Outline Encryption Models

Outline Encryption Models

Public Key Cryptosystems Guevara Noubir http://www.ccs.neu.edu/home/noubir/Courses/CSG252/F05 Textbook: —Cryptography: Theory and Applications“, Douglas Stinson, Chapman & Hall/CRC Press, 2002 Reading: Chapter 5 upto section 5.7 Outline n Concepts behind public key crypto n Some number theory n RSA cryptosystem n Primality testing n Factoring numbers and other attacks CSG252 Classical Cryptography 2 Encryption Models Plaintext Plaintext Message Encryption Ciphertext Decryption Message source Algorithm Algorithm Destination Encryption Decryption Key Key Symmetric encryption: Shared key Shared key Asymmetric encryption: Early 70’s Private key Published in 76 Public key Cannot provide unconditional security CSG252 Classical Cryptography 3 1 Applications n Symmetric algorithms vs. asymmetric algorithms (public-key crypto systems) n About 1000 times faster! n However, require a shared key! n Practice: n Use public key crypto to establish a shared key n Examples n Email: n Choose a key for the symmetric algorithm K, encrypt it with the public key of the destination n Use the key K to encrypt the message and integrity protect it n IPSec/IKE: n IKE: establish a session key (using either public-key cryptosystem or shared secrets) n IPSec uses the session key to provide confidentiality and integrity CSG252 Classical Cryptography 4 Number Theory * n Zn : abelian group of numbers < n, relatively prime to n n Euclidean Algorithm (a, b): n Computes the gcd(a, b) n Extended Euclidean Algorithm(a, b): n Computes r, s, t s.t. sa + bt = r = gcd(a, b) -1 n If r = 1 s = a mod b n If r ≠ 1 ? n Time complexity less than O(k3) if a and b are encoded in less than k bits. CSG252 Classical Cryptography 5 Chinese Remainder Theorem n Assume that m1, …, mr are pairwise relatively prime positive integers n Chinese Remainder Theorem (CRT): n Suppose a1, …, ar are integers s.t. ≡ n x a1 (mod m1) ≡ n x a2 (mod m2) n … ≡ n x ar (mod mr) n There exists a unique x mod m1m2…mr that satisfies all previous equations r x = a M y mod M = = −1 i i i M i M / mi ; yi M i i=1 CSG252 Classical Cryptography 6 2 Other Known Results n If G is a multiplicative group of order n then the order of any element of G divides n * φ n Order of Zn = (n) ∈ * φ(n) ≡ n If b Zn , then b 1 (mod n) n How about when n is prime? * n If p is prime then Zp is a cyclic group CSG252 Classical Cryptography 7 RSA Cryptosystem n Due to Rivest-Shamir-Adleman in 1977 n Let n = pq, where p and q are primes n P = C = Zn n K = {(n, p, q, a, b) : ab ≡ 1 (mod φ(n))} n Encryption: b n ek(x) = x mod n n Decryption: a n dk(y) = y mod n n Public key: n and b n Private key: p, q, a CSG252 Classical Cryptography 8 Example n p = 101; q = 113 n = 11413 n φ(n) = 11200 = 26527 n Let b = 3533 b-1 = 6597 n How is b chosen? n Encrypt plaintext: 9726 3533 n Ciphertext = 9726 mod 11413 = 5761 n Decryption ciphertext: 5761 6597 n Plaintext = 5761 mod 11413 = 9726 CSG252 Classical Cryptography 9 3 Use of RSA n Encryption (A wants to send a message M to B): n A uses the public key of B and encrypts M (i.e., ekB(M)) n Since only B has the private key, only B can decrypt M (i.e., M = dkB(M) n Digital signature (A wants to send a signed message to B): n Based on the fact that ekA(dkA(M)) = dkA(ekA(M)) n A encrypts M using its private key (i.e., dkA(M)) and sends it to B n B can check that ekA(dkA(M)) = M n Since only A has the decryption key, only him can generate this message CSG252 Classical Cryptography 10 Security of RSA n Security of RSA is based on the belief that: b n x mod n is a one-way function n The trapdoor is the knowledge of the factorization of n into pq n Conjecture: n RSA is as difficult as factoring numbers CSG252 Classical Cryptography 11 RSA Implementation n RSA Parameters Generation n Generate two large primes: p, q n n ← pq, and φ(n) ← (p -1)(q -1); n Choose a random b (1< b <φ(n)) s.t. gcd(b, φ(n)) =1 -1 n a ← b mod φ(n) n Public key is (n, b) and private key is (p, q, a) n p and q should be at least 512 bits long each n n is at least 1024 bits long n Computation Complexity: n Exponentiation cost: SQUARE-AND-MULTIPLY c 2 n (m1) mod n can be computed in O(log(c)xk ) n Modular inverse: Extended Euclidean Alg. -1 3 n (m1) mod n can be computed in O(k ) n Modular Muliplication: 2 n (m1m2) mod n can be computed in O(k ) CSG252 Classical Cryptography 12 4 Prime Numbers Generation n Density of primes (prime number theorem): n π(x) ~ x/ln(x) n E.g., a random number of 512 bits has probability: 1/ln(512) = 1/355 to be prime n Sieve of Erathostène n Try if any number less than SQRT(n) divides n − ≈ b ’ n Fermat‘s Little Theorem does not detectb (nC1)/a2 mromd n =ic∆ h ael « n numbers n-1 0 if a ≡ 0mod p n b ≡ 1 mod n ≈ a ’ ∆ = 1 if a is a quadratic residuemod p « p n E.g., 561 is the smallest Carmichael num b−e1 rif a is a quadratic non - residuemod p n Solovay-Strassen primality test n If n is not prime at least 50% of b fail to satisfy the following: 3 n Jacobi symbol can be computed in less than O((logn) ) CSG252 Classical Cryptography 13 n Jacobi symbol is a generalization of the Legendre symbol: Computing Jacobi Symbol ei k ≈ a ’ k ≈ a ’ n Definition: = ei Ω = ∆ ÷ n ∏ pi ∆ ÷ ∏∆ ÷ i=1 « n ◊ i=1 « pi ◊ n No need to factor n to compute the Jacobi symbol n Use the following rules [n is positive odd]: ≈ m1 ’ ≈ m2 ’ n m ≡ m (mod n) Ω ∆ ÷ = ∆ ÷ 1 2 « n ◊ « n ◊ ≈ 2 ’ À 1 if n ≡ ±1(mod8) ∆ ÷ = à n « n ◊ Õ−1 if n ≡ ±3(mod8) ≈ m m ’ ≈ m ’≈ m ’ ∆ 1 2 ÷ = ∆ 1 ÷∆ 2 ÷ n « n ◊ « n ◊« n ◊ À ≈ n ’ Œ−∆ ÷ if ≈ m ’ Œ « m ◊ m ≡ n ≡ 3(mod 4) n ∆ ÷ = à « n ◊ ≈ n ’ Œ ∆ ÷ otherwise ÕŒ « m ◊ CSG252 Classical Cryptography 14 n Rabin-Miller primality test n If n is not prime then it is not pseudoprime to at least 75% of random a < n : k n n-1 = 2 m, m n b ← a mod n; n Ifb ≡ 1 mod n then return(n prime) n For i=0 to k-1 do n If b ≡ -1 mod n then return(n prime) n Else b ← b2; n return(n composite) n Probabilistic test, deterministic if the Generalized Riemann Hypothesis is true n Deterministic polynomial time primality test [Agrawal, Kayal, Saxena‘2002] CSG252 Classical Cryptography 15 5 Attacks on RSA n Factoring n Many factoring algorithms were proposed: quadratic sieve, elliptic curve factoring, number field sieve, Pollard‘s rho-method n Capable of factoring a 512 bits modulus ≈ 155 digits in 1999 using 8400 MIPS-years n Other attacks: n Computing φ(n) n Decryption exponent: if a is known! n Las Vegas algorithm (5.10) that will factor n with probability ² n Semantic Security CSG252 Classical Cryptography 16 Rabin Cryptosystem n Motivation: n The difficulty of factoring does not necessarily prove RSA security n Hardness of factoring leads to security proof of Rabin‘s cryptosystem against chosen-plaintext attack n Scheme: n n = pq (p and q are two primes and p ≡ q ≡ 3 mod 4) * n P = C = Zn ; K = {(n, p, q)} 2 n eK(x) = x mod n √ n dK(y) = y mod n n Note: ≡ ≡ * n Conditions: p q 3 mod 4 and Zn is for simplification of decryption and security proof purpose CSG252 Classical Cryptography 17 Rabin Cryptosystem n Observation: n Is the encryption function injective? n Solution? n How can we decrypt? n Solution: CRT n Consider x s.t.: x ≡ ± y( p+1)/ 4 mod p x ≡ ± y(q+1)/ 4 mod q n x2 ≡ y mod n n When can we use this technique of decoding? n Example: n n = 7x11 n Decrypt y = 23 CSG252 Classical Cryptography 18 6 Security of Rabin Cryptosystem n If Rabin cryptosystem can be broken then we can build a Las Vegas probabilistic algorithm with success probability ² n Rabin Oracle Factoring(n) n External RabinDecrypt n Choose a random r; n Let y ← r2; n x ← RabinDecrypt(y); n Ifx = ±r mod n return(failure) n Else return(p=gcd(x+r, n) ; q=n/p); n Conclusion: n Rabin cryptosystem is secure against a chosen plaintext attack n Additional security results: n Rabin cryptosystem is insecure against a chosen ciphertext attack CSG252 Classical Cryptography 19 CSG252 Classical Cryptography 20 7.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    7 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us