Factoring and Discrete Logarithm Based Cryptography: A Tale of Two Families
Burt Kaliski and Moses Liskov, RSA Laboratories
B.D.H. (Before Diffie-Hellman)
• Only symmetric cryptography existed
• Cryptography didn't focus on hard problems
• Major research area: Key Distribution Problem
• The Diffie-Hellman result cracked the field open
The Breakthrough
• The Diffie-Hellman key exchange system (1976)
• Now Alice and Bob share a secret key!
  Alice generates x, Bob generates y.
  Alice sends a^x mod p, Bob sends a^y mod p.
  Alice and Bob both compute a^(xy) mod p.
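The exchange on this slide, written out as an added example (not code from the deck): both parties derive a^(xy) mod p, and each side validates the value it receives, the kind of key validation procedure the deck lists later. The parameters P, Q, G and all helper names are constructed toy values; a real deployment uses a 2048-bit or larger prime.

```python
import secrets

# Constructed toy parameters (assumption, not from the slides):
# P is a safe prime, P = 2*Q + 1, so the group has a subgroup of prime
# order Q. G = 2 is a quadratic residue mod P (P = 7 mod 8), hence it
# generates that order-Q subgroup. Far too small for real use.
P = 2 * 1019 + 1   # 2039, prime
Q = 1019           # prime
G = 2


def validate_public_value(y: int, p: int = P, q: int = Q) -> bool:
    """Reject values outside the open interval (1, p-1) or outside the
    prime-order subgroup, so a peer cannot force the secret into a tiny set."""
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def keygen(p: int = P, q: int = Q, g: int = G) -> tuple[int, int]:
    """Return (private exponent, public value g^x mod p)."""
    x = secrets.randbelow(q - 1) + 1     # 1 <= x <= q-1
    return x, pow(g, x, p)


def shared_secret(own_private: int, peer_public: int,
                  p: int = P, q: int = Q) -> int:
    """Compute (peer_public)^own_private mod p after validating the input."""
    if not validate_public_value(peer_public, p, q):
        raise ValueError("peer public value is not in the expected subgroup")
    return pow(peer_public, own_private, p)


def run_exchange(p: int = P, q: int = Q, g: int = G) -> int:
    """Alice and Bob each send g^x / g^y; both arrive at g^(xy) mod p."""
    x, a_pub = keygen(p, q, g)           # Alice sends a_pub = g^x mod p
    y, b_pub = keygen(p, q, g)           # Bob sends b_pub = g^y mod p
    k_alice = shared_secret(x, b_pub, p, q)
    k_bob = shared_secret(y, a_pub, p, q)
    assert k_alice == k_bob == pow(g, x * y, p)
    return k_alice
```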
Diffie-Hellman and RSA
• RSA invented in 1977
• Public-key cryptosystem capable of encryption and signature as well as key exchange
• Set the stage for the next 20 years
The Two Families
• Diffie-Hellman, and later ElGamal, DSA, and Elliptic Curve are all in the Discrete Logarithm (DL) family.
• RSA and related systems make up the Factoring family.
Beginnings
• First, cryptosystems are invented:
  • Diffie-Hellman invented in 1976
  • RSA (1977)
  • Merkle's puzzles (1979)
  • Knapsack Cryptosystems (1978)
  • McEliece Cryptosystem (1978)
  • Elliptic Curve Cryptography (1985)
Testing
• After a cryptosystem is proposed, the Crypto community attempts to break it.
• Most of the cryptosystems that have been proposed outside of the two families failed at this step.
• For example, knapsack cryptosystems were found to be insecure.
Testing
• Diffie-Hellman, RSA, and Elliptic Curve all withstood analysis from the Crypto community.
• Testing is an ongoing process.
Basic Components
• Discrete Logarithm and Factoring both provide the same fundamental tools, but in different ways:
  • Digital Signature
  • Encryption
  • Key Agreement
Implementation Issues
• Once a cryptosystem is realized to be promising, it must be implemented.
• The cryptosystem must be made efficient enough to be practical!
• Some cryptosystems have not been made efficient enough to be widely accepted.
Implementation Issues
• Similar implementation results can be used by both families.
• RSA and DL require efficient modular exponentiation and multiplication.
• ECDL requires efficient EC multiplication and addition.
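An added example (not from the deck) of the two primitives the slide names for the factoring family: square-and-multiply modular exponentiation, and an RSA private-key operation sped up with the Chinese Remainder Theorem, the efficiency result the factoring timeline cites as [QC82]. The key below is built from constructed toy primes 61 and 53; helper names are the author's choices.

```python
# Constructed toy RSA key (assumption, not from the slides); real keys
# use 2048-bit moduli. Python 3.8+ is assumed for pow(x, -1, m).
P_RSA, Q_RSA = 61, 53
N = P_RSA * Q_RSA                       # 3233
E = 17
PHI = (P_RSA - 1) * (Q_RSA - 1)         # 3120
D = pow(E, -1, PHI)                     # 2753, since 17 * 2753 = 1 mod 3120


def mod_exp(base: int, exp: int, mod: int) -> int:
    """Left-to-right square-and-multiply; one squaring per exponent bit
    plus one multiplication per set bit. Matches pow(base, exp, mod)."""
    if mod == 1:
        return 0
    result, base = 1, base % mod
    for bit in bin(exp)[2:]:            # most significant bit first
        result = result * result % mod
        if bit == "1":
            result = result * base % mod
    return result


def rsa_public(m: int, e: int = E, n: int = N) -> int:
    """Public operation c = m^e mod n (encrypt or verify)."""
    return mod_exp(m, e, n)


def rsa_private_crt(c: int, p: int = P_RSA, q: int = Q_RSA, d: int = D) -> int:
    """Private operation m = c^d mod n computed via the CRT: two
    half-size exponentiations mod p and mod q, then recombined with
    Garner's formula. Roughly four times faster than a single c^d mod n."""
    dp, dq = d % (p - 1), d % (q - 1)   # reduced exponents (Fermat)
    q_inv = pow(q, -1, p)               # q^-1 mod p, precomputable
    m1 = mod_exp(c % p, dp, p)
    m2 = mod_exp(c % q, dq, q)
    h = (q_inv * (m1 - m2)) % p
    return m2 + h * q                   # already in [0, n)
```

The CRT path exposes the factors p and q at run time, which is exactly why implementations protect the private-key material around it.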
Next Steps
• Proofs of Security
• Industrialization & Standardization
• Advanced Techniques
Proofs of Security
• The inability of the Crypto community to break an algorithm is reassuring.
• A proof that an algorithm is secure is far more desirable.
• A provably secure variation is often attainable, under some assumptions.
Proofs of Security
• Examples:
  • OAEP and PSS provide provably secure methods for using RSA.
  • Pointcheval-Stern and Brickell provide provably secure variants of DSA and ECDSA.
  • Proofs of equivalence between hard problems
Standardization
• Once an algorithm is very well accepted, standards must be developed.
• Standards are necessary for:
  • Interoperability
  • Guaranteed level of security
  • Community confidence
• Without standards, actual implementation and use is very difficult.
Standardization
• Both families have survived this process; they are the only ones to have made it this far.
  • Factoring (RSA): PKCS #1, ANSI X9.31, X9.44
  • Discrete Log (DSA, DH): ANSI X9.30, X9.42
  • Discrete Log (ECC): ANSI X9.62, ANSI X9.63
• Also, IEEE P1363 covers all of these.
Advanced Techniques
• Once a cryptosystem is fairly well established, it becomes a natural tool for more advanced techniques.
• Advanced techniques solve limited, specific problems in new ways.
• Examples:
  • Zero Knowledge Proofs of Private Key Knowledge
Advanced Techniques
• Examples (cont.):
  • Blind Signatures
  • Secret Sharing / Threshold Security
  • Group Signatures
  • Undeniable Signatures
  • Zero Knowledge Proofs of Key Security
  • Key Validation Procedures
Discrete Logarithm Timeline (axis on the slide: 1976, 1980, 1990, 1998; entries ordered by citation year)
• Diffie-Hellman invented [DH76]
• Index Calculus method [Adl79]
• Bit Security result for DL [BM82]
• Coppersmith DL attack on GF(2^n) [Cop84]
• Montgomery's Method [M85]
• ElGamal cryptosystem invented [Elg85]
• Elliptic Curve proposed by Miller and Koblitz [Mil86] [Kob87]
• Chaum et al. ZK proof [CEGP87]
• Schnorr ID/signature scheme [Sch90]
• EC reduced to DL for certain curves [MOV90]
• Fast Modular Exponentiation [BGMW92]
• Authenticated DH developed [DVW92]
• DL Number Field Sieve [Gor93]
• DH proved equivalent to DL under certain assumptions [Mau94]
• Entries without a citation year on the slide: DSA proposed; ANSI X9.30 drafted; ANSI X9.42 drafted; ANSI X9.42 balloted; ANSI X9.62 and X9.63 for EC drafted; 1st ECC workshop
Factoring Timeline (axis on the slide: 1976, 1980, 1990, 1998; entries ordered by citation year)
• RSA Cryptosystem invented [RSA78]
• Rabin's variant of RSA [Rab79]
• Chinese Remainder Theorem efficiency result [QC82]
• Bit Security result for RSA [ACGS84]
• Montgomery's Method [M85]
• Fiat-Shamir ID scheme [FS86]
• Multiple Polynomial Quadratic Sieve [Sil87]
• Public Exponent 3 attack [Has88]
• Fast Hardware implementation of RSA [SV93]
• OAEP invented [BR94]
• General Number Field Sieve [BLP94] [BLZ94]
• PSS invented [BR96]
• Related Message attack [CFPR96]
• Entries without a citation year on the slide: PKCS #1 v1 published; RSA Factoring Challenge started; ISO/IEC 9796 published; ANSI X9.31 adopted; PKCS #1 v2 published
Other Techniques Timeline (axis on the slide: 1976, 1980, 1990, 1998; entries ordered by citation year)
• Merkle-Hellman Knapsack System [MH78]
• Merkle-Hellman Knapsack System Broken [Sha84]
• Chor-Rivest Knapsack System proposed [CR85]
• Multiple Iteration Merkle-Hellman Broken [Bri85]
• Revised Chor-Rivest Knapsack System [CR88]
• Goppa code variant on McEliece cryptosystem proposed [GPT91]
• Goppa code idea debunked [Gib93]
• Chor-Rivest attacked [SH95]
• LUC cryptosystems proposed [SS95]
• Advantages of LUC brought into question [BBL95]
• Ajtai-Dwork lattice based cryptosystem, some analysis [AD97]
• McEliece analysis [CS98], [S98]
• Entries without a citation year on the slide: McEliece Cryptosystem (Algebraic Coding); Merkle Proposes Multiple Iteration Knapsack System
Why Two Families?
• DL and Factoring have held up through the full development process.
• No other family has made it through the process.
• DL and Factoring are based on seemingly hard but not NP-complete problems.
Which is Better?
• Neither DL nor Factoring is entirely better in practice; each has its own advantages.
• Developments in one family often propagate to the other.
• For example:
  • ZK key validation (DL to Factoring)
  • ZK identity schemes (Factoring to DL)
Should We Look for More?
• It is possible that the DL problem and the Factoring problem could both become solved.
• Other types of cryptography would give us a fallback in case this happens.
Should We Look for More?
• Value has been gained from our failed attempts at other types of cryptosystems.
• Example:
  • Knapsack cryptosystems were proposed.
  • Lattice reduction was used to break them.
  • It was then found that lattice reduction bears some relation to factoring!
Where is Cryptography Going?
• DL and Factoring will doubtless continue to be tested, and new, valuable results developed.
• Other ideas will be proposed, and perhaps they can follow in the footsteps of the two families.
• Continuing basic research benefits us all.