Public key crypto - ntu.edu.sg
TRANSCRIPT
CX4024 CRYPTOGRAPHY & NETWORK SECURITY | © 2018, Anwitaman DATTA
Anwitaman DATTA SCSE, NTU Singapore
PUBLIC KEY CRYPTO
Acknowledgement: The following lecture slides are based on, and use material from, the textbook Cryptography and Network Security (various eds) by William Stallings
PUBLIC KEY CRYPTO
⌘ Use case: key distribution, digital signatures
⌘ Public key cryptosystems: RSA, ECC
System model: A tale of two keys
Any sufficiently advanced technology is indistinguishable from magic. - Arthur C. Clarke
Alice creates a private/public key pair
- Knowing just the public key, one cannot infer the private key
- Data is encrypted with one key but it can be decrypted only with the other key (and not with the encryption key!)
So then, knowing a plain/cipher-text pair in itself should also not compromise the cipher (e.g., by disclosing the private key).
System model: A tale of two keys
- Alice keeps the private key
- Everyone and their cat can have the public key
Confidential communication
270 CHAPTER 9 / PUBLIC-KEY CRYPTOGRAPHY AND RSA
In addition, some algorithms, such as RSA, also exhibit the following characteristic.
• Either of the two related keys can be used for encryption, with the other used for decryption.
A public-key encryption scheme has six ingredients (Figure 9.1a; compare with Figure 2.1).
[Figure 9.1 Public-Key Cryptography, panel (a) Encryption with public key: Bob takes Alice's public key PUa from his public key ring and sends Y = E[PUa, X]; Alice recovers X = D[PRa, Y] with her private key PRa.]
Confidential info / Publicly known info
Assuming a mechanism to guarantee this, e.g., trusted PKI
Receiver’s Public Key
Authentication
[Figure 9.1 Public-Key Cryptography, panel (b) Encryption with private key: Bob sends Y = E[PRb, X] using his private key PRb; Alice takes Bob's public key PUb from her public key ring and recovers X = D[PUb, Y].]
Confidential info / Publicly known info
The described process does not provide confidentiality of plaintext. Why?
Sender’s Private Key
Note: Not all public-key cryptosystems support use of either key for encryption, and the other for decryption.
Authentication: A more efficient variation
For confidentiality:
- Need to encrypt the whole digitally signed data as the plaintext.
- Four encrypt/decrypt operations!
A pragmatic solution
Authentication and confidentiality: both together, efficiently
- message -> message hash
- encrypt/sign with sender’s private key
- append signed hash with message
- generate a (symmetric crypto) session key
- encrypt with the session key
- encrypt the session key w/ receiver’s public key
- append and transmit
How do we know? PKI
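The "pragmatic solution" flow with both the sender's and the receiver's side, as an added example that is not part of the original slides. It assumes toy textbook-RSA keys built from Mersenne primes and a SHA-256 keystream standing in for the symmetric cipher; all function and variable names are hypothetical.

```python
# Added example, not from the slides. Textbook RSA (no padding) and a SHA-256
# keystream are toy stand-ins for real primitives; all names are hypothetical.
import hashlib, secrets

E = 65537
def toy_keypair(p, q):                         # p, q: Mersenne primes, constructed toy keys
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)        # (public, private)

def digest_int(msg, n):                        # message hash as an integer < n
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def keystream_xor(key, data):                  # stand-in symmetric cipher
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def send(msg, sender_priv, receiver_pub):
    d, n = sender_priv
    sig = pow(digest_int(msg, n), d, n)        # sign hash with sender's private key
    body = sig.to_bytes(32, "big") + msg       # append signed hash to message
    session_key = secrets.token_bytes(16)      # generate session key
    e, n_r = receiver_pub
    wrapped = pow(int.from_bytes(session_key, "big"), e, n_r)  # receiver's public key
    return wrapped, keystream_xor(session_key, body)           # append and transmit

def receive(packet, receiver_priv, sender_pub):
    wrapped, ciphertext = packet
    d, n_r = receiver_priv
    k = pow(wrapped, d, n_r)                   # unwrap with receiver's private key
    if k >> 128:
        raise ValueError("bad session key")
    body = keystream_xor(k.to_bytes(16, "big"), ciphertext)
    sig, msg = int.from_bytes(body[:32], "big"), body[32:]
    e, n = sender_pub
    if pow(sig, e, n) != digest_int(msg, n):   # verify with sender's public key
        raise ValueError("signature check failed")
    return msg

ALICE_PUB, ALICE_PRIV = toy_keypair(2**61 - 1, 2**89 - 1)      # sender
BOB_PUB, BOB_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)        # receiver
```

Only two public-key operations touch short values (the hash and the session key); the bulk of the message goes through the symmetric cipher.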
Public key cryptosystems: Wish list
It is easy
- for a party X to generate its public and private keys PUx and PRx respectively
- for sender S to encrypt message M, knowing PUx: C=E(PUx,M)
- for receiver X (knowing PRx) to decrypt message: M=D(PRx,C)=D(PRx,E(PUx,M))
Optionally: either key can be used in either order
- M=D(PRx,E(PUx,M))=D(PUx,E(PRx,M))
It is computationally infeasible for anyone to
- determine PRx knowing PUx
- determine M knowing C and PUx
Trapdoor functions
- Easy to compute in one direction
- Difficult to compute in other direction (finding the inverse), but easy to compute, with some special information (trapdoor)
Source: https://en.wikipedia.org/wiki/Trapdoor_function
The RSA algorithm
Ron Rivest, born in 1947
Adi Shamir, born in 1952
Leonard M. Adleman, born in 1945
- Excerpt from ACM news release on 2002 Turing award
RSA overview
RSA cryptosystem
- plaintext and ciphertext are (represented as) integers
- between 0 and n-1 for some n
- block cipher with block size b, such that 2^b < n ≤ 2^(b+1)
keys
- public key PU=(e,n)
- private key PR=(d,n)
encryption & decryption
assuming:
- The encryption and decryption computations are relatively easy
- It is infeasible to determine d given e and n
Assumes: factorization of the product of two large primes & discrete logarithm are hard
RSA overview
assuming:
claim:
- with semiprime n=pq, where p and q are prime numbers
- e and d, with ed mod 𝜙(n) = 1, satisfy the property M^(ed) mod n = M
Equivalent to say:
ed ≡ 1 (mod 𝜙(n))
d ≡ e^-1 (mod 𝜙(n))
True iff e (and thus d) are relatively prime with 𝜙(n)
caveat: There is no formal proof of “hardness”. It’s just that right now no efficient, non-quantum integer factorization algorithm is (publicly) known.
RSA cryptosystem
9.2 / THE RSA ALGORITHM 281
We now look at an example from [HELL79], which shows the use of RSA to process multiple blocks of data. In this simple example, the plaintext is an alphanumeric string. Each plaintext symbol is assigned a unique code of two decimal digits (e.g., a = 00, A = 26). [6] A plaintext block consists of four decimal digits, or two alphanumeric characters. Figure 9.7a illustrates the sequence of events for the encryption of multiple blocks, and Figure 9.7b gives a specific example. The circled numbers indicate the order in which operations are performed.
[6] The complete mapping of alphanumeric characters to decimal digits is at this book’s Website in the document RSAexample.pdf.
Figure 9.7 RSA Processing of Multiple Blocks
(a) General approach
- Key generation: random number generator -> e, p, q; n = pq; φ(n) = (p - 1)(q - 1); d = e^-1 mod φ(n); public key e, n; private key d, n
- Sender: plaintext P -> decimal string -> blocks of numbers P1, P2, ...
- Ciphertext C: C1 = P1^e mod n, C2 = P2^e mod n
- Transmit
- Receiver: P1 = C1^d mod n, P2 = C2^d mod n -> recovered decimal text
(b) Example
- Key generation: e = 11, p = 73, q = 151; 11023 = 73 × 151; 10800 = (73 - 1)(151 - 1); 5891 = 11^-1 mod 10800; public key e = 11, n = 11023; private key d = 5891, n = 11023
- Plaintext: How_are_you?
- Decimal string: 33 14 22 62 00 17 04 62 24 14 20 66
- Blocks: P1 = 3314, P2 = 2262, P3 = 0017, P4 = 0462, P5 = 2414, P6 = 2066
- Sender: C1 = 3314^11 mod 11023 = 10260; C2 = 2262^11 mod 11023 = 9489; C3 = 17^11 mod 11023 = 1782; C4 = 462^11 mod 11023 = 727; C5 = 2414^11 mod 11023 = 10032; C6 = 2006^11 mod 11023 = 2253
- Transmit
- Receiver: P1 = 10260^5891 mod 11023 = 3314; P2 = 9489^5891 mod 11023 = 2262; P3 = 1782^5891 mod 11023 = 0017; P4 = 727^5891 mod 11023 = 0462; P5 = 10032^5891 mod 11023 = 2414; P6 = 2253^5891 mod 11023 = 2006
PKI
280 CHAPTER 9 / PUBLIC-KEY CRYPTOGRAPHY AND RSA
For decryption, we calculate M = 11^23 mod 187:
11^23 mod 187 = [(11^1 mod 187) × (11^2 mod 187) × (11^4 mod 187) × (11^8 mod 187) × (11^8 mod 187)] mod 187
11^1 mod 187 = 11
11^2 mod 187 = 121
11^4 mod 187 = 14,641 mod 187 = 55
11^8 mod 187 = 214,358,881 mod 187 = 33
11^23 mod 187 = (11 × 121 × 55 × 33 × 33) mod 187 = 79,720,245 mod 187 = 88
Figure 9.5 The RSA Algorithm
Key Generation by Alice
- Select p, q: p and q both prime, p ≠ q
- Calculate n = p × q
- Calculate φ(n) = (p - 1)(q - 1)
- Select integer e: gcd(φ(n), e) = 1; 1 < e < φ(n)
- Calculate d: d ≡ e^-1 (mod φ(n))
- Public key: PU = {e, n}
- Private key: PR = {d, n}
Encryption by Bob with Alice’s Public Key
- Plaintext: M < n
- Ciphertext: C = M^e mod n
Decryption by Alice with Alice’s Private Key
- Ciphertext: C
- Plaintext: M = C^d mod n
Figure 9.6 Example of RSA Algorithm
- Encryption: plaintext 88 -> 88^7 mod 187 = 11 (PU = 7, 187) -> ciphertext 11
- Decryption: ciphertext 11 -> 11^23 mod 187 = 88 (PR = 23, 187) -> plaintext 88
Encryption and Decryption
A 3rd party web demo (worksheet): https://www.cs.drexel.edu/~jpopyack/IntroCS/HW/RSAWorksheet.html
Assuming: it is infeasible to determine d given e and n
RSA computation
Example
recipient knows:
- PR={23,187} // d=23, n=187
- 187=17×11 // p=17, q=11
- ɸ(n)=(p-1)(q-1)=160 // check: 7×23 mod 160=1
sender knows:
- PU={7,187} // e=7, n=187
- plaintext to encrypt: M=88 // 88 < 187
RSA computation
Example: Encryption
sender knows:
- PU={7,187}
- plaintext to encrypt: M=88 // 88 < 187
Encryption
ciphertext
RSA computation
Example: Decryption
recipient knows:
- PR={23,187}
- 187=17×11 // p=17, q=11
- ɸ(n)=(p-1)(q-1)=160 // check: 7×23 mod 160=1
- receives cipher text: 11
Decryption
plaintext
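The key generation, encryption and decryption steps of the RSA slides as code, added here and not part of the original slides. It goes slightly beyond the single-block example by also running the [HELL79] multi-block numbers; function names are hypothetical, and the toy key sizes come from the slides.

```python
# Added example, not from the slides: textbook RSA with the slides' toy numbers.
def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def keygen(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (e, n), (x % phi, n)               # PU = (e, n), PR = (d, n)

def modexp(base, exp, n):
    """Square-and-multiply, the decomposition used for 11^23 mod 187."""
    result, base = 1, base % n
    while exp:
        if exp & 1:                           # this bit of the exponent is set
            result = result * base % n
        base = base * base % n                # base^1, base^2, base^4, base^8, ...
        exp >>= 1
    return result

def apply_key(key, m):
    """Encrypt or decrypt one block with either key of a pair."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("block must satisfy 0 <= M < n")
    return modexp(m, exp, n)

def apply_blocks(key, blocks):
    return [apply_key(key, b) for b in blocks]

PU, PR = keygen(17, 11, 7)                    # slides: PU={7,187}, PR={23,187}
PU2, PR2 = keygen(73, 151, 11)                # [HELL79]: n=11023, d=5891
BLOCKS = [3314, 2262, 17, 462, 2414, 2066]    # "How_are_you?" blocks as listed above
```

Because the same plaintext block always maps to the same ciphertext block under a given public key, this unpadded form is exactly the "plain RSA" that the concluding remarks say needs padding.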
RSA: concluding remarks
Source: http://en.wikipedia.org/wiki/RSA_Factoring_Challenge
Key measure: Encryption strength
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
Bits of Security | Symmetric Key Algorithm | Corresponding RSA Key Size | Corresponding ECC Key Size
80 | Triple DES (2 keys) | 1024 | 160
112 | Triple DES (3 keys) | 2048 | 224
128 | AES-128 | 3072 | 256
192 | AES-192 | 7680 | 384
256 | AES-256 | 15360 | 512
NIST recommendations
Elliptic curve cryptography (ECC)
Web resources:
- Certicom’s tutorial on ECC: https://www.certicom.com/content/certicom/en/ecc-tutorial.html
- Very nice 3rd party web demo (and tutorial): https://cdn.rawgit.com/andreacorbellini/ecc/920b29a/interactive/modk-add.html
Not such a new kid in town!
Victor S. Miller, born in 1947
Neal Koblitz, born in 1948
ECC invented (independently):
- 1985
- wide-scale adoption circa 2005
barrier to adoption: patent/license protections
Elliptic curves
[Plot] Point addition over the elliptic curve y^2 = x^3 - 1x + 2 in ℝ.
[Plot] Point addition over the elliptic curve y^2 = x^3 - 1x + 2 in 𝔽23. The curve has 30 points (including the point at infinity).
These plots were generated using the following (3rd party) web demo: https://cdn.rawgit.com/andreacorbellini/ecc/920b29a/interactive/modk-add.html
Elliptic curves over finite fields
For applications to cryptography,
- we are interested in curves over finite fields: variables and coefficients restricted to elements of a finite field
- Binary curves over GF(2^m)
- Prime curves Ep(a,b) over Zp (this is the one we shall study in this course)
Example: (4,5) ∈ E23(9,17)
Prime curves: Ep(a,b) over Zp
claim: Finite abelian group if (4a^3+27b^2) mod p ≠ 0 mod p
- addition (algebraic interpretation)
we will use the results “as is”, without derivation/proof
∀P, Q ∈ Ep(a,b)
i. P+0=P (Remark: Point at Infinity is the new zero)
ii. If P=(xP,yP) then -P=(xP,-yP)
iii. For P=(xP,yP), Q=(xQ,yQ), when P ≠ -Q, R=P+Q is computed as:
Prime curves: Ep(a,b) over Zp
- multiplication using repeated addition
10P=P+P+P+P+P+P+P+P+P+P = (((P+P)+(2P))+4P)+2P
note the trick to reduce the number of actual operations!
Prime curves: Ep(a,b) over Zp
exercise
- Consider P,Q∈E23(9,17), with P=(16,5), Q=(4,5). Determine k such that Q=kP.
recall
Discrete log: prime-field elliptic curves
Example with P∈E23(9,17), P=(16,5)
n | n×P | n | n×P | n | n×P | n | n×P
1 | (16,5) | 9 | (4,5) | 17 | (15,13) | 25 | (8,16)
2 | (20,20) | 10 | (3,18) | 18 | (10,16) | 26 | (7,20)
3 | (14,14) | 11 | (5,7) | 19 | (1,2) | 27 | (13,13)
4 | (19,20) | 12 | (18,10) | 20 | (18,13) | 28 | (19,3)
5 | (13,10) | 13 | (1,21) | 21 | (5,16) | 29 | (14,9)
6 | (7,3) | 14 | (10,7) | 22 | (3,5) | 30 | (20,3)
7 | (8,7) | 15 | (15,10) | 23 | (4,18) | 31 | (16,18)
8 | (12,17) | 16 | (17,0) | 24 | (12,6) | 32 | (inf,inf)
Annotations: 31×P = (16,18) = -P; 32×P = (inf,inf) = 0; 33×P = (16,5) = 1×P
Recall: Point at Infinity is the new zero
P=(16,5), Q=(4,5). Determine k such that Q=kP. 9P=Q, i.e. k=9
Elliptic curve public key cryptography
global information:
- Eq(a,b): elliptic curve with parameters a, b and q; where q is a prime or an integer of the form 2^m
- G: point on the elliptic curve whose order is a large value n
public/private key pair (of user X):
- select private key nX: nX < n
- calculate public key PX: PX=nX×G
Encryption: to send a message M (to user X), C={kG,M+kPX}
Decryption: M+kPX-nXkG = M+knXG-nXkG = M
Security derived from hardness of discrete logarithm: computing x, given G and xG
Known to sender only
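Point addition, the double-and-add trick, the discrete log exercise (Q=kP) and the encryption scheme C={kG, M+kPX} on the slides' toy curve, as an added example that is not part of the original slides. It assumes the standard affine addition formulas for prime curves and uses P=(16,5) as G; function names are hypothetical.

```python
# Added example, not from the slides: the toy curve E23(9,17) used above,
# with the standard affine addition formulas. Function names are hypothetical.
P_MOD, A = 23, 9            # y^2 = x^3 + 9x + 17 over Z_23 (b is not needed to add)
INF = None                  # point at infinity, the group's zero
G, ORDER = (16, 5), 32      # the slides' P=(16,5); 32*P = infinity per the table

def add(p1, p2):
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # P + (-P) = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)       # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)    # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def neg(p):
    return INF if p is INF else (p[0], -p[1] % P_MOD)

def mul(k, p):
    """Double-and-add: about log2(k) doublings instead of k-1 additions."""
    result = INF
    while k:
        if k & 1:
            result = add(result, p)
        p, k = add(p, p), k >> 1
    return result

def discrete_log(q, g=G, order=ORDER):
    """Exhaustive search for k with q = k*g; only feasible because order is tiny."""
    acc = INF
    for k in range(order):
        if acc == q:
            return k
        acc = add(acc, g)
    raise ValueError("q is not a multiple of g")

def encrypt(m_point, pub, k):
    return mul(k, G), add(m_point, mul(k, pub))      # C = {kG, M + k*PX}

def decrypt(cipher, priv):
    c1, c2 = cipher
    return add(c2, neg(mul(priv, c1)))               # M + k*PX - nX*(kG) = M
```

With a group of 32 elements the exhaustive search finishes instantly, which is why real curves use a G whose order n is very large.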
Concluding remarks
RSA:
- Plain RSA not semantically secure: known ciphertext attack
- Remedy: padding, Optimal Asymmetric Encryption Padding (OAEP)
Further reading:
- Diffie Hellman key exchange
- ElGamal encryption
Public key infrastructure:
- Verification of identity: levels
- Revocation of keys
- Single point of breach: Certification agency’s own private key, e.g. Dutch certificate authority DigiNotar
ECC: popular these days, but
- Particularly vulnerable to side-channel attacks
- Easier (than RSA) to break by a (still hypothetical) quantum computer
- Backdoor in NIST standards? Dual_EC_DRBG cryptotrojan