140 likes | 163 Views
Public Key Cryptography. CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk. Public Key Cryptography. “New Directions in Cryptography”, Diffie&Hellman, 1976: Two fundamental problems in cryptography can be solved by an asymmetric “trapdoor one-way function”:
E N D
Public Key Cryptography CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk Public Key Cryptography
Public Key Cryptography “New Directions in Cryptography”, Diffie&Hellman, 1976: Two fundamental problems in cryptography can be solved by an asymmetric “trapdoor one-way function”: • key distribution • source authentication An asymmetric encryption function: • Encryption & decryption keys are different. • Knowledge of the encryption key is not sufficient for deriving the decryption key efficiently. • Hence, the encryption key can be made “public”. Public Key Cryptography
Public Key Cryptography Key distribution solution: • Alice makes her encryption key K public • Everyone can send her an encrypted message: C = EK(P) • Only Alice can decrypt it with the private key K-1: P = DK-1(C) Source Authentication Solution: • Only Alice can “sign” a message, using K-1. • Anyone can verify the signature, using K. Only if such a function could be found... Public Key Cryptography
Alice Bob g mod p g mod p computes (g) mod p computes (g) mod p K = g mod p Diffie-Hellman Key Exchange Public parameters:p: A large primeg: A generator of Zp*. ie., {gi | 0 ≤ i ≤ p-2} = {1, 2,...,p-1}. , {0, 1, 2,...,p-2} are secret. Public Key Cryptography
Security of DH • Discrete Logarithm Problem: Given p, g, g mod p, what is ? (easy in Z, hard in Zp.) • DH Problem: Given p, g, g mod p, g mod p, what is g mod p? • Conjecture: DHP is as hard as DLP. (note: Neither is proven to be NP-complete.) • “Safe prime”: If (p-1)/2 is also a prime. • Best known method for DLP: “Number Field Sieve” with running time e(1.923 + O(1)) ((ln p)^(1/3)) ((ln ln p)^(2/3)). Public Key Cryptography
Efficiency of DH Generating a large prime • Generate a random number & test for primality. • Primality testing is efficient. • Density of primes: Prime Number Theorem: For π(n) denoting the number of primes ≤ n, we have π(n) ~ n / ln n. That is, lim n → (π(n) ln n) / n = 1. Public Key Cryptography
Efficiency of DH How to compute (g mod p) for large p, g,? xn = (xk)2 if n = 2k (xk)2x if n = 2k + 1 “Repeated squaring”: Start with the most significant bit of the exponent. E.g. Computing 325 mod 20. 25 = (11001)2 y0 = 3(1) mod 20 = 3 y1 = 3(11) mod 20 = 32 3 mod 20 = 7 y2 = 3(110) mod 20 = 72 mod 20 = 9 y3 = 3(1100) mod 20 = 92 mod 20 = 1 y4 = 3(11001) mod 20 = 12 3 mod 20 = 3 Further efficiency with preprocessing xi, i < 2k, for some k. Public Key Cryptography
Structure of Zp* For a prime p, let Zp* denote all non-zero elements of Zp. Fermat’s (Little) Theorem: For all x Zp*, we have xp-1 ≡ 1 (mod p). Let <g> denote the numbers generated by powers of g in Zp*; <g> = {g, g2,…, gp-1}. E.g. for Z5*: <1> = {1} <2> = {2,4,3,1} <3> = {3,4,2,1} <4> = {4,1} • “order” of 1 is one; of 4 is two; of 2 & 3 is four. • 2 & 3 are “generators” of Z5* (they have order p-1). • Fact: For every prime p, Zp* has a generator. Public Key Cryptography
Number Theory Review Euclid’s algorithm to compute gcd(m,n): Divide repeatedly until no divisor is left: m = q0n + r0 , 0 ≤ r0 < n n = q1r0 + r1 , 0 ≤ r1 < r0 r0 = q2r1 + r2 , 0 ≤ r2 < r1 rk-2 = qkrk-1 + rk , 0 ≤ rk < rk-2 rk-1 = qk+1rk . (why is convergence guaranteed?) Theorem: gcd(m,n) = rk. Proof: rk divides all ris, hence rk | m,n. Conversely, if d | m,n, then d | ri , including rk. .... Public Key Cryptography
Extended Euclid’s Algorithm • Compute u, v, such that gcd(m,n) = um + vn. • Maintain ui, vi, such that ri = uim + vin. (“loop invariant”)When the last r is reached, u & v are found. • Given ri-2 = ui-2m + vi-2n and ri-1 = ui-1m + vi-1n, we have ri = ri-2 – qiri-1 = (ui-2m + vi-2n) – qi (ui-1m + vi-1n) = (ui-2 – qiui-1)m + (vi-2 – qivi-1)nHence, ui = ui-2 – qiui-1 and vi = vi-2 – qivi-1. • Initial conditions: For r0 = m – q0n, we have r-1=n, r-2=m. u-1 = 0, v-1 = 1 u-2 = 1, v-2 = 0. Public Key Cryptography
Extended Euclid’s Algorithm E.g. Compute gcd(100, 18) with the u, v coefficients: i ri qi ui vi -2 100 – 1 0 -1 18 – 0 1 0 10 5 1 -5 1 8 1 -1 6 2 2 1 2 -11 (*) 3 0 4 – – gcd(100, 18) = 2, 2 = 2*100 – 11*18. Public Key Cryptography
Number Theory Review Def: m, n Z are relatively prime if gcd(m,n) = 1. Def: Zn*: the numbers in Zn relatively prime to n. e.g., Z6* = {1, 5}, Z7* = {1, 2, 3, 4, 5, 6}. Def:(n) = |Zn*|. e.g., (6) = 2, (7) = 6. Theorem: If n is prime, (n) = n – 1. Theorem (Euler): For all m Zn*, we have m(n) ≡ 1 (mod n). (This result generalizes Fermat’s theorem to composite values of n.) Public Key Cryptography
Number Theory Review Chinese Remainder Theorem: For n1, n2,..., nk pairwise relatively prime, the system x ≡ r1 (mod n1) x ≡ r2 (mod n2) x ≡ rk (mod nk) has a unique solution in Zn, where n = n1n2...nk. E.g., x ≡ 1 (mod 3), x ≡ 1 (mod 4) x ≡ 1 (mod 12). But x ≡ 1 (mod 2), x ≡ 1 (mod 4) is either 1 or 5 in Z8, whereas x ≡ 1 (mod 2), x ≡ 2 (mod 4) has no solutions. . . . Public Key Cryptography