1 / 34

Lecture 7: Non-secret Key Cryptosystems

This lecture discusses non-secret key cryptosystems, with a focus on Real mathematics and their effects on war. It explores concepts such as Diffie-Hellman key agreement and RSA encryption.

jeanettemathews
Download Presentation

Lecture 7: Non-secret Key Cryptosystems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 7: Non-secret Key Cryptosystems Real mathematics has no effects on war. No one has yet discovered any warlike purpose to be served by the theory of numbers. G. H. Hardy, The Mathematician’s Apology, 1940. David Evans http://www.cs.virginia.edu/~evans CS551: Security and Privacy University of Virginia Computer Science

  2. Diffie-Hellman Key Agreement • Choose public numbers: q (large prime number),  (generator mod q) • A generates random XAand sends B: YA =XA mod q. • B generates random XBand sends A: YB = XB mod q. • A calculates secret key: K = (YB) XA mod q. • B calculates secret key: K = (YA) XB mod q. University of Virginia CS 551

  3. Public-Key Cryptography • Same paper introduced concept of Public-Key Cryptography • Private procedure: E • Public procedure: D • Identity: E (D(m)) = D (E(m)) = m • Secure: cannot determine E from D • But didn’t know how to find suitable E and D University of Virginia CS 551

  4. One-way Functions • Like mixing paint – easy to mix, hard to unmix • Simple example: • Middle 100 digits of n2, n random 100 digit number • Given n, easy to calculate. • Given 100 digits, hard to find n. • Application: • Trusted spies, untrustworthy border guards University of Virginia CS 551

  5. Properties of E and D • Trap-door one way function: • D (E (M)) = M • E and D are easy to compute. • Revealing E doesn’t reveal an easy way to compute D • Trap-door one way permutation: also • E (D (M)) = M University of Virginia CS 551

  6. RSA E(M) = Me mod n D(C) = Cd mod n (red = secret) n = p * q p, q are prime dis relatively prime to(p – 1)(q – 1) e * d 1 (mod (p – 1)(q – 1)) University of Virginia CS 551

  7. RSA in Perl print pack"C*", split/\D+/, `echo "16iII*o\U@{$/=$z; [(pop,pop,unpack"H*",<>)]} \EsMsKsN0[lN*1lK[d2%Sa2/d0 <X+d*lMLa^*lN%0]dsXx++lMlN /dsM0<J]dsJxp"|dc` Until 1997 – Illegal to show this slide to non-US citizens! Today: can export RSA, but only with 512 bit keys. (by Adam Back) University of Virginia CS 551

  8. First Amendment Because computer source code is an expressive means for the exchange of information and ideas about computer programming, we hold that it is protected by the First Amendment. Sixth Circuit Court of Appeals, April 4, 2000 Ruling that Peter Junger could post RSA source code on his web site University of Virginia CS 551

  9. Properties of E and D • Trap-door one way function: • D (E (M)) = M. • E and D are easy to compute. • Revealing E doesn’t reveal an easy way to compute D • Trap-door one way permutation: also • E (D (M)) = M University of Virginia CS 551

  10. Property 1: D (E (M)) = M E(M) = Me mod n D(E(M)) = (Me mod n)d mod n = Med mod n (as in D-H proof) Hmm...can we choosee, dandnso:M  Med mod n University of Virginia CS 551

  11. M  Med mod n M Med mod n 1 Med-1mod n Euler and Fermat say: M(n)1mod n where (n) is the Euler totient function. • Proof by higher authority. (Stallings, p. 219) University of Virginia CS 551

  12. Euler’s totient function • (n) = number of positive integers < n which are relatively prime to n. • If n is prime, (n) = n – 1. • Proof by contradiction. University of Virginia CS 551

  13. Totient Properties • (p * q) = (p) * (q) • (Idiotic proof from original lecture removed.) • We are trying to find: 1 Med-1mod n know: 1  M(n) mod n ed – 1 =  (n) University of Virginia CS 551

  14. Priming the Pump • Choose n = p * q where p and q are prime. • (n) = (p) * (q) • Since p and q are prime: (p) = p – 1 (q) = q – 1 • (n) = (p - 1) * (q - 1) = p*q – p – q + 1= n – (p + q) + 1. University of Virginia CS 551

  15. Where’s ED? • So, we need to choose e and d: ed =  (n) + 1 = n – (p + q) • Pick random d, relatively prime to  (n) gcd (d,  (n)) = 1 • Since d is relatively prime to  (n)it has a multiplicative inverse e: d * e  1 mod  (n) University of Virginia CS 551

  16. Identity d * e  1 mod  (n) So,d * e = (k *  (n)) + 1 for some k. Hence, Med-1mod n = Mk *  (n)mod n University of Virginia CS 551

  17. D (E (M)) = M Med-1mod n = Mk *  (n)mod n Euler says 1 M (n)mod n. So 1 Mk *  (n)mod n 1  Med-1mod n M Med mod n QED. University of Virginia CS 551

  18. Properties of E and D • Trap-door one way function: • D (E (M)) = M • E and D are easy to compute. • Revealing E doesn’t reveal an easy way to compute D • Trap-door one way permutation: also • E (D (M)) = M University of Virginia CS 551

  19. Property 2: Easy to Compute • E(M) = Me mod n • Easy – every 4th grader can to exponents, every kindergartner can do mod n. • How big are M, e, and n? • M: 2n where n is the number of bits in M • M and n must be big (~10100) for security University of Virginia CS 551

  20. Fast Exponentiation • am + n = am * an • ab = ab/2 * ab/2 (if 2 divides b) • So, can compute Me in about log2e multiplies. • e around 21024, 1024 multiplies is doable (by a computer, not a kindergartner) • Faster bitwise algorithms known University of Virginia CS 551

  21. Anything else hard to compute? • We need to find large prime numbers p and q • Obvious way: Pick big number x for i = 2 to x - 1 if i divides x its not prime, start over with x + 1 done – x is prime sqrt (x) University of Virginia CS 551

  22. How many prime numbers? • Infinite (proved by Euclid, 300BC) • Proof by contradiction: • Suppose that there exist only finitely many primes p1 < p2 < ... < pr. • Let N = (p1)(p2)...(pr) > 2. • The integer N-1, being a product of primes, has a prime divisor pi in common with N; • So, pi divides N - (N-1) =1. University of Virginia CS 551

  23. Density of Primes (x) is the number of primes  x From http://www.utm.edu/research/primes/howmany.shtml University of Virginia CS 551

  24. Approximating (x) • The Prime Number Theorem: (x) ~ x/lnx • So, to find a prime bigger than x, we need to make about ln x/2 guesses • Each guess requires sqrt(x) work • For 200 digits (worst imaginable case): 230 guesses * 10100 • More work than breaking 3DES! University of Virginia CS 551

  25. Need a faster prime test • There are several fast probabilistic prime tests • Can quickly test a prime with high probability, with a small amount of work • If we pick a non-prime, its not a disaster (exercise for reader, PS3) University of Virginia CS 551

  26. Largest Known Prime by Chris K. Caldwell University of Virginia CS 551

  27. Properties of E and D • Trap-door one way function: • D (E (M)) = M • E and D are easy to compute. • Revealing E doesn’t reveal an easy way to compute D (next time) • Trap-door one way permutation: also • E (D (M)) = M University of Virginia CS 551

  28. Property 4: E (D (M)) = M D(M) = Md mod n E(D(M)) = (Md mod n)e mod n = Mde mod n = Med mod n = M (from the property 1 proof) University of Virginia CS 551

  29. Applications of RSA • Privacy: • Bob encrypts message to Alice using EA • Only Alice knows DA • Signatures: • Alice encrypts a message to Alice using DA • Bob decrypts using EA • Knows it was from Alice, since only Alice knows DA University of Virginia CS 551

  30. Two “Questionable” Statements in RSA Paper • “The need for a courier between every pair of users has thus been replaced by the requirement for a single secure meeting between each user and the public file manager when the user joins the system.” (p. 6) University of Virginia CS 551

  31. Two “Questionable” Statements in RSA Paper • “(The NBS scheme (DES) is probably somewhat faster if special-purposed hardware encryption devices are used; our scheme may be faster on a general-purpose computer since multiprecision arithmetic operations are simpler to implement than complicated bit manipulations.)” (p. 4) University of Virginia CS 551

  32. Who really invented RSA? • General Communications Headquarters, Cheltenham (formed from Bletchley Park after WWII) • 1969 – James Ellis asked to work on key distribution problem • Secure telephone conversations by adding “noise” to line • Late 1969 – idea for PK, but function University of Virginia CS 551

  33. RSA & Diffie-Hellman • Asks Clifford Cocks, Cambridge mathematics graduate, for help • He discovers RSA (four years early) • Then (with Malcolm Williamson) discovered Diffie-Hellman • Kept secret until 1997! • NSA claims they had it even earlier University of Virginia CS 551

  34. Charge • Reread the parts of RSA paper you didn’t understand the first time • PS2 Due next Weds • Next time: security of RSA (third property) University of Virginia CS 551

More Related