Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Outline • • • • Review of RSA Discrete logarithms Testing for primality Key management in public-key cryptosystem • Diffie-Hellman Key exchange Revisit proof of RSA If (a×b)≡(a×c) mod n then b≡c mod n True if a is relatively prime to n Suppose b > c ab – ac = kn a(b-c) = kn kn b-c = gcd(a,n)=1 a Ex. 2x1 mod 8 = 2 2x5 mod 8 = 2 b-c = qn 1 ≡ 5 mod 8 Proof of Fermat’s law Recall: p is a prime, Zp is a Galois Field Any a multiplied by {1,2,…,p-1} will span {1,2,…,p-1} in some order {a mod p, 2a mod p,…, (p-1)a mod p} 等於 {1,2,…,p-1} 的重排 1 左邊集合內元素都與 p 互質 2 ax ≡ ay mod p => x ≡ y mod p 左邊集合內的元素都不同 Proof for Euler’s theorem aø(n)≡ 1 mod n, gcd(a,n)=1 n is a prime => Fermat’s theorem Arbitrary n: ø(n) means the number of integers that is relatively prime to n, denote the set of integers as R x1 , x2 , , x ( n ) Multiply each by a, modulo n: S (ax1 mod n) , (ax2 mod n) , , (ax ( n ) mod n) S is a permutation of R !!! * a is relatively prime to n, and xi is relative prime to n => so does axi * There is no duplicate in S RSA concept n=pq, p and q are primes a a2 a3 1 2 3 4 . . . pq-2 pq-1 a … a(n)-1 a(n) a(n) a (n) a… a(n) a(n) a(n) Euler’s formula: 1 1 1 1 . . . 1 1 a ( n ) 1 (mod n) 2. a ( n )1 a (mod n) k ( n ) 1 a a (mod n) 3. 1. ak(n)+1 (ae)d a ae RSA algorithm : key generation and encryption/decryption Example: 1. 2. 3. 4. Select primes p and q (pq). Calculate n=pq. Calculate (n)=(p-1)(q-1) Select e that is relative prime to and less than (n) 5. Determine d such that de ≡ 1 mod (n), and d< (n) (d is the multiplicative inverse of e, find it using Extended Euclid’s algorithm) p=17, q=11 n= 17x11 = 187 (n)= 16x10 = 160 e=7 d = 23 RSA encryption/decryption example Public key: KU={e,n}={7,187} Private key: KR={d,n}={23,187} Computational issues in RSA Select primes p and q (pq) Calculate d such that d ≡ e-1 mod (n) How to select a large prime? (Chap. 8.3) How to compute multiplicative inverse? => Extended Euclid’s algorithm (Chap. 4.4) Encryption: M = Cd mod n How to compute exponentiation fast? Computation issues – encryption/decryption Modular exponentiation: M = Cd mod n Fast algorithm use the property: (a x b) mod n = (a mod n) x (b mod n) mod n 1123 mod 187 =(1116×114×112×111) mod 187 =[(1116 mod 187)×(114 mod 187)×(112 mod 187)×(111 mod 187)] mod 187 =…=88 Write exponential d as binary number: bkbk-1…b1b0 ex. 2310 = 101112 = 24+22+21+20 j 2j 2 C mod n C mod n C mod n mod n b 0 b j 0 j d Pseudo-code for fast exponentiation: ab mod n Timing attacks c=0; /* c will be the exponent at last */ d=1; /* d will be the ab mod n at last */ for(i=k; i>=0; i--){ /* k+1 bits for b */ c = 2*c; d = (d*d) mod n; if ( bi == 1 ){ c = c+1; d = (d*a) mod n } } If this bit is 1, exec. time will be slower Resist to timing attacks Constant exponentiation time Random delay return the results of exponentiation after a fixed time Add random delay to the exp. execution time Blinding Multiply ciphertext by a random number Outline Review of RSA Discrete logarithms Testing for primality Key management in public-key cryptosystem Diffie-Hellman Key exchange The power of an integer, modulo n Euler’s formula (1):aø(n)≡ 1 mod n, gcd(a,n)=1 General form (2): am ≡ 1 mod n, gcd(a,n)=1 There is at least one m (m(n)) satisfies (2) For any 0<a<n, the least positive m satisfies (2) is referred as The order of a (mod n) The exponent to which a belongs (mod n) The length of the period generated by a Example: modulo 19 Primitive root of 19: 1. period = 18 2. Span {1,…,18} 4? ≡ 17 mod 19 period = 9 period = 3 Euler’s formula Discrete logarithms For real numbers: y = xr => logx y = r For prime integer p, and its primitive root a There is a unique i such that b ≡ ai mod p where 0 ≤ i ≤ (p-1) Given b, a, and p, we can find a unique i => inda,p (b) = i • Unique discrete logarithm mod m to some base a exist only if a is a primitive root of m Example: discrete log, mod 19 Calculation of discrete log Equation: b = ai mod p Calculation of power is straightforward Calculation of discrete log (if exists) is hard !!! => The same complexity of factoring primes ( (ln p e 1/ 3 (ln(ln p ) 2 / 3 Not feasible for large primes Outline Review of RSA Discrete logarithms Testing for primality Key management in public-key cryptosystem Diffie-Hellman Key exchange How to select a large prime? In RSA, we have to select two primes p and q (pq) select e or d (that is relatively prime to (n)) p, q, e, d must be sufficiently large to avoid exhaustive search attack However, no useful method to generate arbitrarily large primes Sol: pick at random an odd number of the desired order of magnitude, and test whether it is a prime Test for primality Miller-Rabin algorithm: decide whether a number is a prime with a bounded error probability Given an odd integer n for test Ex. n = 29 Factor (n-1) as 28 = 22 (7) n-1 = 2kq, k > 0, q odd Recall Fermat’s theorem: an-1≡1 mod n if n is a prime Choose an integer a, 1<a<n-1 k-1 k generate aq,a2q,…,a2 q,a2 q mod n See next page a = 10 107,102x7,104x7 mod 29 =17, 28, 1 Test for primality (cont.) For a given integer a k-1 k generate aq,a2q,…,a2 q,a2 q mod n … square If n is a prime, kq 2 a =an-1≡1 mod n However, we don’t have to test until k a2 q 2q mod n = -1=(n-1) a If this number aq mod n = 1 or -1 If this number k q 2 q 2 Then (a ) mod n = 1 Then (a ) mod n = 1 (aq)4 mod n = 1 … k (aq)2 mod n = 1 Repeated use of Miller-Rabin Algorithm Fermat’s theorem: an-1≡1 mod n , for all 0<a<n, if n is a prime • It has been shown that, for one random chosen integer a, the probability of false positive is less than 1/4 (n 非質數,但是偵測為質數) Run M-R test 2 times with different a => Prob = (1/4)2 Run M-R test t times with different a => Prob = (1/4)t How many integers to test to find a prime? Prime number theory: the primes near n are spaced on the average one every ln (n) integers Density of prime? 1 n no. of primes n = ln (n) Discard even integers, and ending with digit 5 => test about 0.4ln (n) numbers Ex. prime on the order of magnitude of 2200 (200 bits) => 0.4ln (2200) = 55 trails to find a prime How to generate public/private keys? Q: select e or d that is relatively prime to (n)? A: Extended Euclid’s algorithm Test gcd(e, (n)) = 1? Calculate the multiplicative inverse at the same time if they are relatively prime Procedure: Generate a series of random numbers, test each against (n) How many random numbers to test? The prob. that two random numbers are relatively prime is about 0.6 (problem 8.1) Outline Review of RSA Discrete logarithms Testing for primality Key management in public-key cryptosystem Diffie-Hellman Key exchange Key management (Ch 10.1) Two issues for public-key cryptosystem Distribution of public keys The use of public-key encryption to distribute secret keys (keys for symm. cipher) Distribution of public keys Public announcement Public available directory Public-key authority Public-key certificates 1. Public announcement Ex. post public keys to public forums, such as USENET newsgroup and Internet mailing list Drawback: the opponent can pretend to be another user 2. Public available directory Some trusted entity maintains a publicly available dynamic directory of public keys {A, KUa } {B, KUb } … Register the public key Register the public key Attack: an opponent invades the public-key directory, and counterfeit public keys 3. Public-key authority Central authority: 1. Maintain directory of public keys 2. Each participant knows the public key for the authority A can confirm the message from the authority N1 :認證B的身份 N2 :認證A的身份 4. Public-key certificates 憑證 Certificate: contain public key and other information, generate from the certificate authority Application must be in person or by secure channel 1. Anyone can read, verify 2. Only CA can create Time: verify currency of certificate Simple secret key distribution Public-key scheme has slow data rate use public key to distribute secret key use secret key scheme for data encryption intercept session key (secret key) KUe || IDA E KUa[ Ks ] Ks E KUe[ Ks ] Secret key distribution with confidentiality and authentication Against active and passive attacks Authenticate B Authenticate A Confidentiality (only B can read) authentication (only A can create it) A hybrid and hierarchical scheme Use public-key scheme to distribute master key A MKA Ks KDC MKA MKB C B MKB Ks Use master keys with KDC to distribute session key Advantage: 1. Use master key to distribute session keys, instead of using public-key scheme => faster ! 2. Backward compatible to old KDC scheme (master + session key) Outline Review of RSA Discrete logarithms Testing for primality Key management in public-key cryptosystem Diffie-Hellman Key exchange Diffie-Hellman key exchange Purpose: enable two users to exchange a key securely that can then be used for subsequent encryption of message A Setup up a secret key K B • The issue of distribution of secret keys Diffie-Hellman algorithm: take advantage of the hard problem – discrete logarithm Protocol of D-H key exchange Public: q, a (q is a prime; a<q, is a primitive root of q) Discrete log ? Verify D-H algorithm Both users get the same secret key K User A gets: Eq: K (YB ) X A mod q (a X B mod q) X A mod q ( A mod q) ( A mod q) mod q A2 mod q a X B X A mod q User B gets: (YA ) XB mod q a the same X AXB mod q Other issues about D-H Brute-force attack: Ex. 3a mod 353 = 40 Try all 3x mod 353, 0<x<353, until it equal 40 Use D-H algorithm as public-key system KDC {User, Public Key} {A, YA (aX A} {B, YB (aXB} YB A E K[Message] K (YB ) X A mod q B