Download NetworkSecurity_Chapter3

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
page
54
page
55
page
56
page
57
page
58
page
59
page
60
page
61
page
62
page
63
page
64
page
65
page
66
page
67
Document related concepts

Wiles's proof of Fermat's Last Theorem wikipedia , lookup

Approximations of π wikipedia , lookup

Addition wikipedia , lookup

List of prime numbers wikipedia , lookup

Arithmetic wikipedia , lookup

Proofs of Fermat's little theorem wikipedia , lookup

Factorization of polynomials over finite fields wikipedia , lookup

Quadratic reciprocity wikipedia , lookup

Transcript 
Chapter 3
Public Key Cryptography
MSc. NGUYEN CAO DAT
Dr. TRAN VAN HOAI
BK
TP.HCM
Outline
 Finite Fields
Number Theory
Public Key Cryptography
▫ Diffie Helman
▫ RSA
▫ El Gamal
2
BK
TP.HCM
Finite Fields
• Concept of groups, rings, fields
• Modular arithmetic with integers
• Euclid’s algorithm for GCD
• Finite fields GF(p)
3
BK
TP.HCM
Group
a set of elements or “numbers”
with some operation whose result is also in the
set (closure)
obeys:
▫ associative law:
(a.b).c = a.(b.c)
▫ has identity e:e.a = a.e = a
▫ has inverses a-1:
a.a-1 = e
if commutative
a.b = b.a
▫ then forms an abelian group
BK
TP.HCM
Cyclic Group
define exponentiation as repeated application
of operator
▫ example:
a3 = a.a.a
and let identity be: e=a0
a group is cyclic if every element is a power of
some fixed element
▫ ie b = ak
for some a and every b in group
a is said to be a generator of the group
BK
TP.HCM
Ring
a set of “numbers”
with two operations (addition and multiplication)
which form:
an abelian group with addition operation
and multiplication:
▫ has closure
▫ is associative
▫ distributive over addition:
a(b+c) = ab + ac
if multiplication operation is commutative, it
forms a commutative ring
if multiplication operation has an identity and no
zero divisors, it forms an integral domain
BK
TP.HCM
Field
a set of numbers
with two operations which form:
▫ abelian group for addition
▫ abelian group for multiplication (ignoring 0)
▫ ring
have hierarchy with more axioms/laws
▫ group -> ring -> field
BK
TP.HCM
Modular Arithmetic
define modulo operator “a mod n” to be
remainder when a is divided by n
use the term congruence for: a = b mod n
▫ when divided by n, a & b have same remainder
▫ eg. 100 = 34 mod 11
b is called a residue of a mod n
▫ since with integers can always write: a = qn + b
▫ usually chose smallest positive remainder as residue
 ie. 0 <= b <= n-1
▫ process is known as modulo reduction
 eg. -12 mod 7 = -5 mod 7 = 2 mod 7 = 9 mod 7
BK
TP.HCM
Divisors
say a non-zero number b divides a if for some
m have a=mb (a,b,m all integers)
that is b divides into a with no remainder
denote this b|a
and say that b is a divisor of a
eg. all of 1,2,3,4,6,8,12,24 divide 24
BK
TP.HCM
Modular Arithmetic Operations
is 'clock arithmetic'
uses a finite number of values, and loops back
from either end
modular arithmetic is when do addition &
multiplication and modulo reduce answer
can do reduction at any point, ie
▫ a+b mod n = [a mod n + b mod n] mod n
BK
TP.HCM
Modular Arithmetic
can do modular arithmetic with any group of
integers:
Zn = {0, 1, … , n-1}
form a commutative ring for addition
with a multiplicative identity
note some peculiarities
▫ if (a+b)=(a+c) mod n
then b=c mod n
▫ but if (a.b)=(a.c) mod n
then b=c mod n only if a is relatively prime to n
BK
TP.HCM
Modulo 8 Addition Example
+
0
1
2
3
4
5
6
7
0
0
1
2
3
4
5
6
7
1
1
2
3
4
5
6
7
0
2
2
3
4
5
6
7
0
1
3
3
4
5
6
7
0
1
2
4
4
5
6
7
0
1
2
3
5
5
6
7
0
1
2
3
4
6
6
7
0
1
2
3
4
5
7
7
0
1
2
3
4
5
6
BK
TP.HCM
Greatest Common Divisor (GCD)
a common problem in number theory
GCD (a,b) of a and b is the largest number that
divides evenly into both a and b
▫ eg GCD(60,24) = 12
often want no common factors (except 1) and
hence numbers are relatively prime
▫ eg GCD(8,15) = 1
▫ hence 8 & 15 are relatively prime
BK
TP.HCM
Euclidean Algorithm
an efficient way to find the GCD(a,b)
uses theorem that:
▫ GCD(a,b) = GCD(b, a mod b)
Euclidean Algorithm to compute GCD(a,b) is:
EUCLID(a,b)
1.
2.
3.
4.
5.
6.
A = a; B = b
if B = 0 return
R = A mod B
A = B
B = R
goto 2
A = gcd(a, b)
BK
TP.HCM
Example GCD(1970,1066)
1970 = 1 x 1066 + 904
1066 = 1 x 904 + 162
904 = 5 x 162 + 94
162 = 1 x 94 + 68
94 = 1 x 68 + 26
68 = 2 x 26 + 16
26 = 1 x 16 + 10
16 = 1 x 10 + 6
10 = 1 x 6 + 4
6 = 1 x 4 + 2
4 = 2 x 2 + 0
gcd(1066, 904)
gcd(904, 162)
gcd(162, 94)
gcd(94, 68)
gcd(68, 26)
gcd(26, 16)
gcd(16, 10)
gcd(10, 6)
gcd(6, 4)
gcd(4, 2)
gcd(2, 0)
BK
TP.HCM
Galois Fields
finite fields play a key role in cryptography
can show number of elements in a finite field
must be a power of a prime pn
known as Galois fields
denoted GF(pn)
in particular often use the fields:
▫ GF(p)
▫ GF(2n)
BK
TP.HCM
Galois Fields GF(p)
GF(p) is the set of integers {0,1, … , p-1} with
arithmetic operations modulo prime p
these form a finite field
▫ since have multiplicative inverses
hence arithmetic is “well-behaved” and can do
addition, subtraction, multiplication, and division
without leaving the field GF(p)
BK
TP.HCM
GF(7) Multiplication Example
 0 1 2 3 4 5 6
0 0 0 0 0 0 0 0
1 0 1 2 3 4 5 6
2 0 2 4 6 1 3 5
3 0 3 6 2 5 1 4
4 0 4 1 5 2 6 3
5 0 5 3 1 6 4 2
6 0 6 5 4 3 2 1
BK
TP.HCM
Finding Inverses
EXTENDED EUCLID(m, b)
1. (A1, A2, A3)=(1, 0, m);
(B1, B2, B3)=(0, 1, b)
2. if B3 = 0
return A3 = gcd(m, b); no inverse
3. if B3 = 1
return B3 = gcd(m, b); B2 = b–1 mod m
4. Q = A3 div B3
5. (T1, T2, T3)=(A1 – Q B1, A2 – Q B2, A3 – Q B3)
6. (A1, A2, A3)=(B1, B2, B3)
7. (B1, B2, B3)=(T1, T2, T3)
8. goto 2
BK
TP.HCM
Inverse of 550 in GF(1759)
Q
A1
A2
A3
B1
B2
B3
—
1
0
1759
0
1
550
3
0
1
550
1
–3
109
5
1
–3
109
–5
16
5
21
–5
16
5
106
–339
4
1
106
–339
4
–111
355
1
BK
TP.HCM
Modular Polynomial Arithmetic
can compute in field GF(2n)
▫ polynomials with coefficients modulo 2
▫ whose degree is less than n
▫ hence must reduce modulo an irreducible poly of
degree n (for multiplication only)
form a finite field
can always find an inverse
▫ can extend Euclid’s Inverse algorithm to find
BK
TP.HCM
Number Theory
Prime Numbers and Prime Factorisation
Basic theorem of arithmetic (every number can
be expressed as a product of prime powers),
LCM, GCD.
Computing GCD using the Euclidean Algorithm
(Chapter 4.3)
Modular arithmetic operations (Chapter 4.2)
Computing modular multiplicative inverse using
extended Euclidean Algorithm (Chapter 4.4)
22
BK
TP.HCM
Prime Numbers
prime numbers only have divisors of 1 and self
▫ they cannot be written as a product of other numbers
▫ note: 1 is prime, but is generally not of interest
eg. 2,3,5,7 are prime, 4,6,8,9,10 are not
prime numbers are central to number theory
list of prime number less than 200 is:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59
61 67 71 73 79 83 89 97 101 103 107 109 113 127
131 137 139 149 151 157 163 167 173 179 181 191
193 197 199
23
BK
TP.HCM
Prime Factorisation
to factor a number n is to write it as a product
of other numbers: n=a x b x c
note that factoring a number is relatively hard
compared to multiplying the factors together to
generate the number
the prime factorisation of a number n is when
its written as a product of primes
▫ eg. 91=7x13 ; 3600=24x32x52
24
BK
TP.HCM
Relatively Prime Numbers & GCD
two numbers a, b are relatively prime if have
no common divisors apart from 1
▫ eg. 8 & 15 are relatively prime since factors of 8 are
1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only
common factor
conversely can determine the greatest common
divisor by comparing their prime factorizations
and using least powers
▫ eg. 300=21x31x52 18=21x32 hence
GCD(18,300)=21x31x50=6
25
BK
TP.HCM
Notations
26
BK
TP.HCM
Ring vs. Field
Consider the two equations
2x + 2y ≡ 22 mod 56
2x + 2y ≡ 22 mod 31
We cannot reduce the first equation to x + y ≡ 11 mod
56.
We can reduce the second equation to x + y ≡ 11 mod
31.
Why? (need to multiply by the multiplicative inverse of 2)
As all numbers have multiplicative inverses we can
easily solve systems of linear equations in a field. Not so
simple in rings.
27
BK
TP.HCM
Euclidean Algorithm
28
BK
TP.HCM
Extended Euclidean Algorithm
29
BK
TP.HCM
Square and Multiply Algorithm(1/2)
See Figures 9.7 in the text book.
Compute y = ax mod n. Large a; x; n (say 300
digits long).
Let b(r ) … b(0) be the binary representation of
the exponent x (an r + 1 bit number)
Square and multiply algorithm requires r + 1 to
2(r + 1)
multiplications (1000 to 2000 multiplications for
300 digit exponents)
30
BK
TP.HCM
Square and Multiply Algorithm(2/2)
z=1;
for i=r downto 0
z=z*z mod n
if (b(i) = 1)
z = z*a mod n
endif;
endfor;
31
BK
TP.HCM
Fermat's Little Theorem
ap-1 ≡ 1 mod p
▫ where p is prime and gcd(a,p)=1
also ap ≡ a mod p
useful in public key and primality testing
32
BK
TP.HCM
Euler Phi Function
when doing arithmetic modulo n
complete set of residues is: 0..n-1
reduced set of residues is those numbers
(residues) which are relatively prime to n
▫ eg for n=10,
▫ complete set of residues is {0,1,2,3,4,5,6,7,8,9}
▫ reduced set of residues is {1,3,7,9}
number of elements in reduced set of residues
is called the Euler Phi Function ø(n)
33
BK
TP.HCM
Euler Phi Function
to compute ø(n) need to count number of
residues to be excluded
in general need prime factorization, but
▫ for p (p prime)
ø(p)
▫ for p.q (p,q prime; p ≠ q)
ø(pq)
= p-1
=(p-1)x(q-1)
eg.
ø(37) = 36
ø(21) = (3–1)x(7–1) = 2x6 = 12
34
BK
TP.HCM
Euler's Theorem
a generalisation of Fermat's Theorem
aø(n) ≡ 1 mod n
▫ for any a,n where gcd(a,n)=1
eg.
a=3;n=10; ø(10)=4;
hence 34 = 81 = 1 mod 10
a=2;n=11; ø(11)=10;
hence 210 = 1024 = 1 mod 11
35
BK
TP.HCM
Public-Key Cryptography
developed to address two key issues:
▫ key distribution – how to have secure
communications in general without having to trust
a KDC with your key
▫ digital signatures – how to verify a message
comes intact from the claimed sender
public invention due to Whitfield Diffie & Martin
Hellman at Stanford Uni in 1976
▫ known earlier in classified community
36
BK
TP.HCM
Public-Key Cryptography
public-key/two-key/asymmetric cryptography
involves the use of two keys:
▫ a public-key, which may be known by anybody, and
can be used to encrypt messages, and verify
signatures
▫ a private-key, known only to the recipient, used to
decrypt messages, and sign (create) signatures
is asymmetric because
▫ those who encrypt messages or verify signatures
cannot decrypt messages or create signatures
37
BK
TP.HCM
Public-Key Cryptography
38
BK
TP.HCM
Public-Key Characteristics
Public-Key algorithms rely on two keys where:
▫ it is computationally infeasible to find decryption key
knowing only algorithm & encryption key
▫ it is computationally easy to en/decrypt messages
when the relevant (en/decrypt) key is known
▫ either of the two related keys can be used for
encryption, with the other used for decryption (for
some algorithms)
39
BK
TP.HCM
Inverse Problems
Most PKC algorithms rely on difficult inverse
problems.
Factorization Problem: Given large p and q it is
easy to compute n = p*q. But given n it is
impractical to factorize n into the constituent
primes.
Discrete Logarithm Problem: Let α = ga mod p.
Given a; g; p computing α is trivial. However
given α ; g and p it is impractical to compute a
40
BK
TP.HCM
Factoring Problem
For a large n with large prime factors, factoring
is a hard problem
have seen slow improvements over the years
▫ as of May-05 best is 200 decimal digits (663) bit with
LS
biggest improvement comes from improved
algorithm
▫ cf QS to GNFS to LS
41
BK
TP.HCM
Factoring Problem
For a large n with large prime factors, factoring
is a hard problem
See Table 9.4
▫ have seen slow improvements over the years
 as of May-05 best is 200 decimal digits (663) bit with LS
▫ biggest improvement comes from improved
algorithm
▫ QS(Quadratic Sieve) to GNFS(Generalized Number
Field Sieve) to LS(Lattice Sieve)
42
BK
TP.HCM
Discrete Logarithm Problem
the inverse problem to exponentiation is to find
the discrete logarithm of a number modulo p
that is to find x such that y = gx (mod p)
this is written as x = dlogg y (mod p)
whilst exponentiation is relatively easy, finding
discrete logarithms is generally a hard problem
BK
TP.HCM
Public-Key Cryptosystems
Authentication and Secrecy
44
BK
TP.HCM
Public-Key Applications
can classify uses into 3 categories:
▫ encryption/decryption (provide secrecy)
▫ digital signatures (provide authentication)
▫ key exchange (of session keys)
some algorithms are suitable for all uses, others
are specific to one
45
BK
TP.HCM
Diffie Helman Key Exchange
46
BK
TP.HCM
DH Example
47
BK
TP.HCM
RSA
by Rivest, Shamir & Adleman of MIT in 1977
best known & widely used public-key scheme
RSA scheme is a block cipher
Plaintext and ciphertext are integers between 0
and (n-1)
A typical size for n is 1024 bits, or 309 decimal
digits
48
BK
TP.HCM
RSA Key Setup
each user generates a public/private key pair
by:
selecting two large primes at random - p, q
computing their system modulus n=p.q
▫ note ø(n)=(p-1)(q-1)
selecting at random the encryption key e
 where 1<e<ø(n), gcd(e,ø(n))=1
solve following equation to find decryption key d
▫ e.d=1 mod ø(n) and 0≤d≤n
publish their public encryption key: PU={e,n}
keep secret private decryption key: PR={d,n}
49
BK
TP.HCM
RSA Use
to encrypt a message M the sender:
▫ obtains public key of recipient PU={e,n}
▫ computes: C = Me mod n, where 0≤M<n
to decrypt the ciphertext C the owner:
▫ uses their private key PR={d,n}
▫ computes: M = Cd mod n
note that the message M must be smaller than
the modulus n (block if needed)
50
BK
TP.HCM
Why RSA Works
because of Euler's Theorem:
▫ aø(n)mod n = 1 where gcd(a,n)=1
in RSA have:
▫
▫
▫
▫
n=p.q
ø(n)=(p-1)(q-1)
carefully chose e & d to be inverses mod ø(n)
hence e.d=1+k.ø(n) for some k
hence :
Cd = Me.d = M1+k.ø(n) = M1.(Mø(n))k
= M1.(1)k = M1 = M mod n
51
BK
TP.HCM
RSA Example - Key Setup
Select primes: p=17 & q=11
Compute n = pq =17 x 11=187
Compute ø(n)=(p–1)(q-1)=16 x 10=160
Select e: gcd(e,160)=1; choose e=7
Determine d: de=1 mod 160 and d < 160
Value is d=23 since 23x7=161= 160+1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}
1.
2.
3.
4.
5.
52
BK
TP.HCM
RSA Example - En/Decryption
sample RSA encryption/decryption is:
given message M = 88 (nb. 88<187)
encryption:
C = 887 mod 187 = 11
decryption:
M = 1123 mod 187 = 88
53
BK
TP.HCM
Efficient Encryption
encryption uses exponentiation to power e
hence if e small, this will be faster
▫ often choose e=65537 (216-1)
▫ also see choices of e=3 or e=17
but if e too small (eg e=3) can attack
▫ using Chinese remainder theorem
if e fixed must ensure gcd(e,ø(n))=1
▫ ie reject any p or q not relatively prime to e
54
BK
TP.HCM
Efficient Decryption
decryption uses exponentiation to power d
▫ this is likely large, insecure if not
can use the Chinese Remainder Theorem
(CRT) to compute mod p & q separately. then
combine to get desired answer
▫ approx 4 times faster than doing directly
only owner of private key who knows values of
p & q can use this technique
55
BK
TP.HCM
RSA Key Generation
users of RSA must:
▫ determine two primes at random - p, q
▫ select either e or d and compute the other
primes p,q must not be easily derived from
modulus n=p.q
▫ means must be sufficiently large
▫ typically guess and use probabilistic test
exponents e, d are inverses, so use Inverse
algorithm to compute the other
56
BK
TP.HCM
Generating Large Primes
Say we need to generate a 150 digit prime
Generate a random odd number with 150 digits
Check if it is a prime
If not increment number by two and check again
till we \stumble upon" a prime
57
BK
TP.HCM
Prime Distribution
prime number theorem states that primes occur
roughly every (ln n) integers
but can immediately ignore evens
so in practice need only test 0.5 ln(n)
numbers of size n to locate a prime
▫ note this is only the “average”
▫ sometimes primes are close together
▫ other times are quite far apart
58
BK
TP.HCM
Primality Testing
Traditionally sieve using trial division
▫ ie. divide by all numbers (primes) in turn less than the
square root of the number
▫ only works for small numbers
Alternatively can use statistical primality tests
based on properties of primes
▫ for which all primes numbers satisfy property
▫ but some composite numbers, called pseudo-primes,
also satisfy the property
Can use a slower deterministic primality test
59
BK
TP.HCM
Miller Rabin Algorithm
a test based on Fermat’s Theorem
algorithm is:
TEST (n) is:
1. Find integers k, q, k > 0, q odd, so that (n–1)=2kq
2. Select a random integer a, 1<a<n–1
3. if aq mod n = 1 then return (“maybe prime");
4. for j = 0 to k – 1 do
j
5. if (a2 q mod n = n-1)
then return(" maybe prime ")
6. return ("composite")
60
BK
TP.HCM
Probabilistic Considerations
if Miller-Rabin returns “composite” the number is
definitely not prime
otherwise is a prime or a pseudo-prime
chance it detects a pseudo-prime is < 1/4
hence if repeat test with different random a then
chance n is prime after t tests is:
▫ Pr(n prime after t tests) = 1-4-t
▫ eg. for t=10 this probability is > 0.99999
61
BK
TP.HCM
RSA Security
possible approaches to attacking RSA are:
▫ brute force key search (infeasible given size of
numbers)
▫ mathematical attacks (based on difficulty of
computing ø(n), by factoring modulus n)
▫ timing attacks (on running of decryption)
▫ chosen ciphertext attacks (given properties of
RSA)
62
BK
TP.HCM
Timing Attacks
developed by Paul Kocher in mid-1990’s
exploit timing variations in operations
▫ eg. multiplying by small vs large number
▫ or IF's varying which instructions executed
infer operand size based on time taken
RSA exploits time taken in exponentiation
countermeasures
▫ use constant exponentiation time
▫ add random delays
▫ blind values used in calculations
63
BK
TP.HCM
Chosen Ciphertext Attacks
• RSA is vulnerable to a Chosen Ciphertext
Attack (CCA)
• attackers chooses ciphertexts & gets decrypted
plaintext back
• choose ciphertext to exploit properties of RSA to
provide info to help cryptanalysis
• can counter with random pad of plaintext
• or use Optimal Asymmetric Encryption Padding
(OASP)
64
BK
TP.HCM
El Gamal
Based on the difficulty of discrete log problem
(like DH)
All entities agree on a prime p (say 200 digits
long) and a generator g
Alice chooses a random value a as her private
key (a < p also has typically the same number of
digits as p)
Alice compute α = ga mod p as her public key.
65
BK
TP.HCM
El Gamal
66
BK
TP.HCM
El Gamal Example
67
Related documents
Here - UMD MATH
Here - UMD MATH
TEST #2 Directions: Solve five of the following eight problems: three
TEST #2 Directions: Solve five of the following eight problems: three
Hypertrophic Cardiomyopathy
Hypertrophic Cardiomyopathy
Payment Request Form - Case Western Reserve University
Payment Request Form - Case Western Reserve University
A talk on the motor side. The free energy for... myosin and its ATP binding
A talk on the motor side. The free energy for... myosin and its ATP binding
Additional testing in HCM
Additional testing in HCM
Lemma 2.8. Let p and q 1,q2, ..., qn all be primes and let k be a
Lemma 2.8. Let p and q 1,q2, ..., qn all be primes and let k be a
Fall 2016 Midterm
Fall 2016 Midterm
Homework 3
Homework 3
CS 3333 Mathematical Foundations of CS
CS 3333 Mathematical Foundations of CS
Hypertrophic Cardiomyopathy - Dr. Ben
Hypertrophic Cardiomyopathy - Dr. Ben
Solving Linear Congruence
Solving Linear Congruence