private keys of public key pairs and zero-knowledge protocols peter landrock
TRANSCRIPT
Private Keys of Public Key Pairs
and Zero-Knowledge Protocols
Peter Landrock
Public Key Infrastructures requires
Generation of user public keys
Registration of users and keys (LRA)
Certification (CA) – certificates bind a person to his key
Directories (DIR)
Blacklists/revocation
Key administration
plus -
Format/syntax
ASN.1 based certificates (X.509)?
Special purpose certificates?
Integration into browsers?
Integration into applications (java?)
Security in transport layer (e.g. SSL)?
Format: S/MIME, PGP,….?
Use of smartcards?
PKI - Roles
LRA
Users
CA DA
User
CA
DIR
User
LRA
The world seen with the user’s eyes
Business
Transactions
Registration at Local Registration Authority
Communication with Directory under session
Revocation of key
Foundation
But the foundation is cryptographic algorithms, which is – mathematics!
So let’s focus on that for a while
Cryptographic Algorithms
Conventionel (symmetric) crypto systems– Quantum cryptography - unbreakable
Hash functions– perhaps the weakest point - art, not math.
Public key (asymmetric) systems– Today RSA, tomorrow elliptic curves?
Crypto systems
Symmetric systems– same key for encryption and decryption
Asymmetric systems– One key may be given to everybody
the public key, P– while the other is kept secret
the private key, S
Public Key encryption - RSA
Choose two large primes p,q and let n = pq
Choose a public exponent e– mutually prime to (n) = (p -1)(q -1)
Based on classical (Greek) math we find integersd, x < 0, with de + x(n) = 1
Fact (Euler, Fermat):
– For m < n we have m med mod n
Finding the private key means factoring n
Alternative: One way functions
– Choose a large prime number p– Choose a “generator”, g– Choose a random number v as private key– Calculate the public key
w = gv modp– Finding v from w is known as the discrete log
problem
The new technique: Elliptic Curves
The set of points P = (x,y) satisfying
y2 = x3 + ax + b
in Z/pZ.
can be added using a particular formula. It allows construction of a public key pair.
Example:a = 6890847943309044493598067961180259058846730261
b = 45938986288872696329065378640786839725897820174
will correspond to an RSA security level of 768 bits for some prime p of length 200 bits!
Why Elliptic Curves?
More security per bit– Smaller key size– Smaller signature size– Faster computations– Less resources required (smart cards)
Well developed mathematical theory (complex)
RSA/DSA/EC - comparingperformance (RSA: small public exp.)
0
10
20
30
40
50
60
70
80
sign, msec ver, msec
RSA
DSA
EC
RSA/DSA/EC - Comparing key sizes
0
100
200
300
400
500
600
700
800
public key, bits private key, bits signature, bits
RSA
DSA
EC
Elliptic Curves
An EC is the set of solutions (x,y) to equations of the form
y2 + a1xy + a3y = x3 + a2x2 + a4x +a6
over a (finite) field together with an
additional point (called the point at
infinity O)
Finite fields
(F, +, •): set of elements with addition, subtraction, multiplication and division.
GF(p): Integers modulo p (prime)
GF(2n)– polynomials with binary coefficients modulo
and irreducible polynomial of degree n– (a+b)2 = a2 + b2
Unique up to isomorphism
Implementation Issues
Choice of field– GF(2n) faster than GF(p) (at least in hardware)
Representation of elements for GF(2n)– Standard basis– Optimal normal basis– Polynomials over subfield
Elliptic Curves
Example: GF(23)
Curve defined by y2 = x3 + x + 1{(0,1), (0,-1), (1,7), (1,-7), (3, 10), (3,-10),
(4,0), (5,4), (5, -4), (6,4), (6,-4), (7,11),
(7,-11), (9,7), (9,-7), (11,3), (11, -3),
(12,4), (12,-4), (13,7), (13,-7), (17,3),
(17,-3), (18,3),(18,-3), (19,5), (19,-5)}
Elliptic Curves
Sum (xs,ys) of (x1,y1) = (9,7) and
(x2, y2) = (18,3)=(-5,3), x1≠y1
is defined as follows:
:=(y2-y1)/(x2-x1) = -4/9 = 20 mod 23
xs = 2-x1-x2 =9-9+5=5
ys= (x1-xs)-y1 = -3(9-5) - 7 = 4
Thus (9,7)+(18,3) = (5,4)
Elliptic Curves
Double of (5,4)
:=(3x12+1)/(2y1) = 76/8 = 7/8 = 21 = -2
xd = 2-2x1 =4-5-5=17
yd= (x1-xs)-y1 = -2(5+6) - 4 = -3
Thus (5,4)+(5,4) = (17,-3)
GF(2n)
GF(2):
p(u) irreducible polynomial of degree n
EC over GF(2n) defined by
y2+xy = x3 + ax2 + b
EC over GF(2n)
Sum :=(y1+y2)/(x1+x2)
xs = 2+ + x1+x2 + a
ys = (x1+xs)+ xs + y1
Double := x1 + y1/x1
xd = 2+ + a
yd = ( + 1)xD + x12
Key Generation
Choose field and equation
Determine the group order g– If large prime divisor q, choose curve randomly
Find a generator of subgroup of order q Let g = qr Choose random point P Calculate rP If rP O, set generator := rP
Try our lab on www.cryptomathic.com!
How to blackmail a bank using RSA with public exponent 3
1. step
The well-known bank AMO announces a nation-wide PKI scheme based on RSA (1024 bits, public exponent 3)
Message received week 1 at AMO:– I know your private key! I am going to publish
the 1st upper byte of the key, unless you send me 2 $!
Bank ignores
2. step
Message received week 2 by AMO:– Here is the 1st byte: 11011010– I am going to publish the 2nd upper byte of your
private key, unless you send me 4 $!
Bank is puzzled. The blackmailer is right about the first byte! Could he be guessing, or maybe the first byte is not so difficult?
3. step
Message received week 3 by AMO:– Here is the 2nd byte: 00011001– I am going to publish the 3rd upper byte of your
secret key, unless you send me 8 $!
The Bank hires a security specialist– the problem is that it will cost 100.000 $ to
switch to a different key
About 1 year later
Message received week 52 by AMO:– Here is the 51st byte: 01111101– I am going to publish the 52nd upper byte of
your secret key, unless you send me 252 $!– Conclusion of the specialist:
offer him 25.000 $ now
Conclusion
If they had hired an expert rather than a specialist, they could have saved the money(less his fee of course!)
Expert opinion:
1024 bits is 128 bytes. He can only do what he does up to the first 64 bytes.– Here is how he does it:
Solution
1. Subtract 1 from the modulus n
2. Divide by 3 and multiply by 2
3. The upper half of this number is the upper half of your private exponent
AMO: What about the lower half?
Only the banks knows! The system is secure
Proof
”Based on classical (Greek) math we find integersd, x < 0, with (*) de + x(n) = 1”– where d is chosen minimal of course
Now let e = 3. As d < (n), x is -1 or -2! But as 3 is mutually prime to (n) = (p -1)(q -1),
p and q are both 2 mod 3,
and (*) above shows x = -2 as (n) = 1 mod3
Proof
Hence d = (1 + 2(n))/3
But (n) = (p -1)(q -1) = n –(p + q) + 1,
Thus we know the upper half of (n): It is equal to the upper half of n.
This suggest to consider very carefully what to store as the private key, e.g. if storage is a problem
Card trick
End up with two piles: A private key and the corresponding public key
Demo: Key Generation - the most vulnerable part
-- using two suits in a deck of cards.Say spade (black) and hearts (red)
1 Chose a very large prime number (13)2 Calculate ”modulo” 13:
divide by 13 and take the remainder:29 = 213 + 3 = 3 mod 1353 = 125 = 10·13 - 5 = 8 mod 13
(= 9·13 + 8)3 Remove the king = 13 = 0 mod 13
My private key!!!
12, 11, 9, 5, 10, 7, 1, 2, 4, 8, 3, 6
Do you recognise a pattern?
We have illustrated Fermat’s little Theorem:
213 mod 13 = 2 (ap mod p = a)
2 is a generator:
2, 22, 23, 24, 25,…. up to 212 = 1 are all different mod 13!
Which power of 2 is e.g. 10 mod 13?
Mechanisms and (Interactive) Protocols
Mechanisms– To generate a digital signature is a mechanism
Comprising of cryptographic primitives, e.g.– Hash calculation (e.g. SHA-1)– Signature generation (e.g. RSA PKCS #1)
Interactive protocols– Can be used for
Key exchange (e.g. Diffie-Hellman) User Identification
User Identification
Let’s assume Alice has a public key pair (P,S).– Alice wants to get access to a database DB– DB knows her public key (e.g. through a valid
certificate)– We need to agree on an identification protocol?
How?
Many possibilities
How about?– Alice connects– BD sends a ransom challence r– Alice calculates S(r) and sends this to DB– DB verifies that P(S(r)) = r and lets her in
Is this safe?
Problem
DB can use Alice as an oracle– R might be the hash of a message which
commits Alice unknowingly– The problem is that Alice calculates what may
be a digital signature
How can this be prevented?– The problem is that we cannot be sure that Alice
applies her private key to something completely random
Solution
1. step– DB chooses any r, calculates s = P(r), and sends
s to Alice
2. step– Alice calculates S(s) = r and returns r to DB
What did DB learn, except that Alice was able to recover r – not known to her – from s?– Nothing at all
But ....
Solution
Alice has no means of verifying that DB follows the protocol– Something else is needed:
Let E be some symmetric encryption which Alice and DB agrees is strong– We can now define a socalled zero-knowledge
identification protocol:
Solution
1. step– DB chooses any r, calculates s = P(r), and sends
s to Alice
2. step– Alice calculates S(s) = r, chooses a random key
k and returns Ek(r) to DB
3. step– DB sends r to Alice
4. step– Alice sends k to DB who verifies Dk(Ek(r)) = r
Succes!
This protocol – is secure
Alice will not be succesful without knowing S
– is sound DB will know that only a person able to compute r
from randomly chosen P(r) can respond
– is zero-knowledge DB learns nothing from the protocol that he could not
calculate by himself: P(r) = s S(s) = r – except that Alice can calculate r from s
In fact -
Zero-knowledge protocol can be simulated
1. step– DB chooses any r, calculates s = P(r), and sends
s to DB
2. step– DB chooses a random key k and returns Ek(r) to
DB
3. step– DB sends r to DB
4. step– DB sends k to DB who verifies Dk(Ek(r)) = r
Zero-knowledge protocol can be simulated
A third party (an arbiter) cannot differentiate the traces of – a simulated zero-knowledge protocol
from that of
– a 2-party zero-knowledge protocol:– Only DB will know if he simulated it or he indeed
did identity Alice in the protocol!
Useful definitions (Fiat-Shamir)
Authentication– A can prove to B that she is A
Identification– A can prove to B that she is A, but B cannot
prove to C that he is A
Non-repudiation– A can prove to B that she is A, but B cannot
even prove to himself that he is A
Conclusion
Cryptography is applied mathematics
Mathematics was ”invented” to be helpful– and it is!
T.H. Hardy wrote in ”A mathemathian’s Apology ”:– I have never done anything useful!
Not true: We use the Hardy-Littlewood conjecture in our products
How to store private keys
When signing, the time of calculation is reduced by a factor 2-4 by using the Chinese Remainder Theorem
If this is not an issue, we either store– n and d– n and e and calculate d
So assume in the following we want to use the CRT
Storing private keys using CRT
The CRT states that if you know
x = z mod p
and
y = z mod q,
you can calculate z from x and y.
All you need is an a < n which is 1 mod p
and 0 mod q. Then
z = xa + y(1-a) mod n
Storing private keys using CRT
We need to calculate z md mod n
Obviously,
z mod p md mod(p-1) mod p
z mod q md mod(q-1) mod q
as m(p-1) mod p = 1 for a prime p
So we need p,q, d(p)=d mod(p-1) and d(q)=d mod(q-1)
What about a?
What about a?
How about
a = (qp-2 modp)q?
This is obviously 0 modq, and 1 modp (by Fermat’s Little Theorem)
So we are home and dry:
md = (md(p)
modp)a + (md(q) modq)(1-a) modn
This may be refined slightly to ensure that equality
holds
Appendix: Card trick
End up with two piles: A private key and the corresponding public key
Card trick
1 Arrange both suits in order, ace to queen, face down, ace on top
2 Deal the (entire) black suit (holding it face down) in two piles (left and right), face up:
left (ace), right (2), left (3), right (4), …
Card trick
3 Remove the top card of the right pile (queen = 12), place it face up in a new pile, and place the top red card (ace) face up where the black queen was.
4 Place the left pile (6 black cards) on top of the right pile (1 red on top of 5 blacks), and turn over to have a new stack of 12 cards face down
Card trick
5 Repeat step 2, 3 and 4 altogether 11 times
The two piles have now been interchanged - but in which order do the cards occur?
The black pile is my private key
The red pile is my public key
Identify me!
Card trick
– Now run an identification protocol between A and B: Keep both piles face down black is the private key of A, red the public the person (B) with the red pile names any black card,
say no. 9. B then turns over the red cards, one by one, and stops
with the 9th: This is no. 3 A turns over the black cards. The 3. black is no. 9!
Identification completed. The keys match!