lecture 1: introduction to public key cryptography · lecture 1: introduction to public key...

Lecture 1: Introduction to Public key cryptography

Thomas Johansson

T. Johansson (Lund University) 1 / 44

Key distribution

Symmetric key cryptography: Alice and Bob share a common secretkey.Some means of distributing a copy of the secret keyphysical distribution.


Network example

Assume that n users are connected in a network and any two of themmay want to communicateThis would require each user to securely store n− 1 differentsymmetric keys (one for each other user), resulting in a total ofn(n− 1)/2 keys.If the network is connecting 2000 university students, then there willbe roughly 2 million different keys.A huge key management problem with questions like; How do you addadd a new user to the system? What if a user’s key is compromised?How long should a key be considered valid and how should we refreshthem?


Key distribution

A better solution to the key distribution problem is obtained if we usesymmetric key distribution protocols.A trusted third party (TTP). Each user has a unique secret key sharedwith the TTP.When two users would like to communicate, they establish a sharedsecret key, usually called a session key, by interacting with the TTP.There are still drawbacks that can be serious problems in certainsituations. For example, we need access and trust to a TTP and westill need to distribute one key shared with the TTP for each user.


Public-key cryptography

an extremely elegant solution...

We assume two different keys, one for encryption of a plaintextmessage and another for decryption of a ciphertext message.Allow the encryption key to be public!Anyone with access to the public encryption key to send an encryptedplaintext to the receiver.


One-way functions and trapdoor one-way functions

Informal definition.

DefinitionA one-way function f(x) is a function from a set X to a set Y such thatf(x) is easy to compute for all x ∈ X , but for “essentially all” elementsy ∈ Y it is “computationally infeasible” to find any x ∈ X such thatf(x) = y.

“easy” and “computationally infeasible”“essentially all elements”


Example

X = Y = Z29 and consider f : X 7→ Y described by

f(x) = 2x mod 29.

a) Roughly, how many operations do you need need to calculate f(5) = 25?

Calculate 22 = 2 · 2 = 4, then 24 = 4 · 4 = 16 and finally multiplying with2, i.e., 25 = 16 · 2 = 3. This procedure required 3 multiplications.


Example

b) Roughly, how many operations do you need need to find an x ∈ X suchthat f(x) = 5?

One way would be to calculate 21 = 2, 22 = 4, 23 = 8, . . . until we reach2x = 5. We find . . . , 222 = 5 and this procedure resulted in 21multiplications.


Example 2

A function that looks like a one-way functions is the function f : Zn 7→ Zn,with

f(x) = x3 mod n,

where n is the number

n = 2799783391122132787082946763872260162107044678695542853756000992932612840010760934567105295536085606

1822351910951365788637105954482006576775098580557613579098734950144178863178946295187237869221823983.


Trapdoor one-way function

DefinitionA trapdoor one-way function f(x) is a one-way function f : X 7→ Y suchthat if one knows some specific information T , called the trapdoorinformation, then f(x) is computationally easy to invert f , i.e., for anyy ∈ Y it is easy to find a x ∈ X such that f(x) = y. For anyone withoutknowledge of the trapdoor information T , f(x) is a one-way function.


Example 2 again

The function f(x) = x3 mod n we had before is a trapdoor one-wayfunction.We said that the function looked like a one-way function. However,there is some secret information about this number that can be used.The number n is in fact the product of two large prime numbers. Thetrapdoor information T is in this case these two prime numbers.Knowing them, you can easily invert the f function.


Example 2 again

The RSA-200 number n above was factored in 2003 and the factors are

3532461934402770121272604978198464368671197400197625023649303468776121253679423200058547956528088349

and

7925869954478333033347085841480059687737975857364219960734330341455767872818152135381409304740185467

It took time equivalent to more than 55 years on a single modern PC tofactor this number.


Public-key encryption scheme

DefinitionA public-key encryption scheme is a set of encryption transformations{Ee : e ∈ K} and a set of decryption transformations {Dd : d ∈ K}. Foreach e ∈ K there is a corresponding d ∈ K such that Dd(Ee(M)) = M ,∀M . Furthermore, after choosing such a pair (e, d), the public key e (or thepublic parameter) is made public, while the associated secret key d is keptsecret. For the scheme to be secure, it must be computationally infeasibleto compute d as well as computing E−1

e (C), knowing the public value e.

constructed through a set of trapdoor one-way functions {fi(x)}.


Complexity

The concepts brought forward in this section can only be realizedunder assumptions of computational limitations.We can never have unconditional security in a public-key cryptosystem.Some assumption is required to be true for the scheme to be secure.We assume that the opponent cannot solve a certain (computationallydifficult but solvable) problem. For example, factor a given very largenumber.


he RSA public-key encryption scheme

DefinitionThe RSA public-key encryption scheme works as follows. Let n = pq,where p and q are two large primes. Let M = C = Zn. Pick a number erelatively prime to φ(n) and calculate a number d such thated = 1 mod φ(n). The public key is the two numbers (n, e) and the(public) encryption transformation E(M) is

E(M) = M e mod n.

The secret key is the number d (as well as p, q and φ(n)) and the secretdecryption transformation D(C) is

D(C) = Cd mod n.


Verify that decrypting a ciphertext returns the encrypted plaintext.

D(C) = Cd = (M e)d = M ed mod n.

Now we note that ed = 1 mod φ(n), which means that we can write

ed = 1 + t · φ(n),

for some integer t. S we can continue

D(C) = M ed = M (1+t·φ(n)) = M ·M t·φ(n) mod n.

From Euler’s formula we know that xφ(n) = 1 for any x ∈ Z∗n. So assuming

that M is invertible we have

D(C) = M ·M t·φ(n) = M · 1 mod n.


Example

Let p = 47 and q = 167 be two primes. Their product is n = pq = 7849.

Compute φ(n) = (p− 1)(q − 1) = 7636. Next, we must choose a value esuch that gcd(e, φ(n)) = 1. We can check that e = 25 is such a value.

When gcd(e, φ(n)) = 1 we know that e = 25 has a multiplicative inverse inZφ(n). We use Euclidean algorithm and Bezout’s lemma to find the inversed = 2749, i.e.,

e · d = 25 · 2749 = 1 mod 7636.

We publish our public key (n, e) = (7849, 25).


Example

Anyone with access to our public key can now send us an encryptedmessage M ∈ Z7849, by calculating

C = M e mod n.

Alice sends message M = 2728. She then computes

C = 272825 = 2401 mod 7849.

When Bob receives the ciphertext C, he computes

M = Cd = 24012749 mod n

and, as by magic, M = 24012749 = 2728 mod n so he recover the correctmessage.


Security of the RSA cryptosystem

If we can factor n then we can compute φ(n) and d.

RSA relies on the factoring problem.

This does not mean that breaking RSA is equivalent to solving afactorization problem. It is not known whether RSA can be broken withoutfactoring n.


Implementation

Examine the implementation of the RSA operation, i.e., computing

M e mod n.

We need L = dlog2 ne bits to store a value in Zn.

A good idea to reduce modulo n as soon as one receives an intermediatevalue outside the interval [0, n− 1].


Example

Calculating 27283 mod 7849 is done by first computing

27282 = 7441984,

then computing7441984 mod 7849 = 1132.

Continuing,1132 ∗ 2728 = 3088096

and finally3088096 mod 7849 = 3439.

So 27283 mod 7849 = 3439.


Exponentiation

How can we do exponentiation in a fast way, i.e., computing M e mod n.

The square and multiply algorithm:

First rewrite e as a sum of powers of 2, i.e.,

e = e0 + e1 · 2 + e2 · 22 + · · ·+ eL−12L−1,

where ei ∈ {0, 1}, 0 ≤ i ≤ L− 1. We then perform L− 1 squarings of M ,computing the values

M2,M4 = (M2)2,M8 = (M4)2, . . . ,

in Zn. Finally we perform at most L− 1 multiplications by computing M e

asM e = M e0 · (M2)e1 · (M4)e2 · · · (M2L−1

)eL−1 .


Example

Compute 272825 in Zn using the square and multiply algorithm.

We rewrite 25 as 25 = 16 + 8 + 1 and get

272825 = 2728 · 27288 · 272816.

Performing a number of squarings we get

27282 = 1132, 27284 = (1132)2 = 2037, 27288 = (2037)2 = 5097,

272816 = (5097)2 = 7068.

Performing the multiplications we get

272825 = 272816+8+1 = 2728 · 5097 · 7068 = 2401.


Primality testing

How to check whether a given number m is a prime or not?

Naive approach: test by trial division, i.e., we check if x|m for all integersx, where 2 ≤ x ≤

√m.

The problem is that if m is a 1024 bit number then√

m is of size 512 bitsand 2512 tests is not possible.


Probabilistic algorithms for testing primality.

Fermat’s Little Theorem states that

am−1 = 1 mod m,

if m is a prime and a such that 1 ≤ a ≤ m− 1.

When m is not a prime we cannot really know what we will receive whencomputing am−1.

But if am−1 6= 1 mod m we know for certain that m is not a prime number.


Algorithm

while (k not big enough) {

1. Select a random a and compute A = am−1.

2. If A 6= 1 we know that m is composite and we end.

3. k = k + 1

}

Assume m prime.


Performance

The error probability after repeating the test k time would then be lessthan 1/2k.

A composite m such that am−1 = 1 mod m is said to be a pseudo-primeto the base a.

If a composite m is such that it is a pseudo-prime for every base a withgcd(a,m) = 1, the the number is called a Carmichael number.

The smallest Carmichael number is 561.


Miller-Rabin test:

Randomly choose a base a.Write m− 1 = 2b · q, where q is odd.If aq = 1 mod m or a2c·q = −1 mod m for any c < b then return “mprobably prime” and go back and choose a new base, otherwise return“m definitely not prime”.

One can prove that P (“m probably prime”|m not prime) < 1/4.


Factoring

The difficulty of factoring ?

Some algorithms apply to numbers of special form.

Others are general, i.e., that they can factor any number.


Pollard’s (p− 1)-method

Let n = pq and let p− 1 factor as

p− 1 = q1q2 · · · qk,

where each qi is a prime power.

Condition: each qi < B, where B is a predetermined “bound”.

Algorithm:

Compute a = 2B! mod n and compute the unknown prime p as

p = gcd(a− 1, n).


Pollard’s (p− 1)-method

Assuming that every unknown prime power qi < B, we have

(p− 1)|B!.

We compute a = 2B! mod n. Now let a′ = 2B! mod p. Since p|n we musthave a mod p = a′. Fermat’s little theorem states that

2p−1 = 1 mod p

and since (p− 1)|B! we also have a′ = 1 mod p leading to a = 1 mod p.So p|(a− 1) and since p|n we have p = gcd(a− 1, n).


Pollard’s: Important conclusion

The primes p and q must then be chosen such that p− 1 and q − 1 eachcontains a large prime in their factorisation.

A usual approach is to generate a random bprime p1 and then test whetherp = 2p1 + 1 is a prime number. If so, we choose p.


Modern factoring algorithms

Quadratic sieve, Number field sieve, elliptic curve factorization, Pollard’srho algorithm method,...

See project 1.


The computational complexity of factoring

We often use the function

LN (α, β) = exp((β + o(1)(log N)α(log log N)1−α.

An algorithm with complexity O(LN (α, β)) for 0 < α < 1 is said tohave sub-exponential behaviour.Number Field Sieve: This is currently the most successful method fornumbers with more than 100 decimal digits. It can factor numbers ofthe size of 2512 and has complexity LN (1/3, 1.923).It is recommended that one takes N of size around 1024 bits to ensuremedium-term security. For long-term security one would need to takea size of over 2048 bits.


Public Key Cryptography

Some basic cryptographic primitives:

Public key encryption: A message is encrypted with a recipient’spublic key and cannot be decrypted by anyone except the recipientpossessing the private key.Digital signatures: A message signed with a sender’s private key canbe verified by anyone who has access to the sender’s public key,thereby proving that the sender signed it and that the message has notbeen tampered with (authenticity and nonrepudiation).Key exchange: is a cryptographic protocol that allows two partiesthat have no prior knowledge of each other to jointly establish ashared secret key.



A major problem is linking a public key to an entity or principal,The main tool in use today is the digital certificate. A special trustedthird party, called a certificate authority, or CA, is used to vouch forthe validity of the public keys.



A CA based system works as follows:

All users have a trusted copy of the public key of the CA. For example,embedded in your browser when you buy your computer.The CA sign data strings containing the following information

(Alice, ..., Alice’s public key, CA’s signature).

This data string, and the associated signature is called a digitalcertificate. The CA will only sign this data if it truly believes that thepublic key really does belong to Alice.When Alice now sends you her public key, contained in a digitalcertificate, you now trust that the public key is that of Alice, since youtrust the CA and you checked the signature.


The Discrete Logarithm Problem

Let (G, ∗) be an abelian group.Discrete Logarithm Problem: Given g, h ∈ G, find an x (if it exists)such that gx = h.The difficulty of this problem depends on the group G

Very easy: polynomial time algorithm, e.g. (ZN ,+)Hard: sub-exponential time algorithm, e.g. (F∗

p).Very hard: exponential time algorithm, e.g. elliptic curve groups.


Diffie Hellman Key Exchange

allows two parties to agree a secret key over an insecure channel withouthaving met before.

G = F∗p and g ∈ F∗

p

The basic message flows for the Diffie Hellman protocol

Alice selects secret a, Bob selects secret b.Alice sends A = ga to Bob. Bob sends B = gb to Alice.Alice computes K = Ba. Bob computes K = Ab. NoteBa = Ab = gab = K.

Man in the middle attack


Example DH key exchange

Domain parameters be given by p = 2147483659 and g = 2.

Alice Boba = 12345 b = 654323A = ga = 428647416 A = 428647416B = 450904856 B = gb = 450904856

Bob computes Ab = 428647416654323(modp) = 1333327162, Alicecomputes Ba = 45090485612345(modp),= 1333327162.


Digital Signatures

The basic idea behind public key signatures is as follows:Message + Alice’s private key = Signature,Message + Signature + Alice’s public key = YES/NO.

(signature scheme with appendix)

three important security properties:message integrity the message has not been altered in transit,message origin the message was sent by Alice,non-repudiation Alice cannot claim she did not send the message.


Cryptographic hash functions - more later

A cryptographic hash function h is a function which takes arbitrarylength bit strings as input and produces a fixed length bit string asoutput, the hash value.

Preimage Resistant: It should be hard to find a message with a givenhash value.Second Preimage Resistant: Given one message it should be hard tofind another message with the same hash value.Collision Resistant: It should be hard to find two messages with thesame hash value.


Signatures with RSA

Message m for signing, we first compute h(m) and then apply the RSAsigning transform to h(m), i.e.

s = h(m)d mod N.

Transmit (m, s).

Verifying: Recover h’, i.e.

h′ = se mod N.

Then compute h(m) from m and check whether h′ = h(m).

If they agree accept the signature as valid, otherwise reject.


Security assumptions for Signatures

Key-only attack: Eve knows the public key and verificationalgorithm.Known message attack: Eve knows also a list of signed messages.Chosen message attack: Eve gets a list of messages of her choicesigned.

Adversarial goals:

Total break: Find the secret signing key.Selective forgery: Try to get a valid signature on a given messagenot signed before.Existential forgery: Try to get a valid signature on a any messagenot signed before.


lecture 1: introduction to public key cryptography · lecture 1: introduction to public key...

Documents