Eindhoven University of Technology MASTER Kleptography
Total Page:16
File Type:pdf, Size:1020Kb
Eindhoven University of Technology MASTER Kleptography cryptography with backdoors Antheunisse, M. Award date: 2015 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain Master Thesis Kleptography Cryptography with Backdoors Author: Milou Antheunisse (student number: 780190) Supervisor: Prof. Dr. Tanja Lange Eindhoven University of Technology Department of Mathematics and Computer Science October 26, 2015 Abstract In a black-box cryptosystem, only the input and output of the system are accessible for the user. This means that the user does not have any knowledge of the internals of the device. This principle has been used regularly, for example in the Capstone project, launched by the US government in 1993. In 1996, Adam Young and Moti Yung showed that black-box cryptography should not be trusted. They designed an attack for black-box cryptosystems: SETUP (Secretly Embedded Trapdoor with Universal Protection). The SETUP mechanism enables the attacker to exfiltrate users' private information without the users noticing. This field of study is denoted by the term \kleptography". First, a general introduction to cryptography is presented. This chapter serves as a step- ping stone towards the next chapter on kleptography. Formal definitions of SETUP are given, followed by a distinction between weak, regular and strong SETUP. Furthermore, the notion of leakage bandwidth is introduced. SETUP implementations in RSA key gen- eration, ElGamal key generation and signature scheme and Diffie-Hellman key exchange are shown and explained in detail. Finally, some measures are given to protect against a SETUP attack. I Contents List of Algorithms IV List of Examples V List of Figures VII 1 Introduction 1 1.1 Motivation . .1 1.2 Thesis Outline . .1 2 An Introduction to Cryptography 3 2.1 Terminology . .3 2.1.1 Encryption and Decryption . .3 2.1.2 Symmetric vs. Asymmetric Cryptography . .4 2.2 Number Theory . .4 2.2.1 Euclidean Algorithm . .5 2.2.2 Prime Numbers . .7 2.2.3 Congruences . .9 2.2.4 Discrete Logarithm and Integer Factorization . 16 2.3 Classical Cryptosystems . 16 2.3.1 Caesar Cipher . 16 2.3.2 Vigen`ereCryptosystem . 17 2.3.3 Vernam Cipher . 18 2.4 Modern Cryptosystems . 18 2.4.1 Cryptographic Primitives . 19 2.4.2 Diffie-Hellman Key Exchange . 22 2.4.3 ElGamal . 23 2.4.4 RSA . 27 2.5 Applications of Cryptography . 29 2.5.1 Bank Cards and Credit Cards . 29 2.5.2 Online Banking . 30 2.5.3 Pretty Good Privacy . 30 3 Kleptography 33 3.1 Background Information . 33 3.1.1 Subliminal Channels . 33 3.1.2 Key Escrow . 37 3.2 A History of Kleptography . 39 3.3 SETUP . 40 3.3.1 Secretly Embedded Trapdoor with Universal Protection . 41 3.3.2 Definition of SETUP . 41 3.3.3 Weak SETUP . 42 3.3.4 Strong SETUP . 43 3.3.5 Weak, Regular or Strong SETUP? . 43 III CONTENTS 3.3.6 Leakage Bandwidth . 43 3.4 SETUP in RSA . 44 3.4.1 SETUP in RSA Key Generation I . 44 3.4.2 SETUP in RSA Key Generation II (PAP) . 46 3.5 SETUP in ElGamal . 53 3.5.1 SETUP in ElGamal Key Generation I . 53 3.5.2 SETUP in ElGamal Key Generation II . 58 3.5.3 SETUP in ElGamal Signature Scheme . 63 3.6 SETUP in Diffie-Hellman . 71 3.6.1 SETUP in Diffie-Hellman Key Exchange . 72 4 Conclusions 83 4.1 SETUP Attacks . 83 4.2 Protection against SETUP Attacks . 84 4.3 Further Research . 84 4.4 Final Words . 85 A SETUP in RSA 87 A.1 SETUP in RSA Key Generation I . 87 A.2 SETUP in RSA Key Generation II (PAP) . 88 B SETUP in ElGamal 91 B.1 SETUP in ElGamal Key Generation I . 91 B.2 SETUP in ElGamal Key Generation II . 93 B.3 SETUP in ElGamal Signature Scheme . 95 C SETUP in Diffie-Hellman 97 C.1 SETUP in Diffie-Hellman Key Exchange . 97 D Safe Primes 99 IV List of Algorithms 2.1 Euclidean algorithm . .5 2.2 Extended Euclidean algorithm . .6 A.1 SETUP in RSA key generation I . 87 A.2 SETUP in RSA key generation I - Modulus factoring by attacker . 87 A.3 SETUP in RSA key generation II (PAP) . 88 A.4 SETUP in RSA key generation II (PAP) - Modulus factoring by attacker . 89 B.1 SETUP in ElGamal key generation I . 91 B.2 SETUP in ElGamal key generation I - Recovery of private key by attacker . 92 B.3 SETUP in ElGamal key generation II . 93 B.4 SETUP in ElGamal key generation II - Recovery of private key by attacker . 94 B.5 SETUP in ElGamal signature scheme I - First signature . 95 B.6 SETUP in ElGamal signature scheme I - Second signature . 95 B.7 SETUP in ElGamal signature scheme I - Recovery of private key by attacker . 95 B.8 SETUP in ElGamal signature scheme II - First signature . 96 B.9 SETUP in ElGamal signature scheme II - Second signature . 96 C.1 SETUP in Diffie-Hellman key pair generation - First key pair generation . 97 C.2 SETUP in Diffie-Hellman key pair generation - Second key pair generation . 97 C.3 SETUP in Diffie-Hellman key pair generation - Recovery of private key by attacker . 97 V List of Examples 2.1 Euclidean algorithm . .6 2.2 Extended Euclidean algorithm . .7 2.3 Residue classes, complete residue system and reduced residue system . .9 2.4 Modular inverse using extended Euclidean algorithm . 10 2.5 Chinese remainder theorem . 15 2.6 Caesar cipher . 17 2.7 Vigen`erecryptosystem . 17 2.8 Kasiski's method . 18 2.9 Vernam cipher . 18 2.10 The Diffie-Hellman key exchange method . 23 2.11 Key pair generation, encryption and decryption with ElGamal . 25 2.12 Authentication with ElGamal signature scheme . 26 2.13 Key pair generation, encryption and decryption with RSA . 29 3.1 Authentication with ElGamal signature scheme with subliminal channel . 36 3.2 SETUP in RSA key generation I . 45 3.3 SETUP in RSA key generation II - U and U +1 ....................... 48 3.4 SETUP.