session 4 asymmetric ciphers. contents definition of asymmetric (public key) ciphers applications of...
Post on 19-Dec-2015
Session 4
Asymmetric ciphers
Contents
• Definition of asymmetric (public key) ciphers
• Applications of asymmetric ciphers
• The public key encipherment procedure
• The RSA public key cipher system
Asymmetric cipher definition
• The general cryptographic procedure:
[Figure: block diagram of the procedure. Labels: A, Plaintext, KEY, encipher, Ciphertext, decipher, KEY, Plaintext, B; Cryptanalysis (decrypt).]
Asymmetric cipher definition
• In a symmetric cipher system, the same key is delivered to both participants in advance, via a secure channel.
• If there are $n$ participants, the keys have to be distributed pairwise, i.e.
– Each participant is given $n-1$ different keys
– The total number of keys is $n(n-1)/2$.
• Consequence: problems with distribution, storage and updating of keys.
Asymmetric cipher definition
• An alternative key distribution system is needed, or a different cipher system.
– There is not much flexibility left within a symmetric cipher system to distribute the keys in a better way.
– Then we need a cipher system that would NOT use the secure channel to distribute the keys.
Asymmetric cipher definition
• How can we define such a system?
• Does such a system exist?
• If such a system exists in theory, can we realize it in practice?
• What is the security of such a system?
Asymmetric cipher definition
• Diffie-Hellman’s definition of a public key (or asymmetric) cipher system (1976) (1):
– Let $\{K\}$ be a finite key space and let $\{M\}$ be a finite message space.
– A public key cipher system is a pair of families of transformations $\{E_K\}_{K \in \{K\}}$ and $\{D_K\}_{K \in \{K\}}$ representing irreversible transformations:
$$E_K : \{M\} \to \{M\}, \qquad D_K : \{M\} \to \{M\}$$
Asymmetric cipher definition
• Diffie-Hellman’s definition of a public key (or asymmetric) cipher system (1976) (2):
– In such a system, the following holds:
1. For every $K \in \{K\}$, $E_K$ is the inverse of $D_K$
2. For every $K \in \{K\}$ and $M \in \{M\}$, the algorithms $E_K$ and $D_K$ are easy to compute
3. For almost every $K \in \{K\}$, each easily computed algorithm equivalent to $D_K$ is computationally infeasible to derive from $E_K$
4. For every $K \in \{K\}$, it is feasible to compute inverse pairs $E_K$ and $D_K$ from $K$.
Asymmetric cipher definition
• From property 3, $E_K$ can be made public without compromising $D_K$.
• Property 4 guarantees that there is a feasible way of computing corresponding pairs of inverse transformations $E_K$ and $D_K$.
Asymmetric cipher definition
• Given a system of this kind, the problem of key distribution is vastly simplified:
– Each participant generates a pair of inverse transformations, $E$ and $D$.
– The deciphering transformation $D$ must be kept secret but need not be transmitted by any channel – we do not need a secure channel.
– The enciphering transformation $E$ can be made public – placed in a public directory.
Asymmetric cipher definition
• But we still do not know whether such a cipher system is (theoretically) possible.
• One way to give such a system a sound theoretical definition is through so-called one-way functions.
Asymmetric cipher definition
• A function $y = f(x)$ is a one-way function if
– For any $x$, it is feasible to compute $f(x)$
– For almost all $y$ in the range of $f$, it is computationally infeasible to solve the equation $x = f^{-1}(y)$, for any $x$ in the domain.
Asymmetric cipher definition
• The function $f$ is not invertible from the computational point of view.
• A special class of one-way functions is of interest in the public key context – trap-door one-way functions.
Asymmetric cipher definition
• A trap-door one-way function
– A simply computed inverse exists
– But given $f$, it is conditionally computationally infeasible to find a simply computed inverse
– Only through knowledge of certain trap-door information can an easily computed inverse be found.
Asymmetric cipher definition
• The problem
– Strictly mathematically speaking, the existence of (trap-door) one-way functions has not been proved yet.
• There are functions that have properties similar to these functions – we believe that they are candidates for (trap-door) one-way functions.
Asymmetric cipher definition
• Rivest-Shamir-Adleman’s (RSA’s) definition of an asymmetric (public key) cipher system (1977) (1):
– Let $E$ be an encipherment transformation and let $D$ be the corresponding decipherment transformation.
Asymmetric cipher definition
• RSA’s definition of an asymmetric (public key) cipher system (1977) (2):
– The properties of $E$ and $D$
1. $D(E(M)) = M$
2. Both $E$ and $D$ are feasible to compute
3. Publicly revealing $E$ does not reveal a feasible way to compute $D$
4. $E(D(M)) = M$
Asymmetric cipher definition
• A function $E$ satisfying the properties 1-3 is a trap-door one-way function.
• A function $E$ satisfying the properties 1-4 is a trap-door one-way permutation (one-one and onto).
Applications of asymmetric ciphers
• Confidentiality
• Integrity – digital signatures
• Authentication – hash functions
• Key exchange
The public key encipherment procedure
• The participants in the communication are usually given names, such as Alice and Bob.
• Alice uses the transformation $E_A$ for encipherment and $D_A$ for decipherment.
• Bob uses the transformation $E_B$ for encipherment and $D_B$ for decipherment.
The public key encipherment procedure
• Illustration (confidentiality): Alice sends an enciphered message to Bob
The public key encipherment procedure
• Alice takes $E_B$ from a public directory.
• $D_B$ is kept secret by Bob. It is not transmitted by any means – no secure channel is needed.
The public key encipherment procedure
• The confidentiality protocol
The RSA public key cipher system
• The prerequisites: each participant does the following (1):
– Generates two large distinct random primes $p$ and $q$, approximately of the same size (if encoded in bits)
– Computes $n = pq$ and $\varphi(n) = (p-1)(q-1)$
– Selects a random integer $e$, $1 < e < \varphi(n)$, such that $(e, \varphi(n)) = 1$
The RSA public key cipher system
• The prerequisites: each participant does the following (2):
– Computes the unique integer $d$, $1 < d < \varphi(n)$, such that $ed \equiv 1 \pmod{\varphi(n)}$. This can be done by means of the extended Euclidean algorithm.
– The public key is $(n, e)$ and the private key is $d$.
The RSA public key cipher system
• Encipherment: Alice enciphers a message for Bob
– Obtains Bob’s authentic public key $(n_B, e_B)$
– Represents the message as an integer $m$ in the interval $[0, n_B - 1]$
– Computes $c = m^{e_B} \bmod n_B$
– Sends $c$ to Bob.
The RSA public key cipher system
• Decipherment: Bob deciphers the message enciphered by Alice
– Bob uses his private key $d_B$ to compute $m = c^{d_B} \bmod n_B$
– $m$ is converted to a meaningful text.
The RSA public key cipher system
• The security of the RSA cipher system lies in the hope that the encipherment function $c = m^e \bmod n$ is a one-way function.
• The trap-door is the knowledge of the factorization of $n$. This knowledge allows Bob to decipher.
The RSA public key cipher system
• To realize RSA in practice we need (1)
– Random primes
• Generating random numbers
• Primality testing
– Euler’s function $\varphi(n)$
The RSA public key cipher system
• To realize RSA in practice we need (2)
– Extended Euclidean algorithm
– Multiplicative inverse
– Modular exponentiation – to compute powers with large exponents
Random primes
• Random primes generation
1. Generate a random integer m
2. If m is even, replace m by m +1
3. Test if m is prime
4. If m is not prime, test if m + 2 is prime, etc.
Random primes
• Theorem (the prime number theorem)
– If $m$ is chosen at random, the probability that $m$ is prime is approximately $1/\ln m$.
• Consequence: we can expect to test $\ln m$ numbers for primality.
Random primes
• Example: if $m$ can be represented with 512 bits (i.e. the maximum representable integer is $2^{256}-1$) then $\ln m \approx 177$, which means that we have to test approximately 177 integers before we find a prime of that size.
Random primes
• Primality testing
– In practice, probabilistic (Monte Carlo) algorithms for testing primality are used, e.g.
• Solovay-Strassen
• Miller-Rabin
– These algorithms are fast, but they may accept an integer that is not a prime; the probability of this is small.
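The random prime generation steps and the Miller-Rabin test named above, as an added example that is not part of the original slides. The function names, the number of rounds and the small-prime pre-check are choices made for this sketch.

```python
import secrets

def is_probable_prime(m, rounds=20):
    """Miller-Rabin: False means m is composite; True means probably prime."""
    if m < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if m % p == 0:
            return m == p
    # Write m - 1 = 2^s * d with d odd.
    s, d = 0, m - 1
    while d % 2 == 0:
        s, d = s + 1, d // 2
    for _ in range(rounds):
        a = 2 + secrets.randbelow(m - 3)   # random base in [2, m - 2]
        x = pow(a, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, m)
            if x == m - 1:
                break
        else:
            return False                   # a is a witness: m is composite
    return True

def next_prime_from(m):
    """Steps 2-4 of the slide: make m odd, then test m, m + 2, ...
    Returns (prime, number of candidates tested)."""
    if m % 2 == 0:
        m += 1
    tested = 1
    while not is_probable_prime(m):
        m += 2
        tested += 1
    return m, tested

def random_prime(bits):
    """Step 1: random integer with the top bit set, so it has `bits` bits."""
    m = secrets.randbits(bits) | (1 << (bits - 1))
    return next_prime_from(m)

if __name__ == "__main__":
    p, tested = random_prime(256)
    print(p.bit_length(), "bit prime found after testing", tested, "candidates")
```

Because the search skips even numbers, the average number of candidates tested is about half of $\ln m$. Each Miller-Rabin round lets a composite pass with probability at most 1/4, so 20 rounds bound the error by $4^{-20}$.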
The Euler’s function $\varphi(n)$
• Let $n$ be a positive integer.
• The Euler’s function $\varphi(n)$ is defined to be the number of positive integers $b$ less than or equal to $n$, which are relatively prime to $n$, i.e.
$$\varphi(n) = \left|\{\, b : 1 \le b \le n,\ (b, n) = 1 \,\}\right|$$
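The Euler’s function $\varphi(n)$
• Theorem - computing $\varphi(n)$
– Given a positive integer $n$ with the factorization
$$n = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_r^{\alpha_r}$$
– Then
$$\varphi(n) = \prod_{i=1}^{r} \left(p_i^{\alpha_i} - p_i^{\alpha_i - 1}\right) = n \prod_{p \mid n} \left(1 - \frac{1}{p}\right)$$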
The Euler’s function $\varphi(n)$
• Example – RSA
– $n = pq$, where $p$ and $q$ are primes
– Then $\varphi(n) = (p^1 - p^0)(q^1 - q^0) = (p-1)(q-1)$
Extended Euclidean algorithm
• Euclidean algorithm - computes $(a, b)$, the greatest common divisor of $a$ and $b$, given integers $a$ and $b$
Extended Euclidean algorithm
• Example: find $(1180, 482)$
1. $1180 = 2 \cdot 482 + 216$
2. $482 = 2 \cdot 216 + 50$
3. $216 = 4 \cdot 50 + 16$
4. $50 = 3 \cdot 16 + 2$
5. $16 = 8 \cdot 2 + 0$
• So, $(1180, 482) = 2$
Extended Euclidean algorithm
• Theorem – extended Euclidean algorithm
– Let $d = (a, b)$, where $a > b$.
– Then there exist integers $u$ and $v$ such that $d = ua + vb$.
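Extended Euclidean algorithm
• Example
$1180 = 2 \cdot 482 + 216$
$482 = 2 \cdot 216 + 50$
$216 = 4 \cdot 50 + 16$
$50 = 3 \cdot 16 + 2$
$16 = 8 \cdot 2 + 0$
Back-substitution:
$2 = 50 - 3 \cdot 16$
$= 50 - 3(216 - 4 \cdot 50)$
$= 13 \cdot 50 - 3 \cdot 216$
$= 13(482 - 2 \cdot 216) - 3 \cdot 216$
$= 13 \cdot 482 - 29 \cdot 216$
$= 13 \cdot 482 - 29(1180 - 2 \cdot 482)$
$= 71 \cdot 482 - 29 \cdot 1180$
So, $u = -29$, $v = 71$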
Multiplicative inverse
• Arithmetic modulo $m$
– $Z_m$ is defined to be the set $G = \{0, \ldots, m-1\}$, equipped with two operations, $+$ and $\cdot$, i.e. $Z_m$ is a structure $(G, +, \cdot)$
– The results of addition and multiplication are reduced modulo $m$
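Multiplicative inverse
• The structure $(G, +)$ satisfies the axioms of the group – additive group:
1. Closure: $\forall X, Y \in G:\ X * Y \in G$
2. Associativity: $\forall x, y, z \in G:\ (x * y) * z = x * (y * z)$
3. Existence of the identity (neutral) element: $\exists e \in G\ \forall x \in G:\ e * x = x * e = x$
4. Existence of the inverse elements: $\forall x \in G\ \exists x^{-1} \in G:\ x * x^{-1} = x^{-1} * x = e$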
Multiplicative inverse
• The structure $(G, \cdot)$ satisfies closure, associativity and the existence of the neutral element, but does not satisfy the existence of inverse element for each element of $G$ (in general).
• Such a structure $(G, +, \cdot)$ is called a ring.
Multiplicative inverse
• Multiplicative inverse – inverse of an element of the structure $(G, \cdot)$ of the ring $Z_m$
• Theorem
– An element $a$ of $Z_m$ has a multiplicative inverse if and only if $(a, m) = 1$
Multiplicative inverse
• Let $a$ be an element of $Z_m$ and let $(a, m) = 1$ (i.e. $a$ and $m$ are mutually prime). This can be checked with the Euclidean algorithm.
• Then by the extended Euclidean algorithm we get
$1 = ua + vm$
Multiplicative inverse
• Taking both sides of the expression $1 = ua + vm$ modulo $m$ we get
$1 \equiv ua \pmod{m}$
• This means that $u$ is the multiplicative inverse of $a$ modulo $m$.
Multiplicative inverse
• Example
– Find the multiplicative inverse of 2 in $Z_{17}$.
• The Euclidean algorithm gives
1. $17 = 8 \cdot 2 + 1$
2. $2 = 2 \cdot 1 + 0$
• The extended Euclidean algorithm gives
1. $1 = 17 - 8 \cdot 2$
• Taking modulo 17 of both sides gives $1 \equiv -8 \cdot 2 \pmod{17}$, or equivalently $1 \equiv 9 \cdot 2 \pmod{17}$, i.e. $9 = 2^{-1}$
Modular exponentiation
• Modular exponentiation is computing $b^n \pmod{m}$
• Let $(n_0, n_1, \ldots, n_{k-1})$ be the binary representation of $n$, i.e.
$n = n_0 + 2 n_1 + 2^2 n_2 + \cdots + 2^{k-1} n_{k-1}$
• The binary representation of $n$ is obtained by means of the “arrow algorithm”
Modular exponentiation
• The “arrow algorithm” – convert from base 10 to any base $B$
1. Get the last digit of the converted number by dividing $n$ by $B$ and taking the remainder
2. Replace $n$ by the quotient
3. Repeat until the quotient is 0.
Modular exponentiation
• The modular exponentiation algorithm
Modular exponentiation
• Example: compute $38^{75} \pmod{103}$
– We first convert the exponent 75 to base 2
– Thus $75_{10} = (1001011)_2$
– Then we run 7 iterations of the algorithm, using $b = 38$, $n = 75$ and $m = 103$.
Modular exponentiation
• The algorithm flow
Modular exponentiation
• So at the output the algorithm gives that $38^{75} \pmod{103} = 79$
• Alternatively, we can pre-compute the values $38^{2^i}$
• Each such value is obtained by squaring the previous one and taking modulo $m$.
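Modular exponentiation
• What the algorithm actually does is to compute $38^{75}$ as $38^{1 + 2 + 2^3 + 2^6}$
• Then we have
$$38^{75} \bmod 103 = 38^{2^0} \cdot 38^{2^1} \cdot 38^{2^3} \cdot 38^{2^6} \bmod 103 = 38 \cdot 2 \cdot 16 \cdot 63 \bmod 103 = 79$$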
Example – RSA encipher and decipher
• Bob does the following (1):
1. Chooses $p = 11$ and $q = 13$
2. Computes $n = 11 \cdot 13 = 143$ and $\varphi(n) = 10 \cdot 12 = 120$
3. Sets $e = 7$ and checks with EA (the Euclidean algorithm) that $(e, \varphi(n)) = 1$, i.e. $(7, 120) = 1$. Indeed, $120 = 17 \cdot 7 + 1$
Example – RSA encipher and decipher
• Bob does the following (2):
4. Applies EEA (the extended Euclidean algorithm) to find that $7^{-1} \equiv -17 \equiv 103 \pmod{120}$, so $d = 103$
5. Posts his public key $(143, 7)$ in a public repository and keeps the private key $d = 103$ secret.
Example – RSA encipher and decipher
• Alice wants to encipher the message 5 and to send the ciphertext to Bob (1)
1. Obtains Bob’s public key $(143, 7)$
2. Computes $c = 5^7 \pmod{143}$
• As $7 = (111)_2$, Alice carries out the pre-computations $5^1 = 5$, $5^2 = 25$, $5^4 = 25^2 = 53$ (all mod 143)
Example – RSA encipher and decipher
• Alice wants to encipher the message 5 and to send the ciphertext to Bob (2)
3. $c = 5^7 = 5 \cdot 25 \cdot 53 = 47 \pmod{143}$
4. $c = 47$ is sent to Bob
Example – RSA encipher and decipher
• Bob receives $c = 47$ and deciphers (1)
1. Computes $m = 47^{103} \bmod 143$
• As $103 = (1100111)_2$, Bob carries out the pre-computations $47^1 = 47$, $47^2 = 64$, $47^4 = 92$, $47^8 = 27$, $47^{16} = 14$, $47^{32} = 53$ and $47^{64} = 92$ (all mod 143)
Example – RSA encipher and decipher
• Bob receives $c = 47$ and deciphers (2)
2. $m = 47^{103} = 47 \cdot 64 \cdot 92 \cdot 53 \cdot 92 = 5 \pmod{143}$
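The building blocks from the slides (extended Euclidean algorithm, multiplicative inverse, modular exponentiation) combined into the RSA procedure, as an added example that is not part of the original slides. Function names are chosen for this sketch; it is the unpadded textbook scheme exactly as described above, run on the slides' own small numbers.

```python
def egcd(a, b):
    """Extended Euclidean algorithm: returns (d, u, v) with d = (a, b) = u*a + v*b."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q, r = divmod(a, b)
        a, b = b, r
        u0, v0, u1, v1 = u1, v1, u0 - q * u1, v0 - q * v1
    return a, u0, v0

def modinv(a, m):
    """Multiplicative inverse of a in Z_m; exists only when (a, m) = 1."""
    d, u, _ = egcd(a, m)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return u % m

def modexp(b, n, m):
    """Square-and-multiply over the binary digits n_0, n_1, ... of n."""
    result, square = 1, b % m
    while n:
        n, bit = divmod(n, 2)          # "arrow algorithm": remainder is the next digit
        if bit:
            result = result * square % m
        square = square * square % m   # b^(2^i) -> b^(2^(i+1))
    return result

def rsa_keygen(p, q, e):
    """Returns ((n, e), d) for given primes p, q and public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = modinv(e, phi)                 # raises if (e, phi(n)) != 1
    return (n, e), d

def rsa_encipher(m, public):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must lie in [0, n-1]")
    return modexp(m, e, n)

def rsa_decipher(c, public, d):
    return modexp(c, d, public[0])

if __name__ == "__main__":
    print(egcd(1180, 482))             # the slides' Euclid example
    public, d = rsa_keygen(11, 13, 7)  # Bob's parameters from the slides
    c = rsa_encipher(5, public)
    print(public, d, c, rsa_decipher(c, public, d))
```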