Outline Encryption Models
Total Page:16
File Type:pdf, Size:1020Kb
Public Key Cryptosystems Guevara Noubir http://www.ccs.neu.edu/home/noubir/Courses/CSG252/F05 Textbook: —Cryptography: Theory and Applications“, Douglas Stinson, Chapman & Hall/CRC Press, 2002 Reading: Chapter 5 upto section 5.7 Outline n Concepts behind public key crypto n Some number theory n RSA cryptosystem n Primality testing n Factoring numbers and other attacks CSG252 Classical Cryptography 2 Encryption Models Plaintext Plaintext Message Encryption Ciphertext Decryption Message source Algorithm Algorithm Destination Encryption Decryption Key Key Symmetric encryption: Shared key Shared key Asymmetric encryption: Early 70’s Private key Published in 76 Public key Cannot provide unconditional security CSG252 Classical Cryptography 3 1 Applications n Symmetric algorithms vs. asymmetric algorithms (public-key crypto systems) n About 1000 times faster! n However, require a shared key! n Practice: n Use public key crypto to establish a shared key n Examples n Email: n Choose a key for the symmetric algorithm K, encrypt it with the public key of the destination n Use the key K to encrypt the message and integrity protect it n IPSec/IKE: n IKE: establish a session key (using either public-key cryptosystem or shared secrets) n IPSec uses the session key to provide confidentiality and integrity CSG252 Classical Cryptography 4 Number Theory * n Zn : abelian group of numbers < n, relatively prime to n n Euclidean Algorithm (a, b): n Computes the gcd(a, b) n Extended Euclidean Algorithm(a, b): n Computes r, s, t s.t. sa + bt = r = gcd(a, b) -1 n If r = 1 s = a mod b n If r ≠ 1 ? n Time complexity less than O(k3) if a and b are encoded in less than k bits. CSG252 Classical Cryptography 5 Chinese Remainder Theorem n Assume that m1, …, mr are pairwise relatively prime positive integers n Chinese Remainder Theorem (CRT): n Suppose a1, …, ar are integers s.t. ≡ n x a1 (mod m1) ≡ n x a2 (mod m2) n … ≡ n x ar (mod mr) n There exists a unique x mod m1m2…mr that satisfies all previous equations r x = a M y mod M = = −1 i i i M i M / mi ; yi M i i=1 CSG252 Classical Cryptography 6 2 Other Known Results n If G is a multiplicative group of order n then the order of any element of G divides n * φ n Order of Zn = (n) ∈ * φ(n) ≡ n If b Zn , then b 1 (mod n) n How about when n is prime? * n If p is prime then Zp is a cyclic group CSG252 Classical Cryptography 7 RSA Cryptosystem n Due to Rivest-Shamir-Adleman in 1977 n Let n = pq, where p and q are primes n P = C = Zn n K = {(n, p, q, a, b) : ab ≡ 1 (mod φ(n))} n Encryption: b n ek(x) = x mod n n Decryption: a n dk(y) = y mod n n Public key: n and b n Private key: p, q, a CSG252 Classical Cryptography 8 Example n p = 101; q = 113 n = 11413 n φ(n) = 11200 = 26527 n Let b = 3533 b-1 = 6597 n How is b chosen? n Encrypt plaintext: 9726 3533 n Ciphertext = 9726 mod 11413 = 5761 n Decryption ciphertext: 5761 6597 n Plaintext = 5761 mod 11413 = 9726 CSG252 Classical Cryptography 9 3 Use of RSA n Encryption (A wants to send a message M to B): n A uses the public key of B and encrypts M (i.e., ekB(M)) n Since only B has the private key, only B can decrypt M (i.e., M = dkB(M) n Digital signature (A wants to send a signed message to B): n Based on the fact that ekA(dkA(M)) = dkA(ekA(M)) n A encrypts M using its private key (i.e., dkA(M)) and sends it to B n B can check that ekA(dkA(M)) = M n Since only A has the decryption key, only him can generate this message CSG252 Classical Cryptography 10 Security of RSA n Security of RSA is based on the belief that: b n x mod n is a one-way function n The trapdoor is the knowledge of the factorization of n into pq n Conjecture: n RSA is as difficult as factoring numbers CSG252 Classical Cryptography 11 RSA Implementation n RSA Parameters Generation n Generate two large primes: p, q n n ← pq, and φ(n) ← (p -1)(q -1); n Choose a random b (1< b <φ(n)) s.t. gcd(b, φ(n)) =1 -1 n a ← b mod φ(n) n Public key is (n, b) and private key is (p, q, a) n p and q should be at least 512 bits long each n n is at least 1024 bits long n Computation Complexity: n Exponentiation cost: SQUARE-AND-MULTIPLY c 2 n (m1) mod n can be computed in O(log(c)xk ) n Modular inverse: Extended Euclidean Alg. -1 3 n (m1) mod n can be computed in O(k ) n Modular Muliplication: 2 n (m1m2) mod n can be computed in O(k ) CSG252 Classical Cryptography 12 4 Prime Numbers Generation n Density of primes (prime number theorem): n π(x) ~ x/ln(x) n E.g., a random number of 512 bits has probability: 1/ln(512) = 1/355 to be prime n Sieve of Erathostène n Try if any number less than SQRT(n) divides n − ≈ b ’ n Fermat‘s Little Theorem does not detectb (nC1)/a2 mromd n =ic∆ h ael « n numbers n-1 0 if a ≡ 0mod p n b ≡ 1 mod n ≈ a ’ ∆ = 1 if a is a quadratic residuemod p « p n E.g., 561 is the smallest Carmichael num b−e1 rif a is a quadratic non - residuemod p n Solovay-Strassen primality test n If n is not prime at least 50% of b fail to satisfy the following: 3 n Jacobi symbol can be computed in less than O((logn) ) CSG252 Classical Cryptography 13 n Jacobi symbol is a generalization of the Legendre symbol: Computing Jacobi Symbol ei k ≈ a ’ k ≈ a ’ n Definition: = ei Ω = ∆ ÷ n ∏ pi ∆ ÷ ∏∆ ÷ i=1 « n ◊ i=1 « pi ◊ n No need to factor n to compute the Jacobi symbol n Use the following rules [n is positive odd]: ≈ m1 ’ ≈ m2 ’ n m ≡ m (mod n) Ω ∆ ÷ = ∆ ÷ 1 2 « n ◊ « n ◊ ≈ 2 ’ À 1 if n ≡ ±1(mod8) ∆ ÷ = à n « n ◊ Õ−1 if n ≡ ±3(mod8) ≈ m m ’ ≈ m ’≈ m ’ ∆ 1 2 ÷ = ∆ 1 ÷∆ 2 ÷ n « n ◊ « n ◊« n ◊ À ≈ n ’ Œ−∆ ÷ if ≈ m ’ Œ « m ◊ m ≡ n ≡ 3(mod 4) n ∆ ÷ = à « n ◊ ≈ n ’ Œ ∆ ÷ otherwise ÕŒ « m ◊ CSG252 Classical Cryptography 14 n Rabin-Miller primality test n If n is not prime then it is not pseudoprime to at least 75% of random a < n : k n n-1 = 2 m, m n b ← a mod n; n Ifb ≡ 1 mod n then return(n prime) n For i=0 to k-1 do n If b ≡ -1 mod n then return(n prime) n Else b ← b2; n return(n composite) n Probabilistic test, deterministic if the Generalized Riemann Hypothesis is true n Deterministic polynomial time primality test [Agrawal, Kayal, Saxena‘2002] CSG252 Classical Cryptography 15 5 Attacks on RSA n Factoring n Many factoring algorithms were proposed: quadratic sieve, elliptic curve factoring, number field sieve, Pollard‘s rho-method n Capable of factoring a 512 bits modulus ≈ 155 digits in 1999 using 8400 MIPS-years n Other attacks: n Computing φ(n) n Decryption exponent: if a is known! n Las Vegas algorithm (5.10) that will factor n with probability ² n Semantic Security CSG252 Classical Cryptography 16 Rabin Cryptosystem n Motivation: n The difficulty of factoring does not necessarily prove RSA security n Hardness of factoring leads to security proof of Rabin‘s cryptosystem against chosen-plaintext attack n Scheme: n n = pq (p and q are two primes and p ≡ q ≡ 3 mod 4) * n P = C = Zn ; K = {(n, p, q)} 2 n eK(x) = x mod n √ n dK(y) = y mod n n Note: ≡ ≡ * n Conditions: p q 3 mod 4 and Zn is for simplification of decryption and security proof purpose CSG252 Classical Cryptography 17 Rabin Cryptosystem n Observation: n Is the encryption function injective? n Solution? n How can we decrypt? n Solution: CRT n Consider x s.t.: x ≡ ± y( p+1)/ 4 mod p x ≡ ± y(q+1)/ 4 mod q n x2 ≡ y mod n n When can we use this technique of decoding? n Example: n n = 7x11 n Decrypt y = 23 CSG252 Classical Cryptography 18 6 Security of Rabin Cryptosystem n If Rabin cryptosystem can be broken then we can build a Las Vegas probabilistic algorithm with success probability ² n Rabin Oracle Factoring(n) n External RabinDecrypt n Choose a random r; n Let y ← r2; n x ← RabinDecrypt(y); n Ifx = ±r mod n return(failure) n Else return(p=gcd(x+r, n) ; q=n/p); n Conclusion: n Rabin cryptosystem is secure against a chosen plaintext attack n Additional security results: n Rabin cryptosystem is insecure against a chosen ciphertext attack CSG252 Classical Cryptography 19 CSG252 Classical Cryptography 20 7.