoned.

6
  • Its key distribution is trivial!
  • Also involves a central agent.
  • No simpler, nor more efficient, than conventional
    ones.
  • This chapter provides an overview of public-key
    encryption
  • conceptual framework
  • RSA algorithm, the most important
    encryption/decryption algorithm that has been
    shown to be feasible for public-key encryption.
  • Key distribution and management for public-key
    system (Diffie-Hellman key exchange)

7
Diffies Goals in Designing Public Key
  • Key distribution
  • Diffie and Hellman observed that ...What good
    would it do after all to develop impenetrable
    cryptosystems, if their users were forced to
    share their keys with a KDC that could be
    compromised by either burglary or subpoena?...

8
  • Digital Signature
  • Electronic messages and documents need the
    equivalence of signatures used in paper ones.
  • In 1976, Diffie and Hellman came up with a method
    satisfying both goals.

9
6.1 Public-Key Cryptosystem
  • There are two keys
  • encryption key (public key)
  • decryption key (private key)
  • Characteristic of public-key systems
  • It is computationally infeasible to determine the
    decryption key, even if the cryptographic
    algorithm and encryption key are know.
  • Either of the two keys can be used for
    encryption, and the other decryption.
  • If so, authentication can be done.
  • Some algorithms do not enjoy the second property.

10
Public-Key Encryption Procedure
  • Fig (a)
  • Each system generates a pair of public and
    private keys.
  • The public key is placed in a public register or
    file.
  • If A wishes to send a message to B, it encrypts
    the message using Bs public key.
  • When B receives the message, B decrypts it using
    Bs private key.

11
Characteristics of Public-Key System
  • The private key can be computed locally.
  • The private key is NEVER transmitted on the net.
  • At any time, a system can change its
    public-private keys pair.
  • Applications
  • confidentiality
  • authentication
  • confidentiality authentication

12
Public-Key System for Confidentiality
13
Fig. 6.2
  • Source A produces message XX1,X2,,XM
  • M elements of X are letters in some finite
    alphabet.
  • B generates a related pair of keys
  • A public key Kub, publicly available
  • A private key KRb, only known to B
  • A form the cipher text YY1,Y2,,YM by
  • Y E KUb(X)
  • The receiver uses private key to decipher
  • X E KRb(Y)

14
Conventional and Public-Key Encryption
  • Conventional Encryption
  • Needed to Work
  • 1. The same algorithm with the same key is used
    for encryption and decryption
  • 2. The sender and receiver must share the
    algorithm and the key
  • Public-Key Encryption
  • Needed to Work
  • 1. One algorithm is used for encryption and
    decryption with a pair of keys, one for
    encryption and one for decryption
  • 2. The sender and receiver must each have one of
    the matched pairs of keys (not the same one)

15
  • Conventional Encryption
  • Needed for Security
  • 1. The key must be kept secret.
  • 2. It must be impossible or at least impratical
    to decipher a message if no other information is
    available.
  • 3. Knowledge of the algorithm plus samples of
    cipher text must be insufficient to determine the
    key.
  • Public-Key Encryption
  • Needed for Security
  • 1. One of the two keys must be kept secret.
  • 2. It must be impossible or at least impractical
    to decipher a message if no other information is
    available.
  • 3. Knowledge of the algorithm plus one of the
    keys plus samples of cipher text must be
    insufficient to determine the other key.

16
Public-Key System for Authentication
  • If the key pair has the symmetric property, then
    authentication can be done.
  • I.e., the private key can also be used for
    encryption.
  • Fig. (b)
  • Use the private key for encryption, and the
    public key for decryption.

17
Public-Key Authentication
  • NO confidentiality!
  • Its only safe from alternation.

18
Fig 6.1(b) and 6.3
  • The use of public-key encryption to provide
    authentication
  • Source A produce YEKRa(X)
  • Destination B XEKUa(Y)
  • A prepares a message to B and encryps it using
    As private key before transmitting it.
  • B can decrypt the message using As public key.
  • The entire encrypted message serves as a digital
    signature.
  • The message being sent is safe from alteration
    but not from eavesdropping

19
Confidentiality Authentication
  • Using two pairs of public-private keys.

20
Fig. 6.4 Secrecy and Authentication
  • Source A
  • ZEKUbEKRa(X)
  • Destination B
  • XDKUaDKRb(Z)
  • The final cipher text can be decrypted only by
    the intended receiver, who alone has the matching
    private key.
  • The disadvantage is that the public-key algorithm
    is complex.

21
Summary of Public-Key System
  • Applications of public-key algorithm
  • encryption/decryption
  • digital signature
  • key exchange such as exchange session keys
    (shared)
  • Comparison of some Public-Key Systems

22
Requirement of Public-Key Cryptography(Proposed
by Diffie and Hellman)
  • computationally easy for receiver B to generate
    the key pair(public key KUb, private key KRb).
  • computationally easy for sender A to encrypt the
    plaintext CEKUb(M)
  • computationally easy for receiver B to decrypt
    the cipher MDKRb(C)
  • computationally infeasible for an opponent to
    determine the private key KRb, given the public
    key KUb

23
  • computationally infeasible for an opponent to
    determine the plaintext, given the public key KUb
    and ciphertext C
  • encryption and decryption algorithms can be used
    interchangeably, i.e., MEKUb(DKRb(M))DKRb(EKUb(M
    )).
  • The order is optional!!
  • e.g., RSA gt (Me)d (Md)e

24
Trapdoor One-Way Function
  • one-way function
  • map a domain to a range such that every function
    value has a unique inverse
  • with condition
  • the calculating of the function is easy
  • calculating the inverse is infeasible
  • Y f(X) easy
  • X f-1(Y) infeasible
  • Easy is defined by solved in polynomial time, in
    class P (e.g., input is n bits, computational
    cost is na for some constant a).

25
  • Infeasible cost grows faster than polynomial
    time (e.g., 2n)
  • Traditional complexity analysis is on worst
    cases.
  • In cryptoanalysis, the cost should be applied to
    virtually ALL inputs.
  • Trapdoor one-way function
  • is a one-way function
  • easy to calculate in one direction
  • infeasible to calculate in the other direction,
    unless some additional information is known

26
  • Y fk(X) easy, if k and X are known
  • X fk-1(Y) easy, if k and Y are known
  • X fk-1(Y) infeasible, if Y is known
  • but k is unknown
  • The public-key scheme depends on discovery of a
    suitable trapdoor one-way function!!
  • The key size must be large enough to make
    brute-force attack impractical but small enough
    for practical encryption and decryption.

27
  • In practice, the key sizes that have been
    proposed do make brute-force attack impractical
    but result in encryption speed that are too slow
    for general purpose use.
  • Instead, as was mentioned earlier, public-key
    encryption is currently confined to key
    management and signature applications.

28
Crisis of Public-Key Scheme
  • vulnerable to brute-force attack (any one has
    this problem)
  • solution use LARGER keys
  • as key size increases, most trapdoor functions
    increase complexity more than linearity
  • However, this will result in very SLOW
    encryption/decryption.
  • This is why public-key encryption is currently
    confined to key management and signature
    applications.

29
6.2 RSA Algorithm
  • In 1978, Rivest, Shamir, and Adleman at MIT first
    published a solution called RSA, which becomes
    the only widely accepted and implemented
    public-key encryption.
  • RSA
  • block cipher both plaintext and ciphertext are
    between 0 and n-1
  • some number theory background is needed

30
RSA Description
  • Plaintext (M) is encrypted in blocks.
  • The binary value of M lt n.
  • Encryption and Decryption
  • C Me mod n // cihper
  • M Cd mod n (Me)d mod n Med mod n
  • Public key KUe, n
  • Private key KRd, n
  • Requirements
  • There exist e, d, n such that M Med (mod n)
    for all M lt n.
  • It is easy to calculate Me and Cd for all Mltn.
  • It is infeasible to find d given e and n.

31
  • One potential solution Eulers Theorem
  • given the followings
  • two primes p and q
  • two integers n and m
  • such that n pq and 0ltmltn
  • an arbitrary integer k
  • the equation holds mkf(n)1 mk(p-1)(q-1)1 m
    (mod n), where
  • f(n)
  • Euler totient function
  • the number of integers less than n and
    relatively prime to n
  • n pq and we know that p and q are primes.
  • f(n) 1, 2, , n p, 2p, 3p, ,qp q,
    2q, 3q, , pq
  • pq p q 1
  • (p-1)(q-1)

32
  • To apply the Eulers theorem, recall that we want
    the equation Med M (mod n)
  • We can let ed k f(n) 1
  • ltgt ed 1 (mod f(n) (p-1)(q-1))
  • ltgt e d-1 (mod f(n) (p-1)(q-1))
  • According to the rules of modular arithmetic,
    this holds true only if d (and thus e) is
    relatively prime to f(n).
  • That is, gcd(d, f(n)) 1.
  • If so, (Me)d M (mod n).

33
RSA Outline
  • Parameters
  • p and q are two primes (private, chosen)
  • n pq (public, calculated)
  • e, with gcd(f(n), e)1 (public, chosen)
  • d e-1 mod f(n) (private, calculated)
  • encryption with public key CMe (mod n)
  • decryption with private key M Cd (mod n)
  • See Fig. 6.5

34
(No Transcript)
35
(No Transcript)
36
An RSA Example
  • 1. Select two prime numbers, p7, q17
  • 2. Calculate n pq 119
  • 3. Calculate f(n) (p-1)(q-1) 96
  • 4. Select e such that e is relatively prime to
    f(n) 96 and less than f(n) in this case, e5
  • 5. Determine d such that de1 mod 96 and dlt96.
    The correct value is d77, because
    7753854961
  • . gt KU5, 119, KR77,119
  • 6. Let plain M19 gt cipher66
  • gt after decrypt 19

37
(No Transcript)
38
Computational Cost of RSA
  • Encryption
  • the power Me is typically gargantuan
  • fortunately, with mod n, we have
  • (a mod n)(b mod n) mod n ab mod n,
  • so we can reduce the intermediate value!!
  • the exponent e is also large ...
  • M93 M x M x M x ... x M // 93
    multiplications
  • fortunately, we have good solution from algorithm
    class ...
  • M20 M16 M4 M2
  • Can you give an O(log e) algorithm?
  • Decryption
  • Md, which is similar!!

39
Efficiency of exponentiation
  • x16xxxxxxxxxxxxxxx
  • 15 multiplications can be reduced to four
    multiplications
  • x2, x4, x8, x16.
  • If we wish to find the value am, let m be a
    binary number bkbk-1b0
  • m?bi?02i

40
  • Algorithm for compute ab mod n
  • c0 d1
  • for i k down to 0
  • c2c
  • d(d d) mod n
  • if bi1 then
  • cc1
  • d(da) mod n
  • return d

41
  • Key Generation Concern
  • (I) construct the primes p and q
  • As n is available, p and q should be reasonably
    large to avoid a brute-force attack.
  • At present, there are NO useful techniques that
    yield arbitrarily large primes
  • Randomization algorithm to generate probable
    primes KNUT81 Miller-Rabin algorithm
  • 1. pick an odd integer n at random
  • 2. pick an integer a lt n at random
  • 3. test the primality of n against a
  • if n fails, reject n and go back to step 1.
  • if n passes a sufficient number of tests, accept
    notherwise go back to step 2.

42
  • Some properties of prime numbers
  • Primes near are spaced by approximately (ln N)
    integers.
  • Thus, only (ln N) guesses in average are needed.
  • Excluding even numbers only (ln N)/2 guesses!!
  • You can even include multiples of 3, 5, etc.
  • Ex when N2200, ln2200/2 70 trials
  • Key Generation Concern
  • (II) construct d and e
  • randomly choose d and test against f(n) for
    relative primality
  • the probability that two random numbers are
    relative prime is about 0.6 (see Problem 7.1)
  • calculate e d-1
  • extended Euclid algorithm (later in Chapter 7)

43
Possible Attacks on RSA
  • Attack 1 brute force (which is quite impossible)
  • Attack 2 factoring n (which is used in most
    studies)
  • Factor n into two primes p and q.
  • Calculate f(n) (p-1)(q-1).
  • Determine d e-1 (mod f(n) ).
  • Currently, no reasonable algorithm is known to
    factor the product of two primes which is large.
  • The best one takes time

44
  • Attack 3 determine f(n) directly, without
    knowing p and q, then determine d.
  • Attack 4 determine d directly, without knowing
    f(n).
  • Attack 5 timing attack

45
Factoring a Large Number
  • Determining f(n) given n is equivalent to
    factoring n.
  • Determining d given e and n, appears to be at
    least as time-consuming as the factoring problem
  • Thus, we can use factoring performance as a
    benchmark against which to evaluate the security
    of RSA

46
  • MIPS-year
  • the work that can be done by a million-instruction
    s-per-second processor running for one year
  • EX 200-MHz Pentium is about a 50-MIPS-year
    machine.
  • Currently best factoring costs (achieved by
    different algorithms)

47
  • Before RSA-129 challenge, the most widely used
    algorithm is quadratic sieve.
  • A shocking attack to RSA-130 challenge is by GNFS
    (generalized number field sieve), which can
    factor RSA-130 faster than RSA-129 at only 10 of
    the computing effort.
  • Note as the key length increases, the cost to
    encrypt/decrypt also increases.
  • GNFS can be further improved to SNFS (special
    number field sieve).
  • Costs of GNFS and SNFS

48
(No Transcript)
49
  • Attack 3 (determining f(n) given n) and Attack 4
    (determining d given e and n) are at least as
    time-consuming as Attack 2.
  • To avoid n being factored, it is suggested
  • p and q differ by only a few digits (say, both
    75100 digits)
  • (p-1) and (q-1) both contain a large prime factor
  • gcd(p-1, q-1) should be small

50
Timing Attack
  • KOCH96
  • If a snooper can keep track of how long a
    computer takes to decipher a message, the private
    key may be compromised.
  • Ex to perform Cd, such that d 1001001
  • When we use the exponential algorithm, we will
    compute
  • C0 C3 C6
  • The computing time will somehow reflect value of
    d.

51
Countermeasures to Timing Attack
  • Constant running time for all exponential
    calculation
  • Ex C1001 and C1100111 take about the same amount
    time.
  • Random delay
  • Add some random delay to confuse the timing
    attack.

52
  • Blinding
  • Multiply the Ciphertext by a random number before
    performing exponentiation.
  • Ex RSA Data Security
  • r a random number between 0 and n-1
  • at encryption C Cre Mere (mod n)
  • at decryption M (C)d
  • M M r-1 (C)d r-1 Medred r-1
    M1r1 r-1
  • note red r (mod n)
Write a Comment
User Comments (0)
About PowerShow.com