public-key cryptographyprofs.scienze.univr.it/~merro/sicurezzadellereti/lec03-crypto-pk.pdf · the...

Public-Key Cryptography

Luca Viganò

Dipartimento di InformaticaUniversità di Verona

Sicurezza delle RetiA.A. 12/13Lecture 3

Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 1 / 86

Massimo Merro

1 Introduction to Public-Key Cryptography2 Number Theory3 The RSA Algorithm4 Asymmetric algorithms for secret key distribution

Secret key distribution with RSADiffie-Hellman key exchangeElGamal variant of Diffie-Hellman key exchangeMassey-Omura scheme

5 Message integrity and cryptographic hashes6 Message authentication

Message authentication codesDigital signatures

7 Conclusions8 Appendix on number theory


Introduction to Public-Key Cryptography

Outline1 Introduction to Public-Key Cryptography2 Number Theory3 The RSA Algorithm4 Asymmetric algorithms for secret key distribution







Motivation

Public key cryptography was born in May 1975, the child of twoproblems: the key distribution problem and the problem of signa-tures. The discovery consisted not of a solution, but of the recog-nition that the two problems, each of which seemed unsolvableby definition, could be solved at all and that the solutions to bothcame in one package.

Whitfield Diffie, The first-ten years of public key cryptography ,1988

Let’s consider to what extent these problems are “solved”.



Public-key cryptography

Let {Ee | e 2 K} and {De | e 2 K} form an encryption schema.Consider transformation pairs (Ee, Dd) where knowing Ee it isinfeasible, given c 2 C to find an m 2M where Ee(m) = c. Thisimplies it is infeasible to determine d from e.) Ee constitutes a trap-door one-way function with trapdoor d .Public key as e can be public information:



Public-key cryptography: encryption/authentication

Plaintextinput

Bobs'spublic key

ring

Transmittedciphertext

PlaintextoutputEncryption algorithm

(e.g., RSA)Decryption algorithm(reverse of encryption

algorithm)

Figure 9.1 Public-Key Cryptography

Joy

Mike

Mike Bob

TedAlice

Alice's publickey

Alice 's privatekey

(a) Encryption

Plaintextinput

Transmittedciphertext

PlaintextoutputEncryption algorithm

(e.g., RSA)Decryption algorithm(reverse of encryption

algorithm)

Bob's privatekey

Bob's publickey

Alice'spublic key

ring

Joy Ted

(b) Authentication



Symmetric vs. Asymmetric (Public-Key) Encryption

Table 9.1 CONVENTIONAL AND PUBLIC-KEY ENCRYPTION

Conventional Encryption Public-Key Encryption

Needed to Work:

1. The same algorithm with the same key is used forencryption and decryption.

2. The sender and receiver must share the algorithm and thekey.

Needed for Security:

1. The key must be kept secret.

2. It must be impossible or at least impractical to decipher amessage if no other information is available.

3. Knowledge of the algorithm plus samples of ciphertext mustbe insufficient to determine the key.

Needed to Work:

1. One algorithm is used for encryption and decryption with apair of keys, one for encryption and one for decryption.

2. The sender and receiver must each have one of the matchedpair of keys (not the same one).

Needed for Security:

1. One of the two keys must be kept secret.

2. It must be impossible or at least impractical to decipher amessage if no other information is available.

3. Knowledge of the algorithm plus one of the keys plussamples of ciphertext must be insufficient to determine theother key.



Encryption using public-key cryptography

BobAlice

PassiveAdversary

mm

d

encryptionE (m) = ce D (c) = m

decryptiond

destinationplaintextsource

cunsecured channel

unsecured channele key

source

When Alice can determine the message authentity of e, public-keycryptography provides her a confidential (secret) channel to Bob.



Public-Key Cryptosystem: Secrecy

MessageSource

Cryptanalyst

Key PairSource

DestinationX X

^

Y

PRb

PUb

Figure 9.2 Public-Key Cryptosystem: Secrecy

EncryptionAlgorithm

DecryptionAlgorithm

PRb

X̂

Source A Destination B



Public-Key Cryptosystem: Authentication

MessageSource

Cryptanalyst

Key PairSource

DestinationX X

^

Y

PRa

PRa

PUa

Figure 9.3 Public-Key Cryptosystem: Authentication

EncryptionAlgorithm

DecryptionAlgorithm




Public-Key Cryptosystem: Secrecy and Authentication

MessageSource

MessageDest.

X

Figure 9.4 Public-Key Cryptosystem: Authentication and Secrecy

EncryptionAlgorithm

Key PairSource

PUb PRb


Key PairSource

PRa PUa

Y EncryptionAlgorithm

Z DecryptionAlgorithm

Y DecryptionAlgorithm

X



Requirements for Public-Key Cryptography

1 It is computationally easy for B to generate a pair (public key PUb,private key PRb).

2 It is computationally easy for sender A, knowing PUb and M, togenerate

C = E(PUb, M) .

3 It is computationally easy for receiver B to decrypt C using PRb torecover M:

M = D(PRb, C) = D(PRb, E(PUb, M)) .

4 It is computationally infeasible for an adversaryknowing PUb to determine PRb,knowing PUb and C to recover M.

5 (Useful, but not always necessary) The two keys can be applied ineither order:

M = D(PUb, E(PRb, M)) = D(PRb, E(PUb, M)) .



Requirements for Public-Key Cryptography (cont.)

These are difficult requirements.As a matter of facts only a few algorithms enjoying the aboverequirements have received widespread acceptance so far:

Encryption/

Algorithm Decryption Digital Signature Key Exchange

RSA Yes Yes YesElliptic Curve Yes Yes YesDiffie-Hellman No No YesDSS No Yes No



Trapdoor one-way functions

A function f : X ! Y is a one-way function, if f is “easy” tocompute for all x 2 X , but f�1 is “hard” to compute.

Example: Problem of modular cube roots.Select primes p = 48611 and q = 53993.Let n = pq = 2624653723 and X = {1, 2, . . . , n � 1}.Define f : X ! N by f (x) = x3 mod n.Example: f (2489991) = 1981394214. Computing f is easy.Inverting f is hard: find x which is cubed and yields remainder!

A trapdoor one-way function is a one-way function fk : X ! Ywhere, given extra information k (the trapdoor information) it isfeasible to find, for y 2 Im(f ), an x 2 X where fk (x) = y .

Example: Computing modular cube roots (above) is easy when pand q are known (basic number theory).



Public-key Cryptoanalysis

Brute-force attacks.

Countermeasure: use large keys!But tradeoff is necessary as complexity of encryption/decryptionmay not scale linerarly with the length of the key.In practice: public-key encryption is confined to key managementand digital signature.

Computing private key from public key.

No proof that this attack is unfeasible! (Even for RSA)Probable-message attack.

Suppose a short message M (e.g. a 56-bit DES key) is sentencrypted with PUa, i.e. C = E(PUa, M). The attacker computesall Yi = E(PUa, Xi) for all possible plaintext Xi for i = 1, . . . , 256

and stops as soon as Yi = C concluding that M = Xi (themessage sent).Solution: append some random bits to M.


Massimo Merro

Number Theory







Number Theory

Prime Factorization

Numbers: naturals N = {0, 1, 2, . . .}, integers Z = {0, 1,�1, . . .},primes = {2, 3, 5, 7, ...}.To factor a number n is to write it as a product of other numbers,e.g. n = a ⇤ b ⇤ c.Multiplying numbers is easy, factoring numbers appears hard.We cannot factor most numbers with more than 1024 bits.The prime factorization of a number a amounts to writing it as aproduct of powers of primes:

a = ⇧p2P pap = 2a2 ⇤ 3a3 ⇤ 5a5 ⇤ 7a7 ⇤ 11a11 ⇤ · · ·

where P is the set of prime numbers and ap 2 N.For example:

91 = 7 ⇤ 133600 = 24 ⇤ 32 ⇤ 52


Massimo Merro

Number Theory

Relatively prime numbers & gcd

Divisors: a 6= 0 divides b (written a |b ) if 9m. ma = b.Examples: 3 |6, 36 |7, 36 |10.Two numbers a, b are relatively prime if they have no commondivisors/factors apart from 1, i.e. if gcd(a, b) = 1.For instance, 8 and 15 are relatively prime since

factors of 8 are 1,2,4,8,factors of 15 are 1,3,5,15,and 1 is the only common factor.

Conversely we can determine the greatest common divisor bycomparing their prime factorizations and using least powers.For example, 150 = 21 ⇤ 31 ⇤ 52, 18 = 21 ⇤ 32 hencegcd(18, 150) = 21 ⇤ 31 ⇤ 50 = 6.

See appendix for more on number theory.


Number Theory

Modular Arithmetics

8a n.9q r . (a = q ⇤ n + r) where 0 r < n.

Here r is the remainder , which we write as r = a mod n .

a, b 2 Z are congruent modulo n, if a mod n = b mod n.

We write this as a =n b .

Properties:

(a • b) =n (a mod n) • (b mod n) for • 2 {+,�, ⇤}i.e., (a • b) mod n = [(a mod n) • (b mod n)] mod n

If a ⇤ b =n a ⇤ c and a relatively prime to n, then b =n c.

Modulo operator has following properties (of congruences):1 a =n a2 a =n b ) b =n a3 (a =n b ^ b =n c)) a =n c


Massimo Merro

Massimo Merro

Massimo Merro

Number Theory

Modular Arithmetics (cont.)

Examples:

2 = (5 ⇤ 6) mod 4= [(5 mod 4) ⇤ (6 mod 4)] mod 4= (1 ⇤ 2) mod 4

8 ⇤ 4 =3 8 ⇤ 1 ) 4 =3 1

Additional property of modulo: if a1 =n b1 and a2 =n b2, then

(a1 + a2) =n (b1 + b2) and (a1 ⇤ a2) =n (b1 ⇤ b2)

This can also be expressed as

[(a1 mod n) + (a2 mod n)] mod n = (a1 + a2) mod n

and

[(a1 mod n) ⇤ (a2 mod n)] mod n = (a1 ⇤ a2) mod n

Also: if a ⇤ b =n a ⇤ c and a relatively prime to n, then b =n c.Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 20 / 86

Number Theory

Modular Arithmetics (cont.)

Theorem

Suppose that a, b 2 Z are relatively prime. There is a c 2 Z satisfyingbc mod a = 1, i.e., we can compute b�1 mod a.

Proof: From Extended Euclidean Algorithm, there exist x , y 2 Z where

1 = ax + by

Since a|ax , we have by mod a = 1. Assertion follows with c := y .

Fermat’s little theorem

For a and n relatively prime and n prime

an�1 =n 1

Example: 46 mod 7 = 16 ⇤ 16 ⇤ 16 mod 7 = 2 ⇤ 2 ⇤ 2 mod 7 = 1.


Number Theory

Euler Totient Function

When doing arithmetic modulo n.Complete set of residues is 0, . . . , n � 1.Reduced set of residues consists of those numbers (residues)which are relatively prime to n.For instance, for n = 10:

complete set of residues is {0, 1, 2, 3, 4, 5, 6, 7, 8, 9},reduced set of residues is {1, 3, 7, 9}.

Number of elements in reduced set of residues is called the EulerTotient Function �(n).

In other words, �(n) is the number of positive integers less than nwhich are relatively prime to n.�(n) is the number of a 2 {1, 2, . . . , n � 1} with gcd(a, n) = 1.

n 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15�(n) 1 1 2 2 4 2 6 4 6 4 10 4 12 6 8


Number Theory

Euler’s Totient Function and Euler’s Theorem

Properties:

�(1) = 1.�(p) = p � 1 if p is prime.

�(p ⇤ q) = �(p) ⇤ �(q) = (p � 1) ⇤ (q � 1) if p and q are prime(p 6= q).

So that Fermat’s little theorem (for a and n relatively prime and nprime) can be rewritten to

Euler’s Theorem

a�(n) =n 1 for all a, n such that gcd(a, n) = 1.

Examples:

If a = 3 and n = 10, then �(10) = 4 and 34 = 81 =10 1If a = 2 and n = 11, then �(11) = 10 and 210 = 1024 =11 1


The RSA Algorithm







The RSA Algorithm

The RSA Algorithm

Named after inventors: Rivest, Shamir, Adleman, 1978.

Published after 1976 challenge by Diffie and Hellman.

Security comes from difficulty of factoring large numbers.Keys are functions of a pairs of large, � 100 digits, primenumbers.

Most popular public-key algorithm.Used in many applications, e.g., PGP, PEM, SSL, ...


Massimo Merro

Massimo Merro

The RSA Algorithm

The RSA Algorithm

Let n be a number known by sender and receiver.Plaintext split in blocks of dlog2(n)e bits.Thus each block represents a number M such that M < n.Encryption and decryption are defined as follows:

C = Me mod nM = Cd mod n = (Me)d mod n = Med mod n

for some (properly chosen) values of e and d .It is a public-key encryption algorithm with

public key PU = {e, n} andprivate key PR = {d , n}.


The RSA Algorithm

The RSA Algorithm (cont.)

For the RSA algorithm to work, the following requirements must bemet:

1 It is possible to find values of e, d , and n such thatMed mod n = M for all M < n.

2 It is relatively easy to calculate Me mod n and Cd mod n for allvalues of M < n.

3 It is unfeasible to determine d given e and n.


The RSA Algorithm

Correctness of RSA

We must show that there exist e, d , and n such that

Med mod n = M

for all M < n.It can be shown that the above equation holds if e and d aremultiplicative inverses mod �(n), i.e. if

d =�(n) e�1

iffde =�(n) 1 iffed mod �(n) = 1

But this is true only if d (and hence e) is relatively prime to �(n), i.e. ifgcd(�(n), d) = 1.


The RSA Algorithm

Correctness of RSA


Med mod n = M


d =�(n) e�1 iffde =�(n) 1

iffed mod �(n) = 1



The RSA Algorithm

Correctness of RSA


Med mod n = M


d =�(n) e�1 iffde =�(n) 1 iffed mod �(n) = 1



(using Fermat’s little theorem)

The RSA Algorithm

RSA algorithms

Generate a public/private key pair:1 Generate two (large) distinct primes p and q.2 Compute n = pq and � = (p � 1)(q � 1).3 Select an e, 1 < e < �, relatively prime to �.4 Compute d = e�1 mod �.5 Publish (e, n), keep (d , n) private, discard p and q.

Encryption with key (e, n)1 Break message M into blocks M1M2 · · · with Mi < n

2 Compute Ci = Mei mod n.

Decryption with key (d , n):1 Compute Mi = Cd

i mod n.


The RSA Algorithm

RSA algorithms: Example

Generate a public/private key pair:1 Generate two (large) distinct primes p and q.2 Compute n = pq and � = (p � 1)(q � 1).3 Select an e, 1 < e < �, relatively prime to �.4 Compute d = e�1 mod �.5 Publish (e, n), keep (d , n) private, discard p and q.



Decryption with key (d , n) :1 Compute Mi = Cd

i mod n


The RSA Algorithm


Generate a public/private key pair:1 Generate p = 47, q = 712 Compute n = pq and � = (p � 1)(q � 1).3 Select an e, 1 < e < �, relatively prime to �.4 Compute d = e�1 mod �.5 Publish (e, n), keep (d , n) private, discard p and q.




i mod n


The RSA Algorithm


Generate a public/private key pair:1 Generate p = 47, q = 712 Compute n = pq = 3337 and � = (p � 1)(q � 1) = 46 ⇤ 70 = 32203 Select an e, 1 < e < �, relatively prime to �.4 Compute d = e�1 mod �.5 Publish (e, n), keep (d , n) private, discard p and q.




i mod n


The RSA Algorithm


Generate a public/private key pair:1 Generate p = 47, q = 712 Compute n = pq = 3337 and � = (p � 1)(q � 1) = 46 ⇤ 70 = 32203 Choose e = 79 (randomly in the interval [1..3220])4 Compute d = e�1 mod �.5 Publish (e, n), keep (d , n) private, discard p and q.




i mod n


The RSA Algorithm


Generate a public/private key pair:1 Generate p = 47, q = 712 Compute n = pq = 3337 and � = (p � 1)(q � 1) = 46 ⇤ 70 = 32203 Choose e = 79 (randomly in the interval [1..3220])4 Compute d = 79�1 mod 3220 = 10195 Publish (e, n), keep (d , n) private, discard p and q.




i mod n


The RSA Algorithm


Generate a public/private key pair:1 Generate p = 47, q = 712 Compute n = pq = 3337 and � = (p � 1)(q � 1) = 46 ⇤ 70 = 32203 Choose e = 79 (randomly in the interval [1..3220])4 Compute d = 79�1 mod 3220 = 10195 Public key (e, n) = (79, 3337), private key (d , n) = (1019, 3337)




i mod n


The RSA Algorithm



Encryption with key (e, n) = (79, 3337)1 Break message M into blocks M1M2 · · · with Mi < n



i mod n


The RSA Algorithm



Encryption with key (e, n) = (79, 3337)1 Break message M into blocks, e.g. 688 232 687 966 668 · · ·2 Compute Ci = Me

i mod n.


i mod n


The RSA Algorithm



Encryption with key (e, n) = (79, 3337)1 Break message M into blocks, e.g. 688 232 687 966 668 · · ·2 Compute C1 = 68879 mod 3337 = 1570, C2 = ...


i mod n


The RSA Algorithm




Decryption with key (d , n) = (1019, 3337):1 Compute Mi = Cd

i mod n


The RSA Algorithm




Decryption with key (d , n) = (1019, 3337):1 Compute M1 = 15701019 mod 3337 = 688, M2 = ...


The RSA Algorithm

RSA Security

Computation of secret d given (e, n).As difficult as factorization. If we can factor n = pq then we cancompute � = (p � 1)(q � 1) and hence d = e�1 mod �.

No known polynomial time algorithm.But given progress in factoring, n should have at least 1024 bits.

Computation of Mi , given Ci , and (e, n).Unclear (= no proof) whether it is necessary to compute d , i.e., tofactorize n.

) Progress in number theory could make RSA insecure.


Massimo Merro

Massimo Merro

Asymmetric algorithms for secret key distribution








The key distribution problem

K1

K2K3

K4

K5

For n = 1000, we need 499,500 symmetric versus 2000asymmetric keys.Trust:What good would it do after all to develop impenetrablecryptosystems, if their users were forced to share their keyswith a key distribution center that could be compromised byeither burglary or subpoena?”

Whitfield Diffie, The first-ten years of public key cryptography, 1988Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 35 / 86



Use public key encryption algorithms to support (faster) symmetriccryptography.

We will see two approaches:Secret key distribution with RSA.Diffie-Hellman key exchange.


Asymmetric algorithms for secret key distribution Secret key distribution with RSA







Asymmetric algorithms for secret key distribution Secret key distribution with RSA

Secret key distribution with RSA

Encryption of m (with public key (e, n)):choose k randomly

c = (ke mod n, Ek (m))

Decryption (with private key (d , n))Split c into (c1, c2)

k = cd1 mod n m = Dk (c2)

Example: SSLAlice chooses a secret, encrypts it with Bob’s PK and rest of thesession is protected based on that secret.

Problem: if the private key (d , n) gets compromised, then k canbe recovered by an intruder from previously observed traffic.


Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange








Background on discrete logarithms

A primitive root s of a prime number p is a number whose powersgenerate 1, . . . , p � 1.So s mod p, s2 mod p, . . ., sp�1 mod p are distinct, i.e., apermutation of 1 through p � 1. Hence:

8b 2 Z.9i 2 {0, . . . , p � 1}. b = si mod p

Given b 2 Z, exponent i above is the discrete logarithm of b forbase s, mod p.Computing discrete logs appears infeasible.


Massimo Merro

(b < p)


Diffie-Hellman key exchange

1 Principals share prime q and primitive root ↵. Both may be public.2 A and B generate random numbers XA and XB (respectively) both

less than q.3 A computes YA = ↵XA mod q, B computes YB = ↵XB mod q.4 A and B exchange results.5 A computes KA = Y XA

B mod q, B computes KB = Y XBA mod q.

Keys are equal, i.e. KA = KB:

KA = Y XAB mod q

= (↵XB)XA mod q= (↵XA)XB mod q

= Y XBA mod q = KB

Security depends on difficulty of computing discrete logs.








KA = Y XAB mod q

= (↵XB)XA mod q

= (↵XA)XB mod q

= Y XBA mod q = KB









KA = Y XAB mod q


= Y XBA mod q = KB









KA = Y XAB mod q


= Y XBA mod q = KB

Security depends on difficulty of computing discrete logs.Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 41 / 86

(Xa & Xb)


Diffie-Hellman key exchange (cont.)

YA

YB

Figure 10.8 Diffie-Hellman Key Exchange

User A User B

Generate random XA < q;Calculate YA = aXA mod q Generate

random XB < q;Calculate YB = aXB mod q;Calculate K = (YA)XB mod q Calculate

K = (YB)XA mod q



Diffie-Hellman: strengths

The shared secret key is created out of nothing!

The shared secret key is at least as strong as the strongesthalf-key: neither A nor B can completely sabotage the resultingkey.

The shared secret key is never transmitted (not even in encryptedform).

) Perfect Forward Secrecy (PFS): a session key derived from aset of long-term public and private keys will not be compromised ifone of the (long-term) private keys is compromised in the future.

That is, if someone records the entire conversation and laterdiscovers Alice’s or Bob’s private keys, he/she won’t be able todecrypt anything (except for the data explicitly encrypted with thatprivate key)!



Diffie-Hellman: weaknesses

Keys are unauthenticated and thus it is vulnerable to the followingMan-in-the-middle Attack :

1 A transmits YA to B.

2 Z intercepts YA and transmits YZ to B.Z also calculates K1 = (YA)XZ mod q.

3 B receives YZ and calculates K2 = (YZ )XB mod q.4 B transmits YB to A.5 Z intercepts YB and transmits YZ to A.

Z calculates K2 = (YB)XZ mod q.6 A receives YZ and calculates K1 = (YZ )XA mod q.

Now A and B think that they share a secret key, but instead A sharessecret key K1 with Z and B shares secret key K2 with Z .Solution: sign the exponents. But this requires shared keys!





1 A transmits YA to B.2 Z intercepts YA and transmits YZ to B.

Z also calculates K1 = (YA)XZ mod q.

3 B receives YZ and calculates K2 = (YZ )XB mod q.4 B transmits YB to A.5 Z intercepts YB and transmits YZ to A.








Z also calculates K1 = (YA)XZ mod q.3 B receives YZ and calculates K2 = (YZ )XB mod q.

4 B transmits YB to A.5 Z intercepts YB and transmits YZ to A.








Z also calculates K1 = (YA)XZ mod q.3 B receives YZ and calculates K2 = (YZ )XB mod q.4 B transmits YB to A.

5 Z intercepts YB and transmits YZ to A.Z calculates K2 = (YB)XZ mod q.

6 A receives YZ and calculates K1 = (YZ )XA mod q.Now A and B think that they share a secret key, but instead A sharessecret key K1 with Z and B shares secret key K2 with Z .Solution: sign the exponents. But this requires shared keys!






Z also calculates K1 = (YA)XZ mod q.3 B receives YZ and calculates K2 = (YZ )XB mod q.4 B transmits YB to A.5 Z intercepts YB and transmits YZ to A.

Z calculates K2 = (YB)XZ mod q.

6 A receives YZ and calculates K1 = (YZ )XA mod q.Now A and B think that they share a secret key, but instead A sharessecret key K1 with Z and B shares secret key K2 with Z .Solution: sign the exponents. But this requires shared keys!








Now A and B think that they share a secret key,

but instead A sharessecret key K1 with Z and B shares secret key K2 with Z .Solution: sign the exponents. But this requires shared keys!








Now A and B think that they share a secret key, but instead A sharessecret key K1 with Z and B shares secret key K2 with Z .

Solution: sign the exponents. But this requires shared keys!



Diffie-Hellman: man-in-the-middle attack

A Z B

A “believes” that she shares key K1 = ↵XAXZ mod q with B.B “believes” that he shares key K2 = ↵XBXZ mod q with A.Z can use these two keys to read and relay “confidential” communicationsbetween A and B, or to impersonate one of them to the other.Can be prevented by mutual authentication between A and B.Typically: add an exchange of digitally signed identification (ID) tokens.



Group Diffie-Hellman (for three or more parties)

Given a Diffie-Hellman group (↵, q), three parties Alice, Bob and Carol cangenerate together a secret key K = ↵XAXBXC mod q by:

1 Alice chooses a random large integer XA and sends to Bob: YA = ↵XA mod q

2 Bob chooses a random large integer XB and sends to Carol YB = ↵XB mod q

3 Carol chooses a random large integer XC and sends to Alice: YC = ↵XC mod q

4 Alice sends to Bob Y 0C = Y XA

C mod q

5 Bob sends to Carol Y 0A = Y XB

A mod q

6 Carol sends to Alice Y 0B = Y XC

B mod q

7 Alice computes: K = Y 0B

XA mod q

8 Bob computes: K = Y 0C

XB mod q

9 Carol computes: K = Y 0A

XC mod q

Can be extended to more parties by adding more rounds of computations.


Asymmetric algorithms for secret key distribution ElGamal variant of Diffie-Hellman key exchange







Asymmetric algorithms for secret key distribution ElGamal variant of Diffie-Hellman key exchange

ElGamal variant

Setup: same as Diffie-Hellman. Public prime q and generator ↵.Moreover, let E be any symmetric encryption function.SchemaStep 1 B chooses XB and computes YB = ↵XB mod q.

B ! A: YB.Step 2 A chooses integer XA, computes YA = ↵XA mod q, and

computes key K = Y XAB mod q.

A! B: (E(M, K ), YA)

Step 3 B computes K = Y XBA mod q and uses K to decrypt

E(M, K ).Red parts are Diffie-Hellman.


Asymmetric algorithms for secret key distribution Massey-Omura scheme








Massey-Omura scheme

Encryption without shared keys based on discrete log problem.Principals share (public) prime p.u 2 {A, B} chooses (private) eu, du 2 Z such that

eudu mod (p � 1) = 1 .

So (p � 1)|(eudu � 1). So there is a k where eudu = k(p � 1) + 1.Hence, by Euler’s theorem, for all m 2 {1, . . . p � 1}

meudu mod p = mk(p�1)m mod p = m mod p = m


Massimo Merro

Massimo Merro


Massey-Omura Protocol

Step 1 A! B: meA mod p

Step 2 B ! A: meAeB mod p

Step 3 A! B: meAeBdA mod p (= meB )

Step 4 A! B: meAeBdAdB mod p (= m)


Message integrity and cryptographic hashes








Message Integrity

Sorry nottonight

Tonight atmy place

Message or data integrity is the property that data has not beenaltered in an unauthorized manner since the time it was created,transmitted, or stored by an authorized source.In operating systems, access control can be used to ensure dataintegrity. In open networks, one uses cryptographic means.



Cryptographic hash requirements

Motivation: create a data “fingerprint".A hash function h(x) (in the general sense) has the properties:

1 Compression: h maps an input x of arbitrary bit length to an outputh(x) of fixed bit length n.

2 Polynomial time computable.

Example (longitudinal redundancy check):Given m blocks of n-bit input b1, . . . , bm, form the n-bit checksum cfrom the bitwise xor of every block. I.e., (for 1 i n)

ci = bi1 � bi2 � . . .� bim

Cryptographic techniques can be seen as a refinement ofchecksum techniques to handle active forger.



Cryptographic hash requirements (cont.)

h(x) is a cryptographic hash function if it is additionally:One-way (or pre-image resistant).Given y , it is hard to compute an x where h(x) = y .And usually either2nd-preimage resistance: It is computationally infeasible to find a

second input that has the same output as any specified input,i.e., given x to find an x 0 6= x such that h(x) = h(x 0).

Collision resistance: It is difficult to find two distinct inputs x , x 0

where h(x) = h(x 0).

Hash value also called message digest or modification detectioncode.An application: password files.

For password p, store h(p) in password file.Requires only pre-image resistance. Why?Often combined with salt s, i.e., store pair (s, h(s, p)).



Message or data integrity is the property that data has not beenaltered in an unauthorized manner since the time it was created,transmitted, or stored by an authorized source.

Sorry nottonight

Tonight atmy place

Message integrity: modification detection code providescheckable fingerprint.

computesMDC = h(M’)MDC = h(M)

M M’

MDC(Authenticated)

verifies if

Requires 2nd-preimage resistance and authenticated MDC.Typical application: signed hashes.


Massimo Merro

Massimo Merro


Collision resistance and the birthday paradox

When attacker controls input to hash function, collision resistanceis important.Unimportant for password hashing. What about signing contracts?Birthday paradox

How many people must be in a room such that the probability p thatone has your birthday is p > .5?

The probability that one of n people has your birthday is n/365, sofor n = 183, p > 0.5.How many people must be in a room such that the probability p thatany two share the same birthday is p > .5? 23 persons!Generalization: Let h have 2m possible outputs. h must be appliedto 2m/2 inputs so that the probability of a collision is greater than0.5.





How many people must be in a room such that the probability p thatone has your birthday is p > .5?The probability that one of n people has your birthday is n/365, sofor n = 183, p > 0.5.

How many people must be in a room such that the probability p thatany two share the same birthday is p > .5? 23 persons!Generalization: Let h have 2m possible outputs. h must be appliedto 2m/2 inputs so that the probability of a collision is greater than0.5.





How many people must be in a room such that the probability p thatone has your birthday is p > .5?The probability that one of n people has your birthday is n/365, sofor n = 183, p > 0.5.How many people must be in a room such that the probability p thatany two share the same birthday is p > .5?

23 persons!Generalization: Let h have 2m possible outputs. h must be appliedto 2m/2 inputs so that the probability of a collision is greater than0.5.





How many people must be in a room such that the probability p thatone has your birthday is p > .5?The probability that one of n people has your birthday is n/365, sofor n = 183, p > 0.5.How many people must be in a room such that the probability p thatany two share the same birthday is p > .5? 23 persons!

Generalization: Let h have 2m possible outputs. h must be appliedto 2m/2 inputs so that the probability of a collision is greater than0.5.





How many people must be in a room such that the probability p thatone has your birthday is p > .5?The probability that one of n people has your birthday is n/365, sofor n = 183, p > 0.5.How many people must be in a room such that the probability p thatany two share the same birthday is p > .5? 23 persons!Generalization: Let h have 2m possible outputs. h must be appliedto 2m/2 inputs so that the probability of a collision is greater than0.5.



A birthday attack

One might think a 64 bit hash code is secure. Preimageresistance means, on average 263 messages must be tried.

Birthday attack for finding collisionsSuppose A is willing to sign a contract with B. Then B preparesversion x , good for A, and version y , which bankrupts her.

B generates “good” messages x1, . . ..Similarly he dovetails the generation of the “bad” y1, . . ..He stops when h(xi) = h(yj).

A signs h(xi). Later B uses signature for yj .

On average, work required is order of 232.So double your hash size if collision avoidance important!



A letter in 237 variations

Dear Anthony,⇢

This letter isI am writing

�to introduce

⇢you toto you

� ⇢Mr.

�Alfred

⇢P.

�

Barton, the⇢

newnewly appointed

� ⇢chief

senior

�jewellery buyer for

⇢ourthe

�Northern

⇢EuropeanEurope

� ⇢area

division

�. He

⇢will take

has taken

�

over⇢

the�

responsibility for⇢

allthe whole of

�our interests in

⇢watches and jewelleryjewellery and watches

�in the

⇢area

region

�. . . .



Constructing a cryptographic hash function

Simplest constructions use block chaining techniques (Rabin1978):

Divide message M into fixed size blocks b1, . . . bn.

Use symmetric encryption algorithm, e.g., DES

h0 = IV (initial value) and hi = Ebi (hi�1)

...b1 b2 bn

IV hnh1 h2Eb1

Eb2

Ebn

Similar to Cipher Block Chaining, but no secret key.

Modern algorithms are considerably more complex.MD5 (Rivest): 128 bit hashes. Known weakness.SHA (US Standard): 160 bit hashes. Assumed secure.


Message authentication







Message authentication Message authentication codes








Message authentication codes

Message authentication also called data-origin authentication.

Alice

Tonight atmy place,

Annmy place,Tonight at

Observe that message authentication implies message integrity.Contrast to entity (or user) authentication

Yes.

Is it you, Alice?

Message Authentication Codes (MACs) and digital signatures aretwo main techniques for establishing message authentication.


Massimo Merro


MACs

A MAC algorithm is a family of hash functions hk parameterized bya secret key k . The hk must be computation-resistant: given zeroor more MAC pairs (xi , hk (xi)), it is infeasible to compute(x , hk (x)) for any new input x 6= xi .Message authentication with MACs

M’, MAC’M, MAC

altersM and MAC

computesMAC = h (M) MAC’ = h (M’)K K

verifies if

hk any enciphering algorithm that returns fixed length output.Message authentication?

Yes, for verified messages.Non-repudiation? Not with symmetric cipher.Freshness? No detection of message replay.


Massimo Merro


MACs


M’, MAC’M, MAC

altersM and MAC


verifies if

hk any enciphering algorithm that returns fixed length output.Message authentication? Yes, for verified messages.Non-repudiation?

Not with symmetric cipher.Freshness? No detection of message replay.



MACs


M’, MAC’M, MAC

altersM and MAC


verifies if

hk any enciphering algorithm that returns fixed length output.Message authentication? Yes, for verified messages.Non-repudiation? Not with symmetric cipher.Freshness?

No detection of message replay.



MACs


M’, MAC’M, MAC

altersM and MAC


verifies if

hk any enciphering algorithm that returns fixed length output.Message authentication? Yes, for verified messages.Non-repudiation? Not with symmetric cipher.Freshness? No detection of message replay.



Constructing MACs (I)

Simplest realization based on cipher-block chaining.

K

Block cBlock m Block m Block m4 3 2 1f

c1 = EK (m1 � 0)

ci = EK (ci�1 �mi)

E is a block cipher, e.g., DES.cn is MAC. Alternatively i left-most bits can be used.


Message authentication Digital signatures








The digital signature problem

Alice

Tonight atmy place,

Annmy place,Tonight at

Problem of proof of data origin.How do we know, or prove, that a message originated from aparticular person?Public key cryptography supports both knowing and proving toothers (non-repudiation).Would this be possible using a shared key?



Digital signature requirements

Signature is fundamental in authentication and nonrepudiation.

Nomenclature and set-upM is set of messages that can be signed.

S is set of elements called signatures, e.g., n-bit strings.

SA : M! S, is a signing transformation for entity A, and keptsecret by A.

VA : M⇥ S ! {true, false} is a verification transformation for A’ssignature and is publicly known.

SA and VA provide digital signature scheme for A.


Massimo Merro

Massimo Merro


Signature schema (cont.)

Example

m1

m2

m3

s1

s2

s3

(m , s )1 1(m , s )1 2

(m , s )1 3(m , s )12(m , s )2 2

(m , s )2 3

(m , s )13

(m , s )3 3

(m , s )23

SA

VA

False

True

Signing procedure: A creates a signature for m 2M by:Compute s = SA(m) and transmit pair (m, s).Verification procedure. B verifies A’s signature of (m, s) by:Compute u = VA(m, s). Accept signature only if u = true.Secrecy requires:

it is hard for any entity other than A to find, forany m 2M, an s 2 S, where VA(m, s) = true.



Signature schema (cont.)

Example

m1

m2

m3

s1

s2

s3

(m , s )1 1(m , s )1 2

(m , s )1 3(m , s )12(m , s )2 2

(m , s )2 3

(m , s )13

(m , s )3 3

(m , s )23

SA

VA

False

True

Signing procedure: A creates a signature for m 2M by:Compute s = SA(m) and transmit pair (m, s).Verification procedure. B verifies A’s signature of (m, s) by:Compute u = VA(m, s). Accept signature only if u = true.Secrecy requires: it is hard for any entity other than A to find, forany m 2M, an s 2 S, where VA(m, s) = true.


Massimo Merro


Implementing digital signatures

Can be based on (reversible) public-key encryption systems.Consider Ee : M! C is a public-key transformation. Moreover,suppose that M = C. If Dd is the decryption transformationcorresponding to Ee, then since both are permutations

Dd(Ee(m)) = Ee(Dd(m)) = m for all m 2M.

A public-key encryption scheme of this type is called reversible.Construction for a digital signature schema

1 Let M and C be message and signature space, with M = C.2 Let (e,d) be a key pair for the public-key encryption scheme.3 Define signing function SA to be Dd . I.e., s = Dd (m).4 Define VA by

VA(m, s) =

⇢true, if Ee(s) = m,false, otherwise



Implementation (cont.)

Previous schema admits a forgery attack:1 Attacker B selects a random s 2 S and computes m = Ee(s).2 Since S = M, he can submit (m, s) as message with signature.3 Verification returns true even though A did not sign m!

Solution: let some subset M0 ⇢M constitute the signablemessages.Redefine verifier VA : S ! {true, false} as:

VA(s) =

⇢true, if Ee(s) 2M0

false, otherwise

Messages can be recovered since m = Ee(s).Secure when M0 is a sufficiently small subset of M.



Implementation (cont.)

RSA provides a realization of digital signatures:

Dd(Ee(m)) = Ee(Dd(m)) = m

Forgery prevented by signing messages with fixed structure, e.g.,Message names its sender, or (more typically).Cryptographic hash signed, sent with the message.

m’, D (h(m))m, D (h(m))d d

verifies ifh(m’) = E (D (h(m))de

Pair can additionally be encrypted for confidentiality.


Conclusions







Conclusions

Conclusions

Symmetric/asymmetric cryptography ensure confidentiality.Assuming (un)conditional security and properly distributed keys.

Asymmetric cryptography simplifies key distribution.Simplifies logistics, due to substantially reduced number of keys.But still need an authenticated channel to distribute keys.

Implements message authentication, once keys distributed.Public Key Infrastructures are clearly important.Information security as an art: designing mechanisms andinfrastructures appropriate for application/environment.


Appendix on number theory








Greatest Common Divisor

For a, b 2 N, gcd(a, b) denotes greatest common divisor.Example 60 = 22 ⇤ 3 ⇤ 5, 14 = 2 ⇤ 7, gcd(60, 14) = 2gcd can be computed quickly using Euclid’s algorithm.

gcd(60, 14) : 60 = 4 ⇤ 14 + 4gcd(14, 4) : 14 = 3 ⇤ 4 + 2gcd(4, 2) : 4 = 2 ⇤ 2

Extended Euclid’s algorithm computes x , y 2 Z such that

gcd(a, b) = xa + yb

Here 2 = 14� 3(60� 4 ⇤ 14) = �3 ⇤ 60 + 13 ⇤ 14a, b 2 N are relatively prime if gcd(a, b) = 1.



Euclid’s Algorithm

Euclid’s algorithm is based on the theoremgcd(a, b) = gcd(b, a mod b) for any nonnegative integer a andany positive integer b.

For example, gcd(55, 22) = gcd(22, 55 mod 22) = gcd(22, 11) = 11.The algorithm is

Euclid(a, b)1 if b = 02 then return a3 else return Euclid(b, a mod b)

Euclid(30, 21) = Euclid(21, 9) = Euclid(9, 3) = Euclid(3, 0) = 3.



Extended Euclid’s Algorithm

Extend the algorithm to compute the integer coefficients x and y suchthat

d = gcd(a, b) = ax + by

The algorithm is

Extended-Euclid(a, b)1 if b = 02 then return (a, 1, 0)3 (d 0, x 0, y 0) Extended-Euclid(b, a mod b)4 (d , x , y) (d 0, y 0, x 0 � ba/bcy 0)5 return (d , x , y)

where q = ba/bc is the quotient of the division (for a = qb + r ).



Extended Euclid’s Algorithm — ExampleExtended-Euclid(99, 78) = 3 = 99 ⇤ (�11) + 78 ⇤ 14

Extended-Euclid(a, b)1 if b = 02 then return (a, 1, 0)3 (d 0, x 0, y 0) Extended-Euclid(b, a mod b)4 (d , x , y) (d 0, y 0, x 0 � ba/bcy 0)5 return (d , x , y)

a b ba/bc d x y99 78 1 3 �11 1478 21 3 3 3 �1121 15 1 3 �2 315 6 2 3 1 �26 3 2 3 0 13 0 � 3 1 0

Each line shows one level of the recursion.Exercise: Use both Euclid’s algorithm and Extended Euclid’s algorithmto compute gcd(1970, 1066), showing all steps of the computations.Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 80 / 86


Fast Exponentiation

There is an efficient algorithm (cf. the literature!) for computingpowers modulo n in a monoid G = (H, �, e) (where H is a set, � isan associative operation on H, and e 2 H is a neutral elementsuch that e � a = a � e = a for all a 2 H).Let g 2 G and e be a positive integer with binary expansion

e =kX

i=0

ei2i (observe that the coefficients ei are either 0 or 1)

Then

ge = gPk

i=0 ei 2i=

kY

i=0

(g2i)ei =

Y

0ik , ei=1

g2i



Fast Exponentiation (cont.)

ge = gPk

i=0 ei 2i=

Qki=0(g

2i)ei =

Q0ik , ei=1 g2i yields the following

idea:1 Compute the successive squares g2i

for 0 i k .2 Determine ge as the product of those g2i

for which ei = 1.N.B.: we can compute g2i+1

= (g2i)2 from g2i by one squaring.

An example: 673 mod 100.Binary expansion of exponent: 73 = 1 + 23 + 26.Determine successive squares of 6:

62 = 36 622= 362 = �4 mod 100

623= 16 mod 100 624

= 162 = 56 mod 100625

= 562 = 36 mod 100 626= �4 mod 100

673 = 6 ⇤ 623 ⇤ 626= 6 ⇤ 16 ⇤ (�4) mod 100 = 16 mod 100.

Hence, 6 squares and 2 products instead of 72 multiplications modulo100.



Fermat Test

It is expensive to prove that a given positive integer is prime, but thereare efficient algorithms (primality tests) that prove the primality of apositive integer with high probability.The Fermat Test is a primality test based on Fermat’s theorem in thefollowing version:

if n is a prime number, then an�1 =n 1 for all positive integersa such that a and n are relatively prime (gcd(a, n) = 1).

Choose a positive integer a 2 {1, 2, . . . , n � 1}.Compute y = an�1 mod n (e.g. using fast exponentiation).If y 6= 1, then n is composite (by the above theorem).If y = 1, then we do not know whether n is prime or composite, asthe following example shows.



Fermat Test (cont.)

Consider n = 341 = 11 ⇤ 31. Although n is composite we have

2340 =341 1

Therefore, if we use Fermat Test with n = 341 and a = 2, then weobtain y = 1, which proves nothing.On the other hand, if we use Fermat Test with n = 341 and a = 3, thenn is proven composite as

3340 =341 56

N.B.: if the Fermat Test proves that n is composite, it does not find a divisorof n. It only shows that n lacks a property that all prime numbers have.Therefore, the Fermat Test cannot be used as a factoring algorithm.Exercise: Use Fermat Test to show that 1111 is not a prime number.Homework: Look up Miller-Rabin’s Test.



Correctness of RSA: more detailsSince ed mod � = 1, there exists k 2 N where ed = 1 + k�.Now consider whether or not gcd(m, p) = 1, i.e., whether p|m.Case 1: If gcd(m, p) = 1 then by Fermat’s theorem

mp�1 =p 1

Raising both sides to power k(q � 1) and multiplying by m yields

m1+k(p�1)(q�1) =p m

Case 2: If gcd(m, p) = p then last congruence is trivially valid sinceeach side is congruent to 0 mod p.Hence in both cases

med =p m

By the same argument med =q m and since p and q are distinctprimes, it follows that med =n m and hence

cd =n (me)d =n m.



Bibliography

William Stallings. Cryptography and Network Security . FourthEdition, Prentice Hall, 2006.

Dieter Gollmann. Computer Security . Wiley, 2000.

Bruce Schneier. Applied Cryptography. John Wiley & Sons, NewYork, 1996.

Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone.Handbook of Applied Cryptography . CRC Press, 1996. Availableonline.

Arthur E. Hutt, Seymour Bosworth, Douglas B. Hoyt. ComputerSecurity Handbook . John Wiley & Sons, 1995.


public-key cryptographyprofs.scienze.univr.it/~merro/sicurezzadellereti/lec03-crypto-pk.pdf · the...

Documents