CSIS 0327 Computer & Network Security
September 2006
Public Key CryptoSystems: RSA and Others
Dr Lucas Hui (CYC307, 28592190, [email protected])

Problem of Symmetric Encryption
• A key is owned by more than one person
• No ‘non-repudiation’ property
  – A third party cannot determine whether a message is generated by the message sender or receiver
• Key management problem is complicated
  – N persons need N(N-1) pairs of keys
  – E.g. 5 persons (1-5), Ki,j is the key for communication of i and j
    • Person 1 keeps K1,2, K1,3, K1,4 and K1,5
    • Person 2 keeps K1,2, K2,3, K2,4 and K2,5
    • Person 3 keeps K1,3, K2,3, K3,4 and K3,5
    • Person 4 keeps K1,4, K2,4, K3,4 and K4,5
    • Person 5 keeps K1,5, K2,5, K3,5 and K4,5
  – Complicated procedures exist for
    • A newly arriving subject
    • An exiting subject
    • Subjects renewing their keys
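
Symmetric Encryption CryptoSystem
• Y = E_K(X), X = D_K(Y)
Both A and B have K, and so either one alone can generate X !!
[Figure: symmetric cryptosystem model. Person A's message source feeds X to Encryption Algo E; ciphertext Y goes to Decryption Algo D and Person B's message destination; the key source delivers K over a secure channel; the cryptanalyst observes Y and produces estimates X’, K’.]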

Public key system
• A.k.a. asymmetric key system
• Each party X has two keys, one private key Xprv, one public key Xpub (e.g. A has private key Aprv and public key Apub)
• The private key and public key together form a key pair
  – You cannot generate a random private key V, and a random public key U, and just call them a key pair
  – You have to use a sophisticated ‘key-generation’ procedure to generate a key pair
• Private key is secret to the owner, public key is open to public
• Xpub(Xprv(M)) = Xprv(Xpub(M)) = M
• Mathematically, given the public key, it is extremely difficult to find the private key
• Mathematically, given the private key, it is extremely difficult to find the public key
• Security strength always depends on key length
• Can be used in digital signature, encryption, and other advanced usage

• Data Encryption: A sends a confidential message M to B
  – A sends Bpub(M) to B, B decrypts with Bprv
• Digital Signature: A sends a signed message M to B
  – A sends Aprv(M) to B, B decrypts with Apub
• The ‘encryption’ and ‘signature’ functions can be used together, or just use one function.
• Often combined with hash functions and symmetric key systems
• Public Key Cryptosystem examples:
  – RSA
  – DSA (for digital signature only)
  – Elliptic curves

Public Key Cryptosystem
• A has public key Apub, & private key Aprv
• From Apub, almost impossible to find Aprv
• From Aprv, almost impossible to find Apub
• Apub is known to all; Aprv is secret to A
[Figure: A holds Aprv. Two paths: M → Aprv → C’ → Apub → M, and M → Apub → C” → Aprv → M.]

Data Encryption using Public Key Cryptosystems
• A sends a confidential message M to B
  – A sends Bpub(M) to B, B decrypts with Bprv
  – No other subjects can read M
• Provide no authenticity
  – Any other subject can pretend to be A, to send Bpub(M) to B
[Figure: A: M → Bpub → C; B: C → Bprv → M.]
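
Confidentiality in Public Key Cryptosystem
[Figure: the message source feeds X to Encryption Algo E, keyed with Bpub; ciphertext Y goes to Decryption Algo D, keyed with Bprv, which delivers X to the message destination; the key pair source supplies Bpub and Bprv; the cryptanalyst observes Y and produces estimates X’, Bprv’. Other label: Secret Channel.]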

Symmetric Key Vs Pub Key System
Symmetric Key Encryption
• Needed to work
  – Sender & receiver use same algo & same key for encryption & decryption
• Needed for security
  – Key must be kept secret
  – Practically impossible to decipher a message
  – Knowledge of algo + samples of ciphers must be insufficient to determine the key
Public Key Encryption
• Needed to work
  – One algo, a pair of keys, 1 for encryption, 1 for decryption. Sender & receiver must have a matched pair of keys
• Needed for security
  – One of the two keys must be kept secret
  – Practically impossible to decipher a message
  – Knowledge of algo + one of the keys + samples of ciphers must be insufficient to determine the key

Digital Signature using Public Key Cryptosystems
• A sends a signed message M to B
  – A sends Aprv(M) to B, B decrypts with Apub
  – Only A has Aprv, so Aprv(M) must be generated by A
• No confidentiality
  – Anyone tapping Aprv(M) can decrypt it with Apub
[Figure: A: M → Aprv → C; B: C → Apub → M.]
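
Authenticity in Public Key Cryptosystem
[Figure: the message source feeds X to Encryption Algo E, keyed with Aprv; Y goes to Decryption Algo D, keyed with Apub, which delivers X to the message destination; the key pair source supplies Aprv and Apub; the cryptanalyst observes Y and produces estimates X’, Aprv’. Other label: Secret Channel.]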
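
Confidentiality & Authenticity in Public Key Cryptosystem
[Figure: the message X passes through two encryption stages (keys Aprv and Bpub) to give Y, and through two decryption stages (keys Bprv and Apub) to reach the message destination; each party has its own key pair source; the cryptanalyst observes Y and produces estimates X’, Aprv’, Bprv’. Other label: Secret Channel.]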

Requirement of PKC
• Practical public-key cryptosystem depends on discovery of a suitable trapdoor one-way function f_k
  – Y = f_k(X) computationally easy, if k and X are known
  – X = f_k^{-1}(Y) computationally easy, if k and Y are known
  – X = f_k^{-1}(Y) computationally infeasible, if Y is known, k is unknown
  – E.g. f_k is using the public key, and f_k^{-1} is using the private key

Modular Arithmetic I
• modular arithmetic is 'clock arithmetic'
• a congruence a = b mod n says when divided by n that a and b have the same remainder
  – 100 = 34 mod 11
    • Note: the above expression is a common, but a bit relaxed way of writing “100 mod 11 = 34 mod 11”, or “100 =_{mod 11} 34”
  – usually have 0 <= b <= n-1
  – -12 mod 7 = -5 mod 7 = 2 mod 7 = 9 mod 7
  – b is called the residue of a mod n
• can do arithmetic with integers modulo n with all results from 0 to n – 1

Modular Arithmetic II
• Addition
  – a+b mod n
• Subtraction
  – a-b mod n = a+(-b) mod n
• Multiplication
  – a . b mod n, derived from repeated addition, can get a.b=0 where neither a,b=0
  – Eg. 2 . 5 mod 10
• Division
  – a/b mod n, is multiplication by inverse of b: a/b = a . b^{-1} mod n. (If n is prime, b^{-1} mod n exists s.t. b.b^{-1} = 1 mod n)
  – Eg. 2 . 3=1 mod 5 hence 4/2 = 4 . 3 = 2 mod 5

Modular Arithmetic III
• Integers modulo n with addition and multiplication form a commutative ring with the laws of
  – Associative: (a+b)+c = a+(b+c) mod n
  – Commutative: a+b = b+a mod n
  – Distributive: (a+b).c = (a.c)+(b.c) mod n
• also can choose whether to do an operation and then reduce modulo n, or reduce then do the operation, since reduction is a homomorphism from the ring of integers to the ring of integers modulo n
  – a +/- b mod n = [a mod n +/- b mod n] mod n
  – (the above laws also hold for multiplication)
• if n is constrained to be a prime number p then this forms a Galois Field modulo p denoted GF(p) and all the normal laws associated with integer arithmetic work

Exponentiation in GF(p)
• many encryption algorithms use exponentiation: raising a number a (base) to some power e (exponent) mod p
  – b = a^e mod p
• exponentiation is basically repeated multiplication, which takes O(n) multiplications for a number n
• A better method is the square-and-multiply algorithm, which only takes O(log_2 n) multiplications for a number n

Square & Multiply Exponentiation
• b = m^e mod p
• Represent e in binary form (e.g. m^20 becomes m^10100, with the exponent written in binary)
• Let e = e_k e_{k-1} e_{k-2} … e_1 (e_k is the most significant bit, e_1 is the least significant bit)
  – d = 1
  – for j = k downto 1 do {
  –     d = d * d mod p
  –     if e_j == 1 then {d = d * m mod p}
  – }
  – Return d
• E.g. compute m^10100 (mod p), then
  – We have d = 1, 1, m^1, m^10, m^100, m^101, m^1010, m^10100.
• Need (n-1) ‘squaring’ (n is number of bits in e) & (k – 1) ‘multiplication’ (k is number of ‘1-bit’ in e)
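
The loop above as an added Python example (not part of the original slides): it records the exponent held in d after every step, so the trace for e = 20 reproduces the slide's sequence, and it counts the non-trivial squarings and multiplications. The second function is the "compute d*m in all cases" variant that the slides list later as a timing countermeasure; the function names and the sample base and modulus are assumptions of this example.

```python
def square_and_multiply(m, e, p):
    """Left-to-right square-and-multiply, following the slide's loop.

    Returns (d, trace, squarings, multiplications). trace lists the exponent
    held in d after each step, written in binary ("0" means d = 1). The first
    iteration only squares 1 and multiplies 1 by m, so it is not counted,
    which gives the slide's (n-1) squarings and (k-1) multiplications.
    """
    if e < 1 or p < 2:
        raise ValueError("need e >= 1 and modulus >= 2")
    d, acc = 1, 0                      # acc: exponent of m currently in d
    trace = [format(acc, "b")]
    squarings = multiplications = 0
    for bit in bin(e)[2:]:             # most significant bit first
        trivial = acc == 0             # d is still 1 in the first iteration
        d = d * d % p
        acc *= 2
        trace.append(format(acc, "b"))
        squarings += 0 if trivial else 1
        if bit == "1":
            d = d * m % p
            acc += 1
            trace.append(format(acc, "b"))
            multiplications += 0 if trivial else 1
    return d, trace, squarings, multiplications


def square_and_always_multiply(m, e, p):
    """Variant that performs the multiplication for every exponent bit.

    The product is kept only when the bit is 1, so the number of modular
    operations no longer depends on the exponent's bit pattern. This shows
    the operation count only; Python integers are not constant-time.
    """
    if e < 1 or p < 2:
        raise ValueError("need e >= 1 and modulus >= 2")
    d = 1
    squarings = multiplications = 0
    for bit in bin(e)[2:]:
        d = d * d % p
        squarings += 1
        product = d * m % p            # computed whether or not it is used
        multiplications += 1
        d = product if bit == "1" else d
    return d, squarings, multiplications


if __name__ == "__main__":
    M, P = 5, 91                       # constructed sample base and modulus
    for e in (0b10000, 0b10100, 0b11111):
        d, trace, sq, mul = square_and_multiply(M, e, P)
        _, sq_c, mul_c = square_and_always_multiply(M, e, P)
        print(f"e={e:05b} result={d} squarings={sq} multiplications={mul} "
              f"always-multiply={sq_c}+{mul_c}")
        print("  exponent in d:", " -> ".join(trace))
```

Exponents of the same bit length but different numbers of 1 bits give different multiplication counts in the first function and identical counts in the second.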

Square & Multiply Exponentiation Examples
(sq): squaring, (X): multiplying by m (exponents written in binary)
To compute m^10000:
  m^1 →(sq) m^10 →(sq) m^100 →(sq) m^1000 →(sq) m^10000
To compute m^10100 (exponent bits 1 0 1 0 0):
  m^1 →(sq) m^10 →(sq) m^100 →(X) m^101 →(sq) m^1010 →(sq) m^10100
To compute m^11111:
  m^1 →(sq) m^10 →(X) m^11 →(sq) m^110 →(X) m^111 →(sq) m^1110 →(X) m^1111 →(sq) m^11110 →(X) m^11111

Two Important Theorems
• ϕ(n) is the Euler totient function (no. of positive numbers < n and relatively prime to n)
• Note that 1 is relatively prime to every other integer
• Theorem (Euler's Generalization, Euler Totient Thm)
  – let gcd(a,n)=1 then
  – a^{ϕ(n)} mod n = 1
• Fermat's Theorem
  – let p be a prime and gcd(a,p)=1 then
  – a^{p-1} mod p = 1

Discrete Logarithm Problem
• The inverse problem to exponentiation is that of finding the discrete logarithm of a number modulo p
  – find x where a^x = b mod p
• While exponentiation is relatively easy, finding discrete logarithms is generally a hard problem, with no easy way
• Note that taking logarithms over the real numbers is very easy, so the modular arithmetic plays an important role here

RSA
• Invented by Ron Rivest, Adi Shamir, and Len Adleman in MIT (1978)
• reversible public-key system (can be used in both encryption and digital signature)
• security based on factorization
• RSA key generation
  – Generate large primes p, q.
  – Compute n (the modulus) = p * q
  – Compute ϕ(n) = (p-1)(q-1)
  – Generate e relatively prime to (p-1)*(q-1) (i.e. gcd(ϕ(n), e) = 1)
  – Compute d = e^{-1} mod ((p-1)*(q-1))
  – Public key is (e,n), Private key is (d,n)
  – 1024-bit RSA means n has 1024 bits
  – the data must have value < n (since taking mod n).

RSA
• Public key is (e,n), Private key is (d,n)
• RSA Encryption basic scheme
  – m (< n) is the message
  – use public key (e,n) to encrypt, compute c = m^e mod n
  – use private key (d,n) to decrypt, compute m = c^d mod n
• Digital signature
  – m (< n) is the message
  – use private key (d,n) to sign (“encrypt”), compute s = m^d mod n
  – use public key (e,n) to verify (“decrypt”), check whether m ?= s^e mod n

RSA
• execution slower than block ciphers
• Tricks to speed up RSA
  – Mathematical technique: addition chain, Chinese Remainder Theorem
  – Encryption hardware: crypto-card
  – Assembly code, microcode implementation for software systems
  – Short exponent (for public key only): e.g. 3, 2^16+1
• security based on factorization
• Attack on RSA mainly on factorization
• Patent issued Sep 29, 1983. Expired in 2000

Attack on RSA
• Given (d,n), find e
• by factorization
  – Factor n into p and q
  – Compute e = d^{-1} mod ((p-1)*(q-1))
  – prevent by using large n (standard in 1999: more than 700-bit modulus, therefore using 1024-bit RSA is popular)
• Special mathematical attack on special cases, e.g.:
  – if m^e < n, then we can solve the equation directly
  – if p and q have some special property, the RSA system is easier to break
  – usually prevented by checking in the key generation time (when generating p and q)
• Timing attack: depends on running time of decryption
• Remark (by Shamir): Cryptography is not broken, only bypassed!!

Timing Attack on RSA
• Find the private key (bit by bit) by the running time of decryption (only need ciphertexts)
• Square-and-multiply exponentiation: 1 square operation per key bit, and 1 multiply operation per key bit which is “1” (d = d * m)
• [Simplified illustration]: for certain d & a, the operation “d = d * m” takes a long time. So long that we can distinguish whether “d = d * m” is executed or not (use this to determine a “1” bit or a “0” bit in the exponent)
• Determine the private key bit by bit by the above, from the leftmost bit.
• In real cases, not that easy to achieve, but still a threat.
• Countermeasures exist
• Inspired other approaches like power consumption, sound generated by machine (announced by Shamir, Dec 2004) etc.

Countermeasures of Timing Attack on RSA
• Constant exponentiation time: compute x = d*m in all cases
• Random delay
• Blinding: transforming the message m to another value before performing exponentiation
Blinding example (compute m = c^d mod n)
5. Generate a secret random number r between 0 and n-1
6. Compute c’ = c * r^e mod n (e is the public key)
7. Compute m’ = c’^d mod n by exponentiation (= c^d r^{de} mod n = c^d r mod n, since r^{ed} mod n = r mod n)
8. Compute m = m’ r^{-1} mod n (= c^d r^{de} r^{-1} mod n = c^d r r^{-1} mod n) = c^d mod n

RSA Example (with small p,q)
• RSA key generation
  – Generate primes p, q. (say p = 7, q = 13)
  – Compute n (the modulus) = p * q (n = 91)
  – Compute ϕ(n) = (p-1)(q-1) (ϕ(n) = 6*12 = 72)
  – Generate e relatively prime to (p-1)*(q-1) (say e = 5)
  – Compute d = e^{-1} mod ((p-1)*(q-1)) (d = 29, since 5*29 = 145 = 2*72+1)
  – Public key is (e,n), Private key is (d,n) (public key is (5,91), private key is (29,91))
  – This is a 7-bit RSA (and can only handle data up to 6 bits, so n-bit RSA can only handle (n-1)-bit data objects)
• RSA usage
  – Let the message m = 5, for digital signature usage, the signed value is 5^29 mod 91 = 31. For verification purpose, 31^5 mod 91 = 5
  – Let the message m = 5, for data encryption usage, the cipher is 5^5 mod 91 = 31. For decryption, 31^29 mod 91 = 5
  – Let the message be 14, for data encryption usage, the cipher is 14^5 mod 91 = 14. For decryption, 14^29 mod 91 = 14

Calculation of inverse
• ‘Primitive’ method: trial and error
  – E.g. Inverse of 20 mod 33
  – Try: 33*1 + 1, 33*2 + 1, 33*3 + 1, etc.
  – We get: 34, 67, 100, 133, ….
  – We know that 20 * 5 = 100
  – So 20^{-1} mod 33 = 5
  – Only works for small numbers
• Extended Euclid’s Algorithm
  – The General Solution

Euclid’s Algorithm
• To find GCD (Greatest Common Divisor)
• Divide C0 by C1, let Quotient = Q2, Rem = C2

| Q (Quotient) | C (Remainder) |
|---|---|
| | 1769 |
| | 550 |
| 3 | 119 |
| 4 | 74 |
| 1 | 45 |
| 1 | 29 |
| 1 | 16 |
| 1 | 13 |
| 1 | 3 |
| 4 | 1 |

Euclid’s Algorithm
• To find GCD of d and f (i.e. ? = gcd(d,f))
• Set up the table of Q and C
• Initialize
  – C0 = f
  – C1 = d
• Iterate
  – Divide C_{i-1} by C_i, let Quotient = Q_{i+1}, Remainder = C_{i+1}
• Until C_i is 0
• Answer is C_{i-1}.

Extended Euclid’s Algorithm
• To find multiplicative inverse (i.e. find d^{-1} (mod f))
• Principle: Try to set up equation of the form
  – A_i f + B_i d = C_i (**)
• Initially:
  – A0 = 1, B0 = 0, C0 = f
  – A1 = 0, B1 = 1, C1 = d
• Iteratively:
  – Find A_{i+1}, B_{i+1}, C_{i+1} from A_i, B_i, C_i (and C_{i-1}), preserving condition (**)
• Finally:
  – C_n = 1, so A_n f + B_n d = 1
  – Which means (B_n) d = 1 + (-A_n) f,
  – Or B_n = d^{-1} (mod f)

Calculation of inverse
• To find multiplicative inverse (of 550 mod 1769)

| Q | A | B | C |
|---|---|---|---|
| | 1 | 0 | 1769 |
| | 0 | 1 | 550 |
| ? | ? | ? | ? |
| | | ? (Ans) | |

One Step
• How to find A_{i+1}, B_{i+1}, C_{i+1} from A_i, B_i, C_i, C_{i-1}?
• E.g.
  – A0 f + B0 d = C0
  – A1 f + B1 d = C1
  – To find: A2 f + B2 d = C2
  – Divide C0 by C1, let Quotient = Q2, Rem = C2
  – Now C1 Q2 + C2 = C0
  – So C2 = C0 - (C1)(Q2)
  – Now, by ‘design’, let
    • B2 = B0 – (B1)(Q2)
    • A2 = A0 – (A1)(Q2)
  – We satisfy (**): A2 f + B2 d = C2

Why satisfy (**): A2 f + B2 d = C2
Since: A2 f + B2 d
= (A0 – A1 Q2) f + (B0 – B1 Q2) d
= A0 f + B0 d – A1 Q2 f – B1 Q2 d
= (A0 f + B0 d) – Q2 (A1 f + B1 d)
= C0 – C1 Q2
= C2

Calculation of inverse
• Find inverse of 550 mod 1769

| Q | A | B | C |
|---|---|---|---|
| | 1 | 0 | 1769 |
| | 0 | 1 | 550 |
| 3 | ? | ? | 119 |
| | | ? (Ans) | |

Calculation of inverse
• Find inverse of 550 mod 1769

| Q | A | B | C |
|---|---|---|---|
| | 1 | 0 | 1769 |
| | 0 | 1 | 550 |
| 3 | 1 = (1 - 3*0) | -3 = 0 - 3*1 | 119 |
| | | ? (Ans) | |

Calculation of inverse
• Find inverse of 550 mod 1769

| Q | A | B | C |
|---|---|---|---|
| | 1 | 0 | 1769 |
| | 0 | 1 | 550 |
| 3 | 1 | -3 | 119 |
| 4 | -4 = 0 – 4*1 | 13 = 1 - 4*(-3) | 74 |
| | | ? (Ans) | |
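
E.g. Calculation of inverse
• Completed table (550^{-1} mod 1769 = 550)

| Q | A | B | C |
|---|---|---|---|
| | 1 | 0 | 1769 |
| | 0 | 1 | 550 |
| 3 | 1 | -3 | 119 |
| 4 | -4 | 13 | 74 |
| 1 | 5 | -16 | 45 |
| 1 | -9 | 29 | 29 |
| 1 | 14 | -45 | 16 |
| 1 | -23 | 74 | 13 |
| 1 | 37 | -119 | 3 |
| 4 | -171 | 550 (Ans) | 1 |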

Summary of Extended Euclid’s Algorithm
• To find the inverse of d mod f
• Set up the table of Q, A, B, C
• Initialize
  – A0 = 1, B0 = 0, C0 = f
  – A1 = 0, B1 = 1, C1 = d
• Iterate
  – Divide C_{i-1} by C_i, let Quotient = Q_{i+1}, Rem = C_{i+1}
  – Compute B_{i+1} = B_{i-1} – (B_i)(Q_{i+1})
  – Compute A_{i+1} = A_{i-1} – (A_i)(Q_{i+1})
• Until C_i is 1 (if C_i goes to 0 without being equal to 1, that means GCD(d,f) is not 1, and there is no answer)
• Answer is B_i.
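
The table procedure summarized above, as an added Python example (not part of the original slides): it builds the Q, A, B, C rows, checks the invariant (**) on every row, and reports "no answer" when C reaches 0 without passing through 1. The function names are assumptions of this example; the inputs in the demo are the slides' own 550 mod 1769 and 20 mod 33, plus a constructed pair with no inverse.

```python
def extended_euclid_table(d, f):
    """Build the slides' Q, A, B, C table for finding d^-1 mod f.

    Returns (rows, inverse). Each row is (Q, A, B, C); rows 0 and 1 have no
    quotient. inverse is B of the last row reduced mod f, or None when C
    reaches 0 without passing through 1 (gcd(d, f) != 1, no inverse).
    """
    if d < 1 or f < 2:
        raise ValueError("need d >= 1 and f >= 2")
    rows = [(None, 1, 0, f), (None, 0, 1, d)]
    while rows[-1][3] > 1:
        _, a_prev, b_prev, c_prev = rows[-2]
        _, a_cur, b_cur, c_cur = rows[-1]
        q, c_next = divmod(c_prev, c_cur)          # C_{i-1} = Q*C_i + C_{i+1}
        rows.append((q, a_prev - a_cur * q, b_prev - b_cur * q, c_next))
    if rows[-1][3] == 0:
        return rows, None
    return rows, rows[-1][2] % f


def invariant_holds(rows, d, f):
    """Condition (**): A*f + B*d == C on every row of the table."""
    return all(a * f + b * d == c for _, a, b, c in rows)


def format_table(rows):
    """Render the rows as fixed-width text in the slides' column order."""
    lines = [f"{'Q':>4} {'A':>6} {'B':>6} {'C':>6}"]
    for q, a, b, c in rows:
        q_text = "" if q is None else str(q)
        lines.append(f"{q_text:>4} {a:>6} {b:>6} {c:>6}")
    return "\n".join(lines)


if __name__ == "__main__":
    # (550, 1769) and (20, 33) are the slides' examples; (6, 9) is a
    # constructed pair with gcd 3, so the table ends at C = 0.
    for d, f in ((550, 1769), (20, 33), (6, 9)):
        rows, inverse = extended_euclid_table(d, f)
        print(f"inverse of {d} mod {f}: {inverse}")
        print(format_table(rows))
        print("invariant (**) holds:", invariant_holds(rows, d, f))
```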

Why RSA works? Proof of m^{ed} = m (mod n) in RSA
• Known facts:
  n = p * q where p, q are primes
  d = e^{-1} mod (p-1)(q-1)
  or: e d = k(p-1)(q-1) + 1 for integer k
• Proof 1: (a simple and incomplete proof)
  For message m,
  m^{ed} (mod n)
  = m^{k(p-1)(q-1)+1} (mod n)
  = (m^{(p-1)(q-1)})^k * m^1 (mod n)
  = (1)^k * m (mod n)    (if gcd(m,n) = 1)
  = m (mod n)
  (This proof does not cover cases where m is a multiple of p or q)

Why RSA works? : Proof of m^{ed} = m (mod n) in RSA (2)
• Known facts:
  n = p * q where p, q are primes
  d = e^{-1} mod (p-1)(q-1)
  or: e d = k(p-1)(q-1) + 1 for integer k
• Proof 2: (a complete proof)
  Step 1: Try to prove: for message m, m^{ed} = m (mod p)
  Observe p is a prime, so gcd(m,p) = 1 or p
  [Case 1.1:] If gcd(m,p) = 1, we have
    m^{ed} (mod p)
    = m^{k(p-1)(q-1)+1} (mod p)
    = (m^{(p-1)})^{(q-1)k} * m^1 (mod p)
    = (1)^{(q-1)k} * m (mod p)
    = m (mod p)
  [Case 1.2:] gcd(m,p) = p, so m is a multiple of p, thus m^{ed} (mod p) = 0 = m (mod p)
  In both cases, we have proven that m^{ed} = m (mod p).

Why RSA works? : Proof of m^{ed} = m (mod n) in RSA (3)
• Known facts:
  n = p * q where p, q are primes
  d = e^{-1} mod (p-1)(q-1)
  or: e d = k(p-1)(q-1) + 1 for integer k
• Proof 2: (a complete proof cont’d)
  Step 1: we have proven: for message m, m^{ed} = m (mod p).
  Step 2: by similar arguments, we can prove m^{ed} = m (mod q).
  Step 3: Try to prove: m^{ed} = m (mod n):
  From step 1: m^{ed} – m = 0 (mod p), so m^{ed} – m is a multiple of p.
  From step 2: m^{ed} – m = 0 (mod q), so m^{ed} – m is a multiple of q.
  Since p and q are different primes, m^{ed} – m must be a multiple of p*q = n.
  So we have proven m^{ed} – m = 0 (mod n), or m^{ed} = m (mod n).
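
An added Python check of the result just proved, using the small key from the earlier "RSA Example" slide (p = 7, q = 13, e = 5); it is not part of the original slides, and the function names are assumptions. It confirms that encryption followed by decryption returns every m in [0, n), including the multiples of p or q that Proof 1 leaves out, lists the messages that encrypt to themselves (the slide's m = 14 is one of them), and shows why the slide's signature and ciphertext of 5 are both 31.

```python
from math import gcd


def is_prime(x):
    """Trial division; adequate for the small primes used here."""
    if x < 2:
        return False
    i = 2
    while i * i <= x:
        if x % i == 0:
            return False
        i += 1
    return True


def rsa_keygen(p, q, e):
    """Key generation as on the slides: returns ((e, n), (d, n))."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be different primes")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (e, p * q), (d, p * q)


def roundtrip_failures(pub, prv):
    """Messages m in [0, n) with (m^e)^d mod n != m; the proof says none."""
    (e, n), (d, _) = pub, prv
    return [m for m in range(n) if pow(pow(m, e, n), d, n) != m]


def messages_sharing_a_factor(n):
    """Messages in [1, n) that are multiples of p or q (not covered by Proof 1)."""
    return [m for m in range(1, n) if gcd(m, n) != 1]


def unconcealed_messages(pub):
    """Messages whose ciphertext equals the plaintext: m^e mod n == m."""
    e, n = pub
    return [m for m in range(n) if pow(m, e, n) == m]


def public_exponent_also_decrypts(p, q, e, d):
    """True when d = e modulo lcm(p-1, q-1); then raising to e twice gives m."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (d - e) % lam == 0


if __name__ == "__main__":
    pub, prv = rsa_keygen(7, 13, 5)
    print("public key", pub, "private key", prv)
    print("round-trip failures:", roundtrip_failures(pub, prv))
    print("multiples of p or q:", messages_sharing_a_factor(pub[1]))
    print("unconcealed messages:", unconcealed_messages(pub))
    # For this toy key d and e agree modulo lcm(6, 12) = 12, which is why
    # signing 5 (exponent 29) and encrypting 5 (exponent 5) both give 31.
    print("e also decrypts:", public_exponent_also_decrypts(7, 13, 5, prv[0]))
```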

Blind Signature: achieve anonymity
• In e-cash systems, let the customer generate an e-cash note number without letting the bank know the number. But the bank can still sign on it.
• To establish the secret identity of a spy
• To protect RSA from timing attack, etc.

Anonymity of E-cash
• Usually achieved by cryptographic techniques.
• Idea: Bank (B) does not know the Customer’s (C) identification, when an e-cash token is issued.
• Example:
  – C receives an “e-cash request software” from B
  – C uses the software to generate a ‘note number’ X (can have more details)
  – C sends a request to B, asking B to sign on X
  – B, after authenticating the request, knowing that the request is generated from a valid software, signs on X, the result is a valid e-cash token (with number X)
  – B issues the token to C, and deducts C’s money
  – But B does not know X!!! How?

Idea of Blind Signature
[Figure: Normal signing: the document “This is a document” becomes the same document signed “James Ho”. Blind signing: the document is ‘blinded’, signed by the “blind signer”, then ‘unblinded’, giving the document signed “James Ho”.]

Using ‘blind-signature’ in E-cash
• Example:
  – C receives an “e-cash request software” from B
  – C uses the software to generate a ‘note number’ X (can have more details)
  – C transforms X into another number Y
  – C sends a request to B, asking B to sign on Y
  – B, after authenticating the request, knowing that the request is generated from a valid software, signs on Y, the result is a transformed valid e-cash token
  – B issues the transformed token to C, & deducts C’s money
  – C extracts the valid token (with note number X) from the transformed token
  – In some “not-so anonymous” schemes, C’s identification can be opened. The scheme is very complicated.
Blind Signature Scheme Eg.
Customer C wants B to sign on a ‘note number’ X
• RSA scheme is used; (d,n) is B’s private key, (e,n) is B’s public key
• C generates a ‘blinding factor’ R
• C computes $Y = (X R^e) \bmod n$, and sends it to B
• B signs on Y: computes $Z = Y^d \bmod n = (X R^e)^d \bmod n = (X^d R^{ed}) \bmod n$. (Since $R^{ed} = R \bmod n$, $Z = (X^d R) \bmod n$.)
• B sends $Z = (X^d R) \bmod n$ to C; C multiplies Z by $R^{-1}$ (mod n) and obtains $X^d \bmod n$, which is the ‘note number’ signed by B.
• Problem: how can B know that C is not presenting a meaningful message (like ‘B owes C one million’) for B to sign?
Reference: “Frontiers of Electronic Commerce”, Kalakota & Whinston, 1996, Addison-Wesley.
Blind Signature Scheme: Secret ID establishment
• C is a spy, B is head of the government treasury department
• C wants to use a secret ID (say “Little sparrow”)
• C wants B to sign a message like
– “The government agrees to pay Little sparrow 1 million dollars”
• But C does not want B to know the fact that Little Sparrow is his secret identity
• Solution 1: use a blind signature scheme.
• Problem of solution 1: B wants to know that the document to be signed is of the correct content.
Blind Signature Scheme: Secret ID establishment (2)
• Solution 2: To protect the blind signer B, and C as well.
• C generates 10 different secret IDs, and for each one makes the message “The government agrees to pay XXX 1 million dollars”, where XXX is the secret ID.
• C blinds every message with a different blinding factor, and sends them to B for blind signatures
• B randomly chooses 9 messages, and asks C to supply the blinding factors.
• C gives the 9 blinding factors.
• B retrieves the plain text of the 9 messages using the 9 blinding factors received from C. If all 9 messages are normal requests of the correct format, then B can believe (with high probability) that the remaining unopened message is a normal request
• B blindly signs the unopened message, and sends it to C.
• Key idea: C does not know B’s choices!!
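The RSA blinding arithmetic from the “Blind Signature Scheme Eg.” slide and the 10-message cut-and-choose of Solution 2, as an added example that is not part of the original lecture. It uses textbook RSA exactly as on the slide; the key built from two publicly known Mersenne primes, the public exponent 65537 and all function names are assumptions made for the demo.

```python
import math, secrets

# Constructed toy key for B: two well-known Mersenne primes (insecure, demo only).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # B's public key (e, n)
D = pow(E, -1, (P - 1) * (Q - 1))        # B's private exponent d
TEMPLATE = "The government agrees to pay {} 1 million dollars"

def encode(text):
    return int.from_bytes(text.encode(), "big")

def decode(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big").decode(errors="replace")

def blind(x):
    """C: pick a blinding factor R, return (Y, R) with Y = X * R^e mod n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:          # R must be invertible mod n
            return (x * pow(r, E, N)) % N, r

def unblind(z, r):
    """C: Z * R^-1 mod n = X^d mod n."""
    return (z * pow(r, -1, N)) % N

def well_formed(x):
    """B: does an opened message match the agreed request format?"""
    head, _, tail = TEMPLATE.partition("{}")
    text = decode(x)
    return text.startswith(head) and text.endswith(tail)

def cut_and_choose(messages):
    """Solution 2. Returns (index, signature), or None if B refuses to sign."""
    blinded = [blind(encode(m)) for m in messages]       # B is sent only the Y values
    keep = secrets.randbelow(len(blinded))               # B's choice, unknown to C
    for i, (y, r) in enumerate(blinded):
        if i != keep:                                    # C reveals R for the others
            opened = (y * pow(pow(r, E, N), -1, N)) % N  # B strips R^e to read X
            if not well_formed(opened):
                return None                              # malformed request found
    y, r = blinded[keep]
    z = pow(y, D, N)                                     # B signs blindly: Z = Y^d mod n
    return keep, unblind(z, r)                           # C recovers X^d mod n

def verify(text, sig):
    return pow(sig, E, N) == encode(text)
```

With one malformed message among the ten, B opens it with probability 9/10; with two or more, at least one is always opened.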
El Gamal Signature Scheme
• Key generation:
– Generate a prime p, a random number g (often known as ‘generator’), and a random number x
– Private key is x
– Compute $y = g^x \bmod p$; the public key is (y,g,p)
• To sign a message m:
– Choose a random number k such that gcd(k, p−1) = 1
– Compute $a = g^k \bmod p$
– Find $k^{-1} \bmod (p-1)$, and compute $b = (m - x a)\,k^{-1} \bmod (p-1)$. This means find b such that $m = x a + k b \pmod{p-1}$
– The signer keeps k secret
– The signature is (a,b)
– Note: the signature size is double the message size
El Gamal Signature Scheme (2)
• To sign a message m:
– Choose a random number k such that gcd(k, p−1) = 1
– Compute $a = g^k \bmod p$
– Find $k^{-1} \bmod (p-1)$, and compute $b = (m - x a)\,k^{-1} \bmod (p-1)$. The signature is (a,b)
• To verify a signature (a,b):
– Check whether $y^a \cdot a^b = g^m \pmod p$. Iff yes, the signature is correct.
• The El Gamal Encryption scheme is different from the El Gamal signature scheme
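The key generation, signing and verification steps of the two El Gamal slides carried through in code, as an added example that is not part of the original lecture. The prime p = 2^127 − 1, the base g = 3, the function names and the range check in `verify` are assumptions for the demo; the message m is taken to be an integer, as on the slide.

```python
import math, secrets

# Constructed toy parameters (demo only): a Mersenne prime p and a small base g.
P = 2**127 - 1
G = 3

def keygen():
    """Return (x, y): private key x and public value y = g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def sign(m, x):
    """Return (a, b) with a = g^k mod p and b = (m - x*a) * k^-1 mod (p-1)."""
    while True:
        k = secrets.randbelow(P - 3) + 2     # fresh secret k for every signature
        if math.gcd(k, P - 1) == 1:          # otherwise k^-1 mod (p-1) does not exist
            break
    a = pow(G, k, P)
    b = ((m - x * a) * pow(k, -1, P - 1)) % (P - 1)
    return a, b

def verify(m, sig, y):
    """Accept iff y^a * a^b == g^m (mod p)."""
    a, b = sig
    # Range check on (a, b): an addition here, not stated on the slide.
    if not (0 < a < P and 0 <= b < P - 1):
        return False
    return (pow(y, a, P) * pow(a, b, P)) % P == pow(G, m, P)
```

Verification works because $y^a a^b = g^{xa + kb}$ and $xa + kb \equiv m \pmod{p-1}$.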
DSA (Digital Signature Algorithm)
• Designed by NIST and NSA, and is the US federal standard signature scheme (used with SHA hash alg.)
• Based on a variant of the El Gamal and Schnorr algorithms
• Has to work together with a hash function (designed to be SHA)
• A ‘signature only’ algorithm; cannot be used as an encryption engine.
• The DSA routine can be used to perform RSA and El Gamal encryption! (Most likely not intended by the designer)
Elliptic Curve Cryptography (simplified illustration)
• Elliptic Curve (E.C.):
– $y^2 + axy + by = x^3 + cx^2 + dx + e$
• Consider an E.C. over a finite field (e.g. “mod p” where p is prime)
• Consider operations of points on an E.C. + O (a point of “infinity”)
• Two points P(x,y) & Q(x,y) can be added together: R = P + Q
• P + O = P
• If P = (x, y), then –P = (x, –y)
• For “mod p” finite field, R(x3,y3) = P(x1,y1) + Q(x2,y2) is given by
– $x_3 = L^2 - x_1 - x_2 \pmod p$
– $y_3 = L(x_1 - x_3) - y_1 \pmod p$
– where $L = (y_2 - y_1)/(x_2 - x_1) \pmod p$ if P != Q,
– or $L = (3x_1^2 + a)/(2y_1) \pmod p$ if P == Q.
• Scalar Multiplication
– Repeated addition of the same point
– 4P = P + P + P + P
Elliptic Curve Cryptography
• ECDLP
– Elliptic Curve DL
  • Given P and G, and for some n: P = nG. n is called the elliptic curve discrete logarithm of P.
– Given P and G with P = nG, finding n is difficult.
• ECC
– A public-key cryptosystem based on the structure of the group of points of an elliptic curve
– Suppose that the base point G on E has prime order r,
  • The private key s is an integer modulo r.
  • The corresponding public key W is a point on E defined by W = sG
• Advantages
– More complex math structure, so that the key is much shorter than in other public-key cryptosystems such as RSA for the same security level.
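The point-addition formulas of the previous slide and the key relation W = sG, as an added example that is not part of the original lecture. It assumes the simplified curve form $y^2 = x^3 + ax + b$ (the form the slide's doubling slope applies to) and a constructed toy curve over mod 17 with base point G = (5, 1) of prime order 19; scalar multiplication uses double-and-add rather than the repeated addition shown on the slide.

```python
# Constructed toy curve (demo only): y^2 = x^3 + A*x + B over "mod P_MOD".
# G is a base point of prime order R; the point at infinity O is None.
P_MOD, A, B = 17, 2, 2
G, R = (5, 1), 19

def on_curve(pt):
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0

def add(p, q):
    """R = P + Q using the slope L from the slide."""
    if p is None:
        return q                                  # O + Q = Q
    if q is None:
        return p                                  # P + O = P
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                               # P + (-P) = O
    if p == q:                                    # doubling
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:                                         # distinct points
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return x3, y3

def scalar_mult(n, pt):
    """nP by double-and-add: about log2(n) doublings instead of n-1 additions."""
    result = None
    while n > 0:
        if n & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        n >>= 1
    return result

def public_key(s):
    """W = sG for a private key s taken modulo the order r of G."""
    return scalar_mult(s % R, G)
```

On this 19-point group, n can be recovered from P = nG by trying every value, which is why real curves use an order r hundreds of bits long.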