1
Lecture 7
Public Key Cryptography (Diffie-Hellman and RSA)
• Asymmetric cryptography
• Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir-Adleman)
• Two keys: private (SK), public (PK)
  – Encryption: with public key
  – Decryption: with private key
  – Digital Signatures: Signing by private key; Verification by public key, i.e., "encrypt" message digest/hash -- h(m) -- with private key
• Authorship (authentication)
• Integrity: Similar to MAC
• Non-repudiation: can't do with secret key cryptography
• Much slower than conventional cryptography
• Often used together with conventional cryptography, e.g., to encrypt session keys
2
Public Key Cryptography
3
[Figure: plaintext message $m$ → encryption algorithm (with Bob's public key $PK_B$) → ciphertext $PK_B(m)$ → decryption algorithm (with Bob's private key $SK_B$) → plaintext message $m$]
$m = SK_B(PK_B(m))$
4
Key Pre-distribution: Diffie-Hellman ("New Directions in Cryptography", 1976)

System-wide parameters: $p$ a large prime, $a$ a generator of $Z_p^*$

Alice's secret: $v$, public: $y_a = a^v \bmod p$
Bob's secret: $w$, public: $y_b = a^w \bmod p$

Alice has: $K_{ab} = (y_b)^v \bmod p = a^{wv} \bmod p$
Bob has: $K_{ba} = (y_a)^w \bmod p = a^{vw} \bmod p$
5
Public Key Pre-distribution: Diffie-Hellman
[Figure: Alice computes $K_{ab}$; Bob computes $K_{ab} = K_{ba}$; secure communication with $K_{ab}$]
Eve knows: $p$, $a$, $y_a$ and $y_b$
6
Public Key Pre-distribution: Diffie-Hellman

$p$ a large prime, $a$ a generator of $Z_p^*$

Diffie-Hellman Problem:
  Given $y_a = a^v \bmod p$ and $y_b = a^w \bmod p$, FIND $a^{vw} \bmod p$

Discrete Log Problem:
  Given $y_a = a^v \bmod p$, FIND $v$
7
Public Key Pre-distribution: Diffie-Hellman

Decision DH Problem:
  Given $p$ a large prime, $a$ a generator, $y_a = a^v \bmod p$, $y_b = a^w \bmod p$:
  Distinguish $K_{ab} = a^{vw} \bmod p$ from a random number!

• DH Assumption: the DH problem is HARD (not in P)
• DL Assumption: the DL problem is HARD (not in P)
• DDH Assumption: solving the DDH problem is HARD (not in P)
8
Interactive (Public) Key Exchange: Diffie-Hellman
Eve is passive...

[Figure: Alice ↔ Bob]
Alice: choose random $v$, send $y_a = a^v \bmod p$ to Bob
Bob: choose random $w$, send $y_b = a^w \bmod p$ to Alice
Bob computes $K_{ab} = (y_a)^w \bmod p$
Alice computes $K_{ab} = (y_b)^v \bmod p$
Secure communication with $K_{ab}$
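The exchange above as runnable code, added here as an example and not part of the lecture; $p = 23$, $a = 5$ and the secrets $v = 6$, $w = 15$ are constructed toy values, and the brute-force discrete log shows what Eve's knowledge of $p, a, y_a, y_b$ buys her only because $p$ is tiny:

```python
# Added example (not from the lecture slides): Diffie-Hellman with the slide's
# symbols. p, a, v, w are constructed toy values; real use needs a large p.

def is_generator(a: int, p: int) -> bool:
    """True if a generates all of Z_p^* (brute force; toy sizes only)."""
    return len({pow(a, i, p) for i in range(1, p)}) == p - 1

def public_value(a: int, secret: int, p: int) -> int:
    """y = a^secret mod p, the value each party publishes."""
    return pow(a, secret, p)

def shared_key(their_public: int, my_secret: int, p: int) -> int:
    """K = (y_other)^my_secret mod p, computed by each side from its own secret."""
    return pow(their_public, my_secret, p)

def dh_exchange(a: int, p: int, v: int, w: int):
    """Run the slide's exchange with Alice's secret v and Bob's secret w.
    Returns (y_a, y_b, K_ab, K_ba, a^(vw) mod p)."""
    y_a = public_value(a, v, p)           # Alice -> Bob
    y_b = public_value(a, w, p)           # Bob -> Alice
    k_ab = shared_key(y_b, v, p)          # Alice: (y_b)^v
    k_ba = shared_key(y_a, w, p)          # Bob:   (y_a)^w
    return y_a, y_b, k_ab, k_ba, pow(a, v * w, p)

def eve_brute_force(a: int, y: int, p: int) -> int:
    """Discrete log by exhaustive search: Eve's only route, feasible only for toy p."""
    for v in range(1, p):
        if pow(a, v, p) == y:
            return v
    raise ValueError("y is not a power of a")

if __name__ == "__main__":
    p, a = 23, 5                          # constructed: 5 generates Z_23^*
    assert is_generator(a, p)
    y_a, y_b, k_ab, k_ba, k = dh_exchange(a, p, v=6, w=15)
    print("Alice and Bob agree:", k_ab == k_ba == k)
    print("Eve recovers v from (p, a, y_a):", eve_brute_force(a, y_a, p))
```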
9
The Man-in-the-Middle (MitM) Attack (assume Eve is an active adversary!)

[Figure: the same exchange as on the previous slide, now with Eve as an active adversary between Alice and Bob]
Alice: choose random $v$, send $y_a = a^v \bmod p$
Bob: choose random $w$, send $y_b = a^w \bmod p$
Bob computes $K_{ab} = (y_a)^w \bmod p$
Alice computes $K_{ab} = (y_b)^v \bmod p$
Secure communication with $K_{ab}$
10
RSA (1976-8)
Let $n = pq$ where $p, q$ are large primes
$e, d \in_R Z_n$ and $ed \equiv 1 \bmod \Phi(n)$
where $\Phi(n) = (p-1)(q-1) = pq - p - q + 1$
Secrets: $p, q, d$
Publics: $n, e$
Encryption: message $m < n$; $E(m) = y = m^e \bmod n$
Decryption: ciphertext $y$; $D(y) = x' = y^d \bmod n$
11
Why does it all work?
$x \in Z_n^*$
$x^{ed} = x^{1 \bmod \Phi(n)} \bmod n = x^{c \cdot \Phi(n) + 1} \bmod n = x$
But, recall that: $g^{\Phi(n)} = 1 \bmod n$ (Lagrange)
12
How does it all work?

Example: $p = 17$, $q = 13$, $n = 221$, $(p-1)(q-1) = 192 = 3 \cdot 2^6$
pick $e = 5$, $d = 77$. Can we pick 16? 9? 27? 185?
$x = 5$, $E(x) = 5^5 = 3125 \bmod 221 = 31$
$D(y) = 31^{77} = 6.83676142775442000196395599558 \times 10^{114} \bmod 221 = 5$

Example: $p = 5$, $q = 7$, $n = 35$, $(p-1)(q-1) = 24 = 3 \cdot 2^3$
pick $e = 11$, $d = 11$
$x = 2$, $E(x) = 2^{11} = 2048 \bmod 35 = 18 = y$
$y = 18$, $D(y) = 18^{11} = 6.426841007923 \times 10^{13} \bmod 35 = 2$
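Both of the slide's worked examples, including the "can we pick 16? 9? 27? 185?" question, as runnable code; this is an added example, not part of the lecture, and the helper names are mine:

```python
# Added example (not from the lecture slides): RSA key setup, encryption and
# decryption on the slide's toy keys; helper names are mine.
from math import gcd

def phi(p: int, q: int) -> int:
    """Phi(n) = (p-1)(q-1) for n = pq."""
    return (p - 1) * (q - 1)

def valid_public_exponent(e: int, p: int, q: int) -> bool:
    """e is usable only if it has an inverse mod Phi(n), i.e. gcd(e, Phi(n)) = 1."""
    return 1 < e < phi(p, q) and gcd(e, phi(p, q)) == 1

def private_exponent(e: int, p: int, q: int) -> int:
    """d = e^-1 mod Phi(n); pow(e, -1, m) runs the extended Euclidean algorithm."""
    if not valid_public_exponent(e, p, q):
        raise ValueError("e has no inverse mod Phi(n)")
    return pow(e, -1, phi(p, q))

def encrypt(m: int, e: int, n: int) -> int:
    """y = m^e mod n; the message must be a residue mod n."""
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)

def decrypt(y: int, d: int, n: int) -> int:
    """x' = y^d mod n."""
    return pow(y, d, n)

def roundtrip(p: int, q: int, e: int, m: int):
    """Returns (d, ciphertext, recovered plaintext) for the given toy key and message."""
    n = p * q
    d = private_exponent(e, p, q)
    y = encrypt(m, e, n)
    return d, y, decrypt(y, d, n)

if __name__ == "__main__":
    print([e for e in (16, 9, 27, 185) if valid_public_exponent(e, 17, 13)])  # the slide's question
    print(roundtrip(17, 13, 5, 5))    # slide: d = 77, E(5) = 31, D(31) = 5
    print(roundtrip(5, 7, 11, 2))     # slide: d = 11, E(2) = 18, D(18) = 2
```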
13
Why is it Secure?
Why: $n$ has unique factors $p, q$
Given $p$ and $q$, computing $(p-1)(q-1)$ is easy, and then $d$ from $ed \equiv 1 \bmod \Phi(n)$: use extended Euclid!
Conjecture: breaking RSA is polynomially equivalent to factoring $n$. Recall that $n$ is very, very large!
14
Exponentiation Costs
• Integer multiplication -- $O(b^2)$ where $b$ is the bit size of the base $m$
• Modular reduction -- $O(b^2)$
• Thus, modular multiplication -- $O(b^2)$
• Modular exponentiation -- $m^e \bmod n$
• Naïve method: $e - 1$ modular products -- $O(b^2 \cdot e)$
• BUT what if $e$ is large, (almost) as large as $n$?
• Let $L = |e|$ (e.g., $L = 1024$ for a 1024-bit RSA exponent)
• We can assume $b$ and $L$ are close
• Square-and-multiply method works in $O(b^3)$ time... $O(b^2 \cdot 2L)$
15
Square-and-Multiply

goal: compute $m^e \bmod n$ (bits of $e$ processed from left to right)

    l = sizeof(n); temp = 1;
    for (i = l-1; i >= 0; i--) {
        temp = (temp * temp) % n;
        if (e[i]) temp = (temp * m) % n;
    }

• Example 1: e = 100
• Example 2: e = 10000000
• Example 3: e = 11111111
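The slide's loop instrumented to count modular products, beside the naive $e-1$ product method it replaces; an added example, not from the lecture. It reads the three example exponents as bit strings (my assumption) and checks every result against Python's `pow`:

```python
# Added example (not from the lecture slides): the slide's left-to-right
# square-and-multiply, instrumented to count modular products, beside the
# naive e-1 product method it replaces.

def square_and_multiply(m: int, e: int, n: int):
    """Left-to-right square-and-multiply, scanning the bits of e from the top.
    Returns (m^e mod n, number of squarings, number of multiplications)."""
    if e < 0:
        raise ValueError("exponent must be non-negative")
    l = e.bit_length()                 # L = |e| on the slide
    temp, squarings, multiplies = 1 % n, 0, 0
    for i in range(l - 1, -1, -1):     # bit l-1 (most significant) down to bit 0
        temp = (temp * temp) % n       # always square...
        squarings += 1
        if (e >> i) & 1:               # ...and multiply only where the bit is 1
            temp = (temp * m) % n
            multiplies += 1
    return temp, squarings, multiplies

def naive_modexp(m: int, e: int, n: int):
    """The slide's naive method: e-1 modular products. Returns (m^e mod n, products)."""
    if e < 1:
        raise ValueError("naive method shown for e >= 1")
    temp = m % n
    for _ in range(e - 1):
        temp = (temp * m) % n
    return temp, e - 1

def cost_table(m: int, n: int, exponents):
    """Map each exponent to (squarings, multiplies), checking the result against pow()."""
    table = {}
    for e in exponents:
        result, sq, mul = square_and_multiply(m, e, n)
        assert result == pow(m, e, n)
        table[e] = (sq, mul)
    return table

if __name__ == "__main__":
    # The slide's three exponents read as bit strings (my assumption)
    print(cost_table(31, 221, [0b100, 0b10000000, 0b11111111]))
```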
16
Speeding up RSA Decryption

$C$ - RSA ciphertext
Let $d_p = d \bmod (p-1)$, $d_q = d \bmod (q-1)$
compute: $M_p = C^{d_p} \bmod p$, $M_q = C^{d_q} \bmod q$
and solve: $M \equiv M_p \bmod p$, $M \equiv M_q \bmod q$
$M = [M_p \cdot q \cdot (q^{-1} \bmod p) + M_q \cdot p \cdot (p^{-1} \bmod q)] \bmod pq$
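The CRT decryption above as code, checked exhaustively against plain $y^d \bmod n$ on the slide's toy key $p = 17$, $q = 13$, $d = 77$; this is an added example, not part of the lecture:

```python
# Added example (not from the lecture slides): RSA decryption via the CRT as on
# the slide, checked against plain y^d mod n on the slide's toy key.

def crt_private_parts(d: int, p: int, q: int) -> dict:
    """Values that depend only on the key and can be precomputed once."""
    return {
        "dp": d % (p - 1),            # d_p = d mod (p-1)
        "dq": d % (q - 1),            # d_q = d mod (q-1)
        "q_inv": pow(q, -1, p),       # q^-1 mod p
        "p_inv": pow(p, -1, q),       # p^-1 mod q
    }

def decrypt_crt(C: int, p: int, q: int, parts: dict) -> int:
    """M = [M_p * q * (q^-1 mod p) + M_q * p * (p^-1 mod q)] mod pq."""
    M_p = pow(C % p, parts["dp"], p)  # two exponentiations with half-size moduli...
    M_q = pow(C % q, parts["dq"], q)  # ...and half-size exponents
    return (M_p * q * parts["q_inv"] + M_q * p * parts["p_inv"]) % (p * q)

def decrypt_plain(C: int, d: int, n: int) -> int:
    return pow(C, d, n)

def crt_matches_plain(p: int, q: int, e: int, d: int) -> bool:
    """Exhaustively compare both decryptions over every message of a toy key."""
    n = p * q
    parts = crt_private_parts(d, p, q)
    return all(decrypt_crt(pow(m, e, n), p, q, parts) == decrypt_plain(pow(m, e, n), d, n) == m
               for m in range(n))

if __name__ == "__main__":
    parts = crt_private_parts(77, 17, 13)
    print(parts, decrypt_crt(31, 17, 13, parts))   # the slide's y = 31 decrypts to 5
    print(crt_matches_plain(17, 13, 5, 77))
```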
17
More on RSA
• Modulus $n$ is unique per user → cannot share $n$
• What happens if Alice and Bob share the same modulus?
  – Alice has $(e', d', n)$ and Bob has $(e'', d'', n)$
  – Alice wants to compute $d''$ (Bob's private key)
  – She knows that: $e' d' = 1 \bmod \phi(n)$
  – So: $e' d' = k \phi(n) + 1$ and: $e' d' - 1 = k \phi(n)$
  – Alice just needs to compute the inverse of $e''$ mod $X$
    • where $X = e' d' - 1 = k \phi(n)$
    • let's call this inverse $d'''$
    • and remember that: $d''' e'' = k' k \phi(n) + 1$
    • can we be sure that $d''' = d''$?
  – Is it possible that $e''$ has no inverse mod $X$?
    • Yes, if $e'' = \phi(n)$ or $\gcd(e'', k) > 1$, but this is very, very UNLIKELY!
  – For all decryption purposes, $d'''$ is EQUIVALENT to $d''$
  – Suppose Eve encrypted for Bob: $C = m^{e''} \bmod n$
  – Alice computes: $C^{d'''} \bmod n = m^{e'' d'''} \bmod n = m^{k' k \phi(n) + 1} \bmod n = m$
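The slide's argument in code, added here as an example (not from the lecture) of why a modulus must be unique per user, together with the obvious check a key-management process should make; the key $p = 17$, $q = 13$, $e' = 5$, $e'' = 7$ and the message are constructed toy values, and in this instance $d'''$ even coincides with $d''$:

```python
# Added example (not from the lecture slides): the slide's argument for why an RSA
# modulus must never be shared between users. Toy key values are constructed.
from math import gcd

def equivalent_private_exponent(e1: int, d1: int, e2: int):
    """From Alice's own (e1, d1) and Bob's public e2 on the same n, return d3 with
    e2*d3 = 1 (mod X), X = e1*d1 - 1 = k*phi(n); None if e2 has no inverse mod X
    (the 'very, very unlikely' case on the slide)."""
    X = e1 * d1 - 1
    if gcd(e2, X) != 1:
        return None
    return pow(e2, -1, X)

def shared_modulus_demo(p: int, q: int, e1: int, e2: int, m: int):
    """Returns (Bob's real d2, Alice's derived d3, what Alice recovers from Bob's ciphertext)."""
    n, phi_n = p * q, (p - 1) * (q - 1)
    d1 = pow(e1, -1, phi_n)            # Alice's own key
    d2 = pow(e2, -1, phi_n)            # Bob's key: never given to Alice, shown only to compare
    d3 = equivalent_private_exponent(e1, d1, e2)
    C = pow(m, e2, n)                  # a message encrypted for Bob
    return d2, d3, pow(C, d3, n)

def moduli_are_unique(public_keys) -> bool:
    """The mitigation: a set of (e, n) public keys is acceptable only if no two share n."""
    moduli = [n for (_, n) in public_keys]
    return len(moduli) == len(set(moduli))
```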
18
Lecture 8
Public Key Cryptography: Encryption + Signatures
19
ElGamal PK Cryptosystem (83)

$p$ - large prime
$b$ - base, primitive element (generator)
$x$ - private exponent
$y$ - public residue; $y \equiv b^x \bmod p$
$P = Z_p^*$, $C = Z_p^* \times Z_p^*$
publics: $p, b, y$; secrets: $x$

Encryption:
1. generate random $r \in Z_{p-1}$
2. compute: $k = b^r \bmod p$
3. compute: $c = m \cdot y^r \bmod p$
4. ciphertext = $\{k, c\}$

Decryption:
1. compute $k^x \bmod p$
2. compute $(k^x)^{-1} \bmod p$
3. compute $m' = c \cdot (k^x)^{-1} \bmod p = m \cdot b^{xr} \cdot b^{-xr} \bmod p = m$
20
ElGamal (Example)

$p = 13$, $b = 2$, $x = 9$
$y = 2^9 \bmod 13 = 5$

Encryption:
$m = 11$, $r = 10$
$k = 2^{10} \bmod 13 = 10$
$c = 11 \cdot 5^{10} \bmod 13 = 2$
ciphertext $\{10, 2\}$

Decryption:
$10^9 \bmod 13 = 12$
$12^{-1} \bmod 13 = 12$
$m' = 2 \cdot 12 \bmod 13 = 24 \bmod 13 = 11$
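The cryptosystem and the worked example above as code, added here and not part of the lecture; it reproduces the slide's values $p = 13$, $b = 2$, $x = 9$, $m = 11$, $r = 10$ and otherwise draws a fresh randomizer per message, which is what the scheme requires:

```python
# Added example (not from the lecture slides): ElGamal encryption/decryption
# with the slide's toy values p=13, b=2, x=9, m=11, r=10.
import secrets

def is_primitive(b: int, p: int) -> bool:
    """Brute-force check that b generates Z_p^* (toy sizes only)."""
    return len({pow(b, i, p) for i in range(1, p)}) == p - 1

def elgamal_keygen(p: int, b: int, x: int) -> int:
    """Public residue y = b^x mod p for private exponent x."""
    return pow(b, x, p)

def elgamal_encrypt(m: int, p: int, b: int, y: int, r: int = None):
    """Ciphertext {k, c}: k = b^r mod p, c = m*y^r mod p; r random in Z_{p-1} if not given."""
    if not 0 < m < p:
        raise ValueError("message must be in Z_p^*")
    if r is None:
        r = secrets.randbelow(p - 1)      # fresh randomizer for every message
    return pow(b, r, p), m * pow(y, r, p) % p

def elgamal_decrypt(k: int, c: int, p: int, x: int) -> int:
    """m' = c * (k^x)^-1 mod p = m * b^{xr} * b^{-xr} mod p = m."""
    kx = pow(k, x, p)
    return c * pow(kx, -1, p) % p

def slide_example():
    """Returns (y, k, c, m') for the slide's parameters."""
    p, b, x = 13, 2, 9
    y = elgamal_keygen(p, b, x)
    k, c = elgamal_encrypt(11, p, b, y, r=10)
    return y, k, c, elgamal_decrypt(k, c, p, x)

if __name__ == "__main__":
    print(is_primitive(2, 13), slide_example())   # (5, 10, 2, 11) as on the slide
```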
21
Digital Signatures
"I did not have intimate relations with that woman, ..., Ms. Lewinsky"
• Integrity
• Authentication
• Non-Repudiation
• Time-Stamping
• Causality
• Authorization
"If you like your current health insurance plan, you can keep it!"
22
Digital Signatures
A signature scheme: $(P, A, K, Sign, Verify)$
$P$ - plaintext (msgs)
$A$ - signatures
$K$ - keys
$Sign$ - signing function: $(P \times K) \to A$
$Verify$ - verification function: $(P \times A \times K) \to \{0, 1\}$
Usually a message hash (rather than the message itself) is signed
23
RSA Signature Scheme

Let $n = pq$ where $p, q$ are two (large) primes
$e \in Z_{\Phi(n)}^*$, $d = e^{-1} \bmod \Phi(n)$, i.e. $ed \equiv 1 \bmod \Phi(n)$, where $\Phi(n) = (p-1)(q-1)$
Secrets: $p, q, d$; Publics: $n, e$
Signing: message $m$; $Sign(m) = y = m^d \bmod n$; signature $y$
Verification: $Verify(m, y)$: $y^e \bmod n = m$ ???

Use the fact that, in RSA, encryption reverses "decryption"
24
RSA Signature Scheme (contd)
• The Good:
  • Verification can be cheap (like RSA encryption)
  • Mechanically the same as the RSA decryption function
  • Security based on RSA encryption
  • Signing is harder but #verify-s > 1...
  • Deterministic
• The Bad:
  • Recall that RSA is malleable: signatures can be "massaged"
  • Phony "random" signatures
    • compute $Y = RSA(e, X) = X^e \bmod n$
    • $X$ is a signature of $Y$ because $Y^d = X \bmod n$
• The Ugly:
  • Signing requires integrity!
  • How to sign multiple blocks?
  • Deterministic – needs additional randomization!
25
ElGamal Signature Scheme

$p$ - large prime
$b$ - base, generator
$x$ - private exponent
$y$ - public residue; $y \equiv b^x \bmod p$
$P = Z_p^*$, $A = Z_p^* \times Z_{p-1}$
publics: $p, b, y$; secrets: $x$

Signing:
1. generate random $r \in Z_{p-1}^*$
2. compute: $k = b^r \bmod p$
3. compute: $c = (m - xk) \cdot r^{-1} \bmod (p-1)$
4. signature = $\{k, c\}$

Verifying: $y^k \cdot k^c \bmod p = b^m \bmod p$ ???

notice that: $y^k \cdot k^c = b^{xk} \cdot b^{r(m - xk)/r} = b^{xk + m - xk} = b^m$
26
ElGamal PK Cryptosystem / ElGamal Signature Scheme
(the two schemes from slides 19 and 25 shown side by side)
27
ElGamal Signature Scheme (contd)
The good:
• Signing is cheap(er)
• Designed as a signature function
• Non-deterministic (randomized)
The bad:
• Need a GOOD source of random numbers
• Randomizers cannot be revealed (trace)
• Randomizers cannot be reused
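ElGamal signing and verification as on slide 25, plus the point just above that a reused randomizer shows up in the signatures themselves; this is an added example, not from the lecture. The key $p = 13$, $b = 2$, $x = 9$ ($y = 5$) is the earlier slide's toy key and $r = 5$ is my own choice:

```python
# Added example (not from the lecture slides): ElGamal signing and verification
# with the slide's symbols, on the toy key p=13, b=2, x=9 (y=5); r=5 is constructed.
from math import gcd

def elgamal_sign(m: int, p: int, b: int, x: int, r: int):
    """Signature {k, c}: k = b^r mod p, c = (m - x*k) * r^-1 mod (p-1).
    r must be invertible mod p-1 (r in Z_{p-1}^*) and fresh for every message."""
    if gcd(r, p - 1) != 1:
        raise ValueError("randomizer r must be coprime to p-1")
    k = pow(b, r, p)
    c = (m - x * k) * pow(r, -1, p - 1) % (p - 1)
    return k, c

def elgamal_verify(m: int, k: int, c: int, p: int, b: int, y: int) -> bool:
    """Accept iff y^k * k^c = b^m (mod p); also reject k outside Z_p^*."""
    if not 0 < k < p:
        return False
    return pow(y, k, p) * pow(k, c, p) % p == pow(b, m, p)

def reused_randomizer_is_visible(m1: int, m2: int, p: int, b: int, x: int, r: int) -> bool:
    """Two signatures made with the same r share the same k, so an auditor who
    sees both can spot the reuse the slide warns against without knowing x."""
    k1, _ = elgamal_sign(m1, p, b, x, r)
    k2, _ = elgamal_sign(m2, p, b, x, r)
    return k1 == k2

if __name__ == "__main__":
    p, b, x = 13, 2, 9
    y = pow(b, x, p)
    k, c = elgamal_sign(11, p, b, x, r=5)
    print((k, c), elgamal_verify(11, k, c, p, b, y), elgamal_verify(12, k, c, p, b, y))
```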
28
The Digital Signature Standard (DSS)
• Why DSS?
• RSA issues: patents, malleability, etc.
• A variant of ElGamal
• Originally for |p| = 512 bits, now up to 1024
• Optimized for signature size (320- vs. 1024-bit)
• Signing - 1 exp, verification - 2 exps
• No attacks thus far
29
DSS (contd)

$p$ - 512-bit prime
$q$ - 160-bit prime, $(p-1) \% q = 0$
$b$ - base, $b^q \equiv 1 \bmod p$ ($b = \delta^{(p-1)/q}$)
$x$ - private exponent
$y$ - public residue; $y \equiv b^x \bmod p$
$P = Z_p^*$, $A = Z_q \times Z_q$
publics: $p, q, b, y$; secrets: $x$

Signing:
1. generate random $r \in Z_{q-1}^*$
2. compute: $k = (b^r \bmod p) \bmod q$
3. compute: $c = (m + xk) \cdot r^{-1} \bmod q$
4. signature = $\{k, c\}$

Verifying: $(b^{m c^{-1}} \cdot y^{k c^{-1}} \bmod p) \bmod q = k$ ???

notice that: $b^{m c^{-1}} \cdot y^{k c^{-1}} = b^{mr/(m + xk)} \cdot (b^x)^{kr/(m + xk)} = b^{(mr + xkr)/(m + xk)} = b^r$
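The DSS signing and verification steps as code, added here as an example (not from the lecture); the parameters $p = 23$, $q = 11$, $b = 2$ (so $2^{11} \equiv 1 \bmod 23$), $x = 3$ and $r = 5$ are constructed toy values, and $r$ is taken from $1..q-1$ so that $r^{-1} \bmod q$ exists. It also handles the degenerate case the slide's formulas do not mention, $k = 0$ or $c = 0$, which a signer must reject and retry:

```python
# Added example (not from the lecture slides): DSS signing/verification with the
# slide's symbols on constructed toy parameters p=23, q=11, b=2 (2^11 = 1 mod 23).

def dss_params_ok(p: int, q: int, b: int) -> bool:
    """q must divide p-1 and b must have order q in Z_p^*."""
    return (p - 1) % q == 0 and b != 1 and pow(b, q, p) == 1

def dss_sign(m: int, p: int, q: int, b: int, x: int, r: int):
    """Signature {k, c}: k = (b^r mod p) mod q, c = (m + x*k) * r^-1 mod q.
    r is drawn from 1..q-1 so that r^-1 mod q exists; the signer must retry with a
    fresh r if k or c comes out 0, since the verifier inverts c and compares k."""
    if not 0 < r < q:
        raise ValueError("r must be in 1..q-1")
    k = pow(b, r, p) % q
    c = (m + x * k) * pow(r, -1, q) % q
    if k == 0 or c == 0:
        raise ValueError("degenerate signature, retry with a fresh r")
    return k, c

def dss_verify(m: int, k: int, c: int, p: int, q: int, b: int, y: int) -> bool:
    """Accept iff (b^{m c^-1} * y^{k c^-1} mod p) mod q == k."""
    if not (0 < k < q and 0 < c < q):
        return False
    w = pow(c, -1, q)                       # c^-1 mod q
    u1, u2 = m * w % q, k * w % q
    return (pow(b, u1, p) * pow(y, u2, p) % p) % q == k

def toy_run():
    """Returns (y, k, c, verified) for the constructed parameters."""
    p, q, b, x = 23, 11, 2, 3
    y = pow(b, x, p)                        # public residue
    k, c = dss_sign(7, p, q, b, x, r=5)
    return y, k, c, dss_verify(7, k, c, p, q, b, y)

if __name__ == "__main__":
    print(dss_params_ok(23, 11, 2), toy_run())
```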
30
Identification
• Public key cryptography can also be used for IDENTIFICATION
• Identification is an interactive protocol whereby one party, the "prover" (who claims to be, say, Alice), convinces the other party, the "verifier" (Bob), that she is indeed Alice
• Identification can be accomplished with public key digital signatures
• However, signatures reveal information...
• Also, signatures are "transferable", i.e., anyone can verify them
31
The Cave Analogy of Zero-Knowledge
[Figure: a cave entered at Point A, forking at Point B, with a locked door on both sides of the fork]
(P)rover: claims to have the key
(V)erifier: claustrophobic and afraid of the dark; V cannot follow P into the cave
32
The Cave Analogy of Zero-Knowledge: The Protocol
1) V asks someone he trusts to check that the door is locked on both sides.
2) P goes into the maze past point B (heading either right or left)
3) V looks into the cave (while standing at point A)
4) V randomly picks right or left
5) V shouts (very loudly!) for P to come out from the picked direction
6) If P doesn't come out from the picked direction, V knows that P is a liar and the protocol terminates
REPEAT (2)-(6) n TIMES
[Figure: the cave, with Point A and Point B marked]
33
Fiat-Shamir Identification Scheme
• In Fiat-Shamir, the prover has an RSA modulus $n = pq$ (the factorization is secret).
• The factors themselves are not used in the protocol.
• Unlike RSA, a trusted center can generate a global $n$, used by everyone, as long as nobody knows its factorization. The trusted center can "forget" the factorization after computing $n$.
34
Fiat-Shamir Identification Scheme
• Secret Key: Prover (P) chooses a random value $1 < S < n$ (to serve as the key) such that $\gcd(S, n) = 1$
• Public Key: P computes $I = S^2 \bmod n$ and publishes $(I, n)$ as his public key.
• Purpose of the protocol: P has to convince the verifier (V) that he knows the secret $S$ corresponding to the public key $(I, n)$, i.e., to prove that he knows a square root of $I \bmod n$, without revealing $S$ or any portion thereof
35
Fiat-Shamir
[Figure: one round of the protocol]
Prover (Alice), knows $n, I, S$; Verifier (Bob), knows $n$
Alice: pick random $R$; set $x = R^2 \bmod n$; send $I, x$ →
← Bob: query = 0 or 1
Alice: send $R$ (query 0) or $R \cdot S \bmod n$ (query 1) →
Bob checks that: $R^2 = x \bmod n$ (query 0) or $(RS)^2 = xI \bmod n$ (query 1)
36
Fiat-Shamir Identification Scheme
V wants to authenticate the identity of P, who claims to have a public key $I$. Thus, V asks P to convince him that P knows the secret key $S$ corresponding to $I$.
1. P chooses at random $1 < R < n$ and computes: $X = R^2 \bmod n$
2. P sends $X$ to V
3. V randomly requests from P one of two things (0 or 1): (a) $R$, or (b) $RS \bmod n$
4. P sends the requested information
37
Fiat-Shamir ZK Identification Scheme
5. V checks the correct answer: (a) $R^2 \stackrel{?}{=} X \pmod n$, or (b) $(R \cdot S)^2 \stackrel{?}{=} X \cdot I \pmod n$
6. If verification fails, V concludes that P does not know $S$
7. The protocol is repeated $t$ (usually 20, 30, or $\log n$) times, and, if each one succeeds, V concludes that P is the claimed party.
38
What if the Prover knows the challenge ahead of time: Case 0
[Figure: Prover knows $n, I$ (doesn't know $S$); Verifier knows $n$]
Prover: pick random $R$; set $x = R^2 \bmod n$; send $I, x$
query = 0
Prover sends $R$; Verifier checks that: $R^2 = x \bmod n$
39
What if the Prover knows the challenge ahead of time: Case 1
[Figure: Prover knows $n, I$ (doesn't know $S$); Verifier knows $n$]
Prover: pick random $R$; set $x = R^2 \cdot I \bmod n$; send $I, x = R^2 \cdot I$
query = 1
Prover sends $R \cdot I \bmod n$ (instead of: $R \cdot S \bmod n$)
Verifier checks that: $(R \cdot I)^2 = x \cdot I \bmod n$
40
Fiat-Shamir Identification Scheme
CLAIM: The protocol does not reveal ANY information about $S$, or: the protocol is ZERO-KNOWLEDGE
Proof: We show that no information on $S$ is revealed:
• Clearly, when P sends $X$ or $R$, he does not reveal any information on $S$.
• When P sends $RS \bmod n$:
  – $RS \bmod n$ is random, since $R$ is random and $\gcd(S, n) = 1$.
  – If an adversary can compute any information on $S$ from $I, n, X$ and $RS \bmod n$, he can also compute the same information on $S$ from $I$ and $n$, since he can choose a random $T = R'S \bmod n$ and compute: $X' = T^2 I^{-1} = (R')^2 S^2 I^{-1} = (R')^2$
41
Security
Clearly, if P knows $S$, then V is convinced of his identity.
If P does not know $S$, he can either:
1. know $R$, but not $RS \bmod n$. Since he is choosing $R$, he cannot multiply it by the unknown value $S$; or
2. choose $RS \bmod n$, and thus can answer the second question: $RS \bmod n$. But, in this case, he cannot answer the first question, $R$, since he needs to divide by the unknown $S$.
42
Security
• In any case, the adversary cannot answer both questions, since otherwise he can compute $S$ as the ratio between the two answers.
• But, we assumed that computing $S$ is hard, equivalent to factoring $n$.
• Since P does not know in advance (when choosing $R$ or $RS \bmod n$) which question V will ask, he cannot foresee the required choice. He can succeed in guessing V's question with probability 1/2 for each question.
• The probability that V fails to catch P in all runs is thus: $2^{-t}$ (e.g., 1 in 1,000,000,000 for $t = 20$)
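The protocol of slides 35-37 and the two "knows the challenge ahead of time" provers of slides 38-39, run for $t$ rounds; this is an added example, not from the lecture. $n = 221$, $S = 5$ and the RNG seed are constructed toy values, and the cheating prover's only strategy is the guess-the-query one from the slides:

```python
# Added example (not from the lecture slides): Fiat-Shamir rounds with an honest
# prover and the "guess the query ahead of time" prover of cases 0 and 1.
# n = 221, S = 5 and the seed given to make_rng are constructed toy values.
import random
from math import gcd

def make_rng(seed: int):
    return random.Random(seed)              # seeded only to make runs reproducible

def fs_public_key(n: int, S: int) -> int:
    if not (1 < S < n and gcd(S, n) == 1):
        raise ValueError("need 1 < S < n with gcd(S, n) = 1")
    return S * S % n                        # I = S^2 mod n

class HonestProver:                         # knows S
    def __init__(self, n, S, rng): self.n, self.S, self.rng = n, S, rng
    def commit(self):
        self.R = self.rng.randrange(2, self.n)
        return self.R * self.R % self.n     # X = R^2 mod n
    def respond(self, query):
        return self.R if query == 0 else self.R * self.S % self.n

class GuessingProver:                       # knows I but not S
    def __init__(self, n, I, rng): self.n, self.I, self.rng = n, I, rng
    def commit(self):
        self.R, self.guess = self.rng.randrange(2, self.n), self.rng.randrange(2)
        X = self.R * self.R % self.n
        return X if self.guess == 0 else X * self.I % self.n   # case 1: X = R^2 * I
    def respond(self, query):               # answers as if the guessed query was asked
        return self.R if self.guess == 0 else self.R * self.I % self.n

def verify_round(n: int, I: int, X: int, query: int, answer: int) -> bool:
    """Query 0: answer^2 = X; query 1: answer^2 = X*I (all mod n)."""
    return answer * answer % n == (X if query == 0 else X * I % n)

def can_answer_both(n: int, I: int, prover) -> bool:
    """After one commitment, could the prover satisfy query 0 AND query 1?"""
    X = prover.commit()
    return all(verify_round(n, I, X, q, prover.respond(q)) for q in (0, 1))

def rounds_passed(n: int, I: int, prover, t: int, rng) -> int:
    """Rounds passed before the first failure; a return of t means V accepts."""
    for i in range(t):
        X = prover.commit()
        query = rng.randrange(2)            # V's coin, unknown to P when committing
        if not verify_round(n, I, X, query, prover.respond(query)):
            return i
    return t
```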