lecture 7 - donald bren school of information and …keldefra/teaching/fall2016/uci...24 rsa...

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA)

Upload: trinhdien

Post on 10-Mar-2018


Page 1: Lecture 7 - Donald Bren School of Information and …keldefra/teaching/fall2016/uci...24 RSA Signature Scheme (contd) • The Good: • Verification can be cheap (like RSA encryption)

Lecture 7

Public Key Cryptography (Diffie-Hellman and RSA)


Public Key Cryptography

• Asymmetric cryptography
• Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir-Adleman)
• Two keys: private (SK), public (PK)
  – Encryption: with public key
  – Decryption: with private key
  – Digital Signatures: signing by private key; verification by public key, i.e., "encrypt" message digest/hash -- h(m) -- with private key
    • Authorship (authentication)
    • Integrity: similar to MAC
    • Non-repudiation: can't do with secret key cryptography
• Much slower than conventional cryptography
• Often used together with conventional cryptography, e.g., to encrypt session keys


Public Key Cryptography

[Figure: the plaintext message m enters the encryption algorithm together with Bob's public key $PK_B$, producing the ciphertext $PK_B(m)$; the decryption algorithm uses Bob's private key $SK_B$ to recover the plaintext message $m = SK_B(PK_B(m))$.]


Key Pre-distribution: Diffie-Hellman ("New Directions in Cryptography", 1976)

System wide parameters: p large prime, a generator in $Z_p^*$

Alice's secret: v, public: $y_a = a^v \bmod p$
Bob's secret: w, public: $y_b = a^w \bmod p$

Alice has: $y_b = a^w \bmod p$
Bob has: $y_a = a^v \bmod p$

$K_{ab} = (y_b)^v \bmod p$
$K_{ba} = (y_a)^w \bmod p$


Public Key Pre-distribution: Diffie-Hellman

[Figure: Alice computes $K_{ab}$; Bob computes $K_{ab} = K_{ba}$; secure communication with $K_{ab}$. Eve knows: p, a, $y_a$ and $y_b$.]


Public Key Pre-distribution: Diffie-Hellman

p - large prime, a - generator in $Z_p^*$

Diffie-Hellman Problem:
Given: $y_a = a^v \bmod p$ and $y_b = a^w \bmod p$
FIND: $a^{vw} \bmod p$

Discrete Log Problem:
Given: $y_a = a^v \bmod p$
FIND: $v$


Public Key Pre-distribution: Diffie-Hellman

Decision DH Problem:
p - large prime, a - generator
Given: $y_a = a^v \bmod p$, $y_b = a^w \bmod p$
Distinguish $K_{ab} = a^{vw} \bmod p$ from a random number!

• DH Assumption: DH problem is HARD (not P)
• DL Assumption: DL problem is HARD (not P)
• DDH Assumption: solving DDH problem is HARD (not P)


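Interactive (Public) Key Exchange: Diffie-Hellman

Eve is passive…

[Figure: message flow. One side chooses random v and sends $y_a = a^v \bmod p$. The other side chooses random w, sends $y_b = a^w \bmod p$ and computes $K_{ba} = (y_a)^w \bmod p$. The first side computes $K_{ab} = (y_b)^v \bmod p$. Secure communication with $K_{ab}$.]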


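The Man-in-the-Middle (MitM) Attack (assume Eve is an active adversary!)

[Figure: the same message flow with Eve between the two parties. One side chooses random v and sends $y_a = a^v \bmod p$. The other side chooses random w, sends $y_b = a^w \bmod p$ and computes $K_{ba} = (y_a)^w \bmod p$. The first side computes $K_{ab} = (y_b)^v \bmod p$. Secure communication with $K_{ab}$.]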
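The two exchanges above as an added Python example (not part of the original slides): with a passive Eve both ends derive the same key, while an active Eve who swaps the public values ends up sharing one key with each side. The parameters p = 23, a = 5 and the names z, y_e for Eve's values are constructed for illustration.

```python
import secrets

# Constructed toy parameters (far too small for real use): p = 23 is prime
# and a = 5 generates Z_23^*.
P, A = 23, 5


def keypair(p=P, a=A):
    """Return (secret exponent, public value a^secret mod p)."""
    secret = secrets.randbelow(p - 2) + 1          # uniform in 1 .. p-2
    return secret, pow(a, secret, p)


def shared_key(their_public, my_secret, p=P):
    """K = (received public value)^(own secret) mod p."""
    return pow(their_public, my_secret, p)


def passive_exchange():
    """Eve only observes p, a, y_a, y_b; both ends derive the same key."""
    v, y_a = keypair()                             # Alice
    w, y_b = keypair()                             # Bob
    return shared_key(y_b, v), shared_key(y_a, w)  # (K_ab, K_ba)


def active_exchange():
    """Eve substitutes her own public value y_e for both y_a and y_b."""
    v, y_a = keypair()                             # Alice
    w, y_b = keypair()                             # Bob
    z, y_e = keypair()                             # Eve (hypothetical names)
    return {
        "alice": shared_key(y_e, v),               # Alice believes y_e is y_b
        "eve_with_alice": shared_key(y_a, z),
        "bob": shared_key(y_e, w),                 # Bob believes y_e is y_a
        "eve_with_bob": shared_key(y_b, z),
    }


if __name__ == "__main__":
    print("passive:", passive_exchange())
    print("active: ", active_exchange())
```

Nothing in the exchange itself tells Alice or Bob that the value they received was replaced, which is why the public values have to be authenticated.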


RSA (1976-8)

Let $n = pq$ where $p, q$ - large primes
$e, d \in_R Z_n$ and $ed \equiv 1 \bmod \Phi(n)$
where: $\Phi(n) = (p-1)(q-1) = pq - p - q + 1$

Secrets: p, q, d

Publics: n, e

Encryption: message = m < n
$E(x) = y = m^e \bmod n$

Decryption: ciphertext = y
$D(y) = x' = y^d \bmod n$


Why does it all work?

$x \in Z_n^*$

$x^{ed} = x^{1 \bmod \Phi(n)} \bmod n = x^{c \cdot \Phi(n)+1} \bmod n = x$

But, recall that: $g^{\Phi(n)} = 1 \bmod n$ (Lagrange)


How does it all work?

Example: p = 17, q = 13, n = 221, (p-1)(q-1) = 192 = 34*2
pick e = 5, d = 77
Can we pick 16? 9? 27? 185?
x = 5, E(x) = 3125 mod 221 = 31
D(y) = $31^{77}$ = 6.83676142775442000196395599558e+114 mod 221 = 5

Example: p = 5, q = 7, n = 35, (p-1)(q-1) = 24 = $3 \cdot 2^3$
pick e = 11, d = 11
x = 2, E(x) = 2048 mod 35 = 18 = y
y = 18, D(y) = 6.426841007923e+13 mod 35 = 2


Why is it Secure?

Why: n has unique factors p, q

Given p and q, computing (p-1)(q-1) is easy:

$ed \equiv 1 \bmod \Phi(n)$

Use extended Euclidean!

Conjecture: breaking RSA is polynomially equivalent to factoring n. Recall that n is very, very large!


Exponentiation Costs

• Integer multiplication -- $O(b^2)$ where b is bit size of base m
• Modular reduction -- $O(b^2)$
• Thus, modular multiplication -- $O(b^2)$
• Modular exponentiation -- $m^e \bmod n$
• Naïve method: e-1 modular products -- $O(b^2 \cdot e)$
• BUT what if e is large, (almost) as large as n?
• Let L = |e| (e.g., L = 1024 for 1024-bit RSA exponent)
• We can assume b and L are close
• Square-and-multiply method works in $O(b^3)$ time … $O(b^2 \cdot 2L)$


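Square-and-Multiply

goal: compute $m^e \bmod n$

    l = sizeof(n);                   // number of bits
    temp = 1;
    for (i = l-1; i >= 0; i--) {     // from left to right in e
        temp = temp * temp % n;      // square for every bit
        if (e[i]) {
            temp = temp * m % n;     // multiply when bit i of e is set
        }
    }

• Example 1: e = 100
• Example 2: e = 10000000
• Example 3: e = 11111111

From left to right in e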


Speeding up RSA Decryption

C - RSA ciphertext

Let: $d_p = d \bmod (p-1)$, $d_q = d \bmod (q-1)$

compute: $M_p = C^{d_p} \bmod p$, $M_q = C^{d_q} \bmod q$

and solve: $M = M_p \bmod p$, $M = M_q \bmod q$

$M = [M_p\, q\, (q^{-1} \bmod p) + M_q\, p\, (p^{-1} \bmod q)] \bmod pq$
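Square-and-multiply and the CRT speed-up above, as an added Python example (not part of the original slides), run on the two worked RSA examples from the earlier slide. The operation counter and the reading of the example exponents 100, 10000000 and 11111111 as binary strings are assumptions made here.

```python
def square_and_multiply(m, e, n):
    """Left-to-right binary exponentiation.

    Returns (m^e mod n, number of squarings, number of multiplications by m).
    """
    temp, squarings, multiplies = 1, 0, 0
    for bit in bin(e)[2:]:                  # bits of e, most significant first
        temp = temp * temp % n
        squarings += 1
        if bit == "1":
            temp = temp * m % n
            multiplies += 1
    return temp, squarings, multiplies


def crt_decrypt(c, d, p, q):
    """RSA decryption with two half-size exponentiations, recombined by CRT."""
    d_p, d_q = d % (p - 1), d % (q - 1)
    m_p = square_and_multiply(c % p, d_p, p)[0]
    m_q = square_and_multiply(c % q, d_q, q)[0]
    # M = [M_p * q * (q^-1 mod p) + M_q * p * (p^-1 mod q)] mod pq
    return (m_p * q * pow(q, -1, p) + m_q * p * pow(p, -1, q)) % (p * q)


def operation_counts(exponents, m=5, n=221):
    """(squarings, multiplications) needed for each exponent."""
    return {e: square_and_multiply(m, e, n)[1:] for e in exponents}


if __name__ == "__main__":
    p, q, e, d = 17, 13, 5, 77              # first worked example on the slides
    y = square_and_multiply(5, e, p * q)[0]
    print("E(5) =", y, " D(y) via CRT =", crt_decrypt(y, d, p, q))
    # Example exponents read as binary (an assumption made for this example).
    print(operation_counts([0b100, 0b10000000, 0b11111111]))
```

The number of squarings depends only on the length of e, while the number of multiplications equals the number of 1 bits, which is why the three example exponents cost different amounts.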


More on RSA

• Modulus n is unique per user → cannot share n
• What happens if Alice and Bob share the same modulus?
  – Alice has (e', d', n) and Bob – (e'', d'', n)
  – Alice wants to compute d'' (Bob's private key)
  – She knows that: e'*d' = 1 mod phi(n)
  – So: e'*d' = k*phi(n) + 1 and: e'*d' - 1 = k*phi(n)
  – Alice just needs to compute inverse of e'' mod X
    • where X = e'*d' - 1 = k*phi(n)
    • let's call this inverse d'''
    • and remember that: d'''*e'' = k'*k*phi(n) + 1
    • can we be sure that: d''' = d''?
  – Is it possible that e'' has no inverse mod X?
    • Yes, if e'' = phi(n) or gcd(e'', k) > 1 but this is very, very UNLIKELY!
  – For all decryption purposes, d''' is EQUIVALENT to d''
  – Suppose Eve encrypted for Bob: $C = (m)^{e''} \bmod n$
  – Alice computes:
    $C^{d'''} \bmod n = m^{e''d'''} \bmod n = (m)^{k' \cdot k \cdot phi(n)+1} \bmod n = m$
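The shared-modulus computation above, carried through as an added Python example (not part of the original slides) to show why each user needs their own n. The toy keys on n = 61 * 53 are constructed for illustration; the function uses only Alice's own key pair and Bob's public exponent.

```python
from math import gcd

# Constructed toy keys on a shared modulus n = 61 * 53 (phi(n) = 3120).
N = 3233
ALICE_E, ALICE_D = 17, 2753        # e' * d' = 46801 = 15 * 3120 + 1
BOB_E, BOB_D = 7, 1783             # e'' * d'' = 12481 = 4 * 3120 + 1


def equivalent_exponent(e_own, d_own, e_other):
    """Return d''' = (e'')^-1 mod X with X = e'*d' - 1, or None if no inverse.

    Only the caller's own key pair and the other user's public exponent are
    used; p, q and phi(n) never appear.
    """
    x = e_own * d_own - 1          # X = k * phi(n)
    if gcd(e_other, x) != 1:
        return None                # the unlikely no-inverse case on the slide
    return pow(e_other, -1, x)


def decrypts_everything(d_equiv, e_other, n):
    """True if d_equiv undoes encryption under e_other for every m < n."""
    return all(pow(pow(m, e_other, n), d_equiv, n) == m for m in range(n))


if __name__ == "__main__":
    d3 = equivalent_exponent(ALICE_E, ALICE_D, BOB_E)
    print("d''' =", d3, "  d'' =", BOB_D)
    print("same value:", d3 == BOB_D)
    print("equivalent for decryption:", decrypts_everything(d3, BOB_E, N))
```

Here d''' differs from d'' as a number but decrypts every ciphertext addressed to Bob, so a shared modulus gives every key holder every other holder's decryption capability.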


Lecture 8

Public Key Cryptography: Encryption + Signatures


ElGamal PK Cryptosystem (83)

p - large prime
b - base, primitive element, generator
x - private exponent
y - public residue; $y \equiv b^x \bmod p$

$P = Z_p^*$, $C = Z_p^* \times Z_p^*$

publics: p, b, y    secrets: x

Encryption:
1. generate random $r \in Z_{p-1}$
2. compute: $k = b^r \bmod p$
3. compute: $c = m y^r \bmod p = m b^{xr} \bmod p$
4. ciphertext = {k, c}

Decryption:
1. compute $k^x \bmod p$
2. compute $(k^x)^{-1} \bmod p$
3. compute $m' = c\,(k^x)^{-1} \bmod p = m b^{xr} b^{-rx} \bmod p = m$


ElGamal (Example)

p = 13, b = 2, x = 9
$y = 2^9 \bmod 13 = 5$

Encryption:
m = 11, r = 10
$k = 2^{10} \bmod 13 = 10$
$c = 11 \cdot 5^{10} \bmod 13 = 2$
ciphertext = {10, 2}

Decryption:
$10^9 \bmod 13 = 12$
$12^{-1} \bmod 13 = 12$
$2 \cdot 12 = 24 \equiv 11 \bmod 13$
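The ElGamal scheme and the worked numbers above as an added Python example (not part of the original slides). The helper distinct_ciphertexts is an addition made here to show that one plaintext maps to a different ciphertext for every randomizer r.

```python
import secrets


def keygen(p, b, x=None):
    """Return (x, y) with y = b^x mod p; x is random unless supplied."""
    if x is None:
        x = secrets.randbelow(p - 2) + 1
    return x, pow(b, x, p)


def encrypt(m, p, b, y, r=None):
    """Return ciphertext {k, c}: k = b^r mod p, c = m * y^r mod p."""
    if not 1 <= m < p:
        raise ValueError("message must be in Z_p^*")
    if r is None:
        r = secrets.randbelow(p - 2) + 1    # fresh randomizer per message
    return pow(b, r, p), m * pow(y, r, p) % p


def decrypt(k, c, p, x):
    """m' = c * (k^x)^-1 mod p."""
    return c * pow(pow(k, x, p), -1, p) % p


def distinct_ciphertexts(m, p, b, y):
    """Set of ciphertexts of m over every randomizer r in 1 .. p-2."""
    return {encrypt(m, p, b, y, r) for r in range(1, p - 1)}


if __name__ == "__main__":
    p, b = 13, 2                            # values from the slide's example
    x, y = keygen(p, b, x=9)
    k, c = encrypt(11, p, b, y, r=10)
    print("y =", y, " ciphertext =", (k, c), " m' =", decrypt(k, c, p, x))
    print(len(distinct_ciphertexts(11, p, b, y)), "ciphertexts for m = 11")
```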


Digital Signatures

"I did not have intimate relations with that woman, …, Ms. Lewinsky"

• Integrity
• Authentication
• Non-Repudiation
• Time-Stamping
• Causality
• Authorization

"If you like your current health insurance plan, you can keep it!"


Digital Signatures

A signature scheme:

(P, A, K, Sign, Verify)

P - plaintext (msgs)

A - signatures

K - keys

Sign - signing function: (P*K) -> A

Verify - verification function: (P*A*K) -> {0,1}

Usually message hash


RSA Signature Scheme

Let $n = pq$ where p, q are two (large) primes
$e \in Z_n^*$ and $ed \equiv 1 \bmod \Phi(n)$, $\Phi(n) = (p-1)(q-1)$

Secrets: p, q, d    Publics: n, e

Signing: message m: $Sign(m) = y = m^d \bmod n$

Verification: signature y: $Verify(y, m)$: $(m = y^e \bmod n)$ ???

Use the fact that, in RSA, encryption reverses "decryption"


RSA Signature Scheme (contd)

• The Good:
  • Verification can be cheap (like RSA encryption)
  • Mechanically same as RSA decryption function
  • Security based on RSA encryption
  • Signing is harder but #verify-s > 1…
  • Deterministic

• The Bad:
  • Recall that RSA is malleable: signatures can be "massaged"
  • Phony "random" signatures
    • compute $Y = RSA(e, X) = X^e \bmod n$
    • X is a signature of Y because $Y^d = X \bmod n$

• The Ugly:
  • Signing requires integrity!
  • How to sign multiple blocks?
  • Deterministic – needs additional randomization!
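The "Bad" items above as an added Python example (not part of the original slides): textbook RSA signatures multiply, and a valid (Y, X) pair can be produced from the public key alone, which is why the signing input is usually a message hash. The toy key and the SHA-256-mod-n digest are constructed for illustration; "massaged" is taken here to mean the multiplicative property.

```python
import hashlib

# Constructed toy key: n = 61 * 53, e * d = 1 mod phi(n).
N, E, D = 3233, 17, 2753


def sign(m, d=D, n=N):
    """Textbook RSA signature: y = m^d mod n."""
    return pow(m, d, n)


def verify(m, y, e=E, n=N):
    """Accept if m == y^e mod n."""
    return m % n == pow(y, e, n)


def phony_signature(x, e=E, n=N):
    """Pair (Y, X) built from the public key only: Y = X^e mod n."""
    return pow(x, e, n), x


def digest(message, n=N):
    """Toy hash into Z_n (SHA-256 reduced mod n; n is far too small for real use)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_hashed(message, d=D, n=N):
    """Hash-then-sign: the signer only ever exponentiates a digest."""
    return sign(digest(message, n), d, n)


def verify_hashed(message, y, e=E, n=N):
    """The verifier recomputes the digest, so Y must be the hash of a message."""
    return verify(digest(message, n), y, e, n)


if __name__ == "__main__":
    # Multiplicative property: sig(5) * sig(7) is a valid signature on 35.
    print(verify(35, sign(5) * sign(7) % N))
    # Phony pair: X verifies as a signature on Y without using d.
    y_msg, x_sig = phony_signature(1234)
    print(verify(y_msg, x_sig))
    print(verify_hashed(b"constructed message", sign_hashed(b"constructed message")))
```

With hash-then-sign, the phony pair is only useful if someone can find a message whose digest equals Y.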


ElGamal Signature Scheme

p - large prime
b - base, generator
x - private exponent
y - public residue; $y \equiv b^x \bmod p$

$P = Z_p^*$, $A = Z_p^* \times Z_{p-1}$

publics: p, b, y    secrets: x

Signing:
1. generate random $r \in Z_{p-1}^*$
2. compute: $k = b^r \bmod p$
3. compute: $c = (m - xk)\, r^{-1} \bmod (p-1)$
4. signature = {k, c}

Verifying: $y^k k^c \bmod p = b^m \bmod p$ ???

notice that: $y^k k^c = b^{xk}\, b^{r(m-xk)/r} = b^{xk+m-xk} = b^m$


ElGamal PK Cryptosystem and ElGamal Signature Scheme

[Slide repeats the ElGamal PK Cryptosystem and ElGamal Signature Scheme definitions from the two earlier slides.]


ElGamal Signature Scheme (contd)

The good:
• Signing is cheap(er)
• Designed as a signature function
• Non-deterministic (randomized)

The bad:
• Need GOOD source of random numbers
• Randomizers cannot be revealed (trace)
• Randomizers cannot be reused


The Digital Signature Standard (DSS)

• Why DSS?

• RSA issues: patents, malleability, etc.

• A variant of ElGamal

• Originally for |p| = 512 bits, now up to 1024

• Optimized for signature size (320- vs. 1024-bit)

• Signing - 1 exp, verification - 2 exps

• No attacks thus far


DSS (contd)

p - 512-bit prime
q - 160-bit prime, (p-1) % q = 0
b - base, $b^q \equiv 1 \bmod p$ ($b = \delta^{(p-1)/q}$)
x - private exponent
y - public residue; $y \equiv b^x \bmod p$

$P = Z_p^*$, $A = Z_q \times Z_q$

publics: p, q, b, y    secrets: x

Signing:
1. generate random $r \in Z_{q-1}^*$
2. compute: $k = (b^r \bmod p) \bmod q$
3. compute: $c = (m + xk)\, r^{-1} \bmod q$
4. signature = {k, c}

Verifying:

$(b^{mc^{-1}}\, y^{kc^{-1}} \bmod p) \bmod q = k$ ???

notice that:

$b^{mc^{-1}}\, y^{kc^{-1}} = b^{mr/(m+xb^r)}\, (b^x)^{b^r r/(m+xb^r)} = b^{(mr+xb^r r)/(m+xb^r)} = b^r$
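DSS signing and verification in the slide's notation (k, c, r, b, x, y), as an added Python example that is not part of the original slides. The toy parameters p = 23, q = 11 and the helper reused_randomizer, a check for the earlier warning that randomizers cannot be reused, are constructed for illustration; m stands for a message hash already reduced mod q.

```python
import secrets

# Constructed toy parameters: q divides p - 1 and b = 5^((p-1)/q) mod p has order q.
P, Q = 23, 11
B = pow(5, (P - 1) // Q, P)          # b = 2


def sign(m, x, r=None, p=P, q=Q, b=B):
    """Return {k, c}: k = (b^r mod p) mod q, c = (m + x*k) * r^-1 mod q."""
    while True:
        r_used = r if r is not None else secrets.randbelow(q - 1) + 1
        k = pow(b, r_used, p) % q
        c = (m + x * k) * pow(r_used, -1, q) % q
        if k != 0 and c != 0:
            return k, c
        if r is not None:
            raise ValueError("randomizer gives k = 0 or c = 0; pick another")


def verify(m, sig, y, p=P, q=Q, b=B):
    """Accept if (b^(m*c^-1) * y^(k*c^-1) mod p) mod q == k."""
    k, c = sig
    if not (0 < k < q and 0 < c < q):
        return False
    c_inv = pow(c, -1, q)
    lhs = pow(b, m * c_inv % q, p) * pow(y, k * c_inv % q, p) % p
    return lhs % q == k


def reused_randomizer(signed):
    """Flag distinct messages whose signatures share k (almost surely the same r)."""
    seen = {}
    for m, (k, _c) in signed:
        if k in seen and seen[k] != m:
            return True
        seen.setdefault(k, m)
    return False


if __name__ == "__main__":
    x = 7
    y = pow(B, x, P)
    sig = sign(5, x, r=3)
    print("y =", y, " signature =", sig, " valid:", verify(5, sig, y))
    print("reuse detected:", reused_randomizer([(5, sig), (9, sign(9, x, r=3))]))
```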


Identification

• Public key cryptography can be also used for IDENTIFICATION

• Identification is an interactive protocol whereby one party: "prover" (who claims to be, say, Alice) convinces the other party: "verifier" (Bob) that she is indeed Alice

• Identification can be accomplished with public key digital signatures

• However, signatures reveal information…
• Also, signatures are "transferable", i.e., anyone can verify them


The Cave Analogy of Zero-Knowledge

[Figure: a cave with Point A (entry) and Point B, and a locked door on both sides. (P)rover: claims to have the key. (V)erifier: claustrophobic and afraid of the dark. V cannot follow P into the cave.]


The Cave Analogy of Zero-Knowledge

The Protocol:

1) V asks someone he trusts to check that the door is locked on both sides.

2) P goes into the maze past point B (heading either right or left)

3) V looks into the cave (while standing at point A)

4) V randomly picks right or left

5) V shouts (very loudly!) for P to come out from the picked direction

6) If P doesn't come out from the picked direction, V knows that P is a liar and protocol terminates

REPEAT (2)-(6) n TIMES

[Figure: cave diagram with Point A and Point B.]


Fiat-Shamir Identification Scheme

• In Fiat-Shamir, prover has an RSA modulus n = pq (factorization is secret).

• Factors themselves are not used in the protocol.

• Unlike RSA, a trusted center can generate a global n, used by everyone, as long as nobody knows its factorization. Trusted center can "forget" the factorization after computing n.


Fiat-Shamir Identification Scheme

• Secret Key: Prover (P) chooses a random value 1 < S < n (to serve as the key) such that gcd(S, n) = 1

• Public Key: P computes $I = S^2 \bmod n$, publishes (I, n) as his public key.

• Purpose of the protocol: P has to convince verifier (V) that he knows the secret S corresponding to the public key (I, n),
  – i.e., to prove that he knows a square root of I mod n, without revealing S or any portion thereof


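Fiat-Shamir

[Figure: protocol flow between Prover (Alice), who holds n, I, S, and Verifier (Bob), who holds n. Prover picks random R, sets $x = R^2 \bmod n$ and sends I, x. Verifier sends query = 0 or 1. Prover answers R or R*S mod n. Verifier checks that $R^2 = x \bmod n$ or $(RS)^2 = xI \bmod n$.]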


Fiat-Shamir Identification Scheme

V wants to authenticate identity of P, who claims to have a public key I. Thus, V asks P to convince him that P knows the secret key S corresponding to I.

1. P chooses at random 1 < R < n and computes: $X = R^2 \bmod n$

2. P sends X to V

3. V randomly requests from P one of two things (0 or 1):
   (a) R
   or
   (b) RS mod n

4. P sends requested information


Fiat-Shamir ZK Identification Scheme

5. V checks the correct answer:
   a) $R^2 \stackrel{?}{=} X \pmod n$
   or
   b) $(R \cdot S)^2 \stackrel{?}{=} X \cdot I \pmod n$

6. If verification fails, V concludes that P does not know S

7. Protocol is repeated t (usually 20, 30, or log n) times, and, if each one succeeds, V concludes that P is the claimed party.


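What if Prover knows the challenge ahead of time: Case 0

[Figure: Prover holds n, I (doesn't know S); Verifier holds n. Prover picks random R, sets $x = R^2 \bmod n$ and sends I, x. Verifier sends query = 0. Prover answers R. Verifier checks that $R^2 = x \bmod n$.]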


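What if Prover knows the challenge ahead of time: Case 1

[Figure: Prover holds n, I (doesn't know S); Verifier holds n. Prover picks random R, sets $x = R^2 \cdot I \bmod n$ and sends I, $x = R^2 \cdot I$. Verifier sends query = 1. Prover answers R*I mod n (instead of: R*S mod n). Verifier checks that $(R \cdot I)^2 = x \cdot I \bmod n$.]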


Fiat-Shamir Identification Scheme

CLAIM: Protocol does not reveal ANY information about S, or: Protocol is ZERO-KNOWLEDGE

Proof: We show that no information on S is revealed:

• Clearly, when P sends X or R, he does not reveal any information on S.

• When P sends RS mod n:
  – RS mod n is random, since R is random and gcd(S, n) = 1.
  – If adversary can compute any information on S from I, n, X and RS mod n he can also compute the same information on S from I and n, since he can choose a random T = R'S mod n and compute:

    $X' = T^2 I^{-1} = (R')^2 S^2 I^{-1} = (R')^2$


Security

Clearly, if P knows S, then V is convinced of his identity.

If P does not know S, he can either:
1. know R, but not RS mod n. Since he is choosing R, he cannot multiply it by the unknown value S
or
2. choose RS mod n, and thus can answer the second question: RS mod n. But, in this case, he cannot answer the first question R, since he needs to divide by the unknown S.


Security

• In any case, adversary cannot answer both questions, since otherwise he can compute S as the ratio between the two answers.

• But, we assumed that computing S is hard, equivalent to factoring n.

• Since P does not know in advance (when choosing R or RS mod n) which question that V will ask, he cannot foresee the required choice. He can succeed in guessing V's question with probability 1/2 for each question.

• The probability that V fails to catch P in all runs is thus: $2^{-t}$ (e.g., 1 in 1,000,000,000 for t=20)
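The Fiat-Shamir rounds and the Case 0 / Case 1 analysis above as an added Python example (not part of the original slides): a prover who knows S passes every round, while a prover without S passes a round only when the query matches the one it prepared for. The toy modulus n = 61 * 53 and the secret S = 123 are constructed for illustration.

```python
import secrets
from math import gcd

# Constructed toy instance: n = 61 * 53, secret S, public I = S^2 mod n.
N, S = 3233, 123
I = S * S % N                         # 2197


def random_unit(n):
    """Random R with 1 < R < n and gcd(R, n) = 1."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def check(x, query, answer, i=I, n=N):
    """Verifier: R^2 == X (query 0) or (R*S)^2 == X*I (query 1), mod n."""
    expected = x if query == 0 else x * i % n
    return answer * answer % n == expected


def honest_round(query, s=S, n=N):
    """Prover knows S: commit X = R^2, answer R or R*S."""
    r = random_unit(n)
    x = r * r % n
    answer = r if query == 0 else r * s % n
    return check(x, query, answer, n=n)


def guessing_round(guess, query, i=I, n=N):
    """Prover without S prepares X for the query it guessed (Case 0 / Case 1)."""
    r = random_unit(n)
    if guess == 0:
        x, answer = r * r % n, r
    else:
        x, answer = r * r * i % n, r * i % n
    return check(x, query, answer, i, n)


def run(t, prover_knows_s):
    """t rounds with random queries; True only if every round verifies."""
    for _ in range(t):
        query = secrets.randbelow(2)
        if prover_knows_s:
            ok = honest_round(query)
        else:
            ok = guessing_round(secrets.randbelow(2), query)
        if not ok:
            return False
    return True


if __name__ == "__main__":
    print("honest prover, 20 rounds:", run(20, True))
    print("guessing prover, 20 rounds:", run(20, False))
```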