1 / 13

Public Key Cryptography

Public Key Cryptography. CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk. Public Key Cryptography. “New Directions in Cryptography”, Diffie&Hellman, 1976: Two fundamental problems in cryptography can be solved by an asymmetric “trapdoor one-way function”:

lcoates
Download Presentation

Public Key Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Public Key Cryptography CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk Public Key Cryptography

  2. Public Key Cryptography “New Directions in Cryptography”, Diffie&Hellman, 1976: Two fundamental problems in cryptography can be solved by an asymmetric “trapdoor one-way function”: • key distribution • source authentication An asymmetric encryption function: • Encryption & decryption keys are different. • Knowledge of the encryption key is not sufficient for deriving the decryption key efficiently. • Hence, the encryption key can be made “public”. Public Key Cryptography

  3. Public Key Cryptography Key distribution solution: • Alice makes her encryption key K public • Everyone can send her an encrypted message: C = EK(P) • Only Alice can decrypt it with the private key K-1: P = DK-1(C) Source Authentication Solution: • Only Alice can “sign” a message, using K-1. • Anyone can verify the signature, using K. Only if such a function could be found... Public Key Cryptography

  4. Alice Bob g mod p g mod p computes (g) mod p computes (g) mod p K = g mod p Diffie-Hellman Key Exchange Public parameters:p: A large primeg: A generator of Zp*. ie., {gi | 0 ≤ i ≤ p-2} = {1, 2,...,p-1}. ,  {0, 1, 2,...,p-2} are secret. Public Key Cryptography

  5. Security of DH • Discrete Logarithm Problem: Given p, g, g mod p, what is ? (easy in Z, hard in Zp.) • DH Problem: Given p, g, g mod p, g mod p, what is g mod p? • Conjecture: DHP is as hard as DLP. (note: Neither is proven to be NP-complete.) • “Safe prime”: If (p-1)/2 is also a prime. • Best known method for DLP: “Number Field Sieve” with running time e(1.923 + O(1)) ((ln p)^(1/3)) ((ln ln p)^(2/3)). Public Key Cryptography

  6. Efficiency of DH Generating a large prime • Generate a random number & test for primality. • Primality testing is efficient. • Density of primes: Prime Number Theorem: For π(n) denoting the number of primes ≤ n, we have π(n) ~ n / ln n. That is, lim n → (π(n) ln n) / n = 1. Public Key Cryptography

  7. Efficiency of DH How to compute (g mod p) for large p, g,? xn = (xk)2 if n = 2k (xk)2x if n = 2k + 1 “Repeated squaring”: Start with the most significant bit of the exponent. E.g. Computing 325 mod 20. 25 = (11001)2 y0 = 3(1) mod 20 = 3 y1 = 3(11) mod 20 = 32 3 mod 20 = 7 y2 = 3(110) mod 20 = 72 mod 20 = 9 y3 = 3(1100) mod 20 = 92 mod 20 = 1 y4 = 3(11001) mod 20 = 12 3 mod 20 = 3 Further efficiency with preprocessing xi, i < 2k, for some k. Public Key Cryptography

  8. Structure of Zp* For a prime p, let Zp* denote all non-zero elements of Zp. Fermat’s (Little) Theorem: For all x  Zp*, we have xp-1 ≡ 1 (mod p). Let <g> denote the numbers generated by powers of g in Zp*; <g> = {g, g2,…, gp-1}. E.g. for Z5*: <1> = {1} <2> = {2,4,3,1} <3> = {3,4,2,1} <4> = {4,1} • “order” of 1 is one; of 4 is two; of 2 & 3 is four. • 2 & 3 are “generators” of Z5* (they have order p-1). • Fact: For every prime p, Zp* has a generator. Public Key Cryptography

  9. Number Theory Review Euclid’s algorithm to compute gcd(m,n): Divide repeatedly until no divisor is left: m = q0n + r0 , 0 ≤ r0 < n n = q1r0 + r1 , 0 ≤ r1 < r0 r0 = q2r1 + r2 , 0 ≤ r2 < r1 rk-2 = qkrk-1 + rk , 0 ≤ rk < rk-2 rk-1 = qk+1rk . (why is convergence guaranteed?) Theorem: gcd(m,n) = rk. Proof: rk divides all ris, hence rk | m,n. Conversely, if d | m,n, then d | ri , including rk. .... Public Key Cryptography

  10. Extended Euclid’s Algorithm • Compute u, v, such that gcd(m,n) = um + vn. • Maintain ui, vi, such that ri = uim + vin. (“loop invariant”)When the last r is reached, u & v are found. • Given ri-2 = ui-2m + vi-2n and ri-1 = ui-1m + vi-1n, we have ri = ri-2 – qiri-1 = (ui-2m + vi-2n) – qi (ui-1m + vi-1n) = (ui-2 – qiui-1)m + (vi-2 – qivi-1)nHence, ui = ui-2 – qiui-1 and vi = vi-2 – qivi-1. • Initial conditions: For r0 = m – q0n, we have r-1=n, r-2=m. u-1 = 0, v-1 = 1 u-2 = 1, v-2 = 0. Public Key Cryptography

  11. Extended Euclid’s Algorithm E.g. Compute gcd(100, 18) with the u, v coefficients: i ri qi ui vi -2 100 – 1 0 -1 18 – 0 1 0 10 5 1 -5 1 8 1 -1 6 2 2 1 2 -11 (*) 3 0 4 – –  gcd(100, 18) = 2, 2 = 2*100 – 11*18. Public Key Cryptography

  12. Number Theory Review Def: m, n  Z are relatively prime if gcd(m,n) = 1. Def: Zn*: the numbers in Zn relatively prime to n. e.g., Z6* = {1, 5}, Z7* = {1, 2, 3, 4, 5, 6}. Def:(n) = |Zn*|. e.g., (6) = 2, (7) = 6. Theorem: If n is prime, (n) = n – 1. Theorem (Euler): For all m  Zn*, we have m(n) ≡ 1 (mod n). (This result generalizes Fermat’s theorem to composite values of n.) Public Key Cryptography

  13. Number Theory Review Chinese Remainder Theorem: For n1, n2,..., nk pairwise relatively prime, the system x ≡ r1 (mod n1) x ≡ r2 (mod n2) x ≡ rk (mod nk) has a unique solution in Zn, where n = n1n2...nk. E.g., x ≡ 1 (mod 3), x ≡ 1 (mod 4)  x ≡ 1 (mod 12). But x ≡ 1 (mod 2), x ≡ 1 (mod 4) is either 1 or 5 in Z8, whereas x ≡ 1 (mod 2), x ≡ 2 (mod 4) has no solutions. . . . Public Key Cryptography

More Related