Public Key Encryption CS461/ECE422 Spring 2012 Nikita Borisov — UIUC 1
Feb 07, 2016
Nikita Borisov — UIUC 1
Public Key EncryptionCS461/ECE422Spring 2012
Nikita Borisov — UIUC 2
Reading Material Text Chapters 2 and 21 Handbook of Applied Cryptography,
Chapter 8 http://www.cacr.math.uwaterloo.ca/hac/
Nikita Borisov — UIUC 3
Symmetric keys & Distribution Every pair of people must share a
secret key E.g.: Alice, Bob, Carol, David:KAB, KAC, KAD,KBC, KBD, KCD
How do you keep track of them all? O(N2) keys for N people
How do you exchange them? Must use a secure, out-of-band channel
Nikita Borisov — UIUC 4
Public Key Cryptography Cryptographers to
the rescue! Two keys:
Private key known only to owner
Public key available to anyone
One key pair per person ▪ O(N) keys
Merkle, Hellman, Diffie
Nikita Borisov — UIUC 5
Public Cryptography Functionality Public key encryption
Use public key to encrypt, private key to decrypt
RSA, ElGamal, ECIES Public key signatures (similar to
MAC) Use private key to sign, public key to
verify RSA, DSA, ECDSA
Symmetric key distribution Agree on a secret symmetric key over a
public channel Diffie-Hellman, ECDH, MQV, ECMQV
Nikita Borisov — UIUC 6Slide #9-6
Public-Key Cryptography
Nikita Borisov — UIUC 7Slide #9-7
General Facts about Public Key Systems Public Key Systems are much slower than
Symmetric Key Systems RSA 100 to 1000 times slower than DES.
10,000 times slower than AES? Generally used in conjunction with a symmetric
system for bulk encryption Public Key Systems are based on “hard”
problems Factoring large composites of primes, discrete
logarithms, elliptic curves Only a handful of public key systems
perform both encryption and signatures
Nikita Borisov — UIUC 8
Diffie-Hellman The first public key algorithm A key exchange algorithm, not for
encryption or decryption Set up: p prime, g is coprime with p Alice -> Bob: gx (mod p), x random Bob -> Alice: gy (mod p), y random Alice and Bob compute:
(gx)y = (gy)x
Establish a secret key over a public channel
Nikita Borisov — UIUC 9
Example: p=23, g=5 Alice picks x=6, sends Bob
56 mod 23 = 8 Bob picks y=15, sends Bob
515 mod 23 = 19 Alice computes:
196 mod 23 = 2 Bob computes:
815 mod 23 = 2
Nikita Borisov — UIUC 10
Diffie-Hellman Security Charlie has gx, gy needs to find gxy
Called “Diffie-Hellman Problem” Fastest way: find x given gx
I.e. take logg gx (mod p) Discrete Logarithm Problem Fastest known way is super-polynomial
Nikita Borisov — UIUC 11
Real public DH values For IPSec and SSL, there are a small
set of g's and p's published that all standard implementations support. Group 1 and 2▪ http://tools.ietf.org/html/rfc2409
Group 5 and newer proposed values▪ http://tools.ietf.org/html/draft-ietf-ipsec-ike-m
odp-groups-00
Nikita Borisov — UIUC 12
Diffie-Hellman and Man-in-the-Middle
Alice Bob
Eve
Nikita Borisov — UIUC 13Slide #9-13
RSA by Rivest, Shamir& Adleman of MIT in 1977 best known & widely used public-key
scheme based on exponentiation in a finite (Galois)
field over integers modulo a prime nb. exponentiation takes O((log n)3) operations
(easy) uses large integers (eg. 1024 bits) security due to cost of factoring large
numbers nb. factorization takes O(elog n log log n) operations
(hard)
Nikita Borisov — UIUC 14
Modular Arithmetic a mod b = x if for some k >= 0, bk +
x = a Associativity, Commutativity, and
Distributivity hold in Modular Arithmetic
Inverses also exist in modular arithmetic a + (-a) mod n = 0 a * a-1 mod n = 1
Nikita Borisov — UIUC 15
Modular Arithmetic Reducibility also holds
(a + b) mod n = (a mod n + b mod n) mod n
a * b mod n = ((a mod n) * b mod n) mod n
Fermat’s Thm: if p is any prime integer and a is an integer, then ap mod p = a Corollary: ap-1 mod p = 1 if a != 0 and a
is relatively prime to p
Nikita Borisov — UIUC 16Slide #9-16
Background Totient function (n)
Number of positive integers less than n and relatively prime to n▪ Relatively prime means with no factors in
common with n Example: (10) = ?
4 because 1, 3, 7, 9 are relatively prime to 10
Example: (p) = ? where p is a prime p-1 because all lower numbers are
relatively prime (pq) = (p-1)(q-1) when p, q are both
prime
Nikita Borisov — UIUC 17
Background Euler generalized Fermat’s Theorem
for composite numbers. Fermat's Thm ap-1=1 mod p if a != 0 Euler’s Thm: x(n)=1 mod n
Works for any n
Nikita Borisov — UIUC 18Slide #9-18
RSA Algorithm Choose two large prime numbers p,
q Let n = pq; then (n) = (p–1)(q–1) Choose e < n such that e is relatively
prime to (n). Compute d such that ed mod (n) = 1
Public key: (e, n); private key: d Encipher: C = Me mod n Decipher: M = Cd mod n Generically: F(V, x) = Vx mod n
Nikita Borisov — UIUC 19
Working through the equations C = RSA(M, e) = Me mod n M’ = RSA-1(C, d) M’ = (Me mod n)d mod n M’ = Med mod n
ed mod (n) = 1 ed = k* (n) + 1
M’ = (M mod n * Mk (n) mod n) mod n By Euler’s theorem (Mk)(n) mod n = 1
M’ = M mod n
Nikita Borisov — UIUC 20
Example p = 11, q = 17
n = 187, (n) = 10*16 = 160 Let e = 3, then d = 107 (107 * 3 =
321) (can find this using Euclidian algorithm)
M = 29 C = 293 = 24389 = 79 (mod 187) M’ = 79107 =
111198458817782001560345203757362612455385730171461711652460776161878666503078037332114481897840666397054046667342677228042126488058019906317675811153792810865237482705174079886893643689363009468423234159 = 29 (mod 187)
Nikita Borisov — UIUC 21
Modular Exponentiation Don’t need to compute huge
numbers 293 (mod 187) = (292 mod 187) * 29
mod 187 = (841 mod 187) * 29 mod 187 = 93*29 mod 187 = 2697 mod 187 = 79
Even better: square/multiply M11 = ((M2)2*M)2*M
This is reasonably fast Only 1000 or so times slower than DES
Nikita Borisov — UIUC 22
RSA security Charlie knows e, n, and receives Me (mod
n) How to find M?
Best known way is to factor n▪ Find p and q, find (n), find d▪ No proof that there isn’t a faster way
Factoring n is believed to be hard▪ Best algorithm is GNFS▪ Complexity is sub-exponential but superpolynomial▪ Largest factored number had 768 bits▪ (About 2000-CPU years on an 2.2 GHz Opteron)
▪ Current recommendations are to use 1500-2000 bits
Nikita Borisov — UIUC 23
RSA Security Note: RSA as described is insecure!
Why? Deterministic encryption: Me = M’e if
and only if M=M’ Even worse than in the symmetric case
because Charlie can try many possibilities for M
Semantic security Adversary picks m1 and m2 and is
provided with Encrypt(mi), must guess i Requires randomized encryption
Nikita Borisov — UIUC 24
Padding Introduce randomness to message
P = r || M, where r is random Encryption: Pe
Decryption: (Pe)d, discard random prefix (Actually, still not quite secure, see
RSA-OAEP for proper usage)
Nikita Borisov — UIUC 25
Hybrid Encryption How do we encrypt messages longer
than 1024 bits? Break into blocks, use RSA on each block
(slow, potentially insecure) Use a hybrid between RSA and AES
Pick random key K Send: RSAEncrypt(K), AES-CBC-
Encrypt(K, M) Must ensure K is random!
Nikita Borisov — UIUC 26
RSA Signatures RSA is symmetric
RSADec(RSAEnc(M)) = RSAEnc(RSADec(M)) = Med (mod n) = M
To “sign” a message, Alice computes S = Md (mod n) Bob verifies that Se = Med = M (mod n)
No one other than Alice could have generated S Not even Bob Bob can show S to third parties (non-
repudiation)
Nikita Borisov — UIUC 27
Hash functions How do we sign messages longer
than 1024 bits? Use a hash function
Nikita Borisov — UIUC 28
Hash functions in signatures Alice sends RSASign(h(M)) Bob computes h(M), verifies
signature Security:
Bob cannot generate a signature because:▪ He can’t produce a signature on a chosen
message▪ He can’t solve h(M) = S’e for M because h is
one way Alice is nevertheless committed to her
signature▪ Cannot find M1, M2 such that h(M1) = h(M2)
Nikita Borisov — UIUC 29
Key Points Public Key systems enable multiple
operations Confidentiality (key encryption) Integrity and nonrepudiation Symmetric key exchange
Slower than symmetric crypto, but still practical Especially in hybrid modes
Must be careful how they are used Padding, hash functions