asymm crypto
Post on 14-Apr-2018
-
7/27/2019 Asymm Crypto
1/35
Asymmetric Cryptography
Mahalingam Ramkumar
Department of CSE
Mississippi State University
-
Mathematical Preliminaries
CRT - Chinese Remainder Theorem
Euler Phi Function
Fermat's Theorem
Euler-Fermat's Theorem
-
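CRT
Recall Basic Theorem of Arithmetic
$m = \prod_{i=0}^{n} p_i^{e_i} = \prod_{i=0}^{n} m_i$
$(m_i, m_j) = 1$, $i \neq j$
Consider any number $a \in Z_m$
$a \equiv a_1 \bmod m_1$
$a \equiv a_2 \bmod m_2$
$\vdots$
$a \equiv a_n \bmod m_n$
Now given $a_1 \ldots a_n$, can we find $a$?
Is $a$ unique?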
-
CRT
Example
$180 = 2^2 \cdot 3^2 \cdot 5 = 4 \cdot 9 \cdot 5$
$23 \equiv 3 \bmod 4$
$23 \equiv 5 \bmod 9$
$23 \equiv 3 \bmod 5$
Is there any other number (apart from 23) which satisfies these equations?
Answer - no!
So we could represent 23 as (3,5,3)
4, 9, 5 are orthogonal axes
(3,5,3) are projections of 23 on those axes!
-
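CRT
$x \equiv a_1 \bmod m_1$
$x \equiv a_2 \bmod m_2$
$\vdots$
$x \equiv a_n \bmod m_n$
$x \equiv y \bmod m$, $m = \prod_{i=1}^{n} m_i$, $(m_i, m_j) = 1$, $i \neq j$
Let $M_i = m / m_i$, $N_i = M_i^{-1} \bmod m_i$
$x \equiv y \equiv \sum_{i=1}^{n} a_i M_i N_i \bmod m$
Check: $x \bmod m_i \equiv a_i$
$M_i N_i \bmod m_i \equiv 1$, $M_i N_i \bmod m_j \equiv 0$, $i \neq j$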
-
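CRT - Example
$x \equiv 5 \bmod 13$
$x \equiv 6 \bmod 11$
$x \equiv 9 \bmod 17$
$x \equiv 4 \bmod 19$
$m = 13 \cdot 11 \cdot 17 \cdot 19 = 46189$
$M_1 = 46189 / 13 = 3553$, $N_1 = 3553^{-1} \equiv 4^{-1} \bmod 13 \equiv 10 \bmod 13$
$M_2 = 46189 / 11 = 4199$, $N_2 = 4199^{-1} \equiv 8^{-1} \bmod 11 \equiv 7 \bmod 11$
$M_3 = 46189 / 17 = 2717$, $N_3 = 2717^{-1} \equiv 14^{-1} \bmod 17 \equiv 11 \bmod 17$
$M_4 = 46189 / 19 = 2431$, $N_4 = 2431^{-1} \equiv 18^{-1} \bmod 19 \equiv 18 \bmod 19$
$x \equiv \sum_{i=1}^{4} a_i M_i N_i \bmod 46189$
$x \equiv 5 \cdot 3553 \cdot 10 + 6 \cdot 4199 \cdot 7 + 9 \cdot 2717 \cdot 11 + 4 \cdot 2431 \cdot 18 \bmod 46189$
$x \equiv 12810 \bmod 46189$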
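The CRT construction from the two slides above, as an added example (not part of the original slides). The function names `crt` and `project` are chosen for this example; the inputs are the slide's own numbers.

```python
from math import gcd, prod

def crt(residues, moduli):
    """Solve x = a_i (mod m_i) for pairwise coprime m_i. Returns (x, m)."""
    if len(residues) != len(moduli):
        raise ValueError("need exactly one residue per modulus")
    # The construction only works when (m_i, m_j) = 1 for all i != j.
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(
                    f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    m = prod(moduli)
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = m // m_i
        N_i = pow(M_i, -1, m_i)      # M_i^-1 mod m_i (Python 3.8+)
        x += a_i * M_i * N_i         # term is a_i mod m_i and 0 mod every other m_j
    return x % m, m

def project(a, moduli):
    """The 'projections' of a on the axes m_1..m_n."""
    return tuple(a % m_i for m_i in moduli)

if __name__ == "__main__":
    print(crt([5, 6, 9, 4], [13, 11, 17, 19]))   # slide example
    print(project(23, [4, 9, 5]), crt([3, 5, 3], [4, 9, 5]))
```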
-
CRT - A Useful Relationship
If
$x \equiv a \bmod m_1$
$x \equiv a \bmod m_2$
$\vdots$
$x \equiv a \bmod m_n$
then $x \equiv a \bmod m$
-
Euler Phi Function
How many numbers in $Z_m$ are relatively prime to $m$?
Or how many numbers in $Z_m$ have multiplicative inverses?
$m = \prod_{i=1}^{n} p_i^{e_i}$
$\varphi(m) = \prod_{i=1}^{n} \{ p_i^{e_i} - p_i^{e_i - 1} \}$
-
Euler Phi Function
Special Cases
m is prime; say $m = p$
$\varphi(m) = \varphi(p) = p - 1$ (all numbers 1 to m-1 are relatively prime to a prime number!)
$m = p_1 p_2$
$\varphi(m) = (p_1 - 1)(p_2 - 1)$
Check equation with $e_1 = e_2 = 1$
$\varphi(m = p_1 p_2) = m - \{ p_1 + p_2 - 1 \}$: exclude numbers which are multiples of $p_1$ or $p_2$
$p_1$ multiples of $p_2$
$p_2$ multiples of $p_1$
{0 1 2 3 4 5 6 7 8 9 10 11 12 13 14} (15 = 5x3)
$m = \prod_{i=1}^{n} p_i^{e_i}$
$\varphi(m) = \prod_{i=1}^{n} \{ p_i^{e_i} - p_i^{e_i - 1} \}$
-
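Fermat's Theorem
$a \in Z_p$, $a^{p-1} \equiv 1 \bmod p$
$Z_p = \{0, 1, 2, \ldots, p-2, p-1\}$
Consider $aZ_p$ and $0 \le i, j \le p-1$
Can two terms of $aZ_p$, say $i$, $j$, be equal?
If $ia - ja \equiv 0 \bmod p$ then $p \mid (i - j)a$
Either $p \mid (i - j)$ or $p \mid a$
Only possible if $i - j = 0$ or $i = j$
No two terms can be equal!
$aZ_p$ is a permutation of $Z_p$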
-
Fermat's Theorem - Continued
$a \in Z_p$, $a^{p-1} \equiv 1 \bmod p$
Product of all terms in $Z_p$ and $aZ_p$ should be identical (neglecting 0)
$(p-1)! \, a^{p-1} \equiv (p-1)! \bmod p$
$1 \equiv a^{p-1} \bmod p$
Verify for p = 7, 31 (assignment 3)
-
Euler - Fermat's Theorem
$a^{\varphi(m)} \equiv 1 \bmod m$ if $a \in Z_m$ and $(a, m) = 1$
Proof for $m = p^e$ by induction
Can extend proof for any m due to the multiplicative property of $\varphi(m)$
Verify for $m = 25 = 5^2$ (assignment 3)
Verify for $m = 12 = 2^2 \cdot 3$ (assignment 3)
-
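Square and Multiply Algorithm
How do we efficiently calculate $y \equiv a^x \bmod n$?
Let $b_r b_{r-1} \cdots b_1 b_0$ be binary representation of $x$
$x = \sum_{i=0}^{r} b_i 2^i$
$a^x = \prod_{i=0}^{r} a^{b_i 2^i} = a^{b_r 2^r} a^{b_{r-1} 2^{r-1}} \cdots a^{2 b_1} a^{b_0}$

z = 1
for i = r downto 0
    z = z^2 mod n
    if b_i = 1
        z = z*a mod n
    endif
endfor
y = z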
-
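Square and Multiply Algorithm
Example: $36^{43} \bmod 87$
x = 43 = 101011b; r = 5; a = 36; z = 1
$b_5 = 1$; z = 1; $z = z^2 a \bmod 87 \equiv 36 \bmod 87$
$b_4 = 0$; z = 36; $z = z^2 \bmod 87 \equiv 78 \bmod 87$
$b_3 = 1$; z = 78; $z = z^2 a \bmod 87 \equiv 45 \bmod 87$
$b_2 = 0$; z = 45; $z = z^2 \bmod 87 \equiv 24 \bmod 87$
$b_1 = 1$; z = 24; $z = z^2 a \bmod 87 \equiv 30 \bmod 87$
$b_0 = 1$; z = 30; $z = z^2 a \bmod 87 \equiv 36 \bmod 87$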
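The algorithm and the worked example above as runnable code. This is an added example, not part of the original slides; the function name and the returned trace of intermediate z values are choices made here.

```python
def square_and_multiply(a, x, n):
    """Compute a**x mod n scanning the exponent bits b_r .. b_0.

    Returns (y, trace) where trace holds z after each bit, so it can be
    compared line by line with the hand calculation.
    """
    if x < 0 or n <= 0:
        raise ValueError("need x >= 0 and n > 0")
    z = 1 % n
    trace = []
    for bit in bin(x)[2:]:           # most significant bit first
        z = (z * z) % n              # always square
        if bit == "1":
            z = (z * a) % n          # multiply only when b_i = 1
        trace.append(z)
    return z, trace

def multiplication_count(x):
    """Modular multiplications used: one squaring per bit plus one per 1-bit."""
    bits = bin(x)[2:]
    return len(bits) + bits.count("1")

if __name__ == "__main__":
    y, trace = square_and_multiply(36, 43, 87)
    print(y, trace, multiplication_count(43))
```

Because the multiply step runs only for 1-bits, the running time of this textbook loop depends on the exponent, which matters when the exponent is a private key.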
-
Primality Testing
How do we check if a number n is a prime?
A prime number does not have any factors
No prime smaller than n is a factor
So check all primes smaller than n?
Impractical: say n is a hundred digit prime
How many prime numbers less than n?
Roughly n / log(n)
For a hundred digit number log(n) is less than 250
So the number of primes less than n is of the order of $10^{97}$
Prime numbers are dense
-
Primality Checking
Uses Fermat's theorem
We know if a number n is prime
$a^{n-1} \bmod n \equiv 1$, $(a, n) = 1$
If n is not prime can the above equation hold for some a? - Yes.
How does this help? Do we need to check all possible a?
We do not. If the equation does not hold for even one value of a then it will not hold for at least half the values of a
-
Probabilistic Primality Checking
We have n
For k = 1 to N
    Choose a number a < n randomly
    Check if a | n
        if so n is not prime. Quit
    Check if $a^{n-1} = 1 \bmod n$.
        If test fails n is not prime. Quit.
    Continue
End for
If test passes N checks, probability that n is not prime is $(1/2)^N$
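The procedure above as code, together with a count of how many bases pass the Fermat equation for a given n. This is an added example, not part of the original slides; it tests gcd(a, n) = 1 instead of a | n, matching the (a, n) = 1 condition on the previous slide, and the function names are chosen here.

```python
import random
from math import gcd

def fermat_test(n, rounds=20, rng=None):
    """False means n is certainly composite, True means 'passed all rounds'."""
    rng = rng or random.Random()
    if n < 4:
        return n in (2, 3)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if gcd(a, n) != 1:           # a shares a factor with n
            return False
        if pow(a, n - 1, n) != 1:    # Fermat equation fails
            return False
    return True

def fermat_pass_count(n):
    """Return (passing, coprime): bases a in 1..n-1 with (a, n) = 1, and how
    many of them satisfy a^(n-1) = 1 mod n."""
    coprime = [a for a in range(1, n) if gcd(a, n) == 1]
    passing = [a for a in coprime if pow(a, n - 1, n) == 1]
    return len(passing), len(coprime)

if __name__ == "__main__":
    # Constructed sample inputs: a prime, an ordinary composite, and 561.
    for n in (13, 15, 91, 561):
        print(n, fermat_pass_count(n), fermat_test(n, rounds=30))
```

For 15 exactly half of the coprime bases fail the equation, as the slide states. For 561 = 3 x 11 x 17 no coprime base fails it, so the "at least half" bound never comes into play and only the gcd check can reject that number.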
-
Observations
Choosing large primes randomly is not difficult
    Choose a large odd number
    Check if it is a prime: probabilistic primality testing
    If not prime increment number by 2 and check again
    Remember primes are dense: we'll eventually find one
    For hundred digit numbers the mean search length is only 125 numbers!
Modular exponentiation is trivial with square and multiply algorithm
If p and q are two large primes, and if n = pq, determining p and q given n is extremely difficult!
No known polynomial complexity algorithm for factorization.
-
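RSA (Rivest-Shamir-Adleman)
Choose two large primes p, q. Let $n = pq$
We know $\varphi(n) = (p-1)(q-1)$
Choose $e \in Z_{\varphi(n)}$ such that $(e, \varphi(n)) = 1$
Calculate $d \equiv e^{-1} \bmod \varphi(n)$
Now e is the public encryption key and d is the private decryption key
Remember $ed \equiv 1 \bmod \varphi(n)$ or $ed = k\varphi(n) + 1$
For any $a < n$, $a^{ed} \equiv a \bmod n$. From Euler-Phi Theorem
Throw away p, q, and $\varphi(n)$
Encryption $C \equiv P^e \bmod n$
Decryption $P \equiv C^d \bmod n$
Check $C^d \equiv P^{ed} \equiv P^{k\varphi(n)+1} \equiv (P^{\varphi(n)})^k P \equiv 1^k P \equiv P \bmod n$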
-
Strength of Public Key Cryptography
If modulus is 64 bit value, is PKC as strong as symmetric cryptography with key length of 64 bits?
No: very easy to factorize / calculate discrete logs in such small domains
Typically need modulus of the order of 1024 bits!
Computationally much more expensive than symmetric cryptography: about 3 orders of magnitude more
Usually used only for establishing shared symmetric keys
-
Exponential Ciphers
Exponential Ciphers
Diffie-Hellman
El Gamal
HASH Functions
Signature Schemes
-
Order of a number
Let $Z_p = \{0, 1, \ldots, p-1\}$
What is the order of a number $a \in Z_p$?
The minimum value of x such that $a^x \equiv 1 \bmod p$
Example - order of 1 is 1
Order of $p-1$ is 2 (Why?)
Order of any number divides $p-1$
Or order of any number is of the form $(p-1)/d$
How many numbers of order $p-1$? $\varphi(p-1) = \varphi(\varphi(p))$
How many numbers of order $(p-1)/d$? $\varphi((p-1)/d)$
Let p = 7. Orders of numbers 1 to 6 are
Element 1 2 3 4 5 6
Order   1 3 6 3 6 2
A number of full order is called a GENERATOR
-
Diffie Hellman Key Exchange
Large prime p, and g preferably a generator
Public values p, g
Alice chooses $a \in Z_p$ and calculates $g^a \bmod p$
Bob chooses $b \in Z_p$ and calculates $g^b \bmod p$
Shared secret between Alice and Bob is $K \equiv g^{ab} \bmod p$
Alice can calculate Kagab mod p
Bob can calculate Kb
gba
mod p
-
El Gamal Cryptosystem
Large prime p, and g preferably a generator
Public values p, g
Alice chooses $a \in Z_p$ and calculates $g^a \bmod p$
Alice's public key , private key a
Message from Bob to Alice, PBob chooses a random kZpBob calculatesgk mod p,CPk mod pBob sends,C to AliceAlice calculatesa mod p and PC1 mod p
C1Pka1Pgakgka1Pgakgak1P mod p
Bob masks message P with $g^{ak}$
Sends a clue $g^k \bmod p$ for unmasking
Caution - should use different k every time!
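The mask-and-clue exchange above as code, showing that the mask is the Diffie-Hellman shared value and why a repeated k is a problem. This is an added example, not part of the original slides; it uses p = 79, g = 7 and a = 43 from the signature example later in the deck, and the function names, the message values and k are constructed here.

```python
# Toy parameters, far too small for real use.
P_MOD, G = 79, 7

def public_key(a, p=P_MOD, g=G):
    return pow(g, a, p)

def elgamal_encrypt(pub, P, k, p=P_MOD, g=G):
    """Return (clue, C) with clue = g^k mod p and C = P * pub^k mod p."""
    if not 0 < P < p:
        raise ValueError("message must be in 1..p-1")
    clue = pow(g, k, p)
    mask = pow(pub, k, p)            # g^(ak): the Diffie-Hellman shared value
    return clue, (P * mask) % p

def elgamal_decrypt(a, clue, C, p=P_MOD):
    mask = pow(clue, a, p)           # (g^k)^a = g^(ak), same mask as the sender
    return (C * pow(mask, -1, p)) % p

def ratio_under_reused_k(C1, C2, p=P_MOD):
    """With the same k the mask cancels: C1/C2 = P1/P2 mod p."""
    return (C1 * pow(C2, -1, p)) % p

if __name__ == "__main__":
    a = 43
    pub = public_key(a)
    clue, C1 = elgamal_encrypt(pub, 12, k=5)
    print(pub, clue, C1, elgamal_decrypt(a, clue, C1))
    _, C2 = elgamal_encrypt(pub, 30, k=5)        # same k reused
    # The ciphertext ratio equals the plaintext ratio, without any key.
    print(ratio_under_reused_k(C1, C2), (12 * pow(30, -1, P_MOD)) % P_MOD)
```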
-
RSA vs El Gamal
For RSA every node uses a different modulus
    Each node has to generate two primes: generating primes is much more computationally intensive than exponentiation
For El Gamal all nodes can use the same p, g
    Easy to choose private key!
    Extra bandwidth needed for mask
    Usually, as asymmetric crypto is used just for transmitting a single value, El Gamal needs twice the bandwidth of RSA
-
Hash Functions
h = H(M)
M can be of any size
h is always of fixed size
Typically h
-
Birthday Paradox
50 people in a room: what is the probability that two people have the same birthday?
Extremely high: about 0.977
A message M hashes to N bits, say h. What is the probability that another message $M_1$ hashes to h?
$1/2^N$: we need to search $2^N$ to see a hit.
What is the probability that two messages have the same hash?
We need to search only $2^{N/2}$ messages
64 bit hash is not strongly collision resistant
Normally we use 160 bit hash functions
-
MD5 - 128 bit hash
Message length K
Pad message with P bits such that K+P is 448 mod 512 (64 bits less than a multiple of 512)
Padding is done even if K is already 448 mod 512!
Padding is 1 followed by P-1 zeros
Length of padding is at least 1. Maximum value is 512
Append length as a 64 bit value. Total length is L x 512
Output h initialized to four fixed 32 bit quantities A, B, C, D
-
MD5
[Figure: chain of HMD5 stages starting from the IV. Block 1, Block 2, ..., Block L (512 bit each) are fed into successive HMD5 stages; the value passed between stages and the final output are 128 bit.]
Each HMD5 block involves 64 rounds of data mangling
4 stages of 16 rounds each
Each stage has different compression functions F, G, H, I
Each round uses an entry from a fixed Table of length 64
Every bit of the hash code is a function of every bit of input
Other hash functions: SHA, SHA-1, RIPEMD-160
-
Digital Signatures
Signer and verifier
Anyone should be able to verify a signature
DS with public key cryptography
    Signer encrypts message with his private key
    Verifier checks (decrypts) with signer's public key
Usually only message hash is signed!
-
RSA Signature scheme
Message M
h = H(M)
Alice signer. Private key d, public key e, modulus n.
Signature $s = h^d \bmod n$
Signed message M | s
Verification
    Verifier calculates h = H(M)
    Checks if $s^e \bmod n$ equals h
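The RSA slide earlier in the deck and the signature scheme above, as one added example (not part of the original slides). Assumptions made here: the two primes are the Mersenne primes 2^61 - 1 and 2^89 - 1, picked only so the example is reproducible; e = 65537; H is SHA-256 reduced mod n; the function names are chosen for this example. As on the slides, no padding is applied.

```python
import hashlib
from math import gcd

def rsa_keygen(p, q, e=65537):
    """Return ((e, n), (d, n)). p, q and phi(n) are discarded afterwards."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must satisfy (e, phi(n)) = 1")
    d = pow(e, -1, phi)              # d = e^-1 mod phi(n)
    return (e, n), (d, n)

def rsa_encrypt(pub, P):
    e, n = pub
    if not 0 <= P < n:
        raise ValueError("plaintext must be smaller than the modulus")
    return pow(P, e, n)              # C = P^e mod n

def rsa_decrypt(priv, C):
    d, n = priv
    return pow(C, d, n)              # P = C^d mod n

def digest(M, n):
    # Assumption of this example: SHA-256 output reduced mod n.
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % n

def rsa_sign(priv, M):
    d, n = priv
    return pow(digest(M, n), d, n)   # s = h^d mod n

def rsa_verify(pub, M, s):
    e, n = pub
    return pow(s, e, n) == digest(M, n)   # does s^e mod n equal h?

# Constructed toy primes: too small and too structured for real keys.
TOY_P, TOY_Q = 2**61 - 1, 2**89 - 1

if __name__ == "__main__":
    pub, priv = rsa_keygen(TOY_P, TOY_Q)
    C = rsa_encrypt(pub, 0x1234567890ABCDEF)
    print(hex(rsa_decrypt(priv, C)))
    s = rsa_sign(priv, b"pay Bob 10")
    print(rsa_verify(pub, b"pay Bob 10", s), rsa_verify(pub, b"pay Bob 99", s))
```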
-
El Gamal Signature Scheme
Large prime p, and g preferably a generator
Public values p, g
Message M.
Message hash $h = H(M)$
Alice chooses $a \in Z_p$ and calculates $g^a \bmod p$
Alice's public key , private key a
To sign h Alice chooses $1 \le k \le p-2$ and calculates
gk mod phak1 modp1
Send M
Verificationgagkhak1
gaghagh mod p
-
El Gamal Signature - Example
p = 79, g = 7
Alice's private key a = 43
$g^a \bmod p \equiv 7^{43} \equiv 48 \bmod 79$
Let hash of a message be 12
Alice chooses k = 5, $k^{-1} \bmod (p-1) \equiv 47 \bmod 78$
$g^k \bmod p \equiv 7^5 \equiv 59$
hak11243594741 mod p1
$48^{59} \cdot 59^{41} \equiv 8 \bmod 79$
Check $g^h \bmod p \equiv 7^{12} \bmod 79 \equiv 8 \bmod 79$
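The numeric example above re-computed in code. This is an added example, not part of the original slides; the names `y`, `r` and `s` for the public key and the two signature components are chosen here because the slide's own symbols did not survive, and the range checks in the verifier are an addition of this example.

```python
from math import gcd

def elgamal_public(p, g, a):
    return pow(g, a, p)                       # y = g^a mod p

def elgamal_sign(p, g, a, h, k):
    """Return (r, s) with r = g^k mod p, s = (h - a*r) * k^-1 mod (p-1)."""
    if not 1 <= k <= p - 2 or gcd(k, p - 1) != 1:
        raise ValueError("k must be in 1..p-2 and invertible mod p-1")
    r = pow(g, k, p)
    s = ((h - a * r) * pow(k, -1, p - 1)) % (p - 1)
    return r, s

def elgamal_verify(p, g, y, h, r, s):
    """Accept when y^r * r^s = g^h mod p."""
    # Range checks added in this example: reject components outside the
    # ranges a signer can produce.
    if not (0 < r < p and 0 <= s < p - 1):
        return False
    return (pow(y, r, p) * pow(r, s, p)) % p == pow(g, h, p)

if __name__ == "__main__":
    p, g, a, h, k = 79, 7, 43, 12, 5          # values from the slide
    y = elgamal_public(p, g, a)
    r, s = elgamal_sign(p, g, a, h, k)
    print(y, r, s)                            # 48 59 41
    print(elgamal_verify(p, g, y, h, r, s))   # True
    print(elgamal_verify(p, g, y, 13, r, s))  # False: different hash
```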
-
Schnorr Signature Scheme
Large prime p, and smaller prime q such that $q \mid (p-1)$
Typically p is 1024 bits and q is 160 bits
A number $g_q$ of order q
Public values p, q, $g_q$
Alice chooses $a \in Z_p$ and calculates $g_q^a \bmod p$
Alice's public key , private key a
Message M. Hash function H.
To sign a message
HMgqk ,1kq1
ka mod qBoth and are 160 bit quantities!Verification
H Mg H Mgkag a HMgk mod p