c05 Crypto Publickeycrypto10
Asymmetric-Key Cryptography
Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Chapter 10 Objectives
To distinguish between two cryptosystems: symmetric-key and asymmetric-key
To introduce trapdoor one-way functions and their use in asymmetric-key cryptosystems
To discuss the RSA cryptosystem
10-1 INTRODUCTION
Symmetric and asymmetric-key cryptography will exist in parallel and continue to serve the community. We actually believe that they are complements of each other; the advantages of one can compensate for the disadvantages of the other. Topics discussed in this section:
10.1.1 10.1.2 10.1.3 10.1.4
Note
Symmetric-key cryptography is based on sharing secrecy; asymmetric-key cryptography is based on personal secrecy.
10.1.1 Keys
Asymmetric key cryptography uses two separate keys: one private and one public.
Figure 10.1 Locking and unlocking in asymmetric-key cryptosystem
10.1.2 Continued
Plaintext/Ciphertext
Unlike in symmetric-key cryptography, plaintext and ciphertext are treated as integers in asymmetric-key cryptography.
Encryption/Decryption
C = e(Kpublic , P)
P = d(Kprivate , C)
10.1.4 Continued
One-Way Function (OWF)
10.1.4 Continued
Example 10.1
When n is large, n = p × q is a one-way function.
Easy: given p and q, calculate n.
Difficult: given n, calculate p and q. This is the factorization problem.
Example 10.2
When n is large, the function y = x^k mod n is a trapdoor one-way function.
Easy: given x, k, and n, calculate y.
Difficult: given y, k, and n, calculate x. This is the discrete logarithm problem.
However, if we know the trapdoor, k′ such that k × k′ = 1 mod φ(n), we can use x = y^(k′) mod n to find x.
10.2.1 Introduction
Figure 10.5 Complexity of operations in RSA
10.2.2 Procedure
Figure 10.6 Encryption, decryption, and key generation in RSA
RSA example:
Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z).
encrypt: letter l, m = 12, m^e = 1524832, c = m^e mod n = 17
decrypt: c = 17, c^d = 481968572106750915091411825223071697, m = c^d mod n = 12, letter l
m = (m^e mod n)^d mod n
Useful number theory result: If p, q prime and n = pq, then: x^y mod n = x^(y mod (p-1)(q-1)) mod n
(m^e mod n)^d mod n = m^(ed) mod n
= m^(ed mod (p-1)(q-1)) mod n
= m^1 mod n
(since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
= m
+ = m = K (K (m)) B B
Bob receives the ciphertext 26 and uses the private key 37 to decipher the ciphertext:
http://www-fs.informatik.uni-tuebingen.de/~reinhard/krypto/English/4.1.e.html
Plaintext attack
Short message attack: if it is known that Alice is sending a four-digit number to Bob, Eve can easily try plaintext numbers from 0000 to 9999 to find the plaintext. Therefore, short messages must be padded with random bits.
Cycling attack: the continuous encryption of the ciphertext will eventually result in the plaintext. The complexity of this is equivalent to the complexity of factoring n.
Revealed decryption exponent attack: In RSA, if d is compromised, then p, q, n, e, and d must be regenerated.
Low decryption exponent attack: In RSA, the recommendation is to have d ≥ (1/3) n^(1/4) to prevent the low decryption exponent attack.
Chosen-ciphertext attack
Assume Alice creates the ciphertext and sends C to Bob. Also assume that Bob will decrypt an arbitrary ciphertext for Eve, other than C. Eve intercepts C and uses the following steps:
1. Eve chooses a random integer X.
2. Eve calculates Y = C * X^e mod n.
3. Eve sends Y to Bob for decryption and gets Z = Y^d mod n; this step is an instance of a chosen-ciphertext attack.
4. Eve can easily find P because
Z = Y^d mod n = (C * X^e)^d mod n = (C^d * X^ed) mod n = (C^d * X) mod n = (P * X) mod n
Z = (P * X) mod n, so P = Z * X^(-1) mod n
Timing attack
If the corresponding bit in the private exponent d is 0, the iteration performs only squaring and requires a shorter time to decrypt. If the corresponding bit is 1, the iteration performs both squaring and multiplication and requires a longer time to decrypt.
This timing difference allows Eve to find the value of bits in d, one by one.
Powering attack
An iteration involving multiplication and squaring consumes more power than an iteration that uses only squaring.
3. Calculate P1 = C1^d mod n
4. Calculate P = P1 × r^(-1) mod n
This adds multiplication to the iteration involving squaring operation only.
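The bit-dependent work described above can be modelled by recording which operations each iteration performs. This is an added example, not code from the original slides; it reuses the toy key n = 35, d = 29 from the RSA example, and the function names are hypothetical. It models the operation sequence only; Python integer arithmetic is not constant-time.

```python
def square_and_multiply(c, d, n):
    """Left-to-right binary exponentiation; returns (result, per-bit operation trace)."""
    result, trace = 1, []
    for bit in bin(d)[2:]:
        result = result * result % n      # squaring happens for every bit of d
        ops = "S"
        if bit == "1":
            result = result * c % n       # extra multiplication only for 1 bits
            ops = "SM"
        trace.append(ops)
    return result, trace


def square_and_multiply_always(c, d, n):
    """Same loop, but every iteration multiplies; the product is discarded for 0 bits."""
    result, trace = 1, []
    for bit in bin(d)[2:]:
        result = result * result % n
        product = result * c % n          # performed whether or not the bit is set
        result = product if bit == "1" else result
        trace.append("SM")
    return result, trace


def bits_from_trace(trace):
    """What an observer of per-iteration time or power would read off as the exponent."""
    return int("".join("1" if ops == "SM" else "0" for ops in trace), 2)
```

With the first function the trace spells out d bit by bit; with the second every iteration looks the same, so the trace no longer distinguishes 0 bits from 1 bits.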
RSA Recommendations
1. The number of bits for n should be at least 1024. This means that n should be around 2^1024, or 309 decimal digits.
2. The two primes p and q must each be at least 512 bits.
3. The values of p and q should not be very close to each other.
4. Both p-1 and q-1 should have at least one large prime factor.
5. The ratio p/q should not be close to a rational number with a small numerator or denominator.
6. The modulus n must not be shared.
7. The value of e should be 2^16 + 1.
8. If the private key d is leaked, Bob must immediately change n as well as both e and d. It has been proven that knowledge of n and one pair (e, d) can lead to the discovery of other pairs of the same modulus.
9. Messages must be padded with OAEP. A short message in RSA makes the ciphertext vulnerable to the short message attack.
P = P1 || P2, where P1 is the masked version of the padded message M; P2 is sent to allow Bob to find the mask.
If there is a single bit error during transmission, RSA will fail. Transmission media must be made error-free.
OAEP
Encryption
Pad the plaintext to make an m-bit message M, if M is less than m bits.
Choose a random number r of k bits (used only once).
Use one-way function G that inputs r-bit integer and outputs m-bit integer. This is the mask.
P1 = M ⊕ G(r)
P2 = H(P1) ⊕ r, where function H inputs m bits and outputs k bits.
C = E(P1 || P2). Use RSA encryption here.
OAEP
Decryption
P = D (P1 || P2)
Bob first recreates the value of r: H(P1) ⊕ P2 = H(P1) ⊕ H(P1) ⊕ r = r
Bob recreates the message: G(r) ⊕ P1 = G(r) ⊕ G(r) ⊕ M = M
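The padding steps above, together with the short message attack and recommendation 9 from the earlier slides, as an added example that is not part of the original slides. It follows the simplified P1/P2 construction shown here, not the standardized PKCS #1 encoding; the toy key built from two Mersenne primes, the use of SHAKE-128 for G and H, and all function names are assumptions.

```python
import hashlib
import secrets

# Constructed toy key (assumption): two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
M_BITS, K_BITS = 96, 48            # m-bit message M, k-bit random r; m + k bits fit below N


def _one_way(value, in_bits, out_bits, label):
    """SHAKE-128 as the one-way function (an assumption; the slides name no function)."""
    data = label + value.to_bytes(in_bits // 8, "big")
    return int.from_bytes(hashlib.shake_128(data).digest(out_bits // 8), "big")


def G(r):                           # k bits in, m bits out: the mask
    return _one_way(r, K_BITS, M_BITS, b"G")


def H(p1):                          # m bits in, k bits out
    return _one_way(p1, M_BITS, K_BITS, b"H")


def textbook_encrypt(m):
    return pow(m, E, N)             # deterministic: the same m always gives the same C


def oaep_encrypt(m):
    r = secrets.randbits(K_BITS)    # fresh r for every encryption
    p1 = m ^ G(r)                   # P1 = M xor G(r)
    p2 = H(p1) ^ r                  # P2 = H(P1) xor r
    return pow((p1 << K_BITS) | p2, E, N)       # C = E(P1 || P2)


def oaep_decrypt(c):
    p = pow(c, D, N)
    p1, p2 = p >> K_BITS, p & ((1 << K_BITS) - 1)
    r = H(p1) ^ p2                  # H(P1) xor P2 = r
    return G(r) ^ p1                # G(r) xor P1 = M


def short_message_search(c, encrypt):
    """Re-encrypt every four-digit candidate with the public key and compare with c."""
    for guess in range(10000):
        if encrypt(guess) == c:
            return guess
    return None
```

Against `textbook_encrypt` the search returns the four-digit plaintext; against `oaep_encrypt` it returns `None`, because each encryption uses a new r and candidate ciphertexts never line up with the intercepted one.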
10.2.6 OAEP
Figure 10.9 Optimal asymmetric encryption padding (OAEP)
10-3 Continued
Figure 10.10 Rabin cryptosystem
10.3.1 Procedure
Key Generation
(p, q)
10.3.1 Continued
Encryption
10.3.1 Continued
Decryption
Note
The Rabin cryptosystem is not deterministic: Decryption creates four plaintexts.
10.3.1 Continued
Example 10.9
Here is a very trivial example to show the idea.
1. Bob selects p = 23 and q = 7.
2. Bob calculates n = p × q = 161.
3. Bob announces n publicly; he keeps p and q private.
4. Alice wants to send the plaintext P = 24. Note that 161 and 24 are relatively prime; 24 is in Z161*. Encryption: C = 24^2 mod 161 = 93, and she sends the ciphertext 93 to Bob.
10.3.1 Continued
Example 10.9
5. Bob receives 93 and calculates four values:
a1 = +(93^((23+1)/4)) mod 23 = 1 mod 23
a2 = -(93^((23+1)/4)) mod 23 = 22 mod 23
b1 = +(93^((7+1)/4)) mod 7 = 4 mod 7
b2 = -(93^((7+1)/4)) mod 7 = 3 mod 7
6. Bob takes four possible answers, (a1, b1), (a1, b2), (a2, b1), and (a2, b2), and uses the Chinese remainder theorem to find four possible plaintexts: 116, 24, 137, and 45. Note that only the second answer is Alice's plaintext.
P2 = Chinese_Remainder(a1, b2, p, q) finds x such that
x mod p = a1: 24 mod 23 = 1
x mod q = b2: 24 mod 7 = 3
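Example 10.9 carried through in code, as an added example that is not part of the original slides (function names are hypothetical). It generalizes slightly: it rejects primes that are not of the form 4k + 3, and it returns no roots when the ciphertext is not a square modulo n.

```python
from itertools import product


def rabin_encrypt(plaintext, n):
    return pow(plaintext, 2, n)


def crt(a, b, p, q):
    """Chinese remainder theorem: the x in [0, p*q) with x = a (mod p) and x = b (mod q)."""
    return (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % (p * q)


def rabin_decrypt(c, p, q):
    """Return the candidate plaintexts in the order (a1,b1), (a1,b2), (a2,b1), (a2,b2)."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("the (p+1)/4 square-root formula needs p and q of the form 4k + 3")
    n = p * q
    a1 = pow(c, (p + 1) // 4, p)          # +root modulo p
    b1 = pow(c, (q + 1) // 4, q)          # +root modulo q
    a2, b2 = (-a1) % p, (-b1) % q         # the matching -roots
    roots = [crt(a, b, p, q) for a, b in product((a1, a2), (b1, b2))]
    # If c is not a quadratic residue the formula yields values that do not square to c.
    return [x for x in roots if pow(x, 2, n) == c]
```

Bob still has to decide which of the four values is the intended plaintext; the decryption itself gives no indication.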
10.4.2 Procedure
Figure 10.11 Key generation, encryption, and decryption in ElGamal
10.4.2 Continued
Key Generation
10.4.2 Continued
10.4.2 Continued
[C2 × (C1^d)^(-1)] mod p = [(e1^(rd)) × P × (e1^(rd))^(-1)] mod p = P
10.4.3 Continued
Example 10.10
Here is a trivial example. Bob chooses p = 11 and e1 = 2, and d = 3, so e2 = e1^d = 8. So the public keys are (2, 8, 11) and the private key is 3. Alice chooses r = 4 and calculates C1 and C2 for the plaintext 7.
10.4.3 Continued
Example 10.11
Instead of using P = [C2 × (C1^d)^(-1)] mod p for decryption, we can avoid the calculation of multiplicative inverse and use P = [C2 × C1^(p-1-d)] mod p (see Fermat's little theorem in Chapter 9). In Example 10.10, we can calculate P = [6 × 5^(11-1-3)] mod 11 = 7 mod 11.
Note
For the ElGamal cryptosystem, p must be at least 300 digits and r must be new for each encipherment.
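Examples 10.10 and 10.11 and the note about r, worked in code. This is an added example, not part of the original slides; the key values come from Example 10.10, while the function names and the second plaintext used to illustrate a repeated r are constructed.

```python
P_MOD, E1, D = 11, 2, 3               # p, e1 and private key d from Example 10.10
E2 = pow(E1, D, P_MOD)                # e2 = e1^d mod p = 8


def encrypt(plaintext, r):
    """Return (C1, C2) = (e1^r mod p, P * e2^r mod p)."""
    c1 = pow(E1, r, P_MOD)
    c2 = plaintext * pow(E2, r, P_MOD) % P_MOD
    return c1, c2


def decrypt_with_inverse(c1, c2):
    """P = [C2 * (C1^d)^-1] mod p, using an explicit multiplicative inverse."""
    return c2 * pow(pow(c1, D, P_MOD), -1, P_MOD) % P_MOD


def decrypt_with_fermat(c1, c2):
    """P = [C2 * C1^(p-1-d)] mod p, the inverse-free form of Example 10.11."""
    return c2 * pow(c1, P_MOD - 1 - D, P_MOD) % P_MOD


def recover_from_reused_r(known_plain, known_c2, other_c2):
    """With the same r, C2'/C2 = P'/P, so one known plaintext exposes the other
    without the private key. This is why r must be new for each encipherment."""
    return other_c2 * pow(known_c2, -1, P_MOD) * known_plain % P_MOD
```

When the second message is enciphered with a different r the same calculation returns an unrelated value, which is the behaviour the note asks for.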
10.4.3 Continued
Example 10.12
Bob uses a random integer of 512 bits. The integer p is a 155-digit number (the ideal is 300 digits). Bob then chooses e1, d, and calculates e2, as shown below:
10.4.3 Continued
Example 10.10
Alice has the plaintext P = 3200 to send to Bob. She chooses r = 545131, calculates C1 and C2, and sends them to Bob.
http://www-fs.informatik.uni-tuebingen.de/~reinhard/krypto/English/4.2.en.html
10-5 ELLIPTIC CURVE CRYPTOSYSTEMS
Although RSA and ElGamal are secure asymmetric-key cryptosystems, they use either integer or polynomial arithmetic with very large numbers/polynomials.
This imposes a significant load in storing and processing keys and messages.
An alternative is to use elliptic curves.
ECC offers the same security with smaller bit sizes.
It is newer, but not as well analyzed.
ECC is an approach to public key cryptography based on the algebraic structure of elliptic curves over finite fields. Its security is based on the possibility of efficient additive exponentiation and absence of efficient (classical) algorithms for additive logarithm. Two families are commonly used:
prime curves Ep(a,b) defined over Zp: use integers modulo a prime; best in software
binary curves E2^m(a,b) defined over GF(2^n): use polynomials with binary coefficients; best in hardware
ECC addition is the analog of modular multiplication.
ECC repeated addition is the analog of modular exponentiation.
We need a hard problem equivalent to the discrete log:
Q = kP, where Q, P belong to a prime curve
It is easy to compute Q given k, P
but hard to find k given Q, P.
This is known as the elliptic curve logarithm problem.
Elliptic curves over real numbers use a special class of elliptic curves of the form
where 4a^3 + 27b^2 != 0. The left-hand side has a degree of 2 while the right-hand side has a degree of 3. This means that a horizontal line can intersect the curve in three points if all roots are real. However, a vertical line can intersect the curve at most in two points.
Example 10.13
Figure 10.12 shows two elliptic curves with equations y^2 = x^3 - 4x and y^2 = x^3 - 1. However, the first has three real roots (x = -2, x = 0, and x = 2), but the second has only one real root (x = 1) and two imaginary ones.
Figure 10.12 Two elliptic curves over a real field
All points on an elliptic curve. A tuple P(x1, y1) represents a point on the curve if x1 and y1 are coordinates of a point on the curve that satisfy the equation of the curve. For example, the points P(2, 0), Q(0, 0), R(-2, 0), S(10, 30.98) are all points on the curve. Each point is represented by two real numbers.
Set
We define the set as the points on the curve, where each point is a pair of real numbers: E = {(2, 0), (0, 0), (-2, 0), (10, 30.98), (10, -30.98)}
Operation
We can define an addition operation on the points of the curve. The addition operation is different from integer addition.
10.5.1 Continued
10.5.1 Continued
1.
2.
3. The intercepting point is at infinity; a point O as the point at infinity or zero point, which is the additive identity of the group.
Finding Points on the Curve Algorithm 10.12 shows the pseudocode for finding the points on the curve Ep(a, b).
10.5.2 Continued
Example 10.14
The equation is y^2 = x^3 + x + 1 and the calculation is done modulo 13.
Figure 10.14 Points on an elliptic curve over GF(p) where p is 13
x1 = x2 and y1+y2 mod p = 0
10.5.4 Continued
Generating Public and Private Keys
E(a, b), e1(x1, y1), d, e2(x2, y2) = d × e1(x1, y1)
Encryption
Decryption
Note
The security of ECC depends on the difficulty of solving the elliptic curve logarithm problem.
10.5.4 Continued
The P calculated by Bob is the same as that intended by Alice.
P = C2 - (d × C1) = P + r × e2 - (d × r × e1) = P + (r × d × e1) - (r × d × e1) = P + O
Known: e2 = d × e1
10.5.4 Continued
Example 10.19
Here is a very trivial example of encipherment using an elliptic curve over GF(p).
1. Bob selects E67(2, 3) as the elliptic curve over GF(p).
ECC Security
Relies on the elliptic curve logarithm problem.
Compared to factoring, can use much smaller key sizes than with RSA etc.
For equivalent key lengths, computations are roughly equivalent.
Hence for similar security ECC offers significant computational advantages.
Continued
Note
The symmetric (shared) key in the Diffie-Hellman method is K = g^(xy) mod p.
Continued
Example 15.1
Let us give a trivial example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume that g = 7 and p = 23. The steps are as follows:
1. Alice chooses x = 3 and calculates R1 = 7^3 mod 23 = 21.
2. Bob chooses y = 6 and calculates R2 = 7^6 mod 23 = 4.
3. Alice sends the number 21 to Bob.
4. Bob sends the number 4 to Alice.
5. Alice calculates the symmetric key K = 4^3 mod 23 = 18.
6. Bob calculates the symmetric key K = 21^6 mod 23 = 18.
7. The value of K is the same for both Alice and Bob; g^(xy) mod p = 7^18 mod 23 = 18.
Continued
Example 15.2
Let us give a more realistic example. We used a program to create a random integer of 512 bits (the ideal is 1024 bits). The integer p is a 159-digit number. We also choose g, x, and y as shown below:
Continued
Example 15.2 Continued
Continued
Figure 15.10 Diffie-Hellman idea
Another Analogy
Alice and Bob each think of a secret color (known only to them).
They mix their color with yellow (agreed upon openly ahead of time) and exchange.
They mix their color with what they've received.
Both have the same color but an observer cannot duplicate it.
Man-in-the-Middle Attack
Figure 15.11 Man-in-the-middle attack
ECC Diffie-Hellman
Public: Elliptic curve and point B=(x,y) on curve
Secret: Alice's a and Bob's b
Alice a
Bob b
Alice computes shared key a(b(x,y)).
Bob computes shared key b(a(x,y)).
These are the same since ab = ba.
Alice and Bob send each other their public keys. Both take the product of their private key and the other user's public key.
Alice: KAB = a(bB)
Bob: KAB = b(aB)
Shared Secret Key = KAB = abB
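The curve of Example 10.14 and the ECC Diffie-Hellman exchange above, combined in one added example that is not part of the original slides. The point enumeration is a brute-force search in the spirit of Algorithm 10.12 rather than the book's pseudocode, and the function names are hypothetical.

```python
P, A, B = 13, 1, 1             # curve y^2 = x^3 + x + 1 over GF(13), from Example 10.14
INF = None                     # the point at infinity O (additive identity)


def points_on_curve():
    """Every (x, y) in GF(p) x GF(p) that satisfies the curve equation."""
    return [(x, y) for x in range(P) for y in range(P)
            if (y * y - (x**3 + A * x + B)) % P == 0]


def add(p1, p2):
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:       # inverse points: the sum is O
        return INF
    if p1 == p2:                              # doubling uses the tangent slope
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:                                     # otherwise the chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def multiply(k, point):
    """Double-and-add: repeated addition, the analog of modular exponentiation."""
    result = INF
    while k:
        if k & 1:
            result = add(result, point)
        point = add(point, point)
        k >>= 1
    return result


def ecdh(base, a, b):
    """Run both sides of the exchange; returns (Alice's key, Bob's key)."""
    alice_public, bob_public = multiply(a, base), multiply(b, base)
    return multiply(a, bob_public), multiply(b, alice_public)
```

A curve this small has only 17 affine points plus O, so the elliptic curve logarithm can be found by listing multiples of the base point; real curves use primes of hundreds of bits.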
RSA: Integer Factorization
DH: Discrete Logarithms
ECC: Elliptic Curve Discrete Logarithm problem
Security of ECC
RSA Key Size: 3072 bits
ECC Key Size: 256 bits
Impractical?
Applications of ECC
Many devices are small and have limited storage and computational power. Where can we apply ECC?
Wireless communication devices
Smart cards
Web servers that need to handle many encryption sessions
Any application where security is needed but lacks the power, storage and computational power that is necessary for our current cryptosystems
Benefits of ECC
Same benefits of the other cryptosystems: confidentiality, integrity, authentication and non-repudiation, but with:
Shorter key lengths
Encryption, decryption and signature verification speed-up
Storage and bandwidth savings
Summary of ECC
compared to factoring, can use much smaller key sizes than with RSA etc