590 likes | 807 Views
COSC 350: Codes and Ciphers Public-Key Cryptography. March 26, 2002 Prof. Dorothy E. Denning. Public-Key Cryptography. Each user has a unique public-private key pair Alice - K Apriv , K Apub Bob - K Bpriv , K Bpub The public key can be given to anyone
E N D
COSC 350: Codes and CiphersPublic-Key Cryptography March 26, 2002 Prof. Dorothy E. Denning
Public-Key Cryptography • Each user has a unique public-private key pair • Alice - KApriv, KApub • Bob - KBpriv, KBpub • The public key can be given to anyone • The private key is not shared with anyone, including a trusted third party (authentication server) • The public key is a one-way function of the private-key (hard to compute private key from public one) • Used for key distribution/agreement, message encryption, and digital signatures
Origins of Public Key • Concept credited to Diffie and Hellman, 1976 • “New Directions in Cryptography” • Motivation - They wanted a scheme whereby Alice could send a message to Bob without the need for Alice and Bob to share a secret or for a Trusted Third Party -- called “public-key” because Alice & Bob need only exchange public keys to set up a secret channel • Invented earlier by British at CESG • http://www.cesg.gov.uk/about/nsecret.htm
Public-Key Agreement • Method whereby Alice and Bob can agree on a secret key to use with DES, AES, or some other symmetric encryption algorithm • They do this after exchanging only public keys • They each compute a secret session key K from their own private key and the other’s public key. They both arrive at the same K independently
Diffie-Hellman Method • Shared prime p and generator g • Alice: private xa and public ya = gxa mod p • xa = logg ya mod p (hard to compute) • Bob: private xb and public yb = gxb mod p • They swap public keys • Alice computes: K = ybxa mod p = gxbxa mod p • Bob computes: K = yaxb mod p = gxaxb mod p
Math Strength • Depends on difficulty of computing the discrete logarithm • The best known methods are exponentially hard - same as factoring • e.g., given n, find p, q where n = p * q • Need to use numbers on the order of 768 bits (230 digits) or bigger • Implementations typically use 512 (155), 1024 (310) or 2048 (621) bits (digits).
On The Fly Approach • Alice and Bob generate xa, xb, ya, yb on the fly • They exchange ya and yb and compute K • What are drawbacks? • What applications are appropriate?
Permanent • Alice and Bob generate permanent keys and deposit ya and yb in public database (key center) • Alice gets yb from database (or from Bob) • Alice computes K = ybxa mod p = gxb xa mod p • Alice -> Bob: ya, C = EK(M) • (or Bob could get ya from database) • Bob computes K = yaxb mod p = gxa xb mod p • Bob decrypts C with K to get M • What are drawbacks?
Hybrid Approach • Alice & Bob generate xa, xb and deposit public keys ya, yb • Alice gets yb from database (or from Bob) • Alice generates temporary pair xt, yt • Alice computes K = ybxt mod p = gxb xt mod p • Alice -> Bob: yt, EK(M) • Bob computes K = ytxb mod p = gxt xb mod p and decrypts M
Public-Key Encryption • The public and private keys are used for message encryption and decryption for purpose of secrecy • Alice encrypts message to Bob with Bob’s public key • Bob decrypts messages to him with his private key • In practice, public-key encryption is used to encrypt and decrypt messages that contain symmetric keys (e.g., for DES/AES), and the symmetric keys are used to encrypt/decrypt the data
Sending Messages • To send message M to Bob, only Bob’s keys used • Alice -> Bob: C = EBpub(M) • Bob decrypts: M = DBpriv(C) • In practice, use to distribute symmetric key K • Alice -> Bob: CK = EBpub(K), CM = EK(M) • Bob decrypts: K = DBpriv(CK), M = DK(CM) • Alice and Bob then use K to encrypt/decrypt messages
RSA Method • Ron Rivest, Adi Shamir, Leonard Adleman • 1977 -- all at MIT at the time • Basic idea: an exponentiation cipher where the modulus is the product of two large primes • Mathematical strength is derived from the difficulty of factoring a number into its primes
RSA • Pick primes p and q and compute n = p * q • Pick e, d such that e * d = 1 mod f(n) • f(n) = (p-1) * (q-1) • (e, n) is public key • (d, n) is private key - (p, q) also part of private key, but not used after computation of d and e • Encrypt: C = Me mod n • Decrypt: M = Cd mod n
Example • p = 53, q = 61, n = 53 * 61 = 3233 • pick e = 71 • compute d such that • 71 * d = 1 mod (52 * 60) • get d = 791 • Let M = 1704 • C = 170471 mod 3233 = 3106. • M = 3106791 mod 3233 = 1704.
Theory • Proof sketch for f(n) = (p-1) * (q-1) • f(n) = # primes < n relatively prime to n • consider the n=pq numbers 0, 1, ..., pq-1 • all are relatively prime to n except for 0 and • p-1 elements: q, 2q, 3q, ..., (p-1)q • q-1 elements: p, 2p, 3p, ..., (q-1)p • so f(n) = pq - [(p-1) + (q-1) + 1] • = pq - p - q + 1 = (p-1)(q-1)
Factoring • Given a number n, find primes p1, p2, ..., pk such that n = p1 * p2 * ... * pk • For RSA, there are known to be only 2 factors: • n = p * q • Factoring arbitrary numbers is harder than factoring special types of numbers, e.g., numbers of the form n = 2s - 1 (Mersenne number) • Breaking RSA can be no harder than factoring, but could be easier
History of Factoring • Year# DigitsMethod • 1970 41 Continued Fraction - Morrison-Brillhart • 1980 50 • 1982 55 • 1983 62 • 1984 72 • 1991 100 Quadratic Sieve • 1993 120 Quadratic Sieve • 1994 129 Quadratic Sieve (RSA predicted 40 quadrilllion years!) • 1996 130 Number Field Sieve (1000 MIPS yrs) • 1999 140 Number Field Sieve (2000 MIPS yrs, 8.9 CPU yrs) • 2000 155 Number Field Sieve (35.7 CPU yrs) (512 bits) • ???? 174 RSA challenge not yet factored (576 bits)
Proposed Advances • The Weizmann Institute Key Locating Engine (TWINKLE) • code breaking machine design by Adi Shamir • 6-by-6-inch electro-optical computer • measures light from diodes to perform calculations to break keys • Daniel Bernstein proposal to NSF • special purpose hardware to facilitate sieving and matrix reduction • trades time for memory • would allow factorization of numbers with 3 times as many bits for large n • might need 3,072-bit key instead of 1,024-bit key
Quadratic Sieve • fastest algorithm for numbers up to 110 digits • Aug. 93 - Mar. 94 - 129-digit number factored in effort led by Arjen Lenstra • Used double large prime variation of the multiple polynomial QS • 600 people, 1,600 machines on the Internet using e-mail to communicate • Equivalent to about 5,000 MIPS years • 1 MIPS year is computation over 1 year at rate of 1 M instructions/sec
Number Field Sieve • fastest method for numbers > 110 digits • 1996 - 130-digit number factored on the Internet -- again led by Lenstra • Took only 500 MIPS years! • Lenstra estimated that 50,000 Pentium PCs could break a 155 digit (512-bit key) in a few days • T = exp((1.923 + O(1))(ln(n)1/3(ln(ln(n)))2/3)
RSA-512 Factored • Factored August 22, 1999 • Used General Number Field Sieve • line sieving and lattice sieving • 35.7 CPU years; 8000 MIPS years • Elapsed time: 7.4 months • Polynomial selection: 9 weeks • Sieving: 3.7 months produced over 124 million relations • 11 sites participated • Matrix solution: 224 CPU hours and 3.2 GB memory on Cray C916 to solve matrix with about 6.7 million rows and columns
QS and NFS • Use random square factoring • Find x and y such that x2 = y2 mod n • Then • x2 - y2 = 0 mod n => (x-y)(x+y) = 0 mod n • If x y mod n then • gcd(x-y, n) yields a prime factor of n probability of this is at least 1/2 • So trick is generating numbers that are squares
Random Square Factoring • Two-phase process • 1) Sieving/collection • Find number to put into a matrix • Takes gobs of time for large numbers • Effort can be distributed • 2) Matrix reduction/solution • Find entries in matrix that, when combined, give pairs (x, y) of squares • Takes reasonable time, but not distributable • Uses gobs of memory
factor n = 24961 factor base = {-1,2, 3, 5, 13, 23} compute m = sqrt n = 157 a = z + m b = a2 - n so b = a2 mod n i z b factorization of b a v 1 0 -312 -1 * 23 * 3 * 13 157 1 1 1 0 1 0 2 1 3 3 158 0 0 1 0 0 0 3 -1 -625 -1 * 54 156 1 0 0 0 0 0 4 2 320 26 * 5 159 0 0 0 1 0 0 5 -2 -936 -1 * 23 * 32 * 13 155 1 1 0 0 1 0 6 4 960 26 * 3 * 5 161 0 0 1 1 0 0 7 -6 -2160 -1 * 24 * 33 * 5 151 1 0 1 1 0 0 want x, y such that x2 = y2 mod n b3 * b6 * b7 = a32 * a62 * a72 = (a3 * a6 * a7)2 mod n x = a3 * a6 * a7 mod n = 156 * 161 * 151 mod n = 23405 y2 = b3 * b6 * b7 mod n = 210 * 34 * 56 mod n y = - 25 * 32 * 53 mod n = 13922 gcd (x-y, n) = gcd (9483, 24961) = 109 = first factor compute n/109 = 229 = second factor
Generating Primes • For RSA, need to generate primes p, q • Other ciphers also require prime numbers • Guaranteed - prove the number has no factors • must attempt to factor, which is not feasible for very large numbers • Probabilistic - no guarantee • but can say with some very high probability that number is prime • much faster - practical even for very large numbers
Sieve of Eratosthenes • Invented around 200 B.C. • Finds all primes less than N • Write down all numbers 2, 3, 4, 5, ..., N • Delete multiples of 2 greater than 2 • Delete multiples of 3 greater than 3 • Continue up to sqrt(N) • When done, have all primes < N • Totally impractical for 200 digit numbers!
Practical Method • Prick random n-bit number p • Set low-order and high-order bit to 1 • Is p divisible by small primes 3, 5, 7, 11, …? • go up to primes < 256 or 2000 • 3, 5, 7 - eliminates 54% of odd numbers • all primes < 256 eliminates 76% • Do Rabin-Miller test 5 times. If pass all 5 tests, consider p to be prime
Rabin-Miller Test • Probabilistic test • Details in Schneier • Suppose p passes the test. • The probability that p is prime is at least 3/4. Thus, the probability that p is not prime is at most 1/4. • Do test t times. If p passes all t times, then the probability that p is not prime is at most (1/4)t. for t = 5, this is 1/1024
Odds of Success • Pick p at random - what are the chances that it is prime? • Let z = # primes between 1 and N • Prime Number Theorem: • z approaches N/ln(N) as z gets large • For N = 10,000,000 • N/ln(N) = 620,421 and z = 664,579 • So odds are about 7/100 • For 100 digit numbers, odds are 1/115
Strong Primes • Defeat certain factoring methods • Properties • (p-1)/2 and (q-1)/2 should be prime • gcd(p-1, q-1) should be small • both p-1 and q-1 should have large prime factors, denoted p’ and q’ • both p’-1 and q’-1 should have large prime factors • Schneier recommends against using strong primes
Practical Considerationsfor Exponentiation Ciphers • Block messages according to the modulus size • Use method of fast exponentiation • repeated squaring and multiplication • for each 0 bit, square (multiply by itself) • for each 1 bit, multiply and then square • (no square on last bit) • if exponent has t bits, # of multiplies is T where • t <= T <= 2t - 1
Example • 25 = 1 1 0 0 1 • a25 mod n = a16 * a8 * a mod n • how many multiplies? • 89 = 1 0 1 1 0 0 1 • a89 mod n = a64 * a16 * a8 * a mod n • how many multiplies?
Fast Exponentiation • function fastexp(a, z, n) - “return az mod n” • a1 := a; z1 := z; x:= 1; • while z1 != 0 do begin • while z1 mod 2 = 0 do begin “square a1 while z1 is even” • z1 := z1 div 2; • a1 := (a1 * a1) mod n • end; • z1 := z1 - 1; • x := (a1 * x) mod n “multiply” • end; • fastexp := x; • end
Digital Signatures: Objectives • Message integrity and authenticity • detect tampering and bogus messages • Source/sender authenticity • detect forgeries • Non-repudiation • sender cannot disavow signing a message • a third party -- court -- can resolve dispute
Public-Key Signatures • Signer has a public-private key pair • The signature is produced with the private key • only signer can do this • The signature is validated with the public key • anyone can do this, including the intended recipient and a third party judge • No keys of the receiver are used
Sending a Signed Message • Alice sends a signed message to Bob using her private key. Bob validates with her public key • Alice -> Bob: (M, S) where • S = signApriv(h(M)) for hashing function h • Bob checks: validateApub(M, S) • Hashing function h is public and not keyed • S is function of entire message M
RSA Signatures • Let (e, n) be Alice’s public key and (d, n) her private key • Alice -> Bob: (M, S) where • S = signApriv(h(M)) = (h(M))d mod n • Bob checks: validateApub(M, S): • h1 = h(M) • h2 = Se mod n [ = (h(M))d e mod n = h(M) ] • if h1 = h2 then accept else reject
Why Hashing • Reduces time to sign and space for signature • Also important for security • Suppose don’t hash: what happens if you ask Alice to sign a message sent to her? • C = EApub(M) = Me mod n • S = signApriv(M) = Md mod n
Digital Signature Standard (DSS) • FIPS PUB 186, adopted 1994 • Uses variant of methods invented by ElGamal and Schnorr, which in turn were based on Diffie-Hellman • Uses exponentiations in modular arithmetic where security is based on difficulty of computing the discrete log (as for DH) • Uses SHA for hashing
DSS • public values shared by group • p - prime number - 512-1024 bits • q - 160-bit value (most computation mod q) • g = h(p-1)/q mod p where h < (p-1) and g > 1 • user private key • x - any number less than q • user public key • y = gx mod p
Notes • Verification is slower than with RSA • Both RSA and DSS are used extensively -- many products support both • DSS not designed for encryption -- use with Diffie-Hellman key exchange
Encrypt & Sign With RSA • Alice generates K & computes • CK = EBpub(K) • CM = EK(M) • S = signApriv(M) • Alice -> Bob: CK, CM, S • Bob computes • K = DBpriv(CK) • M = DK(CM) • validateApub(M, S)
KBobpub certificate KBobpriv random K enc dec password ciphertext key K K Dear Bob … Love, Alice enc ciphertext message dec Dear Bob … hash sign signature ok? sent to Bob KSAlicepriv KSAlicepub password Bob Alice
E-Mail In Practice • Alice composes message M to Bob and clicks button “send signed and encrypted” • Alice’s system prompts Alice for password, which unlocks her private signature key • Alice’s system looks up Bob’s public key-encrypting key. It generates K, and computes CK, CM, and S • When Bob gets message, he clicks on button “decrypt and validate” • Bob’s system prompts him for a password, which unlocks his private key-encrypting key. It decrypts CK and then CM • Bob’s system looks up Alice’s public signature key and validates S. It displays M and whether S was OK
Login AuthenticationChallenge-Response • Alice logs onto server • Server sends Alice a challenge M • Alice returns M and her signature S of it • Server validates S and knows it is Alice
Elliptic Curve Cryptography • Can implement schemes analogous to Diffie-Hellman and DSA using elliptic curves mod p instead of the integers mod p • Computing discrete logs is thought to be much harder in elliptic curve than integers mod p • Comparable security with shorter keys • 160 bits comparable to 1024 RSA/DH • 108 bits broken in 4 months using 9,500 computers • So less storage needed for keys • Order of magnitude speedup