Applied Cryptography Spring 2015 Asymmetric ciphers.

Applied Cryptography

Spring 2015

Asymmetric ciphers

Types of ciphers

Symmetric Asymmetric (public key

Block ciphers Stream ciphers

Symmetric vs. asymmetric cryptography

Symmetric ciphers – sender and recipient use the same key Dkey(Ekey(m)) = m

Substitution cipher is an example of a symmetric cipher

Impractical for big systems – number of keys is quadratic in the number of users

The solution – asymmtric algorithms. Think of a locked mailbox! Different keys for encryption and decryption Dprivate key(Epublic key(m)) = m

Asymmetric ciphers

[From Information Security Group, ICU]

Mathematical foundations for publickey cryptography

Traditionally used one-way functions:

FactoringGiven primes p and q, it is easy to compute n=pq, but itis hard to factor n

Discrete logarithm problemGiven prime p and g,x<p, it is easy to compute y = gx mod p, but it is hard to compute logg y in Z*p.

Square root problemGiven primes p,q, n=pq and x<n, it is easy to compute y = x2 mod n, but it is hard to compute sqrt(y) in Z*n.

Knapsack?

PKC schemes

[From Information Security Group, ICU]

What we will use from number theoryFermat's little Theorem

If p is prime and gcd(a,p) = 1 then ap1 = 1 mod p.

Complexity of modular operations

Addition, subtraction

Almost the same as without modulos, time complexity ( )

Multiplication:

for given a and b find x such that ab mod n = x

multiplication + division, i.e. time complexity ( 2)

What we will use from number theory

Extended Euclid's algorithm

d = gcd(a,b) - the greatest common divisor of integers a and b

ExtendedEuclid(a, b) if b = 0 then return (a,1,0)(d’,x’,y’) ExtendedEuclid(b, a mod b)(d,x,y) (d’,y’,x’ – a/b y’)return (d,x,y)

There exist integers x and y such that d = ax + by

Complexity of modular operations

Division:

for given a and b find x such that bx mod n = a

Not always such x exists - we should have gcd(b,n) | a

Extended Euclid's algorithm: finds x and y such that gcd(s,t) = su + tv

Take b = s and t = n and set x = ua/gcd(b,n)

Time complexity ( 3)

Complexity of modular operations

Exponentiation:

for given a and b find x such that ab mod n = x

Time complexity?

Modular Exponentiation

ModularExponentiation(base a, degree b, modulus n)let <bk,bk–1,...,b0> be the binary representation of b c 0d 1for i k downto 0 do

c 2 cd (d d) mod nif bi = 1 then

c c + 1d (d a) mod n

return d

Time complexity T() = ( 3)

Modular Exponentiation - example

ModularExponentiation(a, b, n)c 0; d 1for i k downto 0 do

c 2 cd (d d) mod nif bi = 1 then

c c + 1d (d a) mod n

return d

[Adapted from T.Cormen, C.Leiserson, R. Rivest]

What we will use from number theory

Chinese reminder theorem

Suppose n1, n2, …, nk are integers which are pairwise coprime. Then, for any given integers a1,a2, …, ak, there exists an integer x solving the system of simultaneous congruences:

Furthermore, all solutions x to this system are congruent modulothe product N = n1n2…nk.

Merkle's puzzles (around 1974)

Bob:

220 messages: "this is puzzle number x. This is the secret key y"

Alice:

decirpts random message, sends Bob pair: (Ey(P),x)

Knapsack algorithms

First generalized public key encryption algorithm

[Merkle, Hellman, 1979]

Knapsack problem

Knapsack problem

[From B.Schneier]

Knapsack algorithms

Encryption - ok, Decryption ?

[From B.Schneier]

Knapsack algorithms

[From B.Schneier]

Knapsack algorithms

[From B.Schneier]

Knapsack algorithms

[From B.Schneier]

Knapsack algorithms

[From B.Schneier]

Knapsack algorithms

[From B.Schneier]

Knapsack algorithms

What sizes of keys to use?

Numbers in (superincreasing sequence) 200 to 400 bitsmodulus m 100 to 200 bits

Unfortunately Merkle-Hellman (and quite a number of other)knapsack schemas are already broken...

Few knapsack variations (Chor-Rivest) still are not broken, butprobably can not be particularly recommended...

Diffie-Hellman (key-exchange algorithm)

First public-key algorithm ever invented (1976)

n - prime, g - number such that gcd(g,n) =1

Alice: chooses random large x, sends X = gx mod nBob: chooses random large y, sends Y = gy mod nAlice, Bob: compute k = Yx mod n and k' = Xy mod n

RSA

Asymmetric cryptographic algorithm published in 1978

The most popular asymmetric algorithm used today Now free to use – patent expired in 2000 Relies on the hardness of factoring a number

consisting of two primes

Actually invented by Cocks (from UK) in 1973,

unfortunately the work was classified...

RSA

RSA

RSA - The authors

[From Information Security Group, ICU]

The RSA public-key cryptosystem

p,q - two large primes (100 digits or more)n = pqe - small odd integer that is relatively prime to

(p – 1)(q – 1)d - integer such that de 1 (mod (p – 1)(q – 1))

(it can be shown that it always exists)

P = (e,n) - public keyS = (d,n) - secret key

Encoding: P(M) = Me (mod n)Decoding: S(C) = Cd (mod n)

It works!

RSA - Correctness

n = pqe - odd and relatively prime to (p – 1)(q – 1)d - such that de 1(mod (p – 1)(q – 1))P(M) = Me (mod n), S(C) = Cd (mod n)

P(S(M)) = S(P(M)) = Med (mod n), ed = 1 + k (p – 1)(q – 1)

M 0 (mod p) Med M(Mp–1)k(q–1) (mod p) M(1)k(q–1) (mod p) M (mod p)

M 0 (mod p) Med M (mod p)

RSA - Correctness

Med M (mod p)

Med M (mod q)

Thus Med M (mod n)

RSA - Complexity

Encoding: P(M) = Me (mod n)

Decoding: S(C) = Cd (mod n)

RSA - Speed

[From B.Schneier]

RSA - Speed

[From B.Schneier]

RSA - Speed

[From B.Schneier]

Attacks on RSA

RSA Challange

[From Information Security Group, ICU]

RSA Challange

[From wikipedia.org]

Security assumptions for “textbook algorithms”

Attacks on RSA – “small” messages

• Finding m is trivial, if c = me mod n = me.

• If m is known to have a small finite set of values (e.g. 4 digit PIN),The value of m can be found by trying all possible values

Attacks on RSA – “small” messagesl

E.g., what happens if wewill directly encrypt 56 bit DES key ?

[From W.Mao]

Attacks on RSA

Common modulus attack

Don’t sign with encryption key

Attacks on RSA

RSA - Choice of p and q

[From Information Security Group, ICU]

r - a prime factor of p

CS519, © A.Selcuk

Encryption: (PKCS #1 v1.5, RFC 2313)

first 0: to guarantee x < n 2: indicates encryption second 0: indicates end of padding

Protects against: guessable message attacks (e.g., a yes/no message) cube root problem, for e = 3 broadcast problem, for e = 3

random non-zero octets00 02 00 data

1 byteeach

1 byte≥ 8 bytes

RSA and PKCS standard

RSA and PKCS standard

PKCS #1 v2.2RSA EME-OAEP mode

Bit security of RSA

The following two problems are equally hard:

1. given the RSA encryption of a message, retrieve the message

2. given the RSA encryption of a message, retrieve the leastsignificant bit of the message

ElGamal

[From B.Schneier]

ElGamal

[From B.Schneier]

Elliptic Curve Cryptography

Fq - a finite field (q = pm)

a,b Fq

Consider all pairs (x,y) such that

y2 = x3 + ax + b

The number of such points lies between (q1/21)2 and (q1/2+1)2

This set of point is a group (with a bit tricky to define group operation :)

The best known algorithms for discrete logarithm problem in such groups require time q1/2

Elliptic Curve Cryptography

[From E.Savas]

Emerging public key cryptography standard for constrained devices.

160 bit key length is equivalent in cryptographic strength to 1024-bit RSA. 313 bit ECC is equivalent to 4096 bit RSA

As algebraic/geometric entities have been studied extensively for the past 150 years. Rich and deep theory suitable to cryptography

First proposed for cryptographic usage in 1985 independently by Neal Koblitz and Victor Miller

Rabin's scheme

Michael Rabin 1979

The Rabin cryptosystem is an asymmetric cryptographic technique,whose security, like that of RSA, is related to the difficulty of factorization. However the Rabin cryptosystem has the advantage that the problem on which it relies has been proved to be as hard as integer factorization, which is not currently known to be true of the RSA problem. It has the disadvantage that each output of the Rabin function can be generated by any of four possible inputs; if each output is a ciphertext, extra complexity is required on decryption to identify which of the four possible inputs was the true plaintext.

[From www.wikipedia.org]

Rabin's scheme

Rabin's scheme

Choose two large distinct primes p and q.

One may choose Blum integers to simplify the computation of squareroots modulo p and q. But the scheme works with any primes.

Let n=p*q. Then n is the public key.

The primes p and q are the private key.

To encrypt a message only the public key n is needed. To decrypt a ciphertext the factors p and q of n are necessary.

[From www.wikipedia.org]

Rabin's scheme

Rabin's scheme

Rabin's scheme

For the same reason decryption assistance immediately factors n (Chosen plaintext attack)

Rabin's schemeEncryption:

C = M2 mod n

Decryption?

Decryption:

m1 = C(p+1)/4 mod pm2 = (p C(p+1)/4)mod pm3 = C(q+1)/4 mod qm4 = (q C(q+1)/4) mod q

a = q (q1 mod p), b = p (p1 mod q)a + b = kq + lp = 1 (mod n)

M1 = (am1+bm3)mod nM2 = (am1+bm4)mod nM3 = (am2+bm3)mod nM4 = (am2+bm4)mod n

Rabin's scheme