Download Slides

15-349
Introduction to Computer and
Network Security
Iliano Cervesato
2 September 2008 – Public-key Encryption
Where we are
 Course intro
 Cryptography







Intro to crypto
Modern crypto
Symmetric encryption
Asymmetric encryption
Beyond encryption
Cryptographic protocols
Attacking protocols
 Program/OS security & trust
 Networks security
 Beyond technology
2
Outline
 Public-key cryptography – motivations
 The Merkle-Hellman encryption algorithm
 The knapsack problem
 How Merkle-Hellman works
 Cryptoanalysis
 Basic number theory
 Modular arithmetic
 Primality and inverses
 The El Gamal encryption scheme
 The discrete logarithm problem
 RSA
 The factorization problem
 RSA cryptographic challenges
3
Asymmetric Encryption – Review
Encryption
Decryption
box
Ciphertext
E
M
Cleartext
Public data
box
X
X
D
k-1
k
Public key
M
Cleartext
Private key
k
Dk (Ek(m)) = m
-1
4
Motivations
 Can 2 keys be better than 1?
 How do we make data public?
 Why bother?
 Key management problem
 Added flexibility
 E.g., digital signatures
5
Naïve Key Management
Principals A1, …, An want to talk
 Each pair needs a key
 n(n-1)/2 keys
 Keys must be established
 Physical exchange
 Secure channel
…
A1
A5
A2
A4
A3
6
A1
Improved Solution
A5


Centralized keydistribution center
n key pairs needed
However
 KDC must be trusted
 KDC is single point of
failure
 Still n direct
exchanges
k5
k1
KDC
k4
A4
k2
k3
A2
A3
… if Ai wants to talk to Aj …
 Ai  KDC: “connect me to Aj”
 KDC generates new key kij
 KDC  Ai: Eki(kij)
 KDC  Aj: Ekj(kij, “Ai wants to
talk”)
Still naïve
 KDC online all the time
7
Public-Key Solution
 Pair
for each Ai
 ki’s are published
(ki, ki-1)
 Phonebook
 Simple setup
 Ai generates (ki, ki-1)
 Ai publishes ki
 … details later
Public data
A1
A1  k1
…
k-11
Ai  ki
…
Ai
k-1i
 Secure web sites would be impossible without
 https
8
The Knapsack problem
 Given objects of size s1, s2, … sn, is it possible to
completely fill a knapsack of size s?
 Is there binary vector v such that
 NP-complete
Si visi = s ?
 What if si+1 > Sj<i sj ?
 Easy: O(n)
 Super-increasing knapsack
for (i=n; i > 0; i--) {
if (s > si)
s = s – si
}
return (s == 0)
 Hmm, this feels like encryption material …
9
Merkle-Hellman Encryption
 Pick
 a super-increasing sequence S = (s1,s2,…,sn)
 a prime p > sn 100-200 digits long
 a multiplier w
 (S, w) is the private key
 Compute
 hi = wsi mod p
 H = (h1, h2, …, hn) is the public key
 Encryption of binary m
 x = Si himi
 Attacker has to solve general knapsack in H – hard
 Decryption of x
 Multiply x by w-1
 Solve super-increasing knapsack problem in S – easy
10
Cryptanalysis of Merkel-Hellman
 Scheme based on a special instance of
knapsack problem
 modular knapsack generated from superincreasing sequence
 Not as hard as general knapsack
 If p is known
 If s1 can be found, all si can be found
 Can deduce w and p from H
 Try successive values of w and observe where
whi rolls over
 Right w is where they all roll over at the same
time
11
Number Theory – Divisors
Z is a ring
 Z = {…, -1, 0, 1, …}
 + is commutative, associative and invertible w.r.t. 0
 * is commutative, associative with identity 1
 a|b if c. ac = b
 E.g., 3|6
 E.g., 3|10
 gcd(a, b) = largest d  Z
s.t. d|a and d|b
 E.g. gcd(18,15) = 3
 Modular arithmetic
Euclid’s algorithm
Given a > b
 r0 = b, r1 = a
 ri-2 = qiri-1 + ri
 When rn+1 = 0, set gcd(a,b) = rn
 u,v. gcd(a,b) = ua + vb
 a = b mod n if c. an + c = b
 Zn = {0, …, n-1}
 All operations modulo n
 Also a ring
12
Number Theory – Prime numbers
 p>1 prime if 1 and p are its only divisors
 E.g. 3, 5, 7, …
 p and q are relatively prime if gcd(p,q) = 1
 E.g. 4 and 5 are relative primes
 There are infinitely many primes
13
Arithmetic Modulo a Prime
 p prime number
 For us, at least 1024 bits (~ 300 digits)
 Zp = {0, 1, …, p-1}
 Addition and multiplication are modulo p
 Exponentiation is iterated multiplication
 x is the inverse of y  0 if xy = 1 mod p
Zp is a
Galois field
 All non-null elements of Zp are invertible
 x-1 = xp-2 mod p
 We can solve linear
equations in Z*p
Fermat’s little theorem
If a  0, then ap-1 = 1 mod p
 If ax = b mod p, then x = bap-2 mod p
 Z*p = {1, …, p-1}
 Contains all invertible elements of Zp
 Zp = Z*p U {0}
14
Computing in Zp
 Let n be the length of p
 Usually around 1024 bits
 Addition in Zp done in O(n)
 Multiplication is O(n2)
 Clever (and practical) algorithms achieve O(n1.7)
 Same for inverse
 xr mod p computed in O((log r) n2)
 Repeated squares
 E.g.: g23 = g10111 = g . g2 . g4 . g16
(7 multiplications)
 Addition chains
 Saves 20% in average (but shortest chain is NP-complete)
 g, g2, g3, g5, g10, g20, g23
(6 multiplications)
15
Complexity in Zp
 Easy problems
 Generating p
 Addition, multiplication, exponentiation
 Inversion, solving linear equations
 Problems believed to be hard
 DL: Discrete logarithm
 Given g and x  Zp, find r s.t. x = gr mod p
 DH: Diffie-Hellman
 Given g, gr, gs  Zp, find grs mod p
 Note
 DL implies DH
 Unknown if DH implies DL
 Best known attack on DL requires space and O(2n) time
16
Diffie-Hellman Key Exchange
Public data
p, g
A
B
• Choose random a
1  a  p-1
ga mod p
• send ga mod p
• Receive ga mod p
• Choose random b
• Receive
gb mod
p
gb mod p
1  b  p-1
• Send gb mod p
• (gb)a = gab mod p
• (ga)b = gab mod p
• k = f(gab)
• k = f(gab)
17
Diffie-Hellman Key Exchange [2]
 Allows 2 principals to produce a shared
secret
 Without secure channel or physical exchange
 Without a key distribution center
 f is typically a hash function
 Agreed upon in advance
 However, no authentication
 Can be fixed with some infrastructure
 Security relies on hardness of DH
18
El Gamal Encryption Scheme
A wants to send
A
aA
• Choose random a
• Send gBa,
gBaBa m mod pB
Public data
secret m  ZpB to B
A1  p1 ,g1,g1a1
…
B
Ai  pi ,gi,giai
…
gBa, gBaBa m mod pB
aB
• Receive gBa,
gBaBa m mod pB
• (gBa)aB = gBaBa mod pB
 Security rests on hardness of DL
 Criticisms
• Compute gB-aBa mod pB
• gB-aBa gBaBa m mod pB
=m
 Transmitted message double of m
 Public data has to be managed
 Very slow (~10Kb/sec vs. 250Kb/s of DES)
19
Arithmetic Modulo a Composite
 n natural number
 For us, typically 1024 bits or ~ 300 digits
 Typically n = pq, with p and q primes
 Zn = {0, 1, …, n-1}
 x is inverse of y  0 if xy = 1 mod n
 x has inverse iff gcd(x,n) = 1
 ux + vn = 1 by Euclid’s algorithm so x-1 = u
 Works also in Zp where more efficient than x-1 = xp-2
 We can solve linear equations in Zn
 Z*n = {x : gcd(x,n) = 1}
 Contains all invertible elements of Zn
20
Euler’s Totient Function
 f(n) is the number of positive integers relatively

prime to n
f(n) is the size of Z*n
 If n = Pipiei,
then f(n) = Pipiei-1(pi-1)
 If n=pq,
then f(n) = (p-1)(q-1) = n – p – q – 1
Euler’s theorem
If a  Z*n, then af(n) = 1 mod n
 a is invertible with inverse af(n)-1
21
Computing in Zn
 Easy problems
 Generating p
 Addition, multiplication, exponentiation
 Inversion, solving linear equations
 Hard problems
 Factoring
 Given n, find p,q s.t. n = pq
23
The set-up of RSA
 n = pq
 n is the product of 2 (large) primes

 By Euler’s theorem, f(n) = (p – 1)(q – 1)
Select e and d such that (me)d = m
 How?
 Pick e relative prime to f(n)
 E.g., a prime greater than f(n)
 By Fermat’s theorem, compute d = ef(n)-1
 ed = 1 mod f(n)
 ed = kf(n) + 1 = k(p-1)(q-1) + 1 = k’(p-1) + 1
 Now:




mp-1 = 1 mod p
mk’f(n) = 1 mod p
mk’f(n)+1 = m mod p
med = m mod p
24
RSA
[Rivest,Shamir,Adelman ’76]
A wants to send
secret m  ZnB
to B
A
• Send
pA,qA,dA
m eB
mod nB
Public data
ni = piqi
eidi = 1 mod f(ni)
A1  n1 ,e1
…
Ai  ni ,ei
…
meB mod nB
 Security of RSA rests on
 Hard to factorize n = pq
 Hard to compute f(n) from n
 Factoring implies RSA
 Unknown if RSA implies factoring
B
pB,qB,dB
• Receive meB mod nB
• (meB)dB mod nB
= meBdB mod nB
= mkf(nB)+1 mod nB
= (mf(nB))k m mod nB
= (1)k m mod nB
= m mod nB
25
Attacks on RSA
 Small d for fast decryption
 But easy to crack if d < (n1/4)/3
[Wiener]
 d should be at least 1080
 Small e for fast encryption
 If m sent to more than e recipients, then m easily
extracted
 Popular e = 216 + 1
 Same message should not be sent more than 216 + 1 times
 Modify message (still dangerous)
 Timing attacks
 Time to compute md mod n for many m can reveal d
 Homomorphic properties of RSA
 If ci = mie mod n (i=1,2), then c1c2 = (m1m2)e mod n
 Easy chosen plaintext attack
 Eliminated in standards based on RSA
26
RSA Cryptographic Challenges
 Factoring given primes set as challenge by
RSA Labs
 http://www.rsa.com/rsalabs/
– RSA-ddd: challenge in digits
– RSA-bbb: challenge in bits




RSA-140: 1999 in 1 month
RSA-155: 1999 in 4 months
RSA-160: 2003 in 20 days
RSA-200: 2005 in 18 months
 Challenges no longer active
27
Key length
 Public-key crypto has very long keys
 1024, 2048, 4096 are common
 Is it more secure than symmetric crypto?
 56, 128, 192, 256
 Key lengths don’t compare!





1024  80 bit
2048  112 bit
3072  128 bit
7680  192 bit
15,360  256 bit
28