assymtertic key introduction

Upload: amandeep651

Post on 03-Jun-2018

215 views

Category:

Documents


0 download

TRANSCRIPT

  • 8/12/2019 Assymtertic Key Introduction

    1/34

    Symmetric-KeyCryptography

  • 8/12/2019 Assymtertic Key Introduction

    2/34

    Objectives

    To distinguish between two cryptosystems:

    symmetric-key and asymmetric-key

    To introduce trapdoor one-way functions and their

    use in asymmetric-key cryptosystems

    To introduce the knapsack cryptosystem as one of

    the first ideas in asymmetric-key cryptography

    To discuss the RSA cryptosystem

    To discuss the Rabin cryptosystem

    To discuss the ElGamal cryptosystem

    To discuss the elliptic curve cryptosystem

  • 8/12/2019 Assymtertic Key Introduction

    3/34

    INTRODUCTION

    Symmetr ic and asymmetr ic-key cryptography wil l exist

    in parallel and continue to serve the community. We

    actually believe that they are complements of each

    other; the advantages of one can compensate for the

    disadvantages of the other.

    1 Keys2 General Idea

    3 Need for Both

    4 Trapdoor One-Way Function

    5 Knapsack Cryptosystem

  • 8/12/2019 Assymtertic Key Introduction

    4/34

    INTRODUCTION

    Symmetr ic and asymmetr ic-key cryptography wil l exist

    in parallel and continue to serve the community. We

    actually believe that they are complements of each

    other; the advantages of one can compensate for the

    disadvantages of the other.

    Symmetric-key cryptography is based on sharing secrecy;

    asymmetric-key cryptography is based on personal secrecy.

    Note

  • 8/12/2019 Assymtertic Key Introduction

    5/34

    Asymmetr ic key cryptography uses two separate keys: one

    private and one public.

    Keys

    Locking and unlocking in asymmetr ic-key cryptosystem

  • 8/12/2019 Assymtertic Key Introduction

    6/34

    General I dea

    General idea of asymmetr ic-key cryptosystem

  • 8/12/2019 Assymtertic Key Introduction

    7/34

    Plaintext/Ciphertext

    Unlike in symmetric-key cryptography, plaintext and

    ciphertext are treated as integers in asymmetric-key

    cryptography.

    C = f (Kpublic , P) P = g(Kprivate , C)

    Encryption/Decryption

  • 8/12/2019 Assymtertic Key Introduction

    8/34

    There is a very important fact that is sometimesmisunderstood: The advent of asymmetric-key

    cryptography does not el iminate the need for symmetr ic-

    key cryptography.

    Need for Both

  • 8/12/2019 Assymtertic Key Introduction

    9/34

    The main idea behind asymmetr ic-key cryptography is the

    concept of the trapdoor one-way function.

    Trapdoor One-Way Function

    Functions

    A function as rule mapping a domain to a range

  • 8/12/2019 Assymtertic Key Introduction

    10/34

    Trapdoor One-Way Function (TOWF)

    One-Way Function (OWF)

    1. f is easy to compute.

    2. f 1is diff icult to compute.

    3. Given y and a trapdoor, x can be

    computed easi ly.

  • 8/12/2019 Assymtertic Key Introduction

    11/34

    Example

    Example

    When nis large, n= p qis a one-way function. Given pand

    q, it is always easy to calculate n; given n, it is very difficult to

    compute pand q. This is the factorization problem.

    When nis large, the function y= xkmod n is a trapdoor one-

    way function. Given x, k, and n, it is easy to calculate y. Giveny, k, and n, it is very difficult to calculate x. This is the discrete

    logarithm problem. However, if we know the trapdoor, ksuch

    that k k= 1 mod f(n), we can use x = ykmod nto find x.

  • 8/12/2019 Assymtertic Key Introduction

    12/34

    RSA CRYPTOSYSTEM

    The most common public-key algor ithm is the RSA

    cryptosystem, named for its inventors (Rivest, Shamir,

    and Adleman).

    1 Introduction

    2 Procedure

    3 Some Trivial Examples4 Attacks on RSA

    5 Recommendations

    6 Optimal Asymmetric Encryption Padding (OAEP)

    7 Applications

  • 8/12/2019 Assymtertic Key Introduction

    13/34

    Complexi ty of operations in RSA

  • 8/12/2019 Assymtertic Key Introduction

    14/34

    Procedure

    Encryption, decryption, and key generation in RSA

  • 8/12/2019 Assymtertic Key Introduction

    15/34

    Two Algebraic Structures

    Encryption/Decryption Ring: R =

    Key-Generation Group: G =

  • 8/12/2019 Assymtertic Key Introduction

    16/34

  • 8/12/2019 Assymtertic Key Introduction

    17/34

    Encryption

  • 8/12/2019 Assymtertic Key Introduction

    18/34

    Decryption

  • 8/12/2019 Assymtertic Key Introduction

    19/34

    Proof of RSA

  • 8/12/2019 Assymtertic Key Introduction

    20/34

    Some Tr ivial ExamplesExample

    Bob chooses 7 and 11 as pand qand calculates n= 77. The

    value of f(n) = (7 1)(11 1) or 60. Now he chooses twoexponents, eand d, from Z60. If he chooses eto be 13, then d

    is 37. Note that e dmod 60 = 1 (they are inverses of each

    Now imagine that Alice wants to send the plaintext 5 to Bob.

    She uses the public exponent 13 to encrypt 5.

    Bob receives the ciphertext 26 and uses the private key 37 to

    decipher the ciphertext:

  • 8/12/2019 Assymtertic Key Introduction

    21/34

    Some Tr ivial ExamplesExample

    Bob receives the ciphertext 28 and uses his private key 37 to

    decipher the ciphertext:

    Now assume that another person, John, wants to

    send a message to Bob. John can use the same

    public key announced by Bob (probably on his

    website), 13; Johns plaintext is 63. John calculates

    the following:

  • 8/12/2019 Assymtertic Key Introduction

    22/34

    Example

    Suppose Ted wants to send the message NO to

    Jennifer. He changes each character to a number

    (from 00 to 25), with each character coded as twodigits. He then concatenates the two coded

    characters and gets a four-digit number. The plaintext

    is 1314. Figure 10.7 shows the process.

    Jennifer creates a pair of keys for herself. She

    chooses p = 397 and q = 401. She calculates

    n= 159197. She then calculates f(n) = 158400. She

    then chooses e = 343 and d = 12007. Show how Ted

    can send a message to Jennifer if he knows eand n.

  • 8/12/2019 Assymtertic Key Introduction

    23/34

    Encryption and decryption

    Att k RSA

  • 8/12/2019 Assymtertic Key Introduction

    24/34

    Attacks on RSA

    Taxonomy of potential attacks on RSA

    Att k RSA

  • 8/12/2019 Assymtertic Key Introduction

    25/34

    Attacks on RSA

    Factorization

    The security of RSA is based on the fact

    that modulus is so large that it is

    infeasible to factor it in reasonable time.

    To be secure, RSA requires that n will be

    300 decimal digits, then modulus must be

    at least 1024 digits.

    No factorization algorithm till date can

    factorize such a large number in

    reasonable amount of time.

  • 8/12/2019 Assymtertic Key Introduction

    26/34

    Att k RSA

  • 8/12/2019 Assymtertic Key Introduction

    27/34

    Attacks on RSAChosen-Ciphertext Attack

    1. Eve intercepts c a ciphertext message fromAlice.

    2. Eve chooses a random number r, r

  • 8/12/2019 Assymtertic Key Introduction

    28/34

    Attacks on Encryption Component of RSA

    To reduce encryption time, a low value of e

    is used sometimes.

    Coppersmith Theorem Attack:

    In a mod n polynomial f(x) of degree e, one

    can use an algorithm of complexity log n to

    find the roots if one of the roots is smaller

    than n^(1/e).

    Att k E ti C t f RSA

  • 8/12/2019 Assymtertic Key Introduction

    29/34

    Attacks on Encryption Component of RSA

    To reduce encryption time, a low value of e

    is used sometimes.

    Broadcast attack:

    If an entity sends the same message to a

    group of recipients with the same low

    encryption exponent.

    C1 = P^3 mod n1,C2 = P^3 mod n2

    C3 = P^3 mod n3

    By CRT, C = P^3 mod n1 n2 n3.

    Hence P^3 < n1 n2 n3, - C = P^3.

    Att k D ti E t f RSA

  • 8/12/2019 Assymtertic Key Introduction

    30/34

    Attacks on Decryption Exponent of RSA

    Revealed decryption component attack:

    If Eve knows the value of d, she can use a

    probabilistic algorithm to factor n and find

    the value of p and q.

    If Bob changes only the compromised

    decryption exponent, but keeps the same

    modulus n, then Eve will be able to decryptfuture messages because she has the

    factorization n.

    Ti i tt k

  • 8/12/2019 Assymtertic Key Introduction

    31/34

    Timing attack

    Attack is based on the fast-exponential

    algorithm.

    The algorithm uses only squaring if the

    corresponding bit in the decryption

    exponent is d is 0, else it uses both squaring

    and multiplication.

    Timing required for each iteration is longer ifthe corresponding bit in d is 1.

    The timing difference allows Eve to compute

    the bits in d one by one.

    Timing attack

  • 8/12/2019 Assymtertic Key Introduction

    32/34

    Timing attack

    Solutions:

    1. Add random delays duringexponentiation.

    2. Blinding:

    1. Select a secret random number r

    between 1 and n-1.

    2. Calculate C1=C r ^e mod n

    3. Calculate P1 = C1 ^d mod n4. Calculate P = P1 r -1 mod n.

    Power attack

  • 8/12/2019 Assymtertic Key Introduction

    33/34

    Power attack

    Similar to timing attack.

    Kocher showed that

    If Eve can measure the power consumed

    during decryption, then similar idea will be

    used.

    An iteration involving squaring andmultiplication requires more power.

    Timing attack

  • 8/12/2019 Assymtertic Key Introduction

    34/34

    Timing attack

    Attack is based on the fast-exponential

    algorithm.

    The algorithm uses only squaring if the

    corresponding bit in the decryption

    exponent is d is 0, else it uses both squaring

    and multiplication.

    Timing required for each iteration is longer ifthe corresponding bit in d is 1.

    The timing difference allows Eve to compute

    the bits in d one by one