Cryptography:
Helping Number Theorists Bring
Home the Bacon Since 1977
Dan Shumow SDE
Windows Core Security
[email protected]
Windows Core Security
1
© 2006 Microsoft Corp
Outline
• Introduction
• Symmetric Key Encryption
• Key Distribution:
Diffie-Hellman Key Generation
• Elliptic Curve Cryptography
Introduction
• Cryptography, what is it and why should
we care?
– Cryptography is the science of communicating
secretly.
– Today so much communication is done over
the internet and radio waves, and these
media are very prone to eavesdropping.
Cryptography allows people to communicate
securely across these media.
Cryptography
Allows Alice to communicate with Bob
without being overheard by Eavesdropper
Eve.
[Figure: Alice and Bob exchanging messages, with Eve listening on the channel between them.]
Symmetric Key
Encryption
• Alice and Bob share a secret key K.
• They use an encryption function c = E_K(p), where p is the plaintext and c is the ciphertext.
• It has to be reversible: p = D_K(c).
• If Alice wants to send Bob a message m, she computes c = E_K(m) and sends c to Bob.
• Bob computes m = D_K(c).
Symmetric Key
Encryption
• Want it to be hard to compute p from c without knowing K. So if Eve doesn't know K it is hard for her to compute m even if she intercepts c.
• Want E_K and D_K to be easy to compute, so there is little overhead to communication.
• Want K to be hard to calculate given p and c (a known-plaintext attack). Otherwise, if Eve can guess parts of the message, she can recover the key and read everything else encrypted under it.
Symmetric Key
Encryption
Examples:
– Substitution Ciphers: substitute each letter of the alphabet for another one.
– One Time Pads: a key that is the same length as the message, used only once.
– Modern Ciphers
• Stream Ciphers: RC4
• Block Ciphers: DES, AES
(RC4 and DES are listed as historical examples; both are now considered broken, and AES is the block cipher to use in new designs.)
Symmetric Key
Encryption
Attacks on Encryption Algorithms:
– Substitution Ciphers: frequency attacks (the letter frequencies of the plaintext language survive the substitution).
– One Time Pads are provably secure, provided the key is truly random, kept secret and never reused.
– Modern Attacks:
• Linear Cryptanalysis looks for a linear relationship (an XOR of some plaintext, ciphertext and key bits) that holds with probability noticeably different from 1/2. (Known Plaintext Attack.)
• Differential Cryptanalysis looks at how differences in plaintext cause differences in ciphertext. (Chosen Plaintext Attack.)
Symmetric Key
Encryption
Modern Encryption Algorithm Design Techniques
– Confusion and Diffusion (Shannon)
• Diffusion means each bit of the ciphertext depends on many bits of the plaintext (possibly all), so changing one plaintext bit changes about half of the ciphertext bits.
• Confusion means the relationship between the key and the ciphertext is complicated: each ciphertext bit depends on many key bits in a non-linear way, so the statistics of the ciphertext reveal little about the key.
– Non-Linearity: the encryption function is not linear, i.e. it cannot be written as a matrix over GF(2) applied to the plaintext and key bits.
• Prevents Linear Cryptanalysis: a linear cipher could be solved exactly from a handful of known plaintext/ciphertext pairs.
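The non-linearity requirement can be measured directly. The following is an added example (not from the original slides): it computes the best linear approximation of a 4-bit S-box, which is exactly what a linear cryptanalyst looks for, using the published PRESENT S-box and, for contrast, a deliberately linear bijection constructed here. The function names and the linear S-box are this example's own choices.

```python
# Added example (not from the original slides): measure how well a 4-bit S-box
# resists linear cryptanalysis by finding its best linear approximation.
#
# For an input mask a and output mask b, a linear approximation is the equation
#     a.x  XOR  b.S(x) = 0        (. = parity of the bitwise AND)
# Its bias is |Pr[equation holds] - 1/2|.  A linear S-box has an approximation
# with bias 1/2 (it holds for every input); a good non-linear S-box keeps every
# bias small, which is the "non-linearity" the slides say defeats linear
# cryptanalysis.  The attack cost grows like 1 / bias^2 known plaintexts.

from itertools import product

def parity(v: int) -> int:
    """Parity of the set bits of v (the dot product over GF(2))."""
    return bin(v).count("1") & 1

def linear_bias(sbox, a: int, b: int) -> float:
    """Bias of the approximation a.x = b.S(x) over all inputs x."""
    n = len(sbox)
    holds = sum(1 for x in range(n) if parity(a & x) == parity(b & sbox[x]))
    return abs(holds / n - 0.5)

def max_linear_bias(sbox):
    """Largest bias over all input masks and all non-trivial output masks.

    Returns (bias, a, b) for the strongest approximation.
    """
    n = len(sbox)
    best = (0.0, 0, 0)
    for a, b in product(range(n), range(1, n)):
        bias = linear_bias(sbox, a, b)
        if bias > best[0]:
            best = (bias, a, b)
    return best

def is_bijection(sbox) -> bool:
    """An S-box must be invertible for decryption to exist."""
    return sorted(sbox) == list(range(len(sbox)))

# The 4-bit S-box of the PRESENT block cipher (a published constant).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

# A deliberately linear 4-bit "S-box" constructed for this example:
# S(x) = x XOR (x >> 1).  It is a bijection, but every output bit is an XOR
# of input bits, so it is the "small matrix" function the slides warn against.
LINEAR_SBOX = [x ^ (x >> 1) for x in range(16)]

if __name__ == "__main__":
    for name, sbox in (("PRESENT", PRESENT_SBOX), ("linear", LINEAR_SBOX)):
        bias, a, b = max_linear_bias(sbox)
        print(f"{name:8s} bijection={is_bijection(sbox)} "
              f"max bias={bias:.3f} at input mask {a:#x}, output mask {b:#x}")
```

For the linear S-box the approximation with input mask 0x3 and output mask 0x1 (output bit 0 = x0 XOR x1) holds for every input, bias 1/2; for PRESENT no approximation does better than bias 1/4, the best any 4-bit bijection can achieve. A full cipher chains S-box approximations across rounds, so every round's S-box bias multiplies into the attack cost.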
Symmetric Key
Encryption
Problem: Key Distribution
– Shouldn't keep using the same key forever: the more ciphertext Eve collects under K, the better her chances of recovering it, and one compromise exposes everything ever sent under K.
– Need to establish a shared secret key:
• Could agree to physically meet and establish keys.
• But what if you want to communicate with someone on the other side of the world?
Key distribution is a big problem.
Diffie-Hellman
Key Generation
Basic Idea:
1. Alice and Bob agree on an integer g.
2. (a) Alice secretly chooses an integer x, computes X = g^x and sends it to Bob.
   (b) Bob secretly chooses an integer y, computes Y = g^y and sends it to Alice.
3. (a) Alice computes Y^x = (g^y)^x = g^(xy).
   (b) Bob computes X^y = (g^x)^y = g^(xy).
4. Alice and Bob both share g^(xy), which they can use to create a secret key.
Diffie-Hellman
Key Generation
Wait!! It's not secure. If Eve overhears what g, X and Y are she can compute
x = log_g X and y = log_g Y
(over the integers or the reals, logarithms are easy to compute) and use this information to calculate g^(xy).
To make this secure Alice and Bob pick a large prime number P and reduce everything mod P (take the remainder after division by P).
Diffie-Hellman
Key Generation
New and Improved Idea:
1. Alice and Bob agree on an integer g and a prime P.
2. (a) Alice secretly chooses an integer x, computes X = g^x mod P and sends it to Bob.
   (b) Bob secretly chooses an integer y, computes Y = g^y mod P and sends it to Alice.
3. (a) Alice computes Y^x mod P = (g^y)^x mod P = g^(xy) mod P.
   (b) Bob computes X^y mod P = (g^x)^y mod P = g^(xy) mod P.
4. Alice and Bob both share the value g^(xy) mod P, which they can use to create a secret key.
Diffie-Hellman
Key Generation
By adding the prime P into the equation we now need to make sure that g is a "generator" mod P. This means that for every integer x in {1, 2, 3, ..., P-1} there exists an integer d such that:
x = g^d mod P.
d is called the "discrete log" of x to the base g mod P.
Diffie-Hellman
Key Generation
Why Does This Work?
1. Because the integers {1, ..., P-1} under multiplication mod P form a cyclic group, and g is a generator of it.
2. It is hard to compute discrete logs to the base g mod P when P is large.
Given these two things:
1. This algorithm works.
2. It is hard for Eve to calculate g^(xy) mod P from g, P, X and Y.
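The exchange above, the generator check, and Eve's attack when P is too small, as an added example that is not part of the original slides. The parameters P = 23, g = 5 and the secrets x = 6, y = 15 are toy values chosen here for illustration; the function names are this example's own.

```python
# Added example (not from the original slides): Diffie-Hellman over the
# integers mod a prime P, with the generator check the slides call for and a
# brute-force discrete log showing why P must be large.  P = 23, g = 5 are
# toy parameters for illustration only.

def factor(n: int) -> set:
    """Prime factors of n by trial division (fine for toy sizes only)."""
    primes, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            primes.add(d)
            n //= d
        d += 1
    if n > 1:
        primes.add(n)
    return primes

def is_generator(g: int, P: int) -> bool:
    """True if g generates the whole multiplicative group {1, ..., P-1} mod P.

    g has order P-1 exactly when g^((P-1)/q) != 1 (mod P) for every prime
    factor q of P-1.  This is the slides' condition ("every x in
    {1, ..., P-1} is some power of g") checked without listing all powers.
    """
    if not 1 < g < P:
        return False
    return all(pow(g, (P - 1) // q, P) != 1 for q in factor(P - 1))

def dh_public(g: int, P: int, secret: int) -> int:
    """X = g^secret mod P: the value each party sends over the wire."""
    return pow(g, secret, P)

def dh_shared(peer_public: int, P: int, secret: int) -> int:
    """Shared value = peer_public^secret mod P = g^(xy) mod P."""
    return pow(peer_public, secret, P)

def discrete_log_bruteforce(g: int, P: int, target: int) -> int:
    """Eve's attack: find d with g^d = target (mod P) by trying every exponent.

    Costs O(P) multiplications, so it is only feasible for toy P; for a
    2048-bit prime it is hopeless, which is the whole point of mod-P DH.
    """
    value = 1
    for d in range(P - 1):
        if value == target:
            return d
        value = value * g % P
    raise ValueError("no discrete log (g is not a generator or target is 0)")

def demo(P: int = 23, g: int = 5, x: int = 6, y: int = 15) -> dict:
    """Run one exchange plus Eve's recovery of x; returns every intermediate value."""
    if not is_generator(g, P):
        raise ValueError("g must generate the group mod P")
    X = dh_public(g, P, x)                 # Alice -> Bob
    Y = dh_public(g, P, y)                 # Bob -> Alice
    k_alice = dh_shared(Y, P, x)           # Alice: Y^x
    k_bob = dh_shared(X, P, y)             # Bob:   X^y
    assert k_alice == k_bob                # both hold g^(xy) mod P
    # Eve sees (g, P, X, Y) on the wire; with P this small she just solves for x.
    x_recovered = discrete_log_bruteforce(g, P, X)
    return {"X": X, "Y": Y, "shared": k_alice,
            "x_recovered": x_recovered,
            "eve_shared": dh_shared(Y, P, x_recovered)}

if __name__ == "__main__":
    print(demo())
```

With a 2048-bit P (for example the groups published in RFC 3526) the same code runs just as fast for Alice and Bob, since pow is modular exponentiation, while the brute-force loop becomes impossible. In practice the secrets must come from a cryptographic random source, g is usually chosen to generate a large prime-order subgroup rather than the whole group, and the shared value g^(xy) mod P is fed through a key-derivation function rather than used directly as a key.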
Groups
• A group is a set G with a binary operation ·: G × G → G with the following properties:
1. Associativity: a(bc) = (ab)c
2. Identity Element: there exists e in G such that for all a in G, ea = ae = a.
3. Inverses: for all a in G there exists an element a^-1 in G such that aa^-1 = a^-1a = e.
Special Groups
• Abelian Groups are groups that have a fourth axiom:
4. Commutative: for all a and b in G, ab = ba.
• Cyclic Groups are groups that have a generator g, where g is an element of G such that for all a in G: a = g^x for some integer x.
Note that all Cyclic groups are Abelian. Can you see why? (Powers of one element commute: g^x g^y = g^(x+y) = g^y g^x.)
Special Groups
• Multiplicative Groups are groups where the operation is called multiplication. Example: the group of n×n invertible matrices.
• Additive Groups are groups where the operation is called addition. By convention the operation is only written as addition when the group is abelian. Example: the integers.
Diffie-Hellman
Key Generation
What does this all mean for Diffie-Hellman
Key Generation?
Answer: It means that Diffie-Hellman will
work as a key exchange algorithm in any
cyclic group where computing discrete
logarithms is hard.
Elliptic Curve
Cryptography
• Elliptic Curves are a way of modifying existing
crypto systems like DH to make them “stronger.”
• “Stronger” means the expected time of an attack
is longer with equal key sizes.
• This allows us to use smaller key sizes and
therefore speed up the whole process.
• This makes ECC very useful for small devices
like phones or other embedded systems.
Elliptic Curves
• An Elliptic Curve gives such an alternate group. The group consists of all points (x, y) satisfying y^2 = x^3 + ax + b, together with a point at infinity, where x, y, a and b are all elements of a field F (with 4a^3 + 27b^2 ≠ 0, so the curve is non-singular). The points form an abelian group; for cryptography one works in a large cyclic subgroup generated by a chosen base point.
Fields
• A field is a set that has mathematical
operations multiplication and addition that
behave in nice ways.
• Basically a field is any set that you can do
everything from your high school algebra
class in.
Fields
A field F is a set S along with two binary operations (+, ·) that have the following properties:
1. S contains two distinct elements 0 and 1.
2. (S - {0}, ·) is an abelian multiplicative group with identity 1.
3. (S, +) is an abelian additive group with identity 0.
4. Multiplication is distributive on the left and the right:
a·(b+c) = a·b + a·c
(a+b)·c = a·c + b·c
The fields used in cryptography are finite: the integers mod a prime P, and the binary fields GF(2^n).
Elliptic Curves
Group operation: Let P = (x_P, y_P) and Q = (x_Q, y_Q) be points on an Elliptic Curve E. Then
R = P + Q = (x_R, y_R)
is defined by:
x_R = s^2 - x_P - x_Q
y_R = -y_P + s(x_P - x_R)
where:
s = (y_P - y_Q)/(x_P - x_Q) if x_P ≠ x_Q
or
s = (3x_P^2 + a)/(2y_P) if P = Q (point doubling, the tangent slope).
If x_P = x_Q but y_P = -y_Q (so Q = -P), the sum is the point at infinity. All arithmetic, including the division, is done in the field F.
Identity: A "point at infinity" is added to the set of points on the curve. This point is infinitely far along the y axis.
Elliptic Curves
Intuition: If you have 2 points on this curve, they define a line that intersects the curve at exactly 1 other point. P + Q is the reflection of that third point about the x axis (for P + P, use the tangent line at P). Inverses are reflections about the x axis.
Elliptic Curve
Cryptography
Newer and more Improved Idea:
1. Alice and Bob agree on an Elliptic Curve E (specified
by the field F and parameters a, b) and a base point g
on E.
2. (a) Alice secretly chooses integer x, computes
X = xg and sends it to Bob.
(b) Bob secretly chooses integer y, computes
Y = yg and sends it to Alice.
3. (a) Alice computes: xY = x(yg) =xyg.
(b) Bob computes: yX = y(xg) =yxg=xyg.
4. Alice and Bob both share the point xyg which they can
use to create a secret key.
Elliptic Curve
Cryptography
• In the preceding example all math is done in the group of points on E. The group is written additively, so the role of exponentiation in DH is played by scalar multiplication: xg means g added to itself x times (computed efficiently by repeated doubling and adding, not x separate additions).
• Because the points of an Elliptic Curve form a group, we are guaranteed that all these operations are well defined.
• Computing discrete logarithms on elliptic curves (recovering x from xg) is difficult, so Eve cannot recover the secret values and determine the shared point xyg.
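The group law from the "Elliptic Curves" slides and the exchange above, as an added example that is not part of the original slides. The curve y^2 = x^3 + 2x + 2 over F_17 with base point G = (5, 1), the secrets x = 3, y = 10, and all class and function names are this example's own choices; real systems use standardised curves with fields of around 256 bits.

```python
# Added example (not from the original slides): the chord-and-tangent group
# law over a small prime field, scalar multiplication by double-and-add, and
# the elliptic-curve Diffie-Hellman exchange.  The curve y^2 = x^3 + 2x + 2
# over F_17 with G = (5, 1) is a toy choice for illustration only.

from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None is the point at infinity (identity)

class Curve:
    def __init__(self, p: int, a: int, b: int):
        # A singular curve (4a^3 + 27b^2 = 0) does not give a group: reject it.
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve")
        self.p, self.a, self.b = p, a, b

    def contains(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P: Point) -> Point:
        """Inverse: reflection about the x axis."""
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P: Point, Q: Point) -> Point:
        """P + Q using the slope formulas from the slides; pow(v, -1, p) is
        the field inverse (Python 3.8+)."""
        if P is None:
            return Q
        if Q is None:
            return P
        xP, yP = P
        xQ, yQ = Q
        if xP == xQ and (yP + yQ) % self.p == 0:
            return None                      # Q = -P (covers doubling with y = 0)
        if P != Q:
            s = (yP - yQ) * pow(xP - xQ, -1, self.p)               # chord
        else:
            s = (3 * xP * xP + self.a) * pow(2 * yP, -1, self.p)   # tangent
        xR = (s * s - xP - xQ) % self.p
        yR = (-yP + s * (xP - xR)) % self.p
        return (xR, yR)

    def mul(self, k: int, P: Point) -> Point:
        """k*P by double-and-add: the additive-group version of g^k."""
        R, Q = None, P
        while k > 0:
            if k & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            k >>= 1
        return R

    def order(self, P: Point) -> int:
        """Smallest n > 0 with n*P = infinity, by brute force (toy sizes only)."""
        n, Q = 1, P
        while Q is not None:
            Q = self.add(Q, P)
            n += 1
        return n

def ecdh(curve: Curve, G: Point, x: int, y: int):
    """Alice (secret x) and Bob (secret y) each derive the point x*y*G.
    Returns (Alice's result, Bob's result, X, Y)."""
    X = curve.mul(x, G)              # Alice -> Bob
    Y = curve.mul(y, G)              # Bob -> Alice
    return curve.mul(x, Y), curve.mul(y, X), X, Y

def ecdlp_bruteforce(curve: Curve, G: Point, target: Point) -> int:
    """Eve's attack: find k with k*G = target by walking through multiples of G.
    Linear in the group size, so hopeless on a 256-bit curve."""
    k, Q = 0, None
    while Q != target:
        Q = curve.add(Q, G)
        k += 1
        if k > 2 * curve.p + 3:      # beyond the Hasse bound: not a multiple of G
            raise ValueError("not a multiple of G")
    return k

E = Curve(p=17, a=2, b=2)
G = (5, 1)

if __name__ == "__main__":
    k_alice, k_bob, X, Y = ecdh(E, G, x=3, y=10)
    print(f"order of G = {E.order(G)}, X = {X}, Y = {Y}, shared = {k_alice}")
    print("Eve recovers x =", ecdlp_bruteforce(E, G, X))
```

Here G has prime order 19, so every multiple of G other than infinity is again a generator of the same cyclic subgroup, which is why secrets are taken mod 19. A production implementation additionally validates received points (on the curve, not infinity, in the right subgroup) before multiplying by its secret, and uses constant-time scalar multiplication; the double-and-add loop above branches on secret bits and would leak them through timing.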