Public-Key Cryptography and Selected Applications in 30 Minutes
Selected slides for ad-hoc discussions related to IP Cores Protection in FPGA Environment!
W. Adi, Technical University of Braunschweig, Germany
Outlines
• Historical Overview
• Finite Rings in Cryptography
• Fuzzy Computation Concept
• Applications
• Conclusions
Why security?
[Figure: network nodes connected to each other: Internet, power station, power line network, industrial networks (CAN-Bus), wireless service, car, TV, remote control, light, heating, kitchen, garage, door, gates, ...]
Global Information Short Circuit!
Need Reliability and Security
• Intensive Use of Coding and Cryptography
• Discrete mathematics
• Number Theory
Historical overview: Coding & Cryptography
Cryptography? ... Art or Science? In three epochs:
I. Conventional Cryptography as Art
• Julius Caesar Cipher
• 873: Al-Kindi: "Letters on Extracting Cryptograms"
• Kasiski "The Art of Deciphering" 1863, ... Gauss
• Vernam (AT&T) 1926, first and last unbreakable system
• World War II 1945, Enigma, Hagelin .... Alan Turing
II. Coding and Cryptography as Science 1949
$C = B \log_2(1 + S/N)$
• Shannon (AT&T) 1948 "A Mathematical Theory of Communication"
• Shannon (AT&T) 1949 "Communication Theory of Secrecy Systems"
III. Breakthrough to Modern Cryptology 1976
• Diffie and Hellman 1976 Public key Cryptography (Stanford University)
• RSA 1978 (public key secrecy system) (MIT)
• ....... Any new Breakthrough expected?!
Intensive use of Finite Rings
Cryptographic Functions Using Finite Rings
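Public-Key Cryptography Breakthrough 1976 (Diffie-Hellman)
Shared Secret without exchange of secrets: "Mechanical Scenario"
[Figure: users A and B each inject their own secret key (Secret key-A, Secret key-B) into a SHIELD and place the shielded result in an open register; each side then combines the other's shielded value with its own secret key and both arrive at the same shared secret ("Same thing!")]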
How to "publicly" hide (shield) a secret?
All operations in a finite ring $Z_m$!
SHIELD = One-Way Function: secret → shielded secret
How: $2^6 \bmod 11 = 9$, and $\log_2 9 \pmod{11} = 6$
Discrete logarithm problem: no efficient algorithm is known to compute $\log_2 9$ modulo 11!
One-Way function: 6 → 9
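Example for Diffie-Hellman key exchange scheme 1976
Widely used in internet and banking ...
Open agreement and register. Shielding function is: $y = 5^x \bmod 7$
• A: Secret key-A = 3, computes $5^3 = 6$, so K-open-A = 6
• B: Secret key-B = 5, computes $5^5 = 3$, so K-open-B = 3
• A takes K-open-B from the register and computes $3^3 = (5^5)^3 = 5^{5 \cdot 3}$
• B takes K-open-A from the register and computes $6^5 = (5^3)^5 = 5^{3 \cdot 5}$
Same thing! Z = 6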
Basic Public Key Secrecy System (RSA system)
(Mechanical simulation: user B wants secured message from A)
All operations in $Z_m$
• Public register; $K_o \cdot K_c = 1$ in $Z_{\varphi(m)}$
• Close with $K_c$: $(\ )^{K_c} \pmod m$, giving $M^{K_c}$
• Open with $K_o$: $(M^{K_c})^{K_o}$
• $M^{K_c \cdot K_o} = M$
Breaking this system is equivalent to factoring m!
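No Key Cryptography: Shamir 3-Pass Protocol
Commutative lock is: $M^{Key}$ in $Z_m$
[Figure: mechanical simulation in which a box travels between User A and User B carrying lock A, then locks A and B, then lock B only]
• Pass 1: $M^{K_a}$
• Pass 2: $M^{K_a K_b}$
• Pass 3: $M^{K_b}$, from which B recovers M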
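The three passes above as running code, added here as an illustration and not taken from the slides. It assumes the ring is $Z_p$ for a prime p (so every lock exponent coprime to p - 1 has an unlocking exponent); the names `make_lock`, `three_pass` and `xor_three_pass_leak` are hypothetical. The last function shows why the lock must be one-way as well as commutative.

```python
import math
import secrets

# Assumption: the ring is Z_p for a prime p, so an exponent e is a usable lock
# when gcd(e, p - 1) == 1; its unlocking exponent is e^-1 mod (p - 1).
P = 2**127 - 1  # Mersenne prime, chosen only for illustration

def make_lock(p=P):
    """Return (lock, unlock) exponents with lock * unlock = 1 mod (p - 1)."""
    while True:
        e = secrets.randbelow(p - 3) + 2
        if math.gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def three_pass(message, p=P):
    """Run the three passes; return (message recovered by B, wire values)."""
    if not 1 < message < p - 1:
        raise ValueError("message must lie in 2 .. p-2")
    ka, ka_inv = make_lock(p)          # known only to A
    kb, kb_inv = make_lock(p)          # known only to B
    pass1 = pow(message, ka, p)        # A -> B: M^Ka
    pass2 = pow(pass1, kb, p)          # B -> A: M^(Ka*Kb)
    pass3 = pow(pass2, ka_inv, p)      # A -> B: M^Kb, A's lock removed
    return pow(pass3, kb_inv, p), (pass1, pass2, pass3)

def xor_three_pass_leak(message, bits=128):
    """Same flow with XOR as the lock: commutative but not one-way, so the
    three wire values alone XOR back to the message."""
    ka, kb = secrets.randbits(bits), secrets.randbits(bits)
    pass1 = message ^ ka
    pass2 = pass1 ^ kb
    pass3 = pass2 ^ ka
    return pass1 ^ pass2 ^ pass3
```

Neither party authenticates the other in these three passes, so the exchange has to run over a channel whose endpoints are already identified.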
Non-Commutative No Key Cryptography: Shamir 3-Pass Protocol
[Figure: mechanical simulation of the three passes between User A and User B with non-commutative locks A and B]
Research Question: Can anybody find a mathematical function which is equivalent to the following non-commutative mechanical lock simulation?
Rabin Lock Based on Quadratic Residue in the Ring Zm Simple Arithmetic!
Squaring and Square Roots in $Z_m$ (Rabin Lock)
The function $Y = X^2$ is one-way in $Z_m$ if m is a product of two unknown primes!
• Squaring: $Y = x^2 \pmod m$, x → y
• Inverse function is unknown in $Z_m$: y → x ?
Breaking this lock is equivalent to factoring m!
Conventional Secret Key Identification Mechanism Fundamental Concepts
Challenge-Response Identification Protocol
Explicit Secret Key Signature: Authenticity without Secrecy
Set up: Agree on a secret key Ki and a One-Way Function F (Prover A and Verifier both hold Ki)
• Verifier: generate a random R (Challenge)
• Verifier → Prover (Authentication Request): Who are you? Prove by using R that you know Ki
• Prover A: RES = F(Ki, R)
• Prover → Verifier (Response): I am A, and this is the proof: RES
• Verifier: if RES = F(Ki, R) then accept
GSM: Challenge-Response identification mechanism
• Mobile-Station: SIM with identity key Ki, max. 128 bit
• Verifier-Station: Ki and a random generator
• Authentication request: RAND, 128 bits
• Both sides feed Ki and RAND into A3, which outputs XRES
• Authentication response = XRES, 32 bit
• The verifier's comparison gives the authentication result
Public-Key Identification Mechanism Fundamental Concepts
Identification Protocols/Mechanisms: Zero-Knowledge Iterative Proof (ZKIP)
Authenticity without Secrecy
• Verifier → Prover (Authentication Request): Who are you?
• Prover → Verifier: I am A, and this is the proof
ZK: Prover reveals no secrets whatsoever to the verifier!
Omura Proof-of-Identity Protocol, Based on Discrete Log. Problem
Public directory: α is primitive element in GF(p); ya = public key of A, $\alpha^{X_a} = y_a$
• Prover A (holds xa) → Verifier: I am user A
• Verifier: randomly choose k, compute $R = \alpha^k$, send R
• Prover A → Verifier: $R^{X_a}$, where $R^{X_a} = \alpha^{k \cdot X_a}$
• Verifier: compute $y_a^k$, check $R^{X_a} = y_a^k$
Is not Zero Knowledge if verifier cheats!
Fiat-Shamir Proof-of-Identity Protocol (1986)
A Zero-Knowledge proof!
Public directory: m is RSA type modulus ($p_1$, $p_2$ are secret); xa = secret key of A; $y_a = x_a^2$ in $Z_m$ (mod m)
• Prover A chooses a unit r in $Z_m$ and computes $S = r^2$
• Prover A → Verifier: (I am user A, S)
• Verifier: randomly choose b, b = 1 or 0, send b
• Prover A → Verifier: $t = r \cdot x_a^b$
• Verifier: if $t^2 = S \cdot y_a^b$ then accept (A knows xa)
Prob. of attack success for k trials = $2^{-k}$
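The rounds of the protocol above as running code, added here as an illustration and not taken from the slides. The modulus is a constructed toy value, and the class and function names are hypothetical; `Guesser` is a prover that lacks xa and therefore passes a round only when it guessed b in advance, which is where the $2^{-k}$ figure comes from.

```python
import math
import secrets

# Constructed toy modulus (assumption): two Mersenne primes stand in for the
# secret factors p1, p2; a real modulus is 2048 bits or more.
M = (2**31 - 1) * (2**61 - 1)

def random_unit(m=M):
    """Pick a random invertible element of Z_m."""
    while True:
        r = secrets.randbelow(m - 2) + 2
        if math.gcd(r, m) == 1:
            return r

class Prover:
    """Knows the secret xa with ya = xa^2 mod m."""
    def __init__(self, xa, m=M):
        self.xa, self.m = xa, m
    def commit(self):
        self.r = random_unit(self.m)          # fresh r for every round
        return pow(self.r, 2, self.m)         # S = r^2
    def respond(self, b):
        return self.r * pow(self.xa, b, self.m) % self.m   # t = r * xa^b

class Guesser:
    """Has only ya: prepares S for one guessed b, so the other b fails."""
    def __init__(self, ya, m=M):
        self.ya, self.m = ya, m
    def commit(self):
        self.r, self.guess = random_unit(self.m), secrets.randbelow(2)
        return pow(self.r, 2, self.m) * pow(self.ya, -self.guess, self.m) % self.m
    def respond(self, b):
        return self.r

def verify_round(ya, s, b, t, m=M):
    return pow(t, 2, m) == s * pow(ya, b, m) % m   # t^2 = S * ya^b

def identify(prover, ya, rounds=20, m=M):
    """Verifier: accept only if every round passes (cheat chance 2^-rounds)."""
    for _ in range(rounds):
        s = prover.commit()
        b = secrets.randbelow(2)
        if not verify_round(ya, s, b, prover.respond(b), m):
            return False
    return True
```

The prover must draw a new r for every round: answers to both b = 0 and b = 1 for the same r give t1 / t0 = xa.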
Famous One-Way Functions used for Public-Key Systems
All operations in a Finite Ring $Z_m$!
Discrete log problem:
• Exponentiation $Y = a^k \pmod p$
• Multiplication in Elliptic-Curve Group
Factorizing Problem (m = p.q; p, q = large primes):
• Exponentiation $Y = M^k \pmod m$
• Factoring $m = p \cdot q$
• Squaring $C = M^2 \pmod m$
Other:
• Knapsack Problem
Simplify Public-Key Arithmetic using fuzzy modular computations (Adi, Eurocom 2000)
Fuzzy Modular Computations
Division Algorithm to compute the remainder of Y mod m: $R = Y \bmod m$
$Y/m = q + R/m$
$Y = q\,m + R \Rightarrow R = Y - q\,m$
To find R, subtract exactly q times of m from Y.
What happens if we subtract only z times of m?
$R' = Y - z\,m$ or $R' = (q - z)\,m + R$
$R' \equiv R \pmod m$
Example: Using fuzzy modular computations
Compute R = 43 modulo 5. The correct answer is R = 3, as $43 - 5 \cdot 8 = 3$ (division algorithm).
We do not want to divide! Let us compute roughly $R' = 43 - 5 \times 6 = 13$.
Anybody receiving R' = 13 can run the division algorithm and get the final answer R = 3.
The sender need not run the division algorithm: just subtract an unpredictable random number of m's from the original value and send what you get!
Saving! No division operation at all, just one subtraction!
How to attack the system
R' and m are known. Try to find Y.
$R' = Y - z\,m$
Choose z with weight = n/2. Number of z combinations is high:
Security-loss is only $\log_2 n$ bits!
Impact on Modular Multiplication Complexity Fuzzy Modular Multiplication
Secret Hiding Using the Fuzzy Modular Concept
Hiding a secret k by exponentiation in RSA based systems: $S = C^k \bmod N$
Let us substitute k by $k' = k - z\,\varphi(N)$:
$S = C^{k - z\,\varphi(N)} \bmod N$ (same S)
Send $k' = k - z\,\varphi(N)$ and do not exponentiate; leave the work to the receiver.
Danger of sending the same k two times!
Send $k' = k - z_1\,\varphi(N)$
Send $k'' = k - z_2\,\varphi(N)$
$\Rightarrow k' - k'' = (z_2 - z_1)\,\varphi(N)$
Having even an unknown multiple of $\varphi(N)$ simplifies computing $\varphi(N)$.
Breaking the RSA system is equivalent to computing the Euler function!
Therefore k should be used only once in the system.
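Why the single-use rule above matters, as an added example that is not part of the original slides. With a constructed toy modulus it sends the same k twice in fuzzy form, subtracts the two values so that k cancels, and feeds the resulting multiple of $\varphi(N)$ to the textbook procedure that recovers the factors of N; all names and the range of z are assumptions.

```python
import math
import secrets

# Constructed toy RSA modulus (assumption); real moduli are 2048 bits or more.
P, Q = 2**31 - 1, 2**61 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)

def fuzzy_exponent(k, phi=PHI, max_z=2**16):
    """Sender: k' = k - z*phi(N) with a fresh random z (range is an assumption)."""
    return k - (secrets.randbelow(max_z) + 1) * phi

def factor_from_phi_multiple(n, d):
    """Textbook result: a non-zero multiple d of phi(n) yields the factors of n."""
    d = abs(d)
    if d == 0:
        raise ValueError("need a non-zero multiple of phi(n)")
    s = (d & -d).bit_length() - 1      # d = 2^s * odd
    odd = d >> s
    while True:
        a = secrets.randbelow(n - 3) + 2
        if math.gcd(a, n) > 1:
            continue
        x = pow(a, odd, n)
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1 and x not in (1, n - 1):
                g = math.gcd(x - 1, n)  # x is a non-trivial square root of 1
                return g, n // g
            x = y

def reuse_breaks_modulus(k, n=N):
    """Two fuzzy forms of the same k: their difference cancels k."""
    k1, k2 = fuzzy_exponent(k), fuzzy_exponent(k)
    while k2 == k1:
        k2 = fuzzy_exponent(k)
    return factor_from_phi_multiple(n, k1 - k2)
```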
One possible Application Fast Public-Key Image Signature in a Mobile system Environment Using Fuzzy Modular Arithmetic
Public-Key Image Signature
[Figure: Digital Frame → Simple Data Compressor (DCT coef.) → Frame digest → Public-Key Signature Generator → Signature; Digital Frame + Signature = Signed Frame]
Public-Key Image Signature Using DSA system
[Figure: a frame with N x M blocks; data blocks $D_{i,j}$ fill rows 1 to N-1 and columns 1 to M-1, signature blocks $S_{i,M}$ fill the last column and $S_{N,j}$ the last row]
Mobile Signer: calculate K' out of K, calculate r, calculate s, then send (r, s, M) to the verifier
Public-Key Signature Using DSA system
Message (M) is signed by User A
Public Directory: p, q, α, ya
• α is element in GF(p) with order q, where q = large prime
• Xa = secret key of A
• ya = public key of A, $\alpha^{X_a} = y_a$ in GF(p)
Signer:
• k = random integer in GF(q)
• $R_q[R_p(\alpha^k)] = r$
• $k^{-1}(M + r \cdot X_a)$ in GF(q) $= S$
• Signed message: M (or H(M)), S, r
Verifier:
• $[\alpha^{u_1} \cdot y_a^{u_2}] = U \bmod p$
• If r agrees with U mod p, then M is authentic
Resulting Simplified Computations
For signing a piece of image data M:
• Compute $A = k^{-1} H(M)$ (3)
• Compute $B = r \cdot (k^{-1} X_a)$ (4)
• Compute $s = A + B - t'\,q$ (5)
No modular computations are involved.
Advantages and Disadvantages
Advantage:
• Only two multiplications and one addition are required
• Implementation in a low complexity mobile environment is possible
Disadvantages:
• Signature data overhead of at most $\log_2 q$ bits. Assume we have q as a prime in the range of 1000 bits; then the signature size is doubled to 2000 bits
• The security level is reduced. The new system key-size n' is then $n' = \log_2 q - \log_2(\log_2 q)$ => 1000 - 10 = 990 bits instead of 1000 bits
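Equations (3) to (5) and the verifier's side as running code, added here as an illustration and not taken from the slides. It assumes a constructed toy group (p = 2039, q = 1019), that r, $k^{-1}$ and $k^{-1} X_a$ are reduced once before the message is known, that t' is drawn below q, and that the verifier runs standard DSA verification after reducing s; all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy DSA group (assumption): q divides p - 1 and G has order q.
P, Q = 2039, 1019
G = pow(2, (P - 1) // Q, P)

def digest(msg):
    """H(M) cut to the bit length of q by a shift, not a modular reduction."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return h >> (256 - Q.bit_length())

def precompute(xa, k):
    """Message-independent values r, k^-1 and k^-1 * Xa (reduced once, offline)."""
    r = pow(G, k, P) % Q
    if r == 0:
        raise ValueError("r = 0, pick another k")
    kinv = pow(k, -1, Q)
    return r, kinv, kinv * xa % Q

def sign_fuzzy(msg, r, kinv, kinv_xa, t=None):
    """Equations (3)-(5): two multiplications, one addition, no reduction."""
    t = secrets.randbelow(Q) if t is None else t   # range of t' is an assumption
    a = kinv * digest(msg)         # (3) A = k^-1 * H(M)
    b = r * kinv_xa                # (4) B = r * (k^-1 * Xa)
    return r, a + b - t * Q        # (5) s = A + B - t' * q, left unreduced

def verify(msg, r, s_fuzzy, ya):
    """Standard DSA check after the verifier reduces the fuzzy s modulo q."""
    s = s_fuzzy % Q
    if not 0 < r < Q or s == 0:    # the signer cannot see s = 0 (mod q) itself
        return False
    w = pow(s, -1, Q)
    u1, u2 = digest(msg) * w % Q, r * w % Q
    return pow(G, u1, P) * pow(ya, u2, P) % P % Q == r
```

Because the signer never reduces s, it cannot detect the rare case s = 0 (mod q) that ordinary DSA would re-sign; the verifier rejects it, so the signer needs a retry path for rejected frames.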