Download NetworkSecurity_Chapter3

Document related concepts

Wiles's proof of Fermat's Last Theorem wikipedia , lookup

Approximations of π wikipedia , lookup

Addition wikipedia , lookup

List of prime numbers wikipedia , lookup

Arithmetic wikipedia , lookup

Proofs of Fermat's little theorem wikipedia , lookup

Factorization of polynomials over finite fields wikipedia , lookup

Quadratic reciprocity wikipedia , lookup

Transcript
Chapter 3
Public Key Cryptography
MSc. NGUYEN CAO DAT
Dr. TRAN VAN HOAI
BK
TP.HCM
Outline
 Finite Fields
Number Theory
Public Key Cryptography
▫ Diffie Helman
▫ RSA
▫ El Gamal
2
BK
TP.HCM
Finite Fields
• Concept of groups, rings, fields
• Modular arithmetic with integers
• Euclid’s algorithm for GCD
• Finite fields GF(p)
3
BK
TP.HCM
Group
a set of elements or “numbers”
with some operation whose result is also in the
set (closure)
obeys:
▫ associative law:
(a.b).c = a.(b.c)
▫ has identity e:e.a = a.e = a
▫ has inverses a-1:
a.a-1 = e
if commutative
a.b = b.a
▫ then forms an abelian group
BK
TP.HCM
Cyclic Group
define exponentiation as repeated application
of operator
▫ example:
a3 = a.a.a
and let identity be: e=a0
a group is cyclic if every element is a power of
some fixed element
▫ ie b = ak
for some a and every b in group
a is said to be a generator of the group
BK
TP.HCM
Ring
a set of “numbers”
with two operations (addition and multiplication)
which form:
an abelian group with addition operation
and multiplication:
▫ has closure
▫ is associative
▫ distributive over addition:
a(b+c) = ab + ac
if multiplication operation is commutative, it
forms a commutative ring
if multiplication operation has an identity and no
zero divisors, it forms an integral domain
BK
TP.HCM
Field
a set of numbers
with two operations which form:
▫ abelian group for addition
▫ abelian group for multiplication (ignoring 0)
▫ ring
have hierarchy with more axioms/laws
▫ group -> ring -> field
BK
TP.HCM
Modular Arithmetic
define modulo operator “a mod n” to be
remainder when a is divided by n
use the term congruence for: a = b mod n
▫ when divided by n, a & b have same remainder
▫ eg. 100 = 34 mod 11
b is called a residue of a mod n
▫ since with integers can always write: a = qn + b
▫ usually chose smallest positive remainder as residue
 ie. 0 <= b <= n-1
▫ process is known as modulo reduction
 eg. -12 mod 7 = -5 mod 7 = 2 mod 7 = 9 mod 7
BK
TP.HCM
Divisors
say a non-zero number b divides a if for some
m have a=mb (a,b,m all integers)
that is b divides into a with no remainder
denote this b|a
and say that b is a divisor of a
eg. all of 1,2,3,4,6,8,12,24 divide 24
BK
TP.HCM
Modular Arithmetic Operations
is 'clock arithmetic'
uses a finite number of values, and loops back
from either end
modular arithmetic is when do addition &
multiplication and modulo reduce answer
can do reduction at any point, ie
▫ a+b mod n = [a mod n + b mod n] mod n
BK
TP.HCM
Modular Arithmetic
can do modular arithmetic with any group of
integers:
Zn = {0, 1, … , n-1}
form a commutative ring for addition
with a multiplicative identity
note some peculiarities
▫ if (a+b)=(a+c) mod n
then b=c mod n
▫ but if (a.b)=(a.c) mod n
then b=c mod n only if a is relatively prime to n
BK
TP.HCM
Modulo 8 Addition Example
+
0
1
2
3
4
5
6
7
0
0
1
2
3
4
5
6
7
1
1
2
3
4
5
6
7
0
2
2
3
4
5
6
7
0
1
3
3
4
5
6
7
0
1
2
4
4
5
6
7
0
1
2
3
5
5
6
7
0
1
2
3
4
6
6
7
0
1
2
3
4
5
7
7
0
1
2
3
4
5
6
BK
TP.HCM
Greatest Common Divisor (GCD)
a common problem in number theory
GCD (a,b) of a and b is the largest number that
divides evenly into both a and b
▫ eg GCD(60,24) = 12
often want no common factors (except 1) and
hence numbers are relatively prime
▫ eg GCD(8,15) = 1
▫ hence 8 & 15 are relatively prime
BK
TP.HCM
Euclidean Algorithm
an efficient way to find the GCD(a,b)
uses theorem that:
▫ GCD(a,b) = GCD(b, a mod b)
Euclidean Algorithm to compute GCD(a,b) is:
EUCLID(a,b)
1.
2.
3.
4.
5.
6.
A = a; B = b
if B = 0 return
R = A mod B
A = B
B = R
goto 2
A = gcd(a, b)
BK
TP.HCM
Example GCD(1970,1066)
1970 = 1 x 1066 + 904
1066 = 1 x 904 + 162
904 = 5 x 162 + 94
162 = 1 x 94 + 68
94 = 1 x 68 + 26
68 = 2 x 26 + 16
26 = 1 x 16 + 10
16 = 1 x 10 + 6
10 = 1 x 6 + 4
6 = 1 x 4 + 2
4 = 2 x 2 + 0
gcd(1066, 904)
gcd(904, 162)
gcd(162, 94)
gcd(94, 68)
gcd(68, 26)
gcd(26, 16)
gcd(16, 10)
gcd(10, 6)
gcd(6, 4)
gcd(4, 2)
gcd(2, 0)
BK
TP.HCM
Galois Fields
finite fields play a key role in cryptography
can show number of elements in a finite field
must be a power of a prime pn
known as Galois fields
denoted GF(pn)
in particular often use the fields:
▫ GF(p)
▫ GF(2n)
BK
TP.HCM
Galois Fields GF(p)
GF(p) is the set of integers {0,1, … , p-1} with
arithmetic operations modulo prime p
these form a finite field
▫ since have multiplicative inverses
hence arithmetic is “well-behaved” and can do
addition, subtraction, multiplication, and division
without leaving the field GF(p)
BK
TP.HCM
GF(7) Multiplication Example
 0 1 2 3 4 5 6
0 0 0 0 0 0 0 0
1 0 1 2 3 4 5 6
2 0 2 4 6 1 3 5
3 0 3 6 2 5 1 4
4 0 4 1 5 2 6 3
5 0 5 3 1 6 4 2
6 0 6 5 4 3 2 1
BK
TP.HCM
Finding Inverses
EXTENDED EUCLID(m, b)
1. (A1, A2, A3)=(1, 0, m);
(B1, B2, B3)=(0, 1, b)
2. if B3 = 0
return A3 = gcd(m, b); no inverse
3. if B3 = 1
return B3 = gcd(m, b); B2 = b–1 mod m
4. Q = A3 div B3
5. (T1, T2, T3)=(A1 – Q B1, A2 – Q B2, A3 – Q B3)
6. (A1, A2, A3)=(B1, B2, B3)
7. (B1, B2, B3)=(T1, T2, T3)
8. goto 2
BK
TP.HCM
Inverse of 550 in GF(1759)
Q
A1
A2
A3
B1
B2
B3
—
1
0
1759
0
1
550
3
0
1
550
1
–3
109
5
1
–3
109
–5
16
5
21
–5
16
5
106
–339
4
1
106
–339
4
–111
355
1
BK
TP.HCM
Modular Polynomial Arithmetic
can compute in field GF(2n)
▫ polynomials with coefficients modulo 2
▫ whose degree is less than n
▫ hence must reduce modulo an irreducible poly of
degree n (for multiplication only)
form a finite field
can always find an inverse
▫ can extend Euclid’s Inverse algorithm to find
BK
TP.HCM
Number Theory
Prime Numbers and Prime Factorisation
Basic theorem of arithmetic (every number can
be expressed as a product of prime powers),
LCM, GCD.
Computing GCD using the Euclidean Algorithm
(Chapter 4.3)
Modular arithmetic operations (Chapter 4.2)
Computing modular multiplicative inverse using
extended Euclidean Algorithm (Chapter 4.4)
22
BK
TP.HCM
Prime Numbers
prime numbers only have divisors of 1 and self
▫ they cannot be written as a product of other numbers
▫ note: 1 is prime, but is generally not of interest
eg. 2,3,5,7 are prime, 4,6,8,9,10 are not
prime numbers are central to number theory
list of prime number less than 200 is:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59
61 67 71 73 79 83 89 97 101 103 107 109 113 127
131 137 139 149 151 157 163 167 173 179 181 191
193 197 199
23
BK
TP.HCM
Prime Factorisation
to factor a number n is to write it as a product
of other numbers: n=a x b x c
note that factoring a number is relatively hard
compared to multiplying the factors together to
generate the number
the prime factorisation of a number n is when
its written as a product of primes
▫ eg. 91=7x13 ; 3600=24x32x52
24
BK
TP.HCM
Relatively Prime Numbers & GCD
two numbers a, b are relatively prime if have
no common divisors apart from 1
▫ eg. 8 & 15 are relatively prime since factors of 8 are
1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only
common factor
conversely can determine the greatest common
divisor by comparing their prime factorizations
and using least powers
▫ eg. 300=21x31x52 18=21x32 hence
GCD(18,300)=21x31x50=6
25
BK
TP.HCM
Notations
26
BK
TP.HCM
Ring vs. Field
Consider the two equations
2x + 2y ≡ 22 mod 56
2x + 2y ≡ 22 mod 31
We cannot reduce the first equation to x + y ≡ 11 mod
56.
We can reduce the second equation to x + y ≡ 11 mod
31.
Why? (need to multiply by the multiplicative inverse of 2)
As all numbers have multiplicative inverses we can
easily solve systems of linear equations in a field. Not so
simple in rings.
27
BK
TP.HCM
Euclidean Algorithm
28
BK
TP.HCM
Extended Euclidean Algorithm
29
BK
TP.HCM
Square and Multiply Algorithm(1/2)
See Figures 9.7 in the text book.
Compute y = ax mod n. Large a; x; n (say 300
digits long).
Let b(r ) … b(0) be the binary representation of
the exponent x (an r + 1 bit number)
Square and multiply algorithm requires r + 1 to
2(r + 1)
multiplications (1000 to 2000 multiplications for
300 digit exponents)
30
BK
TP.HCM
Square and Multiply Algorithm(2/2)
z=1;
for i=r downto 0
z=z*z mod n
if (b(i) = 1)
z = z*a mod n
endif;
endfor;
31
BK
TP.HCM
Fermat's Little Theorem
ap-1 ≡ 1 mod p
▫ where p is prime and gcd(a,p)=1
also ap ≡ a mod p
useful in public key and primality testing
32
BK
TP.HCM
Euler Phi Function
when doing arithmetic modulo n
complete set of residues is: 0..n-1
reduced set of residues is those numbers
(residues) which are relatively prime to n
▫ eg for n=10,
▫ complete set of residues is {0,1,2,3,4,5,6,7,8,9}
▫ reduced set of residues is {1,3,7,9}
number of elements in reduced set of residues
is called the Euler Phi Function ø(n)
33
BK
TP.HCM
Euler Phi Function
to compute ø(n) need to count number of
residues to be excluded
in general need prime factorization, but
▫ for p (p prime)
ø(p)
▫ for p.q (p,q prime; p ≠ q)
ø(pq)
= p-1
=(p-1)x(q-1)
eg.
ø(37) = 36
ø(21) = (3–1)x(7–1) = 2x6 = 12
34
BK
TP.HCM
Euler's Theorem
a generalisation of Fermat's Theorem
aø(n) ≡ 1 mod n
▫ for any a,n where gcd(a,n)=1
eg.
a=3;n=10; ø(10)=4;
hence 34 = 81 = 1 mod 10
a=2;n=11; ø(11)=10;
hence 210 = 1024 = 1 mod 11
35
BK
TP.HCM
Public-Key Cryptography
developed to address two key issues:
▫ key distribution – how to have secure
communications in general without having to trust
a KDC with your key
▫ digital signatures – how to verify a message
comes intact from the claimed sender
public invention due to Whitfield Diffie & Martin
Hellman at Stanford Uni in 1976
▫ known earlier in classified community
36
BK
TP.HCM
Public-Key Cryptography
public-key/two-key/asymmetric cryptography
involves the use of two keys:
▫ a public-key, which may be known by anybody, and
can be used to encrypt messages, and verify
signatures
▫ a private-key, known only to the recipient, used to
decrypt messages, and sign (create) signatures
is asymmetric because
▫ those who encrypt messages or verify signatures
cannot decrypt messages or create signatures
37
BK
TP.HCM
Public-Key Cryptography
38
BK
TP.HCM
Public-Key Characteristics
Public-Key algorithms rely on two keys where:
▫ it is computationally infeasible to find decryption key
knowing only algorithm & encryption key
▫ it is computationally easy to en/decrypt messages
when the relevant (en/decrypt) key is known
▫ either of the two related keys can be used for
encryption, with the other used for decryption (for
some algorithms)
39
BK
TP.HCM
Inverse Problems
Most PKC algorithms rely on difficult inverse
problems.
Factorization Problem: Given large p and q it is
easy to compute n = p*q. But given n it is
impractical to factorize n into the constituent
primes.
Discrete Logarithm Problem: Let α = ga mod p.
Given a; g; p computing α is trivial. However
given α ; g and p it is impractical to compute a
40
BK
TP.HCM
Factoring Problem
For a large n with large prime factors, factoring
is a hard problem
have seen slow improvements over the years
▫ as of May-05 best is 200 decimal digits (663) bit with
LS
biggest improvement comes from improved
algorithm
▫ cf QS to GNFS to LS
41
BK
TP.HCM
Factoring Problem
For a large n with large prime factors, factoring
is a hard problem
See Table 9.4
▫ have seen slow improvements over the years
 as of May-05 best is 200 decimal digits (663) bit with LS
▫ biggest improvement comes from improved
algorithm
▫ QS(Quadratic Sieve) to GNFS(Generalized Number
Field Sieve) to LS(Lattice Sieve)
42
BK
TP.HCM
Discrete Logarithm Problem
the inverse problem to exponentiation is to find
the discrete logarithm of a number modulo p
that is to find x such that y = gx (mod p)
this is written as x = dlogg y (mod p)
whilst exponentiation is relatively easy, finding
discrete logarithms is generally a hard problem
BK
TP.HCM
Public-Key Cryptosystems
Authentication and Secrecy
44
BK
TP.HCM
Public-Key Applications
can classify uses into 3 categories:
▫ encryption/decryption (provide secrecy)
▫ digital signatures (provide authentication)
▫ key exchange (of session keys)
some algorithms are suitable for all uses, others
are specific to one
45
BK
TP.HCM
Diffie Helman Key Exchange
46
BK
TP.HCM
DH Example
47
BK
TP.HCM
RSA
by Rivest, Shamir & Adleman of MIT in 1977
best known & widely used public-key scheme
RSA scheme is a block cipher
Plaintext and ciphertext are integers between 0
and (n-1)
A typical size for n is 1024 bits, or 309 decimal
digits
48
BK
TP.HCM
RSA Key Setup
each user generates a public/private key pair
by:
selecting two large primes at random - p, q
computing their system modulus n=p.q
▫ note ø(n)=(p-1)(q-1)
selecting at random the encryption key e
 where 1<e<ø(n), gcd(e,ø(n))=1
solve following equation to find decryption key d
▫ e.d=1 mod ø(n) and 0≤d≤n
publish their public encryption key: PU={e,n}
keep secret private decryption key: PR={d,n}
49
BK
TP.HCM
RSA Use
to encrypt a message M the sender:
▫ obtains public key of recipient PU={e,n}
▫ computes: C = Me mod n, where 0≤M<n
to decrypt the ciphertext C the owner:
▫ uses their private key PR={d,n}
▫ computes: M = Cd mod n
note that the message M must be smaller than
the modulus n (block if needed)
50
BK
TP.HCM
Why RSA Works
because of Euler's Theorem:
▫ aø(n)mod n = 1 where gcd(a,n)=1
in RSA have:
▫
▫
▫
▫
n=p.q
ø(n)=(p-1)(q-1)
carefully chose e & d to be inverses mod ø(n)
hence e.d=1+k.ø(n) for some k
hence :
Cd = Me.d = M1+k.ø(n) = M1.(Mø(n))k
= M1.(1)k = M1 = M mod n
51
BK
TP.HCM
RSA Example - Key Setup
Select primes: p=17 & q=11
Compute n = pq =17 x 11=187
Compute ø(n)=(p–1)(q-1)=16 x 10=160
Select e: gcd(e,160)=1; choose e=7
Determine d: de=1 mod 160 and d < 160
Value is d=23 since 23x7=161= 160+1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}
1.
2.
3.
4.
5.
52
BK
TP.HCM
RSA Example - En/Decryption
sample RSA encryption/decryption is:
given message M = 88 (nb. 88<187)
encryption:
C = 887 mod 187 = 11
decryption:
M = 1123 mod 187 = 88
53
BK
TP.HCM
Efficient Encryption
encryption uses exponentiation to power e
hence if e small, this will be faster
▫ often choose e=65537 (216-1)
▫ also see choices of e=3 or e=17
but if e too small (eg e=3) can attack
▫ using Chinese remainder theorem
if e fixed must ensure gcd(e,ø(n))=1
▫ ie reject any p or q not relatively prime to e
54
BK
TP.HCM
Efficient Decryption
decryption uses exponentiation to power d
▫ this is likely large, insecure if not
can use the Chinese Remainder Theorem
(CRT) to compute mod p & q separately. then
combine to get desired answer
▫ approx 4 times faster than doing directly
only owner of private key who knows values of
p & q can use this technique
55
BK
TP.HCM
RSA Key Generation
users of RSA must:
▫ determine two primes at random - p, q
▫ select either e or d and compute the other
primes p,q must not be easily derived from
modulus n=p.q
▫ means must be sufficiently large
▫ typically guess and use probabilistic test
exponents e, d are inverses, so use Inverse
algorithm to compute the other
56
BK
TP.HCM
Generating Large Primes
Say we need to generate a 150 digit prime
Generate a random odd number with 150 digits
Check if it is a prime
If not increment number by two and check again
till we \stumble upon" a prime
57
BK
TP.HCM
Prime Distribution
prime number theorem states that primes occur
roughly every (ln n) integers
but can immediately ignore evens
so in practice need only test 0.5 ln(n)
numbers of size n to locate a prime
▫ note this is only the “average”
▫ sometimes primes are close together
▫ other times are quite far apart
58
BK
TP.HCM
Primality Testing
Traditionally sieve using trial division
▫ ie. divide by all numbers (primes) in turn less than the
square root of the number
▫ only works for small numbers
Alternatively can use statistical primality tests
based on properties of primes
▫ for which all primes numbers satisfy property
▫ but some composite numbers, called pseudo-primes,
also satisfy the property
Can use a slower deterministic primality test
59
BK
TP.HCM
Miller Rabin Algorithm
a test based on Fermat’s Theorem
algorithm is:
TEST (n) is:
1. Find integers k, q, k > 0, q odd, so that (n–1)=2kq
2. Select a random integer a, 1<a<n–1
3. if aq mod n = 1 then return (“maybe prime");
4. for j = 0 to k – 1 do
j
5. if (a2 q mod n = n-1)
then return(" maybe prime ")
6. return ("composite")
60
BK
TP.HCM
Probabilistic Considerations
if Miller-Rabin returns “composite” the number is
definitely not prime
otherwise is a prime or a pseudo-prime
chance it detects a pseudo-prime is < 1/4
hence if repeat test with different random a then
chance n is prime after t tests is:
▫ Pr(n prime after t tests) = 1-4-t
▫ eg. for t=10 this probability is > 0.99999
61
BK
TP.HCM
RSA Security
possible approaches to attacking RSA are:
▫ brute force key search (infeasible given size of
numbers)
▫ mathematical attacks (based on difficulty of
computing ø(n), by factoring modulus n)
▫ timing attacks (on running of decryption)
▫ chosen ciphertext attacks (given properties of
RSA)
62
BK
TP.HCM
Timing Attacks
developed by Paul Kocher in mid-1990’s
exploit timing variations in operations
▫ eg. multiplying by small vs large number
▫ or IF's varying which instructions executed
infer operand size based on time taken
RSA exploits time taken in exponentiation
countermeasures
▫ use constant exponentiation time
▫ add random delays
▫ blind values used in calculations
63
BK
TP.HCM
Chosen Ciphertext Attacks
• RSA is vulnerable to a Chosen Ciphertext
Attack (CCA)
• attackers chooses ciphertexts & gets decrypted
plaintext back
• choose ciphertext to exploit properties of RSA to
provide info to help cryptanalysis
• can counter with random pad of plaintext
• or use Optimal Asymmetric Encryption Padding
(OASP)
64
BK
TP.HCM
El Gamal
Based on the difficulty of discrete log problem
(like DH)
All entities agree on a prime p (say 200 digits
long) and a generator g
Alice chooses a random value a as her private
key (a < p also has typically the same number of
digits as p)
Alice compute α = ga mod p as her public key.
65
BK
TP.HCM
El Gamal
66
BK
TP.HCM
El Gamal Example
67