540 likes | 734 Views
Overview of Public Key Cryptology. Ed Dawson Information Security Research Centre Queensland University of Technology. Introduction RSA Algorithm Discrete Log Ciphers Conclusion and Future Directions. INTRODUCTION. Public Key Ciphers Concept first proposed in 1976 by Diffie and Hellman
E N D
Overview ofPublic Key Cryptology Ed Dawson Information Security Research Centre Queensland University of Technology
Introduction • RSA Algorithm • Discrete Log Ciphers • Conclusion and Future Directions
Public Key Ciphers • Concept first proposed in 1976 by Diffie and Hellman • Based on difficult mathematical problem • Two main types of public key ciphers • Based on difficulty of factoring large integors e.g. RSA algorithm • Based on difficulty of solving discrete log problem over a finite group with large order e.g. ElGamal algorithm.
Public Key Ciphers • Let message be noted M • Require one way encryption function E that uses public key, PU, where EPU (M) = C • Require trapdoor information donated by private key, PR, and decryption function D such that DPR (C) = M
Message Encryption Bob wants to send encrypted message M to Alice. Step 1: Bob looks up Alice’s Public Key, PU Step 2: Bob uses PU to encrypt message, EPU(M) = C Step 3: Bob sends C on open channel to Alice Step 4: Alice uses PR to decrypt C, DPR (C) = M
Digital Signatures Alice wants to send M to Bob with her digital signature. Step 1: Alice forms hash of M using one way hash function F, H=F(M) Step 2: Alice uses private key to form signature DPR (M) = C Step 3: Alice transmits M, S to Bob Step 4: Bob looks up PU Step 5: Bob forms hash, F(M)=H Step 6: Bob checks signature EPU (S) = H
Introduction to RSA • Rivest-Shamir-Adleman, MIT, 1977 • Public Key cryptosystem and digital signature scheme. • Based on difficulty of factoring large integers
RSA Key Generation 1. Let p,q be large prime numbers, randomly chosen from the set of all large prime numbers. 2. Compute n = pq. 3. Select e randomly 4. Compute d e-1 (modulo (n)). 5. Publish n and e. Keep p, q and d secret.
Encryption: 1. Divide the message into blocks m where m < n. 2. Compute and send c me (modulo n). Decryption: • 1. Compute cdm (mod n)
Implementation Issues • For key generation need efficient method to generate huge primes • For encryption and decryption • Efficient modular arithmetic • Efficient exponentiation
RSA Performance The RSA operation involves modular multiplication, which takes time proportional to (log n)2. Public-key: 2 to 17 multiplications if e has few non-zero bits. Private-key: 1.5 log n multiplications. Given p,q, four times faster using the Chinese Remainder Theorem. Good public-key speed, fair private-key speed - but good in combination with secret key, message digest.
Software Implementation Pentium 111 700 MHz 1024-bit RSA key generation 430 ms encrypt 0.35 ms decrypt 16.8 ms Figures from http://www.cpktec.com/performance.html using CRT and d = 17.
Factoring is equivalent to solving RSA Supposing the public keys n and e are known and the attacker can factor n. Factoring n = pq one can solve for (n) = (p - 1)(q - 1) Given (n) and e, the attacker can solve for d where ed ≡ 1 (mod (n)). The attacker can then decrypt the message.
Common Modulus Problem Users should use a different modulus otherwise • users can discover each other’s private key • Possible to fake signatures.
Selection of p and q • Formatted primes, and • Random generation of primes
Formatted Primes The digits p and q should be carefully selected to maximise the computational effort associated with a factoring attack. In particular: • p and q should only differ in length by a few digits. • both p – 1 and q – 1 should contain large prime factors, and • gcd (p – 1, q – 1) should be small
One method of selecting prime p where p – 1 has a large factor is given by the following algorithm: Step 1: Select a large random prime p ' Step 2: Let k = 2 Step 3: Let p = kp ' + 1 Step 4: Is p prime? • Yes → p is the required prime • No → go back to Step 3 and increment k by 2
Random Generation of Primes • The primes p and q should be random and sufficiently large: • “large primes” are more important than “strong primes” • The primes may be the same length, and • Typical prime generation methods are adequate. • The public exponent e should be small or chosen at random or, if the private exponent d is chosen, it should not be too small.
Types of Factoring Algorithm • Special purpose • P and q too close • P and q too far away • General Purpose • Does not depend on structure of p and q • Can work in parallel • Most powerful technique is NFS used in 1999 to factor 512 bit RSA challenge number.
New Attacks on RSA Algorithm • Quantum Computer • Cryptanalysis in linear time. • Infeasible with current technology.
Timing Analysis (Paul Kocher 1995) • Encryption of know plaintext may provide leakage of information. • 512-bit modulus attacked using 2000 plaintext encryption. • Attack may apply in the case of use of RSA in smart cards. • How to avoid Timing Analysis attacks • Use fixed time for encryption process. • Multiply by random blinding factor.
Shamir, Trommer 2002, 2003 • Improvements on NFS
YEAR Number of Digits Factorised 1970 43 1980 50 1982 55 1983 62 1984 72 1989 80 1993 110 1994 129 1999 140 2003 280 ?
Discrete Log Problem Let G be a finite group with generator g The discrete log problem over G is: given g in G and y in G where y = gx, find x. If G has enough elements this may be a difficult problem. Various Groups used • Nonzero elements in finite field • Elliptic curves • Hyper elliptic curves • XTR algorithm
Methods for Solving the Discrete Log Problem There are four general types of algorithms for solving the discrete log problem: • Algorithms which work in arbitrary groups. • Algorithms which depend on the order of the group being smooth. • The index calculus method. • Methods which exploit mappings between groups.
Discrete Log Ciphers Many ciphers have evolved from the discrete log problem including: • Diffie-Hellmann (1976) • ElGamal (1985) • DSA (1991)
Diffie-Hellman key Agreement (or Exchange) This system was designed for key agreement of a symmetric cipher key. Public knowledge: • group G with n elements • generator g of G
Protocol: Alice and Bob wish to generate key K to use on an insecure channel. • Alice and Bob each generate secret keys a and b respectively where 0a, b n – 1. • Alice sends ga to Bob (over an insecure channel). • Bob sends gb to Alice (over an insecure channel). • Alice and Bob both compute secret key K where K ≡ gab.
ElGamal Cryptosystem Key Generation • Select a group G with a large number of elements n and a generator g. • Each user A selects an integer a where 0a, b n – 1 and computes ga • a is private key • ga, g are public keys
Protocol: To send a message m to A, choose k at random and send to A the pair (gk, mgak). A recovers m by: • evaluating (gk)a • dividing mgak by gak
Notes on ElGamal: • Can be adapted for digital signatures • Do not need to be part of the system to be able to send messages to A, i.e. the sender of the encrypted message does not need to have their own key published. • If an attacker can solve the discrete log problem, the system can be broken by determining a from ga.
Discrete Log Problem over Zp*: Let p be a large prime. We will let g denote a generator of the multiplicative group of Zp Discrete log problem is given g, p, y Find x such that y=gx mod p
Discrete Log Problem and Factoring Solving the discrete log problem over Zp is comparable to the difficulty of factoring n, where n is the product of two primes, i.e. if the number of bits in n is the same as the number of bits in p. Hence, the discrete log ciphers modulo p offer the same level of security as the RSA algorithm.
Elliptic Curves Over Zp • Let p > 3 an odd prime, and let a and b be integers such that 4a3+27b20 (mod p). • An elliptic curve of Zp is defined by an equation E:y2 = x3 + ax + b and is the set of all points (x,y) which satisfy the equation, together with a special element called the point of infinity. That isE(Zp) = {(x,y): y2 = x3 + ax + b} { }
Addition Laws There is a simple rule for addition of two points on an elliptic curve to produce a third curve point. This operation involves a few arithmetic operations in the underlying field Zp. Under this operation, the set of elliptic curve points forms a group. Note that for historical reasons, the operation of an elliptic curve is denoted by “addition”, in contrast to the operation in the group Zp, which is denoted by “multiplication”.
Doubling and Adding Points • Doubling and addition of points on curves over the real numbers can be illustrated graphically. • The same equations apply to curves over GF(p).
Discrete Log Problem over Elliptic Curve Let: • p be a large prime, • E denote an elliptic curve, y2 = x3 + ax + b, defined over integers modulo p, • P be a generator of a large subset of E, and • P, P1 be points on E such that P1 = nP(where nP denotes P + … + P). Elliptic curve discrete log problem: Given P1 and P find n. This problem may be intractable if the order of E and P is sufficiently large.
Security of ECC versus DSA/RSA • Elliptic curve cryptosystems give the most security per bit of any known public-key scheme. • The ECDLP problem appears to be much more difficult than the integer factorisation problem and the discrete logarithm problem of Zp. • The strength of elliptic curve cryptosystems grows much faster with the key size increases than does the strength of RSA.
Elliptic Curve Security MIPS-years is the number of years it would take a computer that operates at one million instructions per second.
ECC Benefits ECC is particularly beneficial for application where: • computational power is limited (ICCs, wireless devices, PC cards) • integrated circuit space is limited (ICCs, wireless devices, PC cards) • high speed is required.
ECC Benefits (cont’d) • intensive use of signing, verifying or authenticating is required. • signed messages are required to be stored or transmitted (especially for short messages). • bandwidth is limited (wireless communications and some computer networks).
Two Methods of Curve Generation • use a random curve, and • use a fixed curve
Key Generation for Random Elliptic Curves • Select a prime q and integers a and b (mod q) which define a curve E = {(x,y) : y2≡ x3 + ax + b ) mod q)} and the point at infinity . • Count the number of points on the curve, say r. • Factorise r into its prime factors. • Find a point P‘ = (x,y) which generates a large subset of points.
Comments on Random Curve Generation • Counting points on a curve is very intensive. • This is not practical for devices with limited memory such as smart cards.
Key Generation for Fixed Curves • Discrete log ciphers do not have the same common modulus problem as the RSA algorithm. • Use an elliptic curve from the standards such as the IEEEP1362 standard: • The order of the curve is known. • Finding a generator is easy. • Small loss of security compared to a random curve..
Elliptic Curve Implementation Issues • Key generation • With fixed curve only need random number generator • Arithmetic • Finite field • Elliptic curve addition
CONCLUSION AND FUTURE DIRECTIONS