Mathematical Background of Public Key Cryptography Gerhard Frey
Total Page:16
File Type:pdf, Size:1020Kb
Mathematical Background of Public Key Cryptography Gerhard Frey University of Duisburg-Essen Institute for Experimental Mathematics [email protected] G.A.T.I CIRM -May 12-16, 2003 1 1 Data security and Arithmetic Problem: A open¡¡! B " C (A; m; B) 7! (B; m; A) The transfer of the message has to be “secure”. This has (at least) 3 aspects: 2 ² Reliability (engineers) ² Correctness (coding theory, engineers and mathematicians) ² Authenticity, privateness (cryptogra- phy, mathematicians, computer scien- tists, engineers) Solutions have to be simple, efficient and cheap! 3 There was a basic decision some sixty years ago: Messages are stored and transmitted as numbers. This makes it possible to apply Arithmetic to data security. 4 We shall concentrate to the third aspect which uses ENCRYPTION provided by cryptography. This is, in the true sense of the word, a classic discipline: We find it in Mesopotamia and Caesar used it. 5 Encryption Devices 6 The devices shown are examples for symmetric procedures: There is a common secret amongst the partners which enables them to de- and encrypt. In principle they are used till today, in refined versions. The new standard is called AES. Typically the historical examples are in- volving secret services and military and the information is exchanged amongst a community in which each member is to be trusted. 7 This has changed dramatically becau- se of electronic communication in public networks. So data security has become a public challenge. There are millions of partners in nets. Key exchange necessary for symmetric systems cannot be rely on personal trust and communication. 8 Solution: PUBLIC KEY CRYPTOSYSTEMS ( Diffie-Hellman 1976) Each member A of the network has two keys: ² a private key sA produced by him- self never leaving the private secure environment ² a public key pA published in a direc- tory. pA is related to sA by a (known) One-Way function. For key exchange and for encryption/decryption A uses both keys (and the public key of the partner B if necessary). There is no practically useable leakage of information about sA; sB ! 9 BASIC IDEA: One Way Functions (Informal)Definition: Let A and B be two finite sets of num- bers and f a map from A to B. f is a one way function if a computer can calculate f(a) in · 50 ms but with very high probability (1¡10¡30) it is impossible to find for given value f(a) the argument a during the next 1000 years by using all known methods and all existing computers. 10 Here enters MATHEMATICS ² to construct candidates for one way functions ² to bring them in such a shape that computation is fast ² to analyze possible attacks We shall concentrate us to systems ba- sed on the Discrete Logarithm 11 2 Abstract DL-Systems Recall: We want ² exchange keys ² sign ² authenticate ² (encrypt and decrypt) with simple protocols clear and easy to follow implementation rules based on secure crypto primitives with a well understood mathematical background. 12 Assume that A ½ N is finite and that B ½ Endset(A). 2.1 Key Exchange Assume that the elements of B commu- te: For all a and b1; b2 2 B we have b1(b2(a)) = b2(b1(a)): Then we can use A; B for a key exchange system in the following way: 13 We fix a (publicly known) base point P0 2 A. The members of the crypto community Qi choose si 2 B and publish pi := si(P0). Then si(pj) = sj(pi) is the shared secret of Qi and Qj. 14 The security depends (not only) on the complexity to find from the knowledge of randomly chosen a 2 A and given a1; a2 in B ± fag all elements b 2 B with b(a) = a1 modulo F ixB(a2) = fb 2 B; b(a2) = a2g: The efficiency depends on the “size” of elements in A; B and on the complexity of evaluating b 2 B. 15 2.2 Signature Scheme of El Gamal- Type Again we assume that B ½ Endset(A): In addition we assume that there are three more structures: 1. h : N ! B; a hash function 2. ¹ : A £ A ! C a map into a set C in which equality of elements can be checked fast 3. º : B £ B ! D ½ Homset(A; C) with º(b1; b2)(a) = ¹(b1(a); b2(a)): 16 Signature: a 2 A is given (or introduced as part as the public key). P chooses b and publishes b(a): Let m be a message. P chooses a random element k 2 B. P computes Á := º(h(m) ± b; h(k(a)) ± k) in D: P publishes (Á; m; k(a)): Verification: V computes ¹(h(m)(b(a)); h(k(a))(k(a))) and compares it with Á(a): 17 2.3 The most popular realization A ½ N a cyclic group of prime order p (with composition written multiplicative- ly. with a numeration. Choose a0, a generator of A. » ¤ B = AutZ(A) = (Z=p) identified with f1; :::; p ¡ 1g by b(a) := ab: C = A and ¹ = multiplication in A º = addition of endomorphisms h = a hash function from N to f1; :::; p ¡ 1g. 18 We translate the Signature scheme: to this situation: P chooses randomly and secretly, his private key x 2 f1; :::; p ¡ 1g and x publishes his public key Y := a0. To sign a message m, P chooses a se- cond random number k and computes k s := h(m)x + h(a0)k mod p: The signed message consists of k (m; a0; s) To check the authenticity of (P; m) one computes k s h(m) h(a0) S = a0;T = Y ;H = a0 : and checks whether S = T ± H: 19 The security considerations for the crypto primitive boil down to the complexity of the com- putation of the Discrete Logarithm: For randomly chosen a1; a2 2 G com- pute n 2 N with n a2 = a1 : Challenge: Construct groups with numerations of large prime order such that the computation of the dis- crete discrete logarithm has the requi- red complexity. Time or space needed (probabilistical- ly) for the computation of the logarithm: 20 polynomial in p. Time and space needed to write down the elements and the group law of G and execute a group composition: polynomial in log(p). 21 2.4 Generic Systems We use the algebraic structure “group”. This allows “generic” attacks.. Shanks’ Baby-Step-Giant-Step Method (deterministic) Take P; Q 2 G. Find k with Q = k ¢ P . Principle: Looking up an element in an ordered set is inexpensive. p Baby step: For i = 0; :::; S · p compute (i ¢ P; i): Giant step: Compute Q ¡ i ¢ S ¢ P 22 . Compare the two lists. If i0 ¢ P = Q ¡ i1 ¢ S ¢ P then k = i0 + i1 ¢ S: p Complexity:O( p) Disadvantage: p ² needs O( p) space 23 Pollard’s ½-Algorithm(probabilistic)1 Principle: Random walk in G closes with high probability after p ¼ 1:03 p steps. Controlled random walk (simplest ver- sion) : The result xi of the i¡th step should depend only on xi¡1. So partite G “randomly” into three sets Tj of size ¼ p=3 and take xi = P + xi¡1 if xi¡1 2 T1; xi = Q + xi¡1 if xi¡1 2 T2; xi = 2xi¡1 if xi¡1 2 T3: There are efficient methods to detect collisions. 1Pollard’s method is used for the “world record” w.r.t. Certicom challenge: Compute DL in an 108-bit elliptic curve. 24 Security hierarchy We measure the complexity of a DL- system by the function ® 1¡® Lp(®; c) := exp(C(logp) (loglogp) ) with 0 · ® · 1 and c > 0. Best case: ® = 1:Exponential com- plexity. Worst case: ® = 0: Polynomial complexity The case between...: 0 < ® < 1: The complexity is subexponential. 25 2.5 Very special examples Example 1: G := Z=p . Numeration: f : G ! f1; ¢ ¢ ¢ ; pg given by f(r + pZ) := [r]p where [r]p is the smallest positive repre- sentative of the class of r modulo p. The function © is given by r1 © r2 = [r1 + r2]p which is easy to compute from the know- ledge of ri. 26 Security? Given: b with b = e(n; a) = [na]p. Solve b = na + kp with k 2 Z. The Euclidean algorithm solves this in O(log(p)) operations in Z=p: ® = 0! We do not get a secure Discrete Loga- rithm System. 27 Example 2: G = Z=p. Choose a pri- me q such that p divides q ¡ 1. Choose ³ 6= 1 in Z=q with ³p = 1 (i.e. ³ is a primitive p-th root of unity). Numeration:For 1 · i · p define i zi := [³ ]q and for ¯i = i + pZ 2 G f(¯i) := [zi ¡ z1 + 1]q: Addition: ai = f(xi + pZ) 2 f1; cdots; q ¡ 1g x +x a1 © a2 = [[³ 1 2]q ¡ z1 + 1]q: = [(a1 + z1 ¡ 1)(a2 + z1 ¡ 1) ¡ z1 + 1]q n e(n; 1) = n ± 1 = [z1 ¡ z1 + 1]q: 28 Security? For fixed a and random b 2 A find n in N with n b = e(n; a) = n ± a = [a ¡ z1 + 1]q: This means: For one fixed p-th root of unity and one random p-th root of unity in the multi- plicative group of Z=q one has to deter- mine the exponent needed to transform the fixed root of unity into the random element. 29 The best known method to compute this discrete logarithm is subexponential in q. It usually is compared with factorizati- on (this is no accident).