Public Key Cryptography
CS 470
Introduction to Applied Cryptography
Instructor: Ali Aydin Selcuk
CS470, A.Selcuk
Public Key Cryptography
1
Public Key Cryptography
“New Directions in Cryptography”, Diffie & Hellman, 1976:
Two fundamental problems in cryptography can be solved
by an asymmetric “trapdoor one-way function”:
• key distribution
• source authentication
An asymmetric encryption function:
• Encryption & decryption keys are different.
• Knowledge of the encryption key is not sufficient for
deriving the decryption key efficiently.
• Hence, the encryption key can be made “public”.
Public Key Cryptography
Key distribution solution:
• Alice makes her encryption key K public.
• Everyone can send her an encrypted message: C = E_K(P).
• Only Alice can decrypt it, with the private key K^-1: P = D_{K^-1}(C).
Source authentication solution:
• Only Alice can “sign” a message, using K^-1.
• Anyone can verify the signature, using K.
Only if such a function could be found...
Diffie-Hellman Key Exchange
Public parameters:
p: a large prime
g: a generator of Z_p*, i.e., {g^i | 0 ≤ i ≤ p-2} = {1, 2, ..., p-1}.
Alice's and Bob's exponents, each chosen from {0, 1, 2, ..., p-2}, are secret.
Exchange:
Alice → Bob: g^(Alice's exponent) mod p
Bob → Alice: g^(Bob's exponent) mod p
Alice computes (g^(Bob's exponent))^(Alice's exponent) mod p.
Bob computes (g^(Alice's exponent))^(Bob's exponent) mod p.
Both obtain the same key K = g^(Alice's exponent · Bob's exponent) mod p.
Security of DH
• Discrete Logarithm Problem (DLP): Given p, g, and g^(exponent) mod p,
what is the exponent? (Easy in Z, hard in Z_p.)
• DH Problem (DHP): Given p, g, g^(Alice's exponent) mod p and g^(Bob's exponent) mod p,
what is g^(Alice's exponent · Bob's exponent) mod p?
• Conjecture: DHP is as hard as DLP.
(Note: neither is proven to be NP-complete.)
• “Safe prime”: p such that (p-1)/2 is also a prime.
• Best known method for DLP: the “Number Field Sieve”,
with running time e^((1.923 + O(1)) (ln p)^(1/3) (ln ln p)^(2/3)).
Efficiency of DH
Generating a large prime
• Generate a random number and test for primality.
• Primality testing is efficient.
• Density of primes:
Prime Number Theorem: For π(n) denoting the number of primes ≤ n, we have
π(n) ~ n / ln n,
that is,
lim_{n→∞} (π(n) ln n) / n = 1.
Efficiency of DH
How to compute g^(exponent) mod p for large p, g and exponent?
x^n = (x^k)^2        if n = 2k
x^n = (x^k)^2 · x    if n = 2k + 1
“Repeated squaring”: start with the most significant bit of the exponent.
E.g., computing 3^25 mod 20, where 25 = (11001)_2 (the exponents below are
binary prefixes of 25):
y0 = 3^(1) mod 20 = 3
y1 = 3^(11) mod 20 = 3^2 · 3 mod 20 = 7
y2 = 3^(110) mod 20 = 7^2 mod 20 = 9
y3 = 3^(1100) mod 20 = 9^2 mod 20 = 1
y4 = 3^(11001) mod 20 = 1^2 · 3 mod 20 = 3
Further efficiency with preprocessing x^i, i < 2^k, for some k.
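The MSB-first repeated-squaring method above and the Diffie-Hellman exchange described on the earlier slide, as an added Python example that is not part of the lecture notes. The toy parameters p = 23, g = 5, the exponent names a and b, and the function names are assumptions; the generator test relies on the safe-prime structure mentioned on the Security of DH slide.

```python
# Added example (not from the slides): square-and-multiply exponentiation,
# exponent bits processed most significant bit first as in the 3^25 mod 20
# walk-through, plus a toy Diffie-Hellman exchange over Z_p* for a safe prime p.
# The parameters p = 23, g = 5 and the exponent names a, b are constructed here.
import secrets


def mod_pow(x, n, p):
    """x^n mod p by repeated squaring, most significant bit first:
    for each bit, y = y^2 (n = 2k case), then y = y*x if the bit is 1 (n = 2k+1)."""
    y = 1
    for bit in bin(n)[2:]:           # 25 -> "11001"
        y = (y * y) % p              # (x^k)^2
        if bit == "1":
            y = (y * x) % p          # (x^k)^2 * x
    return y


def is_generator_safe_prime(g, p):
    """For a safe prime p = 2q + 1 the only proper subgroup orders are 1, 2 and q,
    so g generates Z_p* iff g^2 != 1 and g^q != 1 (mod p)."""
    q = (p - 1) // 2
    return 1 < g < p and mod_pow(g, 2, p) != 1 and mod_pow(g, q, p) != 1


def dh_exchange(p, g, a, b):
    """Alice holds a, Bob holds b (both in {0, ..., p-2}). Each sends g^secret mod p
    and raises the value received to its own secret. Returns (A, B, K_alice, K_bob)."""
    A = mod_pow(g, a, p)             # Alice -> Bob
    B = mod_pow(g, b, p)             # Bob -> Alice
    k_alice = mod_pow(B, a, p)       # (g^b)^a mod p
    k_bob = mod_pow(A, b, p)         # (g^a)^b mod p
    return A, B, k_alice, k_bob


if __name__ == "__main__":
    assert mod_pow(3, 25, 20) == 3   # the slide's worked example
    p, g = 23, 5                     # constructed: 23 = 2*11 + 1 is a safe prime
    assert is_generator_safe_prime(g, p)
    a, b = secrets.randbelow(p - 1), secrets.randbelow(p - 1)
    A, B, ka, kb = dh_exchange(p, g, a, b)
    print(f"A={A} B={B} shared={ka} agree={ka == kb}")
```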
Structure of Z_p*
For a prime p, let Z_p* denote all non-zero elements of Z_p.
Fermat's (Little) Theorem: For all x ∈ Z_p*, we have
x^(p-1) ≡ 1 (mod p).
Let <g> denote the numbers generated by powers of g in Z_p*; <g> = {g, g^2, ..., g^(p-1)}.
E.g. for Z_5*:
<1> = {1}
<2> = {2, 4, 3, 1}
<3> = {3, 4, 2, 1}
<4> = {4, 1}
• The “order” of 1 is one; of 4 is two; of 2 and 3 is four.
• 2 and 3 are “generators” of Z_5* (they have order p-1).
• Fact: For every prime p, Z_p* has a generator.
Number Theory Review
Euclid's algorithm to compute gcd(m, n): divide repeatedly until no divisor is left:
m = q_0 n + r_0,                 0 ≤ r_0 < n
n = q_1 r_0 + r_1,               0 ≤ r_1 < r_0
r_0 = q_2 r_1 + r_2,             0 ≤ r_2 < r_1
...
r_{k-2} = q_k r_{k-1} + r_k,     0 ≤ r_k < r_{k-1}
r_{k-1} = q_{k+1} r_k.
(Why is convergence guaranteed?)
Theorem: gcd(m, n) = r_k.
Proof: r_k divides all r_i's, hence r_k | m, n.
Conversely, if d | m, n, then d | r_i for every i, including r_k.
Extended Euclid's Algorithm
• Compute u, v such that gcd(m, n) = um + vn.
• Maintain u_i, v_i such that r_i = u_i m + v_i n (“loop invariant”).
When the last r is reached, u and v are found.
• Given r_{i-2} = u_{i-2} m + v_{i-2} n and r_{i-1} = u_{i-1} m + v_{i-1} n, we have
r_i = r_{i-2} - q_i r_{i-1}
    = (u_{i-2} m + v_{i-2} n) - q_i (u_{i-1} m + v_{i-1} n)
    = (u_{i-2} - q_i u_{i-1}) m + (v_{i-2} - q_i v_{i-1}) n.
Hence,
u_i = u_{i-2} - q_i u_{i-1} and v_i = v_{i-2} - q_i v_{i-1}.
• Initial conditions: For r_0 = m - q_0 n, we have r_{-1} = n, r_{-2} = m, and
u_{-1} = 0, v_{-1} = 1,
u_{-2} = 1, v_{-2} = 0.
Extended Euclid's Algorithm
E.g. Compute gcd(100, 18) with the u, v coefficients:

  i   |  -2    -1     0     1     2     3
  r_i | 100    18    10     8     2     0
  q_i |   -     -     5     1     1     4
  u_i |   1     0     1    -1     2     -
  v_i |   0     1    -5     6   -11     -
                                (*)
(*) ⇒ gcd(100, 18) = 2, and 2 = 2*100 - 11*18.
Number Theory Review
Def: m, n ∈ Z are relatively prime if gcd(m, n) = 1.
Def: Z_n*: the numbers in Z_n relatively prime to n.
E.g., Z_6* = {1, 5}, Z_7* = {1, 2, 3, 4, 5, 6}.
Def: φ(n) = |Z_n*|.
E.g., φ(6) = 2, φ(7) = 6.
Theorem: If n is prime, φ(n) = n - 1.
Theorem (Euler): For all m ∈ Z_n*, we have
m^φ(n) ≡ 1 (mod n).
(This result generalizes Fermat's theorem to composite values of n.)
Number Theory Review
Chinese Remainder Theorem: For n_1, n_2, ..., n_k pairwise relatively prime, the system
x ≡ r_1 (mod n_1)
x ≡ r_2 (mod n_2)
...
x ≡ r_k (mod n_k)
has a unique solution in Z_n, where n = n_1 n_2 ... n_k.
E.g., x ≡ 1 (mod 3), x ≡ 1 (mod 4) ⇒ x ≡ 1 (mod 12).
But x ≡ 1 (mod 2), x ≡ 1 (mod 4) is either 1 or 5 in Z_8,
whereas x ≡ 1 (mod 2), x ≡ 2 (mod 4) has no solutions.
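The extended Euclid recurrence with its gcd(100, 18) table from the earlier slides, and the CRT examples on this slide, as one added Python example that is not from the lecture notes. The function names are assumptions, and the CRT solver goes beyond the slide's pairwise-coprime statement: it combines congruences through gcd so that it also reports the two non-coprime cases above (several solutions, or none).

```python
# Added example (not from the slides): extended Euclid tracking the invariant
# r_i = u_i*m + v_i*n exactly as in the gcd(100, 18) table, then a CRT solver
# built on it that handles non-coprime moduli, so the slide's Z_8 edge cases
# (two solutions, or no solution) are detected instead of silently mishandled.


def ext_gcd(m, n):
    """Return (g, u, v) with g = gcd(m, n) = u*m + v*n, using
    u_i = u_{i-2} - q_i*u_{i-1}, v_i = v_{i-2} - q_i*v_{i-1} and the initial
    conditions r_{-2} = m, r_{-1} = n, (u,v)_{-2} = (1, 0), (u,v)_{-1} = (0, 1)."""
    r_prev, r = m, n
    u_prev, u = 1, 0
    v_prev, v = 0, 1
    while r != 0:
        q = r_prev // r                          # q_i
        r_prev, r = r, r_prev - q * r            # r_i = r_{i-2} - q_i r_{i-1}
        u_prev, u = u, u_prev - q * u
        v_prev, v = v, v_prev - q * v
    return r_prev, u_prev, v_prev                # last non-zero remainder r_k


def crt(residues, moduli):
    """Solve x = r_i (mod n_i) for all i. Returns (x, N) with x unique mod N,
    or None if the system is inconsistent. Two congruences x = a (mod N) and
    x = r (mod n) combine iff gcd(N, n) divides r - a, and then only mod lcm."""
    x, N = 0, 1
    for r, n in zip(residues, moduli):
        g, u, _ = ext_gcd(N, n)                  # u*N + v*n = g
        if (r - x) % g != 0:
            return None                          # e.g. x=1 (mod 2), x=2 (mod 4)
        lcm = N * n // g
        # Need x + N*t = r (mod n); divide by g: (N/g)*t = (r-x)/g (mod n/g),
        # and u is the inverse of N/g mod n/g, so t = ((r-x)/g)*u (mod n/g).
        t = ((r - x) // g) * u % (n // g)
        x = (x + N * t) % lcm
        N = lcm
    return x, N


if __name__ == "__main__":
    print(ext_gcd(100, 18))          # (2, 2, -11): 2 = 2*100 - 11*18
    print(crt([1, 1], [3, 4]))       # (1, 12)
    print(crt([1, 1], [2, 4]))       # (1, 4): 1 or 5 in Z_8
    print(crt([1, 2], [2, 4]))       # None
```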