public key crypto - ntu.edu.sg · 270 chapter 9 / public-key cryptography and rsa in addition, some...

CX4024 CRYPTOGRAPHY & NETWORK SECURITY | © 2018, Anwitaman DATTA

Anwitaman DATTA SCSE, NTU Singapore

PUBLIC KEY CRYPTO


Acknowledgement: The following lecture slides are based on, and uses material from the text book Cryptography and Network Security (various eds) by William Stallings


PUBLICKEY

CRYPTO

⌘ Use case: key distribution, digital signatures

⌘ Public key cryptosystems: RSA, ECC


System modelA tale of two keys

Any sufficiently advanced technology is indistinguishable from magic. - Arthur C. Clarke

Alice creates a private/public key pair- Knowing just the public key, one cannot

infer the private key- Data is encrypted with one key but it can

be decrypted only with the other key (andnot with the encryption key!

So then, knowing plain/cipher-text pair initself should also not compromise the cipher(e.g., by disclosing the private key).


System model

- Alice keeps the private key

- Everyone and their cat can have the public key

A tale of two keys


Confidential communication

270 CHAPTER 9 / PUBLIC-KEY CRYPTOGRAPHY AND RSA

In addition, some algorithms, such as RSA, also exhibit the following characteristic.

• Either of the two related keys can be used for encryption, with the other usedfor decryption.

A public-key encryption scheme has six ingredients (Figure 9.1a; comparewith Figure 2.1).

Plaintextinput

Bobs'spublic key

ring

Transmittedciphertext

PlaintextoutputEncryption algorithm

(e.g., RSA)Decryption algorithm

Joy

Mike

Mike Bob

Ted

Alice

Alice's publickey

Alice's privatekey

(a) Encryption with public key

Plaintextinput




Bob's privatekey

Bob

Bob's publickey

Alice'spublic key

ring

JoyTed

(b) Encryption with private key

X

X

PUa

PUb

PRa

PRb

Y = E[PUa, X]

Y = E[PRb, X]

X =D[PRa, Y]

X =D[PUb, Y]

Alice

Bob Alice

Figure 9.1 Public-Key Cryptography

Confidential infoPublicly known info

Assuming a mechanism to guarantee thise.g., trusted PKI

Receiver’s Public Key


Authentication

270 CHAPTER 9 / PUBLIC-KEY CRYPTOGRAPHY AND RSA

In addition, some algorithms, such as RSA, also exhibit the following characteristic.

• Either of the two related keys can be used for encryption, with the other usedfor decryption.

A public-key encryption scheme has six ingredients (Figure 9.1a; comparewith Figure 2.1).

Plaintextinput

Bobs'spublic key

ring




Joy

Mike

Mike Bob

Ted

Alice

Alice's publickey

Alice's privatekey

(a) Encryption with public key

Plaintextinput




Bob's privatekey

Bob

Bob's publickey

Alice'spublic key

ring

JoyTed

(b) Encryption with private key

X

X

PUa

PUb

PRa

PRb

Y = E[PUa, X]

Y = E[PRb, X]

X =D[PRa, Y]

X =D[PUb, Y]

Alice

Bob Alice

Figure 9.1 Public-Key Cryptography

Confidential infoPublicly known info

The described process does not provide confidentiality of plaintext. Why?

Sender’s Private Key

Note: Not all public-key cryptosystems support use of either key for encryption, and the other for decryption.


AuthenticationA more efficient variation

For confidentiality:- Need to encrypt the whole

digitally signed data as the plaintext.

- Four encrypt/decrypt operations!


A pragmatic solution

message messagehash

encrypt/sign withsender’s private key

append signed hashwith message

encrypt with the session key

encrypt the session key w/ receiver’s public key

append and transmit

Authentication and confidentiality: both together, efficiently

generate a (symmetric crypto) session key


A pragmatic solution

message messagehash

encrypt/sign withsender’s private key

append signed hashwith message

encrypt with the session key

encrypt the session key w/ receiver’s public key

append and transmit

Authentication and confidentiality: both together, efficiently

generate a (symmetric crypto) session key

How

do w

e know?

PKI


Public key cryptosystems: Wish list

It is easy- for a party X to generate its

public and private keys PUx and PRx respectively- for sender S to encrypt message M, knowing PUx

C=E(PUx,M)- for receiver X (knowing PRx) to decrypt message

M=D(PRx,C)=D(PRx,E(PUx,M))

Optionally: either key can be used in either order- M=D(PRx,E(PUx,M))=D(PUx,E(PRx,M))

It is computationally infeasible for anyone to- determine PRx knowing PUx- determine M knowing C and PUx


Trapdoor functions

Trapdoor functions- Easy to compute in one direction - Difficult to compute in other direction (finding the inverse)

but easy to compute, with some special information (trapdoor)

Source: https://en.wikipedia.org/wiki/Trapdoor_function


The RSA algorithm

Ron Rivestborn in 1947

Adi Shamirborn in 1952

Leonard M. Adlemanborn in 1945

- Excerpt from ACM news release on

2002 Turing award


RSA overview

RSA cryptosystem- plaintext and ciphertext are (represented as) integers- between 0 and n-1 for some n- block cipher with bock size b, such that 2b < n ≤ 2b+1

keys- public key PU=(e,n)- private key PR=(d,n)

encryption & decryption

assuming:

- The encryption and decryption computations are relatively easy- It is infeasible to determine d given e and n

Assumes: factorization of the product of two large primes & discrete logarithm are hard


RSA overview

assuming:

claim:- with semiprime n=pq, where p and q are prime numbers- e and d, with ed mod 𝜙(n) =1satisfies the property Med mod n = M

Equivalent to say:ed ≡1 (mod 𝜙(n))d ≡e-1 (mod 𝜙(n))

True iff e (and thus d) are relatively prime with 𝜙(n)There is no formal proof of “hardness”. It’s just that right now

no efficient, non-quantum integer factorization algorithm is (publicly) known.

caveat


RSA cryptosystem

9.2 / THE RSA ALGORITHM 281

We now look at an example from [HELL79], which shows the use of RSAto process multiple blocks of data. In this simple example, the plaintext is analphanumeric string. Each plaintext symbol is assigned a unique code of twodecimal digits (e.g., a = 00, A = 26).6 A plaintext block consists of four decimaldigits, or two alphanumeric characters. Figure 9.7a illustrates the sequenceof events for the encryption of multiple blocks, and Figure 9.7b gives a specificexample. The circled numbers indicate the order in which operations areperformed.

6The complete mapping of alphanumeric characters to decimal digits is at this book’s Website in thedocument RSAexample.pdf.

Plaintext P

Decimal string

Sender

Receiver

(a) General approach (b) Example

Blocks of numbers

Transmit

P1, P2,

P1 = C1d mod n

P2 = C2d mod n

Ciphertext C

C1 = P1e mod n

C2 = P2e mod n

Recovereddecimal text

n = pq

Random numbergenerator

e, p, q

Private keyd, n

Public keye, n

How_are_you?

33 14 22 62 00 17 04 62 24 14 20 66

Sender

Receiver

Transmit

P1 = 3314 P2 = 2262 P3 = 0017P4 = 0462 P5 = 2414 P6 = 2066

C1 = 331411 mod 11023 = 10260C2 = 226211 mod 11023 = 9489C3 = 1711 mod 11023 = 1782C4 = 46211 mod 11023 = 727C5 = 241411 mod 11023 = 10032C6 = 200611 mod 11023 = 2253

P1 = 102605891 mod 11023 = 3314P2 = 94895891 mod 11023 = 2262P3 = 17825891 mod 11023 = 0017P4 = 7275891 mod 11023 = 0462P5 = 100325891 mod 11023 = 2414P6 = 22535891 mod 11023 = 2006

11023 = 73 151

5891 = 11–1 mod 1080010800 = (73 – 1)(151 – 1)11023 = 73 51


e = 11n = 11023

d = 5891n = 11023

e = 11p = 73, q = 151

1

2

6

3

4

5

7

1

2

6

3

4

5

7

d = e–1 mod φ(n)φ(n) = (p – 1)(q – 1)

n = pq

Figure 9.7 RSA Processeing of Multiple Blocks

PKI280 CHAPTER 9 / PUBLIC-KEY CRYPTOGRAPHY AND RSA

For decryption, we calculate M = 1123 mod 187:

1123 mod 187 = [(111 mod 187) × (112 mod 187) × (114 mod 187) × (118 mod 187) × (118 mod 187)] mod 187

111 mod 187 = 11

112 mod 187 = 121

114 mod 187 = 14,641 mod 187 = 55

118 mod 187 = 214,358,881 mod 187 = 33

1123 mod 187 = (11 × 121 × 55 × 33 × 33) mod 187 = 79,720,245 mod 187 = 88

Figure 9.5 The RSA Algorithm

Key Generation Alice

Select p, q p and q both prime, p Z q

Calculate n = p * qCalcuate f(n) = (p - 1)(q - 1)

Select integer e gcd (f(n), e) = 1; 1 < e < f(n)

Calculate d d K e-1 (mod f(n))

Public key PU = {e, n}

Private key PR = {d, n}

Encryption by Bob with Alice’s Public Key

Plaintext: M 6 n

Ciphertext: C = Me mod n

Decryption by Alice with Alice’s Public Key

Ciphertext: C

Plaintext: M = Cd mod n

Encryption

Plaintext88

Plaintext88

Ciphertext11

88 mod 187 ! 11

PU ! 7, 187

Decryption

711 mod 187 ! 88

PR ! 23, 187

23

Figure 9.6 Example of RSA Algorithm

Encryption and Decryption

A 3rd party web demo (worksheet): https://www.cs.drexel.edu/~jpopyack/IntroCS/HW/RSAWorksheet.html

Assuming: it is infeasible to determine d given e and n


RSA computation

recipient knows:- PR={23,187} // d=23, n=187- 187=17×11 // p=17, q=11- ɸ(n)=(p-1)(q-1)=160 // check: 7×23 mod 160=1

sender knows:- PU={7,187} // e=7, n=187- plaintext to encrypt: M=88 // 88 < 187

Example


RSA computation

sender knows:- PU={7,187}- plaintext to encrypt: M=88 // 88 < 187

Example: Encryption

Encryptionciphertext


RSA computationExample: Decryption

Decryption

recipient knows:- PR={23,187}- 187=17×11 // p=17, q=11- ɸ(n)=(p-1)(q-1)=160 // check: 7×23 mod 160=1- receives cipher text: 11

plaintext


RSA: concluding remarks

Source: http://en.wikipedia.org/wiki/RSA_Factoring_Challenge

9.2 / THE RSA ALGORITHM 281

We now look at an example from [HELL79], which shows the use of RSAto process multiple blocks of data. In this simple example, the plaintext is analphanumeric string. Each plaintext symbol is assigned a unique code of twodecimal digits (e.g., a = 00, A = 26).6 A plaintext block consists of four decimaldigits, or two alphanumeric characters. Figure 9.7a illustrates the sequenceof events for the encryption of multiple blocks, and Figure 9.7b gives a specificexample. The circled numbers indicate the order in which operations areperformed.

6The complete mapping of alphanumeric characters to decimal digits is at this book’s Website in thedocument RSAexample.pdf.

Plaintext P

Decimal string

Sender

Receiver

(a) General approach (b) Example

Blocks of numbers

Transmit

P1, P2,

P1 = C1d mod n

P2 = C2d mod n

Ciphertext C

C1 = P1e mod n

C2 = P2e mod n

Recovereddecimal text

n = pq


e, p, q

Private keyd, n

Public keye, n

How_are_you?

33 14 22 62 00 17 04 62 24 14 20 66

Sender

Receiver

Transmit

P1 = 3314 P2 = 2262 P3 = 0017P4 = 0462 P5 = 2414 P6 = 2066

C1 = 331411 mod 11023 = 10260C2 = 226211 mod 11023 = 9489C3 = 1711 mod 11023 = 1782C4 = 46211 mod 11023 = 727C5 = 241411 mod 11023 = 10032C6 = 200611 mod 11023 = 2253

P1 = 102605891 mod 11023 = 3314P2 = 94895891 mod 11023 = 2262P3 = 17825891 mod 11023 = 0017P4 = 7275891 mod 11023 = 0462P5 = 100325891 mod 11023 = 2414P6 = 22535891 mod 11023 = 2006

11023 = 73 151

5891 = 11–1 mod 1080010800 = (73 – 1)(151 – 1)11023 = 73 51


e = 11n = 11023

d = 5891n = 11023

e = 11p = 73, q = 151

1

2

6

3

4

5

7

1

2

6

3

4

5

7

d = e–1 mod φ(n)φ(n) = (p – 1)(q – 1)

n = pq

Figure 9.7 RSA Processeing of Multiple Blocks


Key measure: Encryption strength

Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf

Bits of Security Symmetric Key Algorithm

Corresponding RSA Key Size

Corresponding ECC Key Size

80 Triple DES (2 keys) 1024 160112 Triple DES (3 keys) 2048 224128 AES-128 3072 256192 AES-192 7680 384256 AES-256 15360 512

NIST recommendations


Elliptic curve cryptography (ECC)

Web resources:Certicom’s tutorial on ECC: https://www.certicom.com/content/certicom/en/ecc-tutorial.htmlVery nice 3rd party web demo (and tutorial): https://cdn.rawgit.com/andreacorbellini/ecc/920b29a/interactive/modk-add.html

Not such a new kid in town!

Victor S. Millerborn in 1947

Neal Koblitzborn in 1948

ECC invented (independently):- 1985- wide-scale adoption circa 2005

barrier to adoption: patent/license protections


Elliptic curves

Point addition over the elliptic curve y2 = x3 - 1x + 2 in ℝ. Point addition over the elliptic curve y2 = x3 - 1x + 2 in 𝔽23. The curve has 30 points (including the point at infinity).

These plots were generated using the following (3rd party) web demo:https://cdn.rawgit.com/andreacorbellini/ecc/920b29a/interactive/modk-add.html


Elliptic curves over finite fields

For applications to cryptography, - we are interested in curves over finite fields

variables and coefficients restricted to elements of a finite field- Binary curves over GF(2m)- Prime curves Ep(a,b) over Zp

(this is the one we shall study in this course)

Example: (4,5) ∈ E23(9,17)


Prime curves: Ep(a,b) over Zp

claim: Finite abelian group if (4a3+27b2) mod p ≠ 0 mod p- addition (algebraic interpretation)

we will use the results “as is”, without derivation/proof∀P, Q ∈Ep(a,b)i. P+0=P Remark: Point at Infinity is the new zeroii. If P=(xP,yP) then –P=(xP,-yP)iii. For P=(xP,yP), Q=(xQ,yQ), when P ≠ -Q, R=P+Q is computed as:



- multiplicationusing repeated addition10P=P+P+P+P+P+P+P+P+P+P

= (((P+P)+(2P))+4P)+2Pnote the trick to reduce the number of actual operations!



exercise - Consider P,Q∈E23(9,17), with P=(16,5), Q=(4,5).

Determine k such that Q=kP.

recall


Discrete log: prime-field elliptic curvesExample with P∈E23(9,17)

n n×P1 (16,5)2 (20,20)3 (14,14)4 (19,20)5 (13,10)6 (7,3)7 (8,7)8 (12,17)

P=(16,5)

n n×P9 (4,5)10 (3,18)11 (5,7)12 (18,10)13 (1,21)14 (10,7)15 (15,10)16 (17,0)

n n×P17 (15,13)18 (10,16)19 (1,2)20 (18,13)21 (5,16)22 (3,5)23 (4,18)24 (12,6)

n n×P25 (8,16)26 (7,20)27 (13,13)28 (19,3)29 (14,9)30 (20,3)31 (16,18)32 (inf,inf)

-P

P=(16,5), Q=(4,5). Determine k such that Q=kP. 9P=Q, i.e. k=9

033 (16,5) 1×P

Recall:Point at Infinity

is the new zero


Elliptic curve public key cryptography

global information:- Eq(a,b) :elliptic curve with parameters a, b and q;

where q is a prime of integer of the form 2m

- G : point on the elliptic curve whose order is a large value n

public/private key pair (of user X):- select private key nX: nX < n- calculate public key PX: PX=nX×G

Encryption: to send a message M (to user X), C={kG,M+kPX}

Decryption: M+kPX-nXkG = M+knXG-nXkG = M

Security derived from hardness of discrete logarithm: computing x, given G and xG

Known to sender only


Concluding remarks

RSA:- Plain RSA not semantically secure:

known ciphertext attack- Remedy: padding

Optimal Asymmetric Encryption Padding (OAEP)

Further reading:- Diffie Hellman

key exchange- ElGamal encryption

Public key infrastructure:- Verification of identity: levels- Revocation of keys- Single point of breach: Certification

agency’s own private keye.g. Dutch certificate authority DigiNotar

ECC: popular these days, but- Particularly vulnerable to side-

channel attacks- Easier (than RSA) to break by a (still

hypothetical) quantum computer- Backdoor in NIST standards?

Dual_EC_DRBG cryptotrojan

public key crypto - ntu.edu.sg · 270 chapter 9 / public-key cryptography and rsa in addition, some...

Documents