
COMP3441/9441, Lecture 5, session 1 2013

Ron van der Meyden

(University of New South Wales, Sydney, Australia)

April 8, 2013

R. van der Meyden COMP3441/9441, Lecture 5, session 1 2013

Overview

- Key distribution
- Public Key Cryptography
- Signatures
- Public Key Infrastructure
- Computational Complexity and Public Key Cryptography

Key Distribution


Key Distribution: the problem

Alice and Bob, who have never met, wish to communicate over an insecure line. Eve, an eavesdropper, is listening in on the line. To use shared key cryptography, they need to establish a shared key. How can they do this?

A non-solution

A −→ B: K

A −→ B: E_K(M)

B knows K, E_K(M), computes D_K(E_K(M)) = M

Problem: E also knows K, E_K(M), so can compute M

An idea suggesting the problem is solvable

Suppose that E_{K_A}(E_{K_B}(M)) = E_{K_B}(E_{K_A}(M))

A −→ B: E_{K_A}(M)

B −→ A: E_{K_B}(E_{K_A}(M))

A knows K_A, E_{K_B}(E_{K_A}(M)), computes

D_{K_A}(E_{K_B}(E_{K_A}(M))) = D_{K_A}(E_{K_A}(E_{K_B}(M))) = E_{K_B}(M)

A −→ B: E_{K_B}(M)

B knows K_B, E_{K_B}(M), computes D_{K_B}(E_{K_B}(M)) = M

Eve knows E_{K_A}(M), E_{K_B}(E_{K_A}(M)), E_{K_B}(M) and should not be able to compute M from this.

Problem: It is hard to find a good cipher E such that E_{K_A}(E_{K_B}(M)) = E_{K_B}(E_{K_A}(M))

(Implementable if A and B are communicating by snail mail and each has a padlock.)

Modular Arithmetic

Let x, y, n be integers, n > 0.

x ≡ y mod n if there exists an integer k such that x = k · n + y.

For every integer x, there is an integer y ∈ {0, 1, . . . , n − 1} such that x ≡ y mod n. Write this y as x mod n.

If x ≡ x′ mod n and y ≡ y′ mod n then

- x + y ≡ x′ + y′ mod n
- x · y ≡ x′ · y′ mod n
- x^y ≡ (x′)^y mod n

NB: it does not follow that x^y ≡ x^{y′} mod n. Example: x = 2, y = 1, y′ = 4, n = 3

Diffie-Hellman-Merkle's solution

Let q be a natural number and 2 ≤ a ≤ q − 1

- A generates a number X_A, B generates X_B
- A −→ B: a^{X_A} mod q
- B −→ A: a^{X_B} mod q

A knows X_A and a^{X_B} mod q and computes

(a^{X_B} mod q)^{X_A} mod q = a^{X_A·X_B} mod q

B knows X_B and a^{X_A} mod q and computes

(a^{X_A} mod q)^{X_B} mod q = a^{X_A·X_B} mod q

shared key is a^{X_A·X_B} mod q

E knows a^{X_A} mod q and a^{X_B} mod q.

No efficient way to compute a^{X_A·X_B} mod q from these is known.

In particular, no efficient way is known to compute the discrete logarithm: i.e., given a, b, q, solve a^x ≡ b mod q for x.

Note: to increase Eve's set of possible candidates for a^{X_A·X_B}, we want a^x mod q to have a large set of possible values as x varies.

Question: How can we ensure this set is large? How large can it be, as a function of q?

Some Number Theory

A natural number n > 1 is prime if it has no divisors other than 1 and n.

Some facts:

Euclid: There exist infinitely many primes.

Prime Factorization: Every number n > 1 can be written in a unique way as a product

n = p_1^{m_1} · · · p_k^{m_k}

where p_1 < . . . < p_k are primes.

Generators

a is a generator modulo n if a, a^2, a^3, . . . , a^{n−1} mod n includes all numbers 1, 2, 3, . . . , n − 1 mod n

Fact: If q is prime then generators mod q exist.

Example: 2 and 3 are generators mod 5 (and the only ones)

So: in the Diffie-Hellman-Merkle protocol, we choose q to be a prime, and choose a to be a generator mod q, giving q − 1 different possible key values.
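A worked run of the protocol above, added here as an example (not the lecturer's code): it finds the generators mod a small prime, runs one Diffie-Hellman-Merkle exchange, and counts how many distinct values a^x mod q can take, which is Eve's candidate set. The prime q = 23 and the exponents are constructed toy values.

```python
# Added example (not from the lecture slides): Diffie-Hellman-Merkle key
# agreement over a small prime q, with the slide's generator check.
# q = 23 is a constructed toy modulus; real parameters are thousands of bits.
import secrets


def is_generator(a: int, q: int) -> bool:
    """a is a generator mod q if a, a^2, ..., a^(q-1) mod q cover 1..q-1."""
    seen, x = set(), 1
    for _ in range(q - 1):
        x = (x * a) % q
        seen.add(x)
    return seen == set(range(1, q))


def generators(q: int) -> list:
    """All generators mod q (for prime q the slide's fact says some exist)."""
    return [a for a in range(2, q) if is_generator(a, q)]


def dh_exchange(q: int, a: int, x_a: int, x_b: int):
    """One protocol run with A's secret x_a and B's secret x_b.

    Returns (A's message, B's message, A's key, B's key)."""
    msg_a = pow(a, x_a, q)        # A -> B: a^XA mod q
    msg_b = pow(a, x_b, q)        # B -> A: a^XB mod q
    key_a = pow(msg_b, x_a, q)    # A: (a^XB mod q)^XA mod q
    key_b = pow(msg_a, x_b, q)    # B: (a^XA mod q)^XB mod q
    return msg_a, msg_b, key_a, key_b


def key_space_size(q: int, a: int) -> int:
    """How many distinct values a^x mod q takes as x varies: the size of
    Eve's candidate set. It is q - 1 exactly when a is a generator."""
    return len({pow(a, x, q) for x in range(1, q)})


if __name__ == "__main__":
    q = 23
    print("generators mod 5:", generators(5))          # [2, 3], as on the slide
    a = generators(q)[0]
    x_a = 2 + secrets.randbelow(q - 3)                 # A's random exponent
    x_b = 2 + secrets.randbelow(q - 3)                 # B's random exponent
    print(dh_exchange(q, a, x_a, x_b))
    print("candidates with a =", a, ":", key_space_size(q, a))
    print("candidates with a = 2:", key_space_size(q, 2))   # 2 is not a generator mod 23
```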

Finding Primes

Prime Number Theorem: The number of primes less than n is about n / ln n

So, if we need a random prime of length m bits, a random guess has probability

1/ln(2^m) = 1/(m ln 2) > 1/m

of finding a prime.

Implementations use this strategy: guess and verify (until you find one)

Primality testing

How to test that an m bit number q is prime?

Brute force: for all numbers x ≤ √q, test if q is divisible by x (cost = 2^{m/2} checks, so not feasible)

In 2002, primality testing was shown to be computable in polynomial time:

Manindra Agrawal, Neeraj Kayal, Nitin Saxena, PRIMES is in P, Annals of Mathematics 160 (2004), no. 2, pp. 781–793

Current best algorithm (Lenstra and Pomerance) takes time O((ln n)^6).

Probabilistic Primality testing

Prior to 2002, the approach used was based on probabilistic algorithms, that run efficiently, with a high probability of returning the correct answer.

(Examples: algorithms by Miller & Rabin, and by Solovay & Strassen.)

Since the polynomial time algorithms are more difficult to implement, the probabilistic ones are still in use.
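The two preceding slides together, as an added example (not the lecturer's code): a Miller-Rabin test, one of the probabilistic algorithms named above, driving the guess-and-verify search for a random m-bit prime. The round count and small-prime shortcut are my choices, not from the slides.

```python
# Added example (not from the slides): Miller-Rabin probabilistic primality
# test and the "guess and verify" search for a random m-bit prime.
import secrets


def miller_rabin(n: int, rounds: int = 32) -> bool:
    """True if n is probably prime, False if n is definitely composite.

    A composite n survives one round with probability at most 1/4, so
    `rounds` independent witnesses leave an error probability <= 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):          # cheap trial division first
        if n % p == 0:
            return n == p
    d, s = n - 1, 0                         # write n - 1 = 2^s * d, d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)    # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                    # a proves n composite
    return True


def random_prime(m: int):
    """Guess and verify: draw random odd m-bit numbers until one tests prime.

    Returns (prime, number of guesses). The slide's estimate gives a random
    m-bit number probability about 1/(m ln 2) of being prime; forcing the
    candidate to be odd roughly doubles that."""
    guesses = 0
    while True:
        guesses += 1
        cand = secrets.randbits(m) | (1 << (m - 1)) | 1   # top bit and low bit set
        if miller_rabin(cand):
            return cand, guesses


if __name__ == "__main__":
    p, tries = random_prime(512)
    print(f"found a 512-bit probable prime after {tries} guesses: {p:#x}")
```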

Public Key Cryptography


A public key cryptosystem is

- a pair of efficiently computable encryption and decryption functions E, D (parameterized by a key K)
- an efficient way of generating a pair of keys K, K^{−1} so that
  - D_{K^{−1}}(E_K(M)) = M for all messages M, and
  - it is hard to compute K^{−1} from K.

Given a public key cryptosystem, even in the presence of an eavesdropper, A can securely send M to B by

B generates K, K^{−1}

B −→ A: K

A −→ B: E_K(M)

B knows K^{−1}, E_K(M), and computes D_{K^{−1}}(E_K(M)) = M

E does not know K^{−1} so cannot easily do this.

Comments

- A public key cryptosystem must be able to withstand adaptive chosen plaintext cryptanalysis:

Eve learns K so can compute

E_K(M_1), E_K(M_2), . . .

for messages M_1, M_2, . . . of Eve's choosing.

- If the message space is small, Eve can mount a brute force attack:

Fix: pad messages with a long random string N:

B −→ A: K

A −→ B: E_K(M, N)

Some history of public key cryptography

- Merkle 1975, public key cryptography: a weak system requiring O(n) messages and having an attack of O(n^2)
- 1976 Diffie & Hellman: key exchange
- Merkle and Hellman (1978): a system based on knapsacks, since cracked
- Rivest, Shamir and Adleman (1978): RSA, most widely adopted system

Later revelations

Classified work at GCHQ (Govt Comms HQ, UK) revealed in 1997:

- 1970: James Ellis invented public-key cryptography
- 1973: Clifford Cocks invented (essentially) RSA
- 1973: Malcolm Williamson invented Diffie-Hellman key exchange

There have also been claims from NSA in 1997 that they knew about it in the 1960's, motivated by requirements of a 1962 Kennedy nuclear arms memo. (But no details released yet.)

More Number Theory

n and m are relatively prime if their only common divisor is 1.

Theorem: if a and n are relatively prime then there exists a unique number b mod n such that a·b ≡ 1 mod n.

In this case we can write b as a^{−1}, so we have a · a^{−1} ≡ 1 mod n.

Proof: Uniqueness first: suppose that for two numbers 1 ≤ b_1, b_2 < n we have a·b_1 ≡ a·b_2 mod n.

Then n divides a·b_1 − a·b_2 = a(b_1 − b_2).

Since a and n are relatively prime, n divides b_1 − b_2, so b_1 ≡ b_2 mod n, and in fact we must have b_1 = b_2 since both are less than n.

Now consider a·1 mod n, a·2 mod n, . . . , a·(n − 1) mod n.

They are all different, by the above. None can be 0. (Else, n divides a·b, so divides b < n.) So by the pigeon hole principle, one of these numbers must equal 1.

Pigeon hole principle: If there are K pigeons sitting in K holes, at most one per hole, then every hole has a pigeon in it!

Fermat's Little Theorem (FLT): If p is prime and 1 ≤ a ≤ p − 1 then a^{p−1} ≡ 1 mod p

The reduced set of residues mod n is the set of numbers x ∈ {1, . . . , n − 1} such that x and n are relatively prime.

Euler's totient function: φ(n) is the size of the reduced set of residues mod n

Euler's generalization of Fermat's little theorem: If a and n are relatively prime, then a^{φ(n)} ≡ 1 mod n.

Fact: If n = p · q where p and q are prime, then φ(n) = (p − 1) · (q − 1)

RSA Public Keys

- De facto standard for public key cryptography
- Widely used, e.g., in web browsers
- standardized in 1990's for finance applications in Australia, France (USA: resistance due to patents, NSA attempts to limit use)
- patented in US, expired Sept 20, 2000
- not proved secure, but has withstood extensive cryptanalysis

- Choose two random primes p and q. Define n = p · q.
- Choose e such that e and (p − 1) · (q − 1) are relatively prime.
- Let d be a solution of

ed ≡ 1 mod (p − 1) · (q − 1)

Discard p, q.

Public encryption key K = (e, n): E_K(M) = M^e mod n

Private decryption key K^{−1} = (d, n): D_{K^{−1}}(M) = M^d mod n

(where M is represented as a number < n)

By choice, there exists k such that ed = k(p − 1)(q − 1) + 1.

Fact: For all M and k we have that p divides M^{k(p−1)(q−1)+1} − M

Proof: this is obvious if p divides M.

Suppose p does not divide M, then by FLT, M^{p−1} ≡ 1 mod p, so

M^{k(p−1)(q−1)} ≡ (M^{p−1})^{k(q−1)} mod p ≡ 1^{k(q−1)} mod p ≡ 1 mod p

So M^{k(p−1)(q−1)+1} ≡ M mod p

i.e. p divides M^{k(p−1)(q−1)+1} − M.

Similarly, for all M, we have that q divides M^{k(p−1)(q−1)+1} − M

Since p and q are distinct primes, for all M, we have that pq = n divides M^{k(p−1)(q−1)+1} − M, i.e.

M^{k(p−1)(q−1)+1} ≡ M mod n

Thus:

D_{K^{−1}}(E_K(M)) = (M^e mod n)^d mod n = (M^e)^d mod n = M^{e·d} mod n = M^{k·(p−1)·(q−1)+1} mod n = M

Solving x · y ≡ 1 mod m

Apply the extended Euclid algorithm, which returns (d, k, l) with d = gcd(a, b) = k·a + l·b:

Algorithm GCD(a, b):   % assumption: a > b
  if b = 0 then return (a, 1, 0)
  else let q = a div b
       let (d, k, l) = GCD(b, a mod b)
       return (d, l, k − l·q)

If m and x are relatively prime and m > x, and GCD(m, x) = (1, i, j), then 1 = i·m + j·x, so x · j ≡ 1 mod m

Computing Exponentiation

Remark: we can compute a^{2^k} mod n in O(k) multiplications:

a^2 mod n = a · a mod n

a^4 mod n = a^2 · a^2 mod n

. . .

a^{2^k} mod n = a^{2^{k−1}} · a^{2^{k−1}} mod n

If x = x_0 + x_1 · 2 + x_2 · 2^2 + . . . + x_k · 2^k is the binary decomposition of x then

a^x mod n = Π_{i=0...k: x_i=1} a^{2^i} mod n

So k + log_2 k multiplications suffice to compute a^x mod n
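The extended Euclid algorithm from the previous slide, the exponentiation method from this one, and the RSA key setup they serve, carried through end to end as an added example (not the lecturer's code). The primes p = 61, q = 53 and e = 17 are tiny constructed values; unpadded textbook RSA like this is for illustration only.

```python
# Added example (not the slides' own code): the slide's GCD(a, b), the
# modular inverse it yields, square-and-multiply exponentiation from the
# binary decomposition of x, and a textbook RSA round trip built on them.
# p = 61, q = 53, e = 17 are constructed toy values; no padding is applied.


def gcd_ext(a: int, b: int):
    """Slide's GCD(a, b): returns (d, k, l) with d = gcd(a, b) = k*a + l*b.
    Assumes a > b >= 0."""
    if b == 0:
        return (a, 1, 0)
    q = a // b                        # q = a div b
    d, k, l = gcd_ext(b, a % b)
    return (d, l, k - l * q)


def mod_inverse(x: int, m: int) -> int:
    """Solve x*y = 1 mod m; requires gcd(m, x) = 1 and m > x."""
    d, _, j = gcd_ext(m, x)           # 1 = i*m + j*x, so x*j = 1 mod m
    if d != 1:
        raise ValueError("x and m are not relatively prime")
    return j % m


def mod_exp(a: int, x: int, n: int) -> int:
    """a^x mod n as the product of a^(2^i) mod n over the set bits x_i of x."""
    result, square = 1, a % n         # square holds a^(2^i) mod n
    while x > 0:
        if x & 1:                     # bit x_i set: multiply a^(2^i) in
            result = (result * square) % n
        square = (square * square) % n
        x >>= 1
    return result


def rsa_keygen(p: int, q: int, e: int = 17):
    """Return public key (e, n) and private key (d, n); p, q are then discarded."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd_ext(phi, e)[0] != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = mod_inverse(e, phi)           # e*d = 1 mod (p-1)(q-1)
    return (e, n), (d, n)


def rsa_encrypt(pub, m: int) -> int:
    e, n = pub
    return mod_exp(m, e, n)           # E_K(M) = M^e mod n


def rsa_decrypt(priv, c: int) -> int:
    d, n = priv
    return mod_exp(c, d, n)           # D_{K^-1}(C) = C^d mod n


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)
    c = rsa_encrypt(pub, 65)
    print(pub, priv, c, rsa_decrypt(priv, c))
```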

Security of RSA

RSA has withstood cryptanalysis, but

- it has not been proved to be secure
- factoring n would suffice to compute d. Factorization is thought not to be NP-complete.
- in theory, factorization can be done efficiently on a quantum computer
- it is not known that factorization is the only way to crack RSA.

Key Size Issues

How large should the modulus n be in bits?

Computers & factorization algorithms keep getting faster.

US restricted export to modulus 512 bits until Jan 2000

Aug 1999 - 512 bit modulus cracked in 7 months using 300 workstations

May 2005 - 663 bit modulus cracked by the equivalent of 75 years work for a single 2.2 GHz Opteron-based computer.

Key Size Issues

2009: 768 bit modulus cracked in 6.5 months using 80 processors. (T. Kleinjung et al, http://eprint.iacr.org/2010/006.pdf)

"a 1024-bit RSA modulus is still about one thousand times harder to factor than a 768-bit one. If we are optimistic, it may be possible to factor a 1024-bit RSA modulus within the next decade by means of an academic effort on the same limited scale as the effort presented here. From a practical security point of view this is not a big deal, given that standards recommend phasing out such moduli by the end of the year 2010 (cf. [28,29]). See also [22].

Another conclusion from our work is that we can confidently say that if we restrict ourselves to an open community, academic effort as ours and unless something dramatic happens in factoring, we will not be able to factor a 1024-bit RSA modulus within the next five years (cf. [30]). After that, all bets are off."

stay tuned: http://en.wikipedia.org/wiki/RSA_Factoring_Challenge

Exercise: what is the modulus size in websites you visit using https?

Public Key Infrastructure


Mallory's (man in the middle) attack on public keys

Alice — Mallory — Bob

- Alice −→ Bob: Hey Bob, I've got a really juicy secret to tell you, what's your public key?
- Bob −→ Alice (Mallory): Hi Alice, It's K_B, Regards, Bob
- Mallory (Bob) −→ Alice: Hi Alice, It's K_M, Regards, Bob
- Alice −→ Bob (Mallory): {Secret}_{K_M}
- Mallory decrypts using K_M^{−1}, reads Secret
- Mallory (Alice) −→ Bob: {Secret}_{K_B}


The attack from Alice's viewpoint

- Alice −→ Bob?: Hey Bob, I've got a really juicy secret to tell you, what's your public key?
- Bob? −→ Alice: Hi Alice, It's K_M, Regards, Bob
- Alice −→ Bob?: {Secret}_{K_M}

The attack from Bob's viewpoint

- Alice? −→ Bob: Hey Bob, I've got a really juicy secret to tell you, what's your public key?
- Bob −→ Alice?: Hi Alice, It's K_B, Regards, Bob
- Alice? −→ Bob: {Secret}_{K_B}

Diffie/Hellman's solution:

A secure online directory D serving public key requests.

- each user trusts D
- each user has a shared key with D
- n users → use n secure channels to get n^2 secure channels

Kohnfelder's solution: Signed certificates for offline name-key binding validation

Real World Certificates

"A document containing a certified statement, especially as to the truth of something"

- Birth certificates
- Marriage certificates
- Degree certificates
- Doctors' certificates

(Basic) Public Key Certificates

The information:

- Subject: name of person/entity holding the key
- Public Key: key value
- Certificate Authority Name: a name N

Signed using N's signature key
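A minimal certificate of exactly this shape, and the check a relying party performs on it, as an added example (not the lecturer's code): the CA signs the (subject, public key, CA name) binding with textbook RSA, and a user accepts a key for Bob only if it arrives in a valid certificate naming Bob, which is what defeats the key substitution in Mallory's attack above. The CA name, the CA key (built from the Mersenne primes 2^61−1 and 2^89−1) and the subject keys are constructed toy values; a real PKI uses X.509, padded signatures and much larger keys.

```python
# Added example (not from the slides): a basic public key certificate
# (subject, public key, CA name) signed with textbook RSA, plus verification.
# CA_NAME, the CA key and all subject keys are constructed toy values.
import hashlib
import json

CA_NAME = "Example CA"                          # constructed
P, Q = 2**61 - 1, 2**89 - 1                     # Mersenne primes, toy-sized
CA_N = P * Q
CA_E = 65537
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))         # e*d = 1 mod (p-1)(q-1)


def digest(fields: dict) -> int:
    """Hash the certified statement canonically and reduce it below n."""
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % CA_N


def issue_certificate(subject: str, public_key: tuple, ca_private_d: int) -> dict:
    """The CA binds subject to public_key and signs the binding: h^d mod n."""
    fields = {"subject": subject, "public_key": list(public_key), "issuer": CA_NAME}
    return {**fields, "signature": pow(digest(fields), ca_private_d, CA_N)}


def verify_certificate(cert: dict, trusted_ca: tuple) -> bool:
    """Relying party: recompute the digest and compare with sig^e mod n
    under the CA public key (e, n) it already trusts."""
    e, n = trusted_ca
    fields = {k: cert[k] for k in ("subject", "public_key", "issuer")}
    return cert["issuer"] == CA_NAME and pow(cert["signature"], e, n) == digest(fields)


def key_for(cert: dict, subject: str, trusted_ca: tuple):
    """Accept a key for `subject` only from a valid certificate naming that
    subject; a certificate for someone else, or a modified key, is rejected."""
    if verify_certificate(cert, trusted_ca) and cert["subject"] == subject:
        return tuple(cert["public_key"])
    return None


if __name__ == "__main__":
    bob_key = (65537, 3233)                     # constructed placeholder key
    cert = issue_certificate("Bob", bob_key, CA_D)
    print("accepted key for Bob:", key_for(cert, "Bob", (CA_E, CA_N)))
    swapped = {**cert, "public_key": [65537, 9999]}   # key substituted in transit
    print("after substitution:", key_for(swapped, "Bob", (CA_E, CA_N)))
```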

Certificate Distribution Methods

Certificate gets integrity and verifiability from the signature, so does not need secure storage/transmission. Can be distributed

- Along with the signed document
- As part of a protocol (e.g. SSL)
- using directory services (e.g. X.500, LDAP)
- on web-pages
- using finger
- by email ...

Public Key Certificate Standards

Aspects to be standardised:

- Certificate Syntax
- Certificate Semantics
- Rules for Operation of certificate infrastructure
- Legal Issues, Liability

X.509 (version 3) certificate structure

- Certificate Version
- Certificate Serial Number
- CA's signature algorithm ID
- CA's X.500 name
- Validity period
- Subject's X.500 name
- Subject's Public Key information (AlgorithmIdentifier, Public Key value)
- (optional) Issuer unique identifier
- (optional) Subject unique identifier
- (optional) Extension fields

X.500 names

X.500: an ITU/ISO standard (1984-1988) for directory services

Vision: every person/company/division/computer/peripheral/device assigned a distinguished name for use in directories

X.500 names constructed from Attributes

E.g. {Country=Australia, Organisation=University of New South Wales, Department=Computer Science and Engineering, Name=John Smith}