1 cosc 350: codes and ciphers public-key cryptography march 26, 2002 prof. dorothy e. denning
DESCRIPTION
3 Origins of Public Key Concept credited to Diffie and Hellman, 1976 “New Directions in Cryptography” Motivation - They wanted a scheme whereby Alice could send a message to Bob without the need for Alice and Bob to share a secret or for a Trusted Third Party -- called “public-key” because Alice & Bob need only exchange public keys to set up a secret channel Invented earlier by British at CESGTRANSCRIPT
1
COSC 350: Codes and Ciphers
Public-Key Cryptography
March 26, 2002
Prof. Dorothy E. Denning
2
Public-Key Cryptography
Each user has a unique public-private key pairAlice - KApriv, KApub
Bob - KBpriv, KBpub
The public key can be given to anyoneThe private key is not shared with anyone, including a trusted
third party (authentication server)The public key is a one-way function of the private-key (hard
to compute private key from public one)Used for key distribution/agreement, message encryption, and
digital signatures
3
Origins of Public Key
Concept credited to Diffie and Hellman, 1976“New Directions in Cryptography”
Motivation - They wanted a scheme whereby Alice could send a message to Bob without the need for Alice and Bob to share a secret or for a Trusted Third Party -- called “public-key” because Alice & Bob need only exchange public keys to set up a secret channel
Invented earlier by British at CESGhttp://www.cesg.gov.uk/about/nsecret.htm
4
5
Public-Key Agreement
Method whereby Alice and Bob can agree on a secret key to use with DES, AES, or some other symmetric encryption algorithm
They do this after exchanging only public keysThey each compute a secret session key K from their
own private key and the other’s public key. They both arrive at the same K independently
6
Diffie-Hellman Method
Shared prime p and generator gAlice: private xa and public ya = gxa mod p
xa = logg ya mod p (hard to compute)
Bob: private xb and public yb = gxb mod pThey swap public keysAlice computes: K = ybxa mod p = gxb xa mod pBob computes: K = yaxb mod p = gxa xb mod p
7
Math Strength
Depends on difficulty of computing the discrete logarithm
The best known methods are exponentially hard - same as factoring
e.g., given n, find p, q where n = p * qNeed to use numbers on the order of 768 bits (230
digits) or biggerImplementations typically use 512 (155), 1024 (310)
or 2048 (621) bits (digits).
8
On The Fly Approach
Alice and Bob generate xa, xb, ya, yb on the flyThey exchange ya and yb and compute KWhat are drawbacks?What applications are appropriate?
9
Permanent
Alice and Bob generate permanent keys and deposit ya and yb in public database (key center)
Alice gets yb from database (or from Bob)Alice computes K = ybxa mod p = gxb xa mod p Alice -> Bob: ya, C = EK(M)
(or Bob could get ya from database)Bob computes K = yaxb mod p = gxa xb mod p Bob decrypts C with K to get MWhat are drawbacks?
10
Hybrid Approach
Alice & Bob generate xa, xb and deposit public keys ya, yb
Alice gets yb from database (or from Bob)Alice generates temporary pair xt, yt Alice computes K = ybxt mod p = gxb xt mod p Alice -> Bob: yt, EK(M)
Bob computes K = ytxb mod p = gxt xb mod p and decrypts M
11
Public-Key Encryption
The public and private keys are used for message encryption and decryption for purpose of secrecy
Alice encrypts message to Bob with Bob’s public key
Bob decrypts messages to him with his private keyIn practice, public-key encryption is used to encrypt
and decrypt messages that contain symmetric keys (e.g., for DES/AES), and the symmetric keys are used to encrypt/decrypt the data
12
Sending Messages
To send message M to Bob, only Bob’s keys usedAlice -> Bob: C = EBpub(M)Bob decrypts: M = DBpriv(C)
In practice, use to distribute symmetric key KAlice -> Bob: CK = EBpub(K), CM = EK(M) Bob decrypts: K = DBpriv(CK), M = DK(CM)Alice and Bob then use K to encrypt/decrypt messages
13
RSA Method
Ron Rivest, Adi Shamir, Leonard Adleman1977 -- all at MIT at the time
Basic idea: an exponentiation cipher where the modulus is the product of two large primes
Mathematical strength is derived from the difficulty of factoring a number into its primes
14
15
At Crypto 82
16
RSA
Pick primes p and q and compute n = p * qPick e, d such that e * d = 1 mod (n)
(n) = (p-1) * (q-1)(e, n) is public key(d, n) is private key - (p, q) also part of private key, but not
used after computation of d and eEncrypt: C = Me mod nDecrypt: M = Cd mod n
17
Example
p = 53, q = 61, n = 53 * 61 = 3233pick e = 71compute d such that
71 * d = 1 mod (52 * 60) get d = 791
Let M = 1704C = 170471 mod 3233 = 3106.M = 3106791 mod 3233 = 1704.
18
Theory
Proof sketch for (n) = (p-1) * (q-1)(n) = # primes < n relatively prime to nconsider the n=pq numbers 0, 1, ..., pq-1all are relatively prime to n except for 0 and
p-1 elements: q, 2q, 3q, ..., (p-1)qq-1 elements: p, 2p, 3p, ..., (q-1)p
so (n) = pq - [(p-1) + (q-1) + 1]= pq - p - q + 1 = (p-1)(q-1)
19
Factoring
Given a number n, find primes p1, p2, ..., pk such that n = p1 * p2 * ... * pk
For RSA, there are known to be only 2 factors:n = p * q
Factoring arbitrary numbers is harder than factoring special types of numbers, e.g., numbers of the form n = 2s - 1 (Mersenne number)
Breaking RSA can be no harder than factoring, but could be easier
20
History of FactoringYear # Digits Method1970 41 Continued Fraction - Morrison-Brillhart1980 501982 551983 621984 721991 100 Quadratic Sieve1993 120 Quadratic Sieve1994 129 Quadratic Sieve (RSA predicted 40 quadrilllion years!)1996 130 Number Field Sieve (1000 MIPS yrs)1999 140 Number Field Sieve (2000 MIPS yrs, 8.9 CPU yrs)2000 155 Number Field Sieve (35.7 CPU yrs) (512 bits)???? 174 RSA challenge not yet factored (576 bits)
21
Proposed Advances
• The Weizmann Institute Key Locating Engine (TWINKLE)– code breaking machine design by Adi Shamir– 6-by-6-inch electro-optical computer– measures light from diodes to perform calculations to break keys
• Daniel Bernstein proposal to NSF– special purpose hardware to facilitate sieving and matrix reduction– trades time for memory– would allow factorization of numbers with 3 times as many bits
for large n• might need 3,072-bit key instead of 1,024-bit key
22
Quadratic Sievefastest algorithm for numbers up to 110 digitsAug. 93 - Mar. 94 - 129-digit number factored in effort led
by Arjen LenstraUsed double large prime variation of the multiple
polynomial QS600 people, 1,600 machines on the Internet using e-mail to
communicateEquivalent to about 5,000 MIPS years
1 MIPS year is computation over 1 year at rate of 1 M instructions/sec
23
Number Field Sieve
fastest method for numbers > 110 digits1996 - 130-digit number factored on the Internet --
again led by LenstraTook only 500 MIPS years!Lenstra estimated that 50,000 Pentium PCs could
break a 155 digit (512-bit key) in a few daysT = exp((1.923 + O(1))(ln(n)1/3(ln(ln(n)))2/3)
24
RSA-512 Factored
Factored August 22, 1999Used General Number Field Sieve
line sieving and lattice sieving35.7 CPU years; 8000 MIPS yearsElapsed time: 7.4 months
Polynomial selection: 9 weeksSieving: 3.7 months produced over 124 million relations
11 sites participatedMatrix solution: 224 CPU hours and 3.2 GB memory on Cray C916 to solve matrix with about 6.7 million rows and columns
25
QS and NFS
Use random square factoringFind x and y such that x2 = y2 mod nThen
x2 - y2 = 0 mod n => (x-y)(x+y) = 0 mod nIf x y mod n then
gcd(x-y, n) yields a prime factor of n probability of this is at least 1/2
So trick is generating numbers that are squares
26
Random Square Factoring
• Two-phase process– 1) Sieving/collection
• Find number to put into a matrix• Takes gobs of time for large numbers• Effort can be distributed
– 2) Matrix reduction/solution• Find entries in matrix that, when combined, give pairs (x, y) of
squares• Takes reasonable time, but not distributable• Uses gobs of memory
27
factor n = 24961factor base = {-1,2, 3, 5, 13, 23}compute m = sqrt n = 157
i z b factorization of b a v1 0 -312 -1 * 23 * 3 * 13 157 1 1 1 0 1 02 1 3 3 158 0 0 1 0 0 03 -1 -625 -1 * 54 156 1 0 0 0 0 04 2 320 26 * 5 159 0 0 0 1 0 05 -2 -936 -1 * 23 * 32 * 13 155 1 1 0 0 1 06 4 960 26 * 3 * 5 161 0 0 1 1 0 07 -6 -2160 -1 * 24 * 33 * 5 151 1 0 1 1 0 0
a = z + mb = a2 - n so b = a2 mod n
want x, y such that x2 = y2 mod n
b3 * b6 * b7 = a32 * a62 * a72 = (a3 * a6 * a7)2 mod n
x = a3 * a6 * a7 mod n = 156 * 161 * 151 mod n = 23405
y2 = b3 * b6 * b7 mod n = 210 * 34 * 56 mod ny = - 25 * 32 * 53 mod n = 13922
gcd (x-y, n) = gcd (9483, 24961) = 109 = first factor
compute n/109 = 229 = second factor
28
Generating Primes
• For RSA, need to generate primes p, q• Other ciphers also require prime numbers• Guaranteed - prove the number has no factors
– must attempt to factor, which is not feasible for very large numbers
• Probabilistic - no guarantee– but can say with some very high probability that
number is prime– much faster - practical even for very large numbers
29
Sieve of Eratosthenes
Invented around 200 B.C.Finds all primes less than NWrite down all numbers 2, 3, 4, 5, ..., NDelete multiples of 2 greater than 2Delete multiples of 3 greater than 3Continue up to sqrt(N)When done, have all primes < NTotally impractical for 200 digit numbers!
30
Practical Method
Prick random n-bit number pSet low-order and high-order bit to 1Is p divisible by small primes 3, 5, 7, 11, …?
go up to primes < 256 or 20003, 5, 7 - eliminates 54% of odd numbersall primes < 256 eliminates 76%
Do Rabin-Miller test 5 times. If pass all 5 tests, consider p to be prime
31
Rabin-Miller TestProbabilistic testDetails in SchneierSuppose p passes the test.The probability that p is prime is at least 3/4. Thus,
the probability that p is not prime is at most 1/4.Do test t times. If p passes all t times, then the
probability that p is not prime is at most (1/4)t. for t = 5, this is 1/1024
32
Odds of SuccessPick p at random - what are the chances that it is prime?Let z = # primes between 1 and NPrime Number Theorem:
z approaches N/ln(N) as z gets largeFor N = 10,000,000 N/ln(N) = 620,421 and z = 664,579
So odds are about 7/100For 100 digit numbers, odds are 1/115
33
Strong Primes
Defeat certain factoring methodsProperties
(p-1)/2 and (q-1)/2 should be primegcd(p-1, q-1) should be small both p-1 and q-1 should have large prime
factors, denoted p’ and q’both p’-1 and q’-1 should have large prime factors
Schneier recommends against using strong primes
34
Practical Considerationsfor Exponentiation Ciphers
Block messages according to the modulus sizeUse method of fast exponentiation
repeated squaring and multiplication for each 0 bit, square (multiply by itself)for each 1 bit, multiply and then square
(no square on last bit)if exponent has t bits, # of multiplies is T where
t <= T <= 2t - 1
35
Example
25 = 1 1 0 0 1a25 mod n = a16 * a8 * a mod nhow many multiplies?
89 = 1 0 1 1 0 0 1a89 mod n = a64 * a16 * a8 * a mod nhow many multiplies?
36
Fast Exponentiationfunction fastexp(a, z, n) - “return az mod n”a1 := a; z1 := z; x:= 1;while z1 != 0 do begin while z1 mod 2 = 0 do begin “square a1 while z1 is even” z1 := z1 div 2; a1 := (a1 * a1) mod n end; z1 := z1 - 1; x := (a1 * x) mod n “multiply”end;fastexp := x;end
37
Digital Signatures: Objectives
Message integrity and authenticitydetect tampering and bogus messages
Source/sender authenticitydetect forgeries
Non-repudiationsender cannot disavow signing a messagea third party -- court -- can resolve dispute
38
Public-Key Signatures
Signer has a public-private key pairThe signature is produced with the private key
only signer can do thisThe signature is validated with the public key
anyone can do this, including the intended recipient and a third party judge
No keys of the receiver are used
39
Sending a Signed Message
Alice sends a signed message to Bob using her private key. Bob validates with her public key
Alice -> Bob: (M, S) where S = signApriv(h(M)) for hashing function h
Bob checks: validateApub(M, S)
Hashing function h is public and not keyedS is function of entire message M
40
RSA Signatures
Let (e, n) be Alice’s public key and (d, n) her private key
Alice -> Bob: (M, S) where S = signApriv(h(M)) = (h(M))d mod n
Bob checks: validateApub(M, S):
h1 = h(M)h2 = Se mod n [ = (h(M))d e mod n = h(M) ]if h1 = h2 then accept else reject
41
Why Hashing
Reduces time to sign and space for signatureAlso important for securitySuppose don’t hash: what happens if you ask Alice
to sign a message sent to her?C = EApub(M) = Me mod n
S = signApriv(M) = Md mod n
42
Digital Signature Standard (DSS)
FIPS PUB 186, adopted 1994Uses variant of methods invented by ElGamal and
Schnorr, which in turn were based on Diffie-Hellman
Uses exponentiations in modular arithmetic where security is based on difficulty of computing the discrete log (as for DH)
Uses SHA for hashing
43
DSSpublic values shared by group
p - prime number - 512-1024 bitsq - 160-bit value (most computation mod q)g = h(p-1)/q mod p where h < (p-1) and g > 1
user private keyx - any number less than q
user public keyy = gx mod p
44
45
Notes
Verification is slower than with RSABoth RSA and DSS are used extensively -- many
products support bothDSS not designed for encryption -- use with Diffie-
Hellman key exchange
46
Encrypt & Sign With RSA
Alice generates K & computes CK = EBpub(K)CM = EK(M) S = signApriv(M)
Alice -> Bob: CK, CM, S Bob computes
K = DBpriv(CK) M = DK(CM) validateApub(M, S)
47
ciphertextkey
ciphertextmessage
signature
Dear Bob …
Love,Alice
hash sign
enc
enc dec
dec
ok?
random K
KBobpub
KSAlicepriv
Dear Bob …
KK
Alice Bob
sent to Bob
KBobpriv
KSAlicepub
certificate
password
password
48
E-Mail In PracticeAlice composes message M to Bob and clicks button “send
signed and encrypted”Alice’s system prompts Alice for password, which unlocks her
private signature keyAlice’s system looks up Bob’s public key-encrypting key. It
generates K, and computes CK, CM, and SWhen Bob gets message, he clicks on button “decrypt and
validate”Bob’s system prompts him for a password, which unlocks his
private key-encrypting key. It decrypts CK and then CMBob’s system looks up Alice’s public signature key and
validates S. It displays M and whether S was OK
49
Login AuthenticationChallenge-Response
Alice logs onto serverServer sends Alice a challenge MAlice returns M and her signature S of itServer validates S and knows it is Alice
50
Elliptic Curve Cryptography
Can implement schemes analogous to Diffie-Hellman and DSA using elliptic curves mod p instead of the integers mod p
Computing discrete logs is thought to be much harder in elliptic curve than integers mod p
Comparable security with shorter keys160 bits comparable to 1024 RSA/DH108 bits broken in 4 months using 9,500 computers
So less storage needed for keysOrder of magnitude speedup
51
Elliptic Curves
An elliptic curve is a set of points (x,y) that solve an equation of a particular form, e.g.,
y2 mod p = x3 + ax + b mod p where a, b < p and
4a3 + 27b2 != 0 mod p (then a group)Can compute over the numbers on an elliptic curve -
there is a group operationTutorial at
<http://www.certicom.com/research/online.html>
52
EC Arithmetic Rules
1. infinity + infinity = infinity2. (x, y) + infinity = (x, y)3. (x, y) + (x, -y) = infinity4. (x1, y1) + (x2, y2)5. 2 (x, y)
scalar multiplication by doubling and adding
53
<http://www.certicom.com/research/online.html>
Elliptic curve over real numbers
54
<http://www.certicom.com/research/online.html>
55
<http://www.certicom.com/research/online.html>
56
Elliptic curve overfinite field Fp
(integers mod p)where p = 23
<http://www.certicom.com/research/online.html>
57
EC Diffie-Hellman
Global values: p, a, b, P - P is (x, y) point on curveAlice’s private key dA (integer), public key QA = dA PBob’s private key dB, public key QB = dB PAlice and Bob exchange QA and QB
Alice computes secret value (also point on curve)S = dA QB = dA dB P
Bob computes secret valueS = dB QA = dB dA P
Alice and Bob compute symmetric key K from Se.g., K = x where S = (x, y)
58
Key Lengths
Symmetric RSA,DH/DSA
ECC,Hash
Breakable 56 512 112
Adequate 80 1,024 161
StrongNear term
128 3,072 256
Long term 256 15,360 512
Don B. Johnson, “ECC, Future Resiliency and High Security Systems”
59
Public Key Cryptography StandardsPKCS #1: RSA Cryptography Standard PKCS #2: incorporated into PKCS #1 PKCS #3: Diffie-Hellman Key Agreement Standard PKCS #4: incorporated into PKCS #1 PKCS #5: Password-Based Cryptography Standard PKCS #6: Extended-Certificate Syntax Standard PKCS #7: Cryptographic Message Syntax Standard PKCS #8: Private-Key Information Syntax Standard PKCS #9: Selected Attribute Types PKCS #10: Certification Request Syntax Standard PKCS #11: Cryptographic Token Interface Standard PKCS #12: Personal Information Exchange Syntax Standard PKCS #13: Elliptic Curve Cryptography Standard PKCS #15: Cryptographic Token Information Format Standard
http://www.rsasecurity.com/rsalabs/pkcs/