Plan
1. Introduction to public-key cryptography
2. Diffie-Hellman key exchange
3. Trapdoor one-way permutations
How to distribute the cryptographic keys?
• If the users can meet in person beforehand – it’s simple.
• But what to do if they cannot meet?
(a typical example: on-line shopping)
A naive solution:
P5
P1
P3
P2
P4
K13K12
K14
K15
give to every user Pi a separate key Kij to communicate with every Pj
P5
P1
P3
P2
P4
In general:a quadratic number of keys is needed
Problems:
• Someone (a Key Distribution Center, KDC) needs to “give the keys”
– feasible if the users are e.g. working in one company
– infeasible on the internet– relies on the honesty of KDC– KDC needs to be permanently available– ...
• The users need to store large numbers of keys in a secure way
The solution:
Public-Key Cryptography
Whitfield Diffie and Martin Hellman (1976)Ralph Merkle (1974)
A little bit of history
• Diffie and Hellman were the first to publish a paper containing the idea of the public-key cryptography:
W.Diffie and M.E.Hellman, New directions in cryptographyIEEE Trans. Inform. Theory, IT-22, 6, 1976, pp.644-654.
• A similar idea was described by Ralph Merkle:– in 1974 he described it in a project proposal for a Computer
Security course at UC Berkeley (it was rejected)
– in 1975 he submitted it to the CACM journal (it was rejected)(see http://www.merkle.com/1974/ )
• It 1997 the GCHQ (the British equivalent of the NSA) revealed that they new it already in 1973.
The ideaInstead of using one key K, • use 2 keys (e,d), where
– e is used for encryption,– d is used for decryption,
or– d is used for computing a tag,– e is used for verifying correctness of the tag.
Moreover: e can be public, and only d has to be kept secret!
That’s why it’s called: public-key cryptography
this will be called “signatures”
Sign – the signing algorithm
Anyone can send encrypted messages to anyone else
P5
P1
P3P2
P4
e1
e2
e3
e4
e5
2. reads e3
1. P1 wants to send m to P3
3. sends E(e 3
,m)
public register:
d3
4. P3 computes D(d3,m)
Anyone can verify the signatures
P5
P1
P3P2
P4
e1
e2
e3
e4
e5
1. Sign(d 3
,m)
public register:Sign(d3,m)
Sig
n(d
3,m
)
2. reads e3
d3
3. computes Vrfy(e3,m)
Things that need to be discussed
• Who maintains “the register”?
• How to contact it securely?
• How to revoke the key (if it is lost)?
• ...
We will discuss this things later
(when we will be talking about the Public-Key
Infrastructure)
anyone can lock it
But is it possible?In “physical world”: yes!
Examples:
1. “normal” signatures
2. padlocks:
the key is needed to unlock
Diffie and Hellman (1976)
• Diffie and Hellman proposed the public key cryptography in 1976.
• They just proposed the concept, not the implementation.
• But they have shown a protocol for key-exchange.
listens
Key exchange
Alice Bob
initially they share no secret
key k key k
Eve should have no information about k
We will formalize it later.Let’s first show the protocol.
The Diffie-Hellman Key exchangeG – a group, where discrete log is hardq = |G|g – a generator of G
Alice Bob
x ← Zqh1 = gx
y ← Zq
h2 = gy
output:kA=(h2)x
output:kB=(h1)y
equal to:gyx
equal to:gxy
equal!
Security of the Diffie-Hellman exchange
Eve
h1 = gx h2 = gyG,g
knows
Eve should have no information about gyx
gyx ?
Is it secure?
If the discrete log in G is easy then the DH key exchange is not secure.
(because the adversary can compute x and y from
gx and gy)
If the discrete log in G is hard, then...
it may also not be completely secure
Example: G = Zp*
Alice Bob
x ← Zqh1 = gx
y ← Zq
h2 = gy
x is even iff h1 is a QR
y is even iff h2 is a QR
Therefore: gyx is a QR iff (h1 is a QR) or (h2 is a QR)
So, Eve can compute some information about gyx
(namely: if it is a QR, or not).
gyx ?
Is it a problem, or not?
We need to
1. formalize what we mean by secure key exchange,
2. identify the assumptions needed to prove the security.
Alice Bob
key k key k
“transcript” T: the sequence of exchanged messages:
interactiverandomized
Turing machine A
interactiverandomized
Turing machine B
A protocol is a pair (A,B) of randomized Turing machines.
Informal definition:(A,B) is secure if no “efficient adversary” can distinguish k from random, given T,with a “non-negligible advantage”.
key k
T
random string of the same length
?
How to formalize it?
A B
key k є {0,1}n
security parameter 1n
key k є {0,1}n
T
We say (A,B) is secure a secure key-exchange protocol if• the output of A and B is always the same, and
A
polynomial-time Mthat outputs 0 or 1
|Prob [M(1n,T,k) = 1] - Prob [M(1n,T,r) = 1] | is negligible in n
r is random and |r| = n
How does the protocol look now?
It needs to be defined for any parameter 1n.
Therefore we need an algorithm H that
• on input 1n
• outputs:– a description of G of order q, such that |q| = n,– a generator g of G.
How does the protocol look now?
Alice Bob
x ← Zq
y ← Zq
h2 = gy
security parameter 1n
(G,g),q, h1 = gx
(G,g) ← H(1n)
output:kA=(h2)x
output:kB=(h1)y
(Note that we cheat a bit because k is a “pseudorandom” group element, not a string of bits.)
If such a key exchange protocol is secure, we say that:
the Decisional Diffie-Hellman (DDH) problem is hard with respect to H)
An example of H where DDH is believed to be hard
QR(p)H(1n):
1. generate a random strong prime p of length n+1.2. set q := (p-1)/2.
3. choose any x є Zp* such that x ≠ ±1 (mod p) .
4. set g := x2 mod p.5. output (p,g).
Other groups are also used (e.g. groups based on the elliptic curves).
Practical considerations
1. It is common to chose any Zp* (for prime p), instead of QR(p).
2. In some standards p is fixed, for example the RFC3526 document specifies the primes of following lengths: 1536, 2048, 3072, 4096, 6144, 8192.This is the 1536-bit prime:
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF.
the generator is: 2.
A problem
The protocols that we discussed are secure only against a passive adversary (that only eavesdrop).
What if the adversary is active?
She can launch a man-in-the-middle attack.
Man in the middle attack
Alice Bob
key k key k’key k key k’
I am Bob I am Alice
A very realistic attack!
So, is this thing totally useless?No! (it is useful as a building block)
Two questions remain
• How to construct the public-key encryption?
• How to construct the signature schemes?
turns out: these questions are related
The observation of Diffie and Hellman:
plaintexts ciphertexts
(e,d) – the key pair
E(e,x)
D(d,y)
easy only if one knows d
tags(“signatures”) messages
Vrfy(e,x)
Tag(d,y)
easy only if one knows d
public-key encryption:
signature schemes:
Looks similar...
Trapdoor permutations
X X
easy
• easy: one can compute Ee-1
if one knows a trapdoor d• hard (otherwise)
Ee
this is denoted
Dd
A family of permutations indexed by pairs (e,d):
{E : X → X}(e,d) є keys
such that:
How to encrypt a message m
messages plaintexts
m := Dd(c)
c := Ee(m)
one can compute it only if one knows d
encryption
decryption:
Warning: in general it’s not that simple. We will explain it later.
How to sign a message m
signatures messages
Dd(m)
Ee(m)
one can compute it only if one knows d
signing:
verifying:
Warning: in general it’s not that simple. We will explain it later.
Do such functions exist?
Ron Rivest, Adi Shamir, and Leonard Adleman (1977)
yes!
RSA function is a trapdoor permutation!
The RSA functionN = pq, such that p and q are large primese is such that gcd(e,d) = 1d is such that ed = 1 (mod φ(N))
Ee: ZN* → ZN
* is defined as:E(m) = me mod N.
Dd: ZN* → ZN
* is defined as:D(c) = cd mod N.
Does it work?D(E(m)) = md mod N.
we get
Dd(Ee(m)) = (me)d = med = m1 mod φ(N)
φ(N)) = (p-1)(q-1).
public key:(N,e)
private key:(N,d)
Is it a trapdoor permutation?
• If one can factor large integers → no!
(because one can compute φ(N))
• Is there an implication in the opposite direction?
nobody knows...
What can be shown
1. Computing φ(N) is as hard as factoring(we have shown it a week ago).
2. Computing d from (e,N) is as hard as factoring.