Modern Cryptography Lecture 10 Yongdae Kim
Admin Stuff • E-mail • Subject should have [5471] in front, e.g. “[5471] Project proposal” • CC TA: lin@cs.umn.edu • Office hours • Me: M 1:15 ~ 2:15, W 4:00 ~ 5:00 (and by appointment) • TA: M 10:30 ~ 11:30, W 11:00 ~ 12:00 • Work on projects • Meeting tomorrow? • 5th assignment is due 4/4 2:15 PM. • Check Calendar
Recap • Math… • Proof techniques • Divisibility: a divides b (a|b) if ∃ c such that b = ac • GCD, LCM, relatively prime, existence of GCD • Euclidean Algorithm • d = gcd(a, b) ⇒ ∃ x, y such that d = ax + by. • gcd(a, b) = gcd(a, b + ka) • Modular Arithmetic • a ≡ b (mod m) iff m | a-b iff a = b + mk for some k • a ≡ b (mod m), c ≡ d (mod m) ⇒ a+c ≡ (b+d) (mod m), ac ≡ bd (mod m) • gcd(a, n) = 1 ⇒ a has an arithmetic inverse modulo n. • Counting, probability, cardinality, … • Security Overview • one-way function if f(x) is easy to compute for all x ∈ X, but it is computationally infeasible to find any x ∈ X such that f(x) = y. • trapdoor one-way function if given trapdoor information, it becomes feasible to find an x ∈ X such that f(x) = y.
Recap • Cryptographic Primitives • SKE, PKE, Digital Signatures, Hash functions and MACs, Key Management through SKE, PKE • Block Ciphers • Modes of operation, meet-in-the-middle attack, Product cipher, Feistel cipher, DES • Hash function • One-wayness, weak/strong collision resistance, Birthday paradox • Merkle-Damgård Construction • If the compression function is collision resistant, then strengthened Merkle-Damgård hash function is also collision resistant • Multi-collision attack, extension property • MAC • CBC-MAC, Secret prefix, Secret Suffix, HMAC • Authenticated Encryption
Recap (cnt) • Advanced number theory • CRT, Euler theorem: If a ∈ Z_n^*, then a^φ(n) = 1 (mod n) • Cor: if r ≡ s mod φ(n) and (a, n) = 1, then a^r ≡ a^s (mod n) • Generator • If ord_n(a) = φ(n) then a is a generator of Z_n^*. • a is a generator iff a^(φ(n)/p) ≠ 1 mod n for all p | φ(n). • Let a ∈ Z_m^* and ord(a) = h. Then ord(a^k) = h/gcd(h, k). • RSA Encryption • n = pq, φ(n) = (p-1)(q-1), gcd(φ(n), e) = 1, ed ≡ 1 mod φ(n) • A’s public key is (n, e); A’s private key is d • Encryption: compute c = m^e mod n, Decryption: m = c^d mod n • RSA Security • Computing d from (n, e) and factoring n are computationally equivalent • n cannot be shared • Small encryption exponent e = 3 • Homomorphic property
Group • A nonempty set G and operator , (G, ) is a group if: • CLOSURE: for all x, y ∈ G, x y ∈ G • ASSOCIATIVITY: ∀ x, y, z ∈ G, (x y) z = x (y z) • IDENTITY: ∃ I ∈ G such that ∀ x ∈ G, Ix = x = xI • INVERSE: ∀ x ∈ G, ∃ inverse element x^-1 ∈ G such that x^-1 x = I = x x^-1 • A group (G, ) is ABELIAN if: • COMMUTATIVITY: for all x, y ∈ G, x y = y x • A group G is finite if |G| is finite. The number of elements in a finite group is called its order.
Examples • Z = {…, -2, -1, 0, 1, 2, …} under + is a group • We call it (Z, +) • Abelian? • (Z, ) group? • Z_n = {0, 1, 2, …, n-1} group? • M = Set of all 2 × 2 matrices • (M, +) Abelian group? • (M, ) group?
Cyclic Groups • An element g ∈ G is a group generator of group (G, ) if for all x ∈ G, ∃ i such that x = g^i = g g g … g (i times), G = <g> • Definition: (G, ) is cyclic if ∃ group generator. • Definition: Group order of a group (G, ) is the size of set G, i.e., |G| or #{G} or ord(G) • Definition: Group (G, ) is finite if ord(G) is fixed. • Example: the set Z_n with addition modulo n is a group. Z_n with multiplication modulo n is not a group. Z_n^* is a group of order φ(n)
Cyclic Groups • Example • (Zn, + mod n) is a cyclic group. generator? • (Zp* , mod n) is a cyclic group. generator?
Examples • Q = {a/b | a, b ∈ Z, b ≠ 0} • (Q, +): group • the rationals are closed under addition • the identity is 0 • the inverse of x is -x • the rationals are associative • the rationals are commutative (so the group is abelian) • (Q-{0}, *): group • the rationals are closed under multiplication • the identity is 1 • the inverse of x is 1/x • the rationals are associative • the rationals are commutative (so the group is abelian)
Examples (cnt.) • Z_p • (Z_p, +) • integers mod p are closed under + • the identity is 0 • the inverse of x: -x ≡ p - x mod p • + is associative • + is commutative (so the group is abelian) • (Z_p^*, *) • integers mod p are closed under * • the identity is 1 • the inverse of x: x^-1 = x^(p-2) mod p • * is associative • * is commutative (so the group is abelian)
Subgroup • (H, ) is a subgroup of (G, ) if: • H is a subset of G • a b ∈ H for all a, b ∈ H • ∃ identity • ∃ a^-1 ∈ H for all a ∈ H. • Example: G = Z_7^* = {1,2,3,4,5,6}, H = {1,2,4} • H is closed under multiplication mod 7 • 1 is still the identity • 1 is its own inverse, 2 and 4 are inverses of each other • Lagrange Theorem (slight variation) • Let G be a multiplicative group of order n. For any g in G, ord(g) divides n.
Discrete Logarithm Problem • Discrete Logarithm • The discrete logarithm of y to the base g modulo p is x such that y = g^x mod p • DLP: Given p, a generator g of Z_p^*, and an element y ∈ Z_p^*, find the integer x such that g^x = y mod p. • GDLP: Given a generator g of cyclic group G, and an element y ∈ G, find the integer x such that g^x = y. • Best Algorithms • Pollard’s rho: O(sqrt(q)) where q is the group size. • Index calculus: L_p[1/3, c]
Diffie-Hellman • New Directions in Cryptography • Whitfield Diffie, Martin E. Hellman, IEEE Transactions on Information Theory, 1976 • Setting • Z_p^* = {1, 2, …, p - 1}, g: generator • Protocol • A → B: N_A = g^n1 mod p • B → A: N_B = g^n2 mod p • A: N_B^n1 = g^(n1·n2) mod p • B: N_A^n2 = g^(n1·n2) mod p • Diffie-Hellman Key: g^(n1·n2)
Diffie-Hellman • To set up a key shared between two parties who never met before • Security • DLP Diffie-Hellman problem? • Diffie-Hellman problem DLP? • Authentication?
DLP in subgroup of Z_p^* • Efficient and Secure Construction • Z_p^* = {1, 2, …, p - 1}, g': generator • p = kq + 1 (|p| = 1024, |q| = 160) • g = g'^k, ord_p(g) = q • G = <g> • When p = kq + 1 with |p| = 1024, |q| = 160 (e.g.) • With Pollard’s rho: O(sqrt(q)) • With Index calculus: L_p[1/3, c] • So the best attack costs the minimum of the above two • That’s why we choose the above parameters and also the hash function
Better Implementation of DH • Setting • Z_p^* = {1, 2, …, p - 1}, g': generator • p = kq + 1 (|p| = 1024, |q| = 160) • g = g'^k, ord_p(g) = q • Protocol • A → B: N_A = g^n1 mod p • B → A: N_B = g^n2 mod p • A: N_B^n1 = g^(n1·n2) mod p, B: N_A^n2 = g^(n1·n2) mod p • Security • With Pollard’s rho: O(sqrt(q)) • With Index calculus: L_p[1/3, c]
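
The setting and protocol above with toy numbers, as an added example that is not code from the lecture: it builds p = kq + 1, derives g = g'^k of order q, and runs the two-message exchange. The function names, the toy q = 1019, and the subgroup membership check on received values are assumptions of this example.

```python
import secrets

def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def subgroup_params(q):
    """Find a prime p = k*q + 1 and g = g'^k mod p with ord_p(g) = q."""
    if not is_prime(q):
        raise ValueError("q must be prime")
    k = 2
    while not is_prime(k * q + 1):
        k += 2                          # k must be even so that p is odd
    p = k * q + 1
    h = 2                               # candidate g'
    while pow(h, k, p) == 1:            # g'^k = 1 would give the trivial subgroup
        h += 1
    return p, q, pow(h, k, p)           # q is prime, so g != 1 has order exactly q

def in_subgroup(y, p, q):
    """Added check (not on the slide): accept y only if it lies in <g> and y != 1."""
    return 1 < y < p and pow(y, q, p) == 1

def dh_exchange(p, q, g):
    n1 = secrets.randbelow(q - 1) + 1   # A's fresh secret exponent in [1, q-1]
    n2 = secrets.randbelow(q - 1) + 1   # B's fresh secret exponent
    NA = pow(g, n1, p)                  # A -> B
    NB = pow(g, n2, p)                  # B -> A
    if not (in_subgroup(NA, p, q) and in_subgroup(NB, p, q)):
        raise ValueError("received value is outside the order-q subgroup")
    return pow(NB, n1, p), pow(NA, n2, p)   # both sides compute g^(n1*n2) mod p

P, Q, G = subgroup_params(1019)         # toy q; the slide uses |q| = 160, |p| = 1024
KA, KB = dh_exchange(P, Q, G)
```
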
More Discussion on DH • Long-term vs. Short-term DH • Short-term DH • When n1 and n2 are fresh, you can always generate a session (symmetric) key between two entities with two messages. • Long-term DH • When A has (n_A, g^n_A) and B has (n_B, g^n_B) as (private, public) key pair, A and B can compute their long-term symmetric key without any message. • Does not provide forward/backward security: When either one’s private key is compromised, their pair-wise key is compromised. • Authentication is required! • Note that you can build DH on any group. • Elliptic Curve DH is a DH protocol on top of a group on elliptic curve.
ElGamal Public Key Encryption • Key Generation • prime p (system-wide parameter) and a generator g of Z_p^* • A’s public key is y = g^x, A’s private key is x • Encryption • generate random integer k and compute r = g^k mod p • compute c = m·y^k mod p • Ciphertext: (r, c) • Decryption • m = c·r^(-x) mod p
Discussions on ElGamal • Hashed ElGamal • Encryption: E_y(m) = (c, d) = (g^r, m ⊕ H(y^r)) • Efficiency • 2 mod exp, 2 times message expansion • Security • Randomized encryption • precluding or decreasing CCA • Use fresh k for each encryption • c1 / c2 = m1 / m2 if k is same
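
Why k must be fresh, as an added example that is not code from the lecture: textbook ElGamal over a toy group, followed by two encryptions that share k, where c1 / c2 = m1 / m2 lets anyone who knows m1 compute m2 without the private key. The prime 2039, generator 7, the messages and the function names are constructed for this example.

```python
import secrets

P = 2039   # toy prime (constructed); p - 1 = 2 * 1019
G = 7      # generator of Z_p^*: 7^2 != 1 and 7^1019 != 1 (mod p)

def keygen():
    x = secrets.randbelow(P - 2) + 1           # private key x in [1, p-2]
    return x, pow(G, x, P)                     # (x, y = g^x mod p)

def encrypt(y, m, k=None):
    """Return (r, c) = (g^k mod p, m * y^k mod p); k is fresh unless forced."""
    if k is None:
        k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), (m * pow(y, k, P)) % P

def decrypt(x, r, c):
    """m = c * r^(-x) mod p."""
    return (c * pow(r, -x, P)) % P

def recover_from_reused_k(m1, c1, c2):
    """With a shared k, c1/c2 = m1/m2, so m2 = m1 * c2 / c1 mod p."""
    return (m1 * c2 * pow(c1, -1, P)) % P

def demo():
    x, y = keygen()
    m1, m2 = 1234, 777                         # constructed messages in Z_p^*
    r1, c1 = encrypt(y, m1)                    # normal use: fresh k
    fresh_ok = decrypt(x, r1, c1) == m1
    k = 55                                     # deliberately reused k
    ra, ca = encrypt(y, m1, k)
    rb, cb = encrypt(y, m2, k)
    reuse_visible = ra == rb                   # identical r values reveal the reuse
    leaked = recover_from_reused_k(m1, ca, cb) # no private key involved
    return fresh_ok, reuse_visible, leaked
```

Equal r components across ciphertexts are the observable sign of a reused k, which makes them a simple thing to check for when reviewing an implementation.
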
Comparison: RSA vs. ElGamal • Speed • Encryption Speed • RSA • ElGamal • Decryption Speed • RSA • ElGamal • Message Expansion • RSA • ElGamal • Public Key Size • When do you want to use what?
Digital Signature • Integrity • Authentication • Non-repudiation • “I did not have intimate relations with that woman,…, Ms. Lewinsky” (WJ Clinton)
Digital Signature with Appendix • Schemes with appendix • Requires the message as input to verification algorithm • Rely on cryptographic hash functions rather than customized redundancy functions • DSA, ElGamal, Schnorr etc. • [Figure: signing maps m ∈ M to m_h = h(m) ∈ M_h and then to s* = S_A,k(m_h) ∈ S; verification V_A: M_h × S → {True, False} computes u = V_A(m_h, s*)]
Desirable Properties • For each k ∈ R, S_A,k should be efficient to compute • V_A should be efficient to compute • It should be computationally infeasible for an entity other than the signer to find an m ∈ M and an s* ∈ S such that V_A(m’, s*) = true, where m’ = h(m)
Types of Attacks • Key-only: adversary knows only the public key • Message attacks • Known-message attack: adversary has signatures for a set of messages which are known to the adversary but not chosen by him • Chosen-message attack: adversary obtains valid signatures for a list of messages of his choice (non-adaptive) • Adaptive chosen-message attack: adversary can use the signer as an oracle
RSA Signature • Key generation: n, p, q, e, d • Sign • Compute s = h(m)^d mod n • Signature: (m, s) • Verify • Obtain authentic public key (n, e) • Verify h(m) = s^e mod n
DSA (US Standard) • DSA Algorithm: key generation • select a prime q of 160 bits • 1024 bit p with q | p-1 • Select g' in Z_p^*, and g = g'^k = g'^((p-1)/q) mod p, g ≠ 1 • Select 1 ≤ x ≤ q-1, compute y = g^x mod p • public key (p, q, g, y), private key x
DSA (cont) • DSA signature generation • Select a random integer k, 0 < k < q • Compute r = (g^k mod p) mod q • Compute k^-1 mod q • Compute s = k^-1 (h(m) + xr) mod q • signature = (r, s) • DSA signature verification • Verify 0 < r < q and 0 < s < q, if not, invalid • Compute w = s^-1 mod q and h(m) • Compute u1 = w·h(m) mod q, u2 = r·w mod q • Compute v = (g^u1 · y^u2 mod p) mod q • Valid iff v = r
DSA (cont) • h(m) = -xr + ks (mod q) • w·h(m) + x·r·w = k mod q • u1 + x·u2 = k mod q • (g^u1 · y^u2 mod p) mod q = (g^k mod p) mod q • Security of DSA • two distinct DL problems: Z_p^*, cyclic subgroup of order q • Parameters: • q ~ 160 bits, p 768 ~ 1 Kb; p, q, g can be system-wide
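
DSA signing and verification as listed on the slides, with the identity u1 + x·u2 = k mod q exposed so it can be checked numerically. This is an added example, not code from the lecture; the toy parameters (p, q, g) = (2039, 1019, 4), the use of SHA-256 reduced mod q as h, and the function names are assumptions of the example.

```python
import hashlib
import secrets

P, Q, G = 2039, 1019, 4    # toy parameters (constructed): q | p-1, ord_p(g) = q

def h(m: bytes) -> int:
    # Assumption: SHA-256 reduced mod q stands in for the hash at toy size
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1           # private key, 1 <= x <= q-1
    return x, pow(G, x, P)                     # public y = g^x mod p

def sign_with_k(x, m, k):
    """r = (g^k mod p) mod q, s = k^-1 (h(m) + x r) mod q, for a given k."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h(m) + x * r) % Q
    return r, s

def sign(x, m):
    while True:
        k = secrets.randbelow(Q - 1) + 1       # fresh 0 < k < q for every signature
        r, s = sign_with_k(x, m, k)
        if r and s:                            # retry so 0 < r, s < q holds
            return r, s

def exponents(m, r, s):
    """w = s^-1 mod q, then (u1, u2) = (w h(m), r w) mod q."""
    w = pow(s, -1, Q)
    return w * h(m) % Q, r * w % Q

def verify(y, m, r, s):
    if not (0 < r < Q and 0 < s < Q):          # range check comes first
        return False
    u1, u2 = exponents(m, r, s)
    v = pow(G, u1, P) * pow(y, u2, P) % P % Q  # (g^u1 y^u2 mod p) mod q
    return v == r
```
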
DSA (cont) • Performance • Signature Generation • One modular exponentiation • Several 160-bit operations (if p is 1024 bits) • The exponentiation can be precomputed • Verification • Two modular exponentiations
Comparison: RSA vs. DSA • Speed • Signature generation • RSA • DSA • Signature verification • RSA • DSA • Memory • RSA • DSA • Which one do you want to use?
Blind signature scheme • Chaum for Electronic Cash • Sender A; Signer B • B’s RSA public and private key are as usual. k is a random secret integer chosen by A, satisfying 0 ≤ k < n • Protocol actions • (blinding) A computes m* = m·k^e mod n and sends it to B. Note: (m·k^e)^d = m^d·k • (signing) B computes s* = (m*)^d mod n and sends it to A • (unblinding) A computes s = k^-1·s* mod n
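
The three protocol actions with both parties' computations, as an added example that is not code from the lecture. The toy RSA key (n = 61 · 53 = 3233, e = 17, d = 2753), the function names, and the requirement gcd(k, n) = 1 (needed so that k^-1 mod n exists) are assumptions of the example.

```python
import math
import secrets

N, E, D = 3233, 17, 2753    # toy RSA key for signer B (constructed); D is private to B

def blind(m):
    """A: choose k with gcd(k, n) = 1 and compute m* = m * k^e mod n."""
    while True:
        k = secrets.randbelow(N - 2) + 2       # k in [2, n-1]
        if math.gcd(k, N) == 1:                # k must be invertible mod n
            return k, (m * pow(k, E, N)) % N

def sign_blinded(m_star):
    """B: s* = (m*)^d mod n. B sees only m*, never m."""
    return pow(m_star, D, N)

def unblind(k, s_star):
    """A: s = k^-1 * s* mod n, which equals m^d mod n."""
    return (pow(k, -1, N) * s_star) % N

def verify(m, s):
    """Anyone: accept if s^e mod n equals m."""
    return pow(s, E, N) == m % N

def run(m):
    k, m_star = blind(m)                       # A -> B: m*
    s_star = sign_blinded(m_star)              # B -> A: s*
    return m_star, unblind(k, s_star)          # A keeps (m, s)
```
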