Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

(1)

Page 1 Chapter 2.2: Public Key Cryptography

2.2: Public Key Cryptography

• Principles of public key cryptography

• Number theory and algebraic foundations

• Classical public key cryptography

• Newer public key cryptography Chapter 2: Security Techniques Background

• Secret Key Cryptography

• Public Key Cryptography

• Hash Functions

• Authentication

Chapter 3: Security on Network and Transport Layer

Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks

Principles of Public Key Cryptography

Also called asymmetric cryptography

• Different from secret key cryptography, algorithms for encoding and decoding differ considerably

• Working with two keys

→ A private keyd (known only to the owner)

→ A public keye (known by possibly everyone)

• Public key cryptography principle (e.g. RSA):

plaintext

plaintext cipher text

cipher text encryption

decryption public key e private key d

• More easily configurable than secret key cryptography, but slower

• Often combined with secret key: authentication and distribution of a secret key (e.g. Diffie-Hellman for establishment of a shared secret)

Lehrstuhl für Informatik 4

Kommunikation und verteilte Systeme

Applications of Public Key Cryptography

Digital signatures(e.g. RSA, ElGamal, DSS)

• Associate a value with a message, like a checksum

• This value can only be generated by using the private key d ( = decryption)

• It is readable for everyone knowing the public key e ( = encryption)

• Similar to hand-written signature (authenticity without the chance to forge it)

Authentication(zero knowledge proof systems)

• A generates a random number and encrypts it with the public key of B

• B decrypts the message with its private key and sends back the random number to A

• If A gets back the original random number, B is authenticated plaintext

plaintext signed message

signed message signing

verification private key d public key e

Kommunikation und verteilte Systeme Security in Public Key Algorithms

Security in many public key algorithms is based on the difficulty to factorise and compute discrete logarithms

Factorising

→Find the prime factors for a given number

→One of the oldest problems in number theory, very time consuming

→Most popular method: Quadratic Sieve Discrete logarithm

→Problem to find the inverse to modular exponentiation:

Find an x with a^x= b mod n for given a and b

→Not all discrete logarithms have solutions

→Very time consuming process to find solutions for big numbers

→Frequently used method: Index-Calculus method

(2)

Basics for Public Key Cryptography:

Number Theory / Modular Arithmetic

Number theory provides basic knowledge to understand how and why public key algorithms work

→ Necessary concepts for understanding public key algorithms

→ Most public key algorithms are based on modular arithmetic Modular arithmetic

→Operates on a ring (Z_n, +, ⋅), where

Z_nis a set of non-negative integers smaller than some positive integer n

+: Z_n×Z_n→Z_nis a function that

• is associative and commutative

• has a neutral element 0∈Z_n

• has a inverse element x-1 to each x∈Z_n, i.e. x + x-1 = 0

⋅: Z_n×Z_n→Z_nis an associative function (it is not necessarily commutative)

+ and ⋅have left and right exchangeability

→Needed for public key cryptography: addition, multiplication, exponentiation

→Computations of these functions are performed modulo n

Arithmetic Operations modulo n

0 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 0 2 3 4 5 6 7 8 9 0 1 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 4 5 6 7 8 9 0 1 2

3 5 6 7 8 9 0 1 2

4 3 6 7 8 9 0 1 2

5 4 3 7 8 9 0 1 2

6 5 4 3 8 9 0 1 2

7 6 5 4 3 9 0 1 2

0 1 2 3 4 5 6 7 8 9 0

1 2 3 4 5 6 7 8 9 + Arithmetic computing modulo n

• Arithmetic operations are performed as usual, but the result is replaced by its remainder when divided by n (e.g. 3 + 9 = 12 ≡2 mod 10)

Modular addition

• Given: c = x + k mod n, with c, x, k∈Zn

→if x + k < n : c = a + b

→if x + k≥n : c = j, where x + k = i ⋅n + j and j < n

• Can be used to encrypt digits:

each number x out of a range of numbers is

unambiguously mapped onto another

number c from this range

• Caesar Cipher: add a constant k to each number

• Decryption needs subtraction. This can be replaced by an addition of the inverse value

Modular multiplication

• Given: c = x⋅k mod n, with c, x, k∈Z_n

→if x⋅k < n : c = x⋅k

→if x⋅k≥n : c = j,

where x⋅k = i ⋅n + j and j < n

• Encryption only works with special keys k Example for n = 10: only k∈{1, 3, 7, 9} is usable as (simple) cipher key

→only for these values the mapping is unambiguous

→for other values of k, an information loss occurs

• Only use keys k relatively prime to n

→k and n share no other common factor than 1

• Decryption works by multiplication of cipher text c with the multiplicative

inverse k^-1, i.e. k⋅k^-1= 1 mod n (e.g. 7^-1= 3 mod 10, because 7 ⋅3 = 1 mod 10)

→Multiplicative inverse for n = 10 only exists for 1,3,7, and 9

Arithmetic Operations modulo n

0 0 0 0 0 0 0 0 0 0 1 2 3 4 5 6 7 8 9 0

0 2 4 6 8 0 2 4 6 8 0 3 6 9 2 5 8 1 4 7 6 5 4 3 2 1 0 4 8 2 6 0 4 8 2

0 0 5 0 5 0 5 0 5

8 2 0 6 2 8 4 0 6

6 9 2 0 7 4 1 8 5

4 6 8 0 0 8 6 4 2

2 3 4 5 6 0 9 8 7

0 1 2 3 4 5 6 7 8 9 0

1 2 3 4 5 6 7 8 9

*

Kommunikation und verteilte Systeme Arithmetic Operations modulo n

Modular exponential

• Given: c = x^kmod n, with c, x, k∈Z_n

→if x^k< n : c = x^k

→if x^k≥n : c = j,

where x^k= i ⋅n + j and j < n

• Note: difference to modular multiplication:

x^kmod n ≠ x^k+nmod n

• Encryption only works with special keys k

• Decryption needs an inverse k^-1with x^k^⋅^k^-1= 1

• But: inverse k^-1does not exist in each case

0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1

1 2 4 8 6 2 4 8 6 2 1 3 9 7 1 3 9 7 1 3 4 5 6 7 8 9 1 4 6 4 6 4 6 4 6

5 1 5 5 5 5 5 5 5

6 6 1 6 6 8 6 6 6

1 3 9 1 7 9 3 1 7

6 2 4 8 1 8 4 2 6

1 9 1 9 1 1 9 1 9

0 1 2 3 4 5 6 7 8 9 0

1 2 3 4 5 6 7 8 9 x^y

(3)

Euclidean algorithm

→ Determines the greatest common divisor (gcd) of x and n

→ Given x and n, it finds an y with x ⋅y = 1 mod n (if one exists)

→ If x is relatively prime to n: gcd(x, n) = 1

→ Idea: Replace x and n with smaller numbers with the same gcd If one number becomes zero, the other one is the gcd

→ Faster algorithm: the smaller the numbers are, the faster the computation of gcd is. Replace the bigger number with its remainder divided by the smaller number

Finding Modular Inverses

Example:

gcd(6, 14)?

→gcd(6, 14-6)

→gcd(6,8)

→gcd(6,2)

→gcd(4,2)

→gcd(2,2)

→gcd(2,0)

→= 2

• Finding multiplicative inverses to x is a very time consuming process

• If x has 100 digits, no Brute Force attack is possible

• Useful: x relatively prime to n →a multiplicative inverse x-1 mod n exists

• Computing multiplicative inverse by the Euclidean Algorithm

The Euclidean Algorithm

The algorithm

• Note: gcd(0, y) = y

• In general:

if d denotes a divisor of x and y

⇒x = i ⋅d, y = j · d

⇒x - y = i ⋅d - j ⋅d = (i - j)⋅d

⇒If x > 0, replace gcd(x, y) with gcd(x-y, y)

• Efficiency: x and y should be as small as possible

• Assume, d is the maximum of all divisors (achieved by division x mod y)

⇒gcd(x, y) = gcd(x mod y, y)

• If y > x, exchange x and y

function int gcd(int x, int y) begin

int r2 = x;

int r1 = y;

int q;

int help;

while (r1 > 0) begin

q = r2 / r1;

help = r1;

r1 = r2 % r1 // (r2 mod r1) r2 = help;

end return r2;

end

Multiplicative Inverse by Euclidean Algorithm

How to find a multiplicative inverse x^-1to x mod n, such that x ⋅^x^-1= 1 mod n, with the euclidean algorithm?

Multiplicative inverse for x mod n: a u exists with u ⋅x = 1 mod n

⇒ u ⋅x differs from 1 by a multiple of n

⇒ There is a v with u ⋅x + v ⋅n = 1

Computing gcd(x, n) can compute such a v and a u, if gcd(x, n) = 1

⇒ If gcd(x, n) = 1, u is the multiplicative inverse to x Could there be more than one u mod n with u ⋅x = 1 mod n?

→ Suppose: m ⋅x = 1 mod n

⇒m ⋅x⋅u = u mod n But u ⋅x = 1 mod n

⇒m ⋅1 = u mod n

⇒m = u

Kommunikation und verteilte Systeme Computing the Multiplicative Inverse

Initialisation:

u_-2= 1, v_-2 = 0, u_-1= 0, v_-1 = 1, r_-2 = x, r_-1 = y, i=0 Repeat:

if r_n-1= 0 ⇒gcd(x, y) = r_n-2

else divide r_n-2by r_n-1to get quotient q_nand remainder r_n Keep track of:

u_i= u_i-2- q_i⋅u_i-1, v_i= v_i-2- q_i⋅v_i-1

-595 i q_i r_i u_i v_i -2

-1 0 1 2 3 4 5

0 1 2 6 15

2 407 595 407 188 31

2 1 0

1 0 1 -1

3 -19 288

0 1 0 1 -2 13 -197

407 Example:

r₅= 0 ⇒gcd(407, 595) = r₄= 1,

multiplicative inverse u₄(= 407-1 mod 595) = 288

(4)

Finding Prime Numbers

Problem with Euclidean algorithm: how to find x mod n with gcd(x, n) = 1?

Naive method: divide x by all numbers ≤

⇒Takes too long of your lifetime

Practical solutions: there is no hundred percent that large number is prime

But: there are tests for determining that a number is probably prime

→ Use properties

1.) gcd(x, n) = 1, if x and n are relatively prime

(x and n are relatively prime, if there are integers u and v with u⋅^{x + v}⋅^{n = 1)} 2.) Φ(n), the totient function, denotes the number of integers relatively prime to n

n

The Euler Function Φ⁽ⁿ⁾

ComputingΦ⁽ⁿ⁾

• If n is prime ⇒all numbers 1, ..., n - 1 are relatively prime to n

⇒Φ(n) = n - 1

• If n is a product of primes p and q

⇒There are p·q candidates {(j·p + i·q)| i=1..q, j=1..p} for numbers relatively prime to n

⇒But from them, there are p multiples of q and q multiples of p

⇒(p + q - 1) numbers are not relatively prime to n

⇒Φ(n) = p·q - (p + q - 1) = (p - 1)·(q - 1)

• If n is a prime or a product of different primes

⇒x·y mod n = x·y mod Φ^{(n) mod n}

• Example for n = 10 (= 5 ⋅2) Relatively prime to n: {1, 3, 7, 9}

⇒Φ(n) = (5 - 1) ⋅(2 - 1) = 4

⇒Column i + 4 is the same as column i

• Important special case: y = 1 mod Φ⁽ⁿ⁾

⇒for any x: x·y = x mod Φ(n) = x mod n

0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1

1 2 4 8 6 2 4 8 6 2 1 3 9 7 1 3 9 7 1 3 4 5 6 7 8 9 1 4 6 4 6 4 6 4 6

5 1 5 5 5 5 5 5 5

6 6 1 6 6 8 6 6 6

1 3 9 1 7 9 3 1 7

6 2 4 8 1 8 4 2 6

1 9 1 9 1 1 9 1 9

0 1 2 3 4 5 6 7 8 9 0

1 2 3 4 5 6 7 8 9 x^y

i = 2 i + 4

Euler's Theorem and Fermat's Theorem

→ Good rule for determining primes

→ But: what about n with a^{n - 1}= 1 mod n, where n is no prime?

→ Find primes by a simple prime test

• Choose an a with a < n and compute a^{n - 1}mod n.

• If the result is not 1, n is no prime

• If the result is 1, n may be a prime

(e.g., if n has 100 digits, the probability for n to be no prime is 10^-13) Euler's Theorem

• For any a relatively prime to n holds: a·Φ(n) = 1 mod n If n is prime: Φ(n) = n - 1. In this case:

Fermat's Theorem

• If n is a prime and 0 < a < n⇒a·n - 1 = 1 mod n

Kommunikation und verteilte Systeme Prime Tests

• If the simple prime test fails:

A cryptosystem like RSA might fail, a message cannot be decrypted

An attacker might be able to compute keys easier

• "Solution": test n with other values for a

Problem: Carmichael numbers (very rare)

No primes, but for all a holds: a^{n - 1}= 1 mod n

• Enhanced prime test is needed:

Miller-Rabin prime test

• Improved method to find prime numbers

• Probabilistic prime test

• Basic foundation: for a prime n holds:

1.) n - 1 can always be expressed by 2^b⋅c, where c is an odd number 2.) Each square root (modulo n) of 1 can only be ±1

(e.g. 4 is a square root of 1 mod 15, because 4 ⋅4 = 16 = 1 mod 15, thus 15 can not be a prime)

Some Carmichael numbers:

561 = 3 ⋅11 ⋅17 1105 = 5 ⋅13 ⋅17 41041 = 7 ⋅11 ⋅13 ⋅41 825265 = 5 ⋅7 ⋅17 ⋅19 ⋅73

(5)

Miller-Rabin Algorithm

• Use Fermat's theorem: a^{n - 1}= 1 mod n

• Pick a random number n and test if it is prime

• Test n with the division by smaller primes to speed up the process

• If you think a prime has been found: pick an a by random Miller-Rabin algorithm:

compute r = a^cmod n

if r = 1 mod n // is the first mod n-square root 1?

⇒n is prime // else: a^n-1only can become 1 by squaring -1 in else for i = 0 to b - 1 do // one of the b square operations

if r = -1 mod n // now: test on allowed square root. Because the

⇒n is prime // result before was not 1, it only can become else // 1 by squaring -1. Search for a -1

r = r²mod n // prepare testing the next square root

⇒n is not prime // only non-allowed square roots found

Miller-Rabin Algorithm - Example

Choose n = 15 as a possible prime

→ n - 1 = 14 = 2 ⋅7

→ b = 1, c = 7

→ Pick randomly a = 5

→ Compute a^c= 5⁷= 78125 = 5 mod 15 (this is not 1 nor -1,

and: 5²= 25 = 10 mod 15)

→ no prime found

Other variant: pick randomly a = 4

→ Compute 4⁷= 16384 = 4 mod 15 (this is not 1 nor -1, and:

4²= 16 = 1 mod 15)

→ This means, 4 is a square root of 1 mod 15

→ no prime found

Choose n = 13 as a possible prime

→ n - 1 = 12 = 2²⋅3

→ b = 2, c = 3

→ Pick randomly a = 5

→ Compute 5³= 125 = 8 mod 13

→ Compute 8²= 64 = -1 mod 13

→ -1 is an allowed square root of 1, thus 13 is (possibly) prime Other try: pick randomly a = 3

→ compute 3³= 27 = 1 mod 13

→ 13 is (possibly) prime

Kommunikation und verteilte Systeme Classical Public Key Cryptography

• RSA

• Public-key cryptography standard (PKCS)

• Rabin cryptosystem

• Diffie-Hellman cryptosystem

• ElGamal cryptosystem

• Merkle-Hellman cryptosystem

Kommunikation und verteilte Systeme RSA

Developed by Rivest, Shamir, and Adleman Purpose: encryption and decryption of data

• Variable key length

→Long key used for high security needs

→Short key used for efficient encryption processes

→Common key length: 512 bit

• Variable plaintext length

→Must be shorter than the key

• Cipher text blocks

→Length of the key

Much slower than secret key algorithms like DES or IDEA

• Only used for short messages

• Important purpose: transmission of secret keys

(6)

RSA Key Generation

n is public, but factorisation into p and q is computationally infeasible Generate a public key and a corresponding private key

1.) Choose two large primes p and q of 256 bit each (p and q must be a secret!)

2.) Compute n = p ⋅q

3.) Compute Φ(n) = (p - 1)⋅(q - 1) 4.) Choose e relatively prime to Φ⁽ⁿ⁾ 5.) Find d with d ⋅e = 1 mod Φ⁽ⁿ⁾

(d is the multiplicative inverse to e)

⇒<e, n> is public key

⇒<d, n> is private key Why do these keys work?

• We use modular arithmetic (mod n) with p ⋅q = n

• d and e were chosen to be d ⋅e = 1 mod Φ⁽ⁿ⁾

• Because n is product of distinct primes, for all x:

⇒x^d^⋅^e= x^{1 mod}^Φ⁽ⁿ⁾= x mod n

Usage Scenarios for RSA

Encryption and decryption

• Encrypt message m using the public key of the receiver:

c = m^emod n

• Decrypt cipher text c with the private key of the receiver:

m = c^dmod n Digital signatures

• Similar to encryption/decryption process

• Sender encrypts message m with his private key:

s = m^dmod n

• Each receiver can read the signed message using the public key of the sender:

m = s^emod n

Kommunikation und verteilte Systeme Why is RSA (relatively) secure?

Breaking RSA means finding d from knowing e and n…

• Attacker only knows: d is the exponential inverse to e mod Φ⁽ⁿ⁾

• Simple approach: knowing p and q you can compute Φ⁽ⁿ⁾ (this is a kind of trapdoor)

• However: an attacker does not know p and q

• Attacker needs to factorise n to obtain p and q

→Factorising large numbers is difficult

→The best algorithms are too slow

→And: Brute Force attack is less efficient than factorising But it is possible to misuse RSA!

• Assume that an attacker knows the context of a message from A

• The attacker could encrypt messages with the public key e_A

• If a match is found, the attacker has found the message

Kommunikation und verteilte Systeme How to determine p, q, e and d

1.) Finding big primes p and q

• For a 10-digit number, the chance of finding a prime is 1 in 23

• For a 100-digit number, the chance is only 1 in 230

→ Pick random numbers until you find a prime

→ Use Fermat's theorem and the Rabin-Miller algorithm to test if a random number is prime

2.) Finding d and e for p and q

• Choose e as relatively prime to (p - 1) · (q - 1)

a.) by choosing e at random and test if it is relatively prime to (p - 1) · (q - 1) b.) by choosing e first and then determine matching p and q

→ RSA is not less secure if always the same e is chosen

→ If e is small or its binary representation has few '1's, the operations for encryption and signature verification will become much more efficient

→ Use Euclidean algorithm to determine d with e ⋅d = 1 mod Φ⁽ⁿ⁾

Note: do not choose a small d; d is a secret, thus it should be hard to determine

(7)

Using small public keys

Let “e” be a small constant

→ Public key operations become faster, while leaving private key operations unchanged

→ Popular values for “e” are 3 and 65537 Case of “e = 3”

→ Maximizes performance

→ Apparently it does not weaken security of RSA

(when some practical constraints on its use are considered)

→ Problems with e = 3

• Small messages m with m³mod n = m³.

→Problem: it only takes the cubic root to decrypt

→Solution: padding message with a random number before encryption

• If a message is sent to 3 or more receivers, m can be derived from the three encrypted values and the public keys of the receivers

• Find p and q so that 3 is relatively prime to (p - 1) · (q – 1)

(practical problem: there are many numbers which 3 is not relatively prime to)

Using small public keys

Case of “e = 65537”

• Is equivalent to 2¹⁶+ 1, and it is prime

• The binary representation contains only two 1s

→ Only 17 multiplications are necessary to to compute any m^e

→ Much faster than the 768 (on the average) multiplications necessary for a randomly chosen 512 bit value

• The problems mentioned for e = 3 are avoided

Public Key Cryptography Standard (PKCS)

How could different implementations interwork?

→ Standards for encoding of information that will be encrypted or signed Public Key Cryptography Standard

→ Set of standards PKCS#1 - PKCS#9

→ Definition of encoding RSA public keys, RSA private keys, RSA signatures, short RSA-encrypted messages (typically secret keys), and short RSA-signed messages (typically a message digest)

→ Designed to deal with

• Encrypting guessable messages

• Signing smooth numbers

• Multiple recipients of a message for e = 3

• For e = 3, encrypting messages that are less than a third of the length of n

• For e = 3, signing messages where the information is in the high-order part

Kommunikation und verteilte Systeme Example: PKCS#1

PKCS#1 (encryption)

• Standard format for messages to be encrypted with RSA Consists of

• Preceding 0: the message remains smaller than the modulus

• 2: denotes a message which is to be encrypted

• Random bytes (padding):

– Each byte is chosen independently to make it harder to guess the message

– Independent padding for each recipient

– Make message long enough to avoid problems with m³< n for e = 3

• Next 0: marks the beginning data

0 2 ≥8 random non-zero bytes 0 data

(8)

Example: PKCS#1

PKCS#1 (signature)

• Standard format for messages to be signed with RSA

• Data are typically a Message Digest of 128 Bit

→Padding is required Consists of:

• Preceding 0: the message remains smaller than the modulus

• 1: denotes a message which is to be signed

• Random bytes (padding): make the data bigger than 128 byte

• Next 0: marks the begin of data

• Digest type standardises, how to tell another party which digest function was used

0 1 ≥8 bytes of ff₁₆ 0 digest type and message digest

Rabin Cryptosystem

Rabin cryptosystem

• “Secure” because of the difficulty to find square roots modulo a composite number

• Nearly as difficult as factorising large numbers Rabin algorithm

• Choose primes p and q, both congruent to 3 mod 4

→p and q form the private key

→n = p ⋅q is the public key

• Encryption of message m in the range {0, ..., n - 1}

c = m²mod n

Decryption in the Rabin Cryptosystem

Decryption is more complex

• Receiver knows p and q

• Solve the two congruencies using the so-called Chinese remainder problem

• Compute: t₁= c(p + 1) / 4mod p t₂= p - c(p + 1) / 4mod p t₃= c(q + 1) / 4mod q t₄= q - c(q + 1) / 4mod q

• Choose integers a = q ⋅(q^-1mod p) and b = p ⋅(p^-1mod q)

• Possible solutions are

m₁= (a ⋅t₁+ b ⋅t₃) mod n m₂= (a ⋅t₁+ b ⋅t₄) mod n m₃= (a ⋅t₂+ b ⋅t₃) mod n m₄= (a ⋅t₂+ b ⋅t₄) mod n

• One of these results equals m…

• If m is normal text, it is no problem to find the right m_i

• Otherwise, add a known header to m before encryption

Kommunikation und verteilte Systeme Diffie-Hellman Cryptosystem

Oldest public key cryptosystem

• Offers better performance than RSA

• Less general than RSA (does neither encryption nor signatures)

Purpose: two persons can agree upon a secret number (e.g. a shared key), which cannot be computed by intercepting the publicly exchanged messages

• After the exchange of two public messages both communication partners know a secret number

• Having agreed on a secret number, they can use e.g. DES for communication

→Diffie-Hellman actually used for key establishment

→Remaining problem: no authentication between the partners

(9)

Diffie-Hellman Algorithm

Algorithm for key establishment

• Choose a prime p with 512 bit

• Choose a number g < p with some restrictions

→p and g are public!

••A randomly chooses a 512 bit number SA _aand computes T_a= g^Samod p

••B randomly chooses a 512 bit number SB _band computes T_b= g^Sbmod p

→S_aand S_bare secret

•

•A and BA B exchange T_aand T_b

••A computes kA _AB= T_b^Samod p = g^Sa^⋅^Sbmod p

••B computes kB _AB= T_a^Sbmod p = g^Sa⋅Sbmod p

→

→A and BA B both compute the same secret key g^Sa^⋅^Sb

Note: It is impossible to compute g^Sa^⋅^Sbfast enough knowing only T_aand T_bdue to the difficulty to compute discrete logarithms, i.e. to compute S_a from knowing g^Sa

Bucket-Brigade Attack on Diffie-Hellman

Problem in Diffie-Hellman: no authentication between AA and BB

→If AA obtains T_b, he cannot know for sure if B has sent it Bucket-Brigade attack

An attacker OO obtains T_aand establishes a common secret with AA Attack method: p and q are known publicly

••A sends gA ^Soto O O (but believes it is sent to BB)

••O computes gO ^Sxand sends it to BB

•

•B computes gB ^Sband sends it to OO

•

•O sends gO ^Soback to AA

••O establishes kO _AOand k_BO

••A and BA B communicate via OO

→ Diffie-Hellman is only secure against passive attacks (i.e. just watching messages)

→ Protection against active attacks: use trustful and public location to publish g^Sifor all persons II in advance

AA g^Sa= 8389

8389 OO g^So= 5876

5876 5876

BB g^Sb= 9267

9267 shared key k_AO

5876^Sa= 8389^So

shared key k_BO 9267^So= 5876^Sb

Kommunikation und verteilte Systeme Diffie-Hellman for Encryption

Encryption algorithm using Diffie-Hellman

• Each participant chooses a private key S_i

• Each participant computes a public key <p, g, T_i> with T_i= g^Simod p

• Publish all public keys at a trusted public place

• Assume, B publishes <p, g, T_b>

• A computes k_AB= T_b^Samod p

• A uses k_ABas secret key with B to compute a cipher text

• A transmits the cipher text and g^Samod p to B

• B computes k_ABto decrypt the message

→The secret key is transmitted only together with the message For a better security, p and g should have these properties:

• p should be a strong prime number, i.e. (p-1)/2 is prime, too

• It is desirable to have g^x≠1 mod p, x = 0 mod (p - 1) [if p is a strong prime number, this is true for all g≠-1 mod p with g(p - 1) / 2= -1 mod p)

• But: this is a costly way for choosing p and g!

Kommunikation und verteilte Systeme ElGamal Cryptosystem

• Mainly used for digital signatures

• Secure because of the difficulty to calculate discrete logarithms in a finite field

• Uses same kind of key as Diffie-Hellman Additionally provides a scheme for signatures

• Each person has a long-time key – public key: <g, p, T>

– private key: S with g^Smod p = T

• For each message m to be signed, a new key pair S_m, <g, p, T_m> has to be generated

• For the message m to be signed, compute a message digest d_m= MD(m|T_m)

• Compute the signature X = S_m+ d_m· S mod (p - 1)

• Transmit m together with X and T_m

• To verify signature, compute g^X, d_m, and T_m· T^dmmod p Check: g^X= g^{Sm + dm}^⋅^S= g^Sm· g^dm^⋅^S= T_m· T^dmmod p

(10)

Digital Signature Standard (DSS)

Digital Signatures with DSS

• DSS algorithm is called Digital Signature Algorithm (DSA)

• Algorithm to create digital signatures based on ElGamal

• Difference to ElGamal is the speed of operations (3 times faster):

Instead using a p of 512 bit, for some operations only use a prime q of 160 bit, for which holds: p = k ⋅p + 1

Note: using ElGamal means to generate a key pair <S_m, T_m> for each message m which has to be signed

• If a pair of keys is used only for two different messages, it would expose the signer's private key:

→ With only two uses, S_mcan be deducted

→ By knowing S_m, the secret key S easily can be computed

Digital Signature Algorithm

Digital Signature Algorithm

• Generate and publish a 512-bit prime p and a 160-bit prime q with p = k · q + 1

• Generate and publish a g with g^q= 1 mod p (use Fermat's theorem) Note: g must not be 1

• Generate a long-term public/private key pair <T, S> as in ElGamal

• For each message m generate a separate key pair <T_m, S_m> by choosing S_mand compute T_m= ((g^Smmod p) mod q)

• For m, compute the message digest d_m

• Compute the signature X = S_m^-1· (d_m+ S · T_m) mod q

• Transmit m, T_m, and X Signature verification

• Calculate the mod q inverse of the signature, X^-1

• Calculate the message digest d_m

• Calculate x = d_m· X^-1mod q and y = T_m· X^-1mod q

• Calculate z = (g^x· T^ymod p ) mod q

• If z = T_m, the signature is verified

Kommunikation und verteilte Systeme Merkle-Hellman Cryptosystem

Knapsack Problem

• Pack a knapsack optimally with n objects of different weights a₁, ..., a_nand overall size g

• Search for an order (k_i), k_i∈{0, 1} for i = 1, ..., n with

• This is an NP hard problem

Merkle-Hellman cryptosystem

• Based on the knapsack problem

• Special type of knapsack problem:

The sizes of the objects form a fast growing sequence with

There is a solution in O(n):

Start with the biggest object and find a new smaller knapsack with one object less

n

i i

i 0

a k g

=

∑ ⋅ =

i

j 1 i

j 1

a₊ a

=

>∑

Kommunikation und verteilte Systeme Merkle-Hellman in Cryptography

Principle:

Use a simple Knapsack problem as private key and transform it into a hard one which is used as public key. A message m = (m₁, m₂, ..., m_n, ...) is seen as a solution for the problem, i.e.

if m_i= 1, m_iis in the knapsack Example:

• A chooses a Knapsack problem a with a = (a_i) = (2, 5, 9, 21, 45, 103, 215, 450, 946) as key

• A chooses a prime p = 2003 and a number k = 1289

• A generates a hard Knapsack problem e = (e_i) with e_i= k ⋅a_imod p

→e = (575, 436, 1586, 1030, 1921, 569, 721, 1183, 1570)

• B encrypts a message m = (1, 0, 1, 1, 0, 0, 1, 1, 1) to A by using e

→c = 1⋅575 + 0⋅436 + 1⋅1586 + 1⋅1030 + 0⋅1921

+ 0⋅569 + 1⋅721 + 1⋅1183 + 1⋅1570 = 6665 (this value is transmitted)

• A computes g = k^-1 ⋅ c mod p = 317⋅6665 mod 2003 = 1643

• A solves 1643 for (a_i) by choosing the biggest fitting number in (a_i) till 1643 is reached:

(2, 5, 9, 21, 45, 103, 215, 450, 946)

→1 0 1 1 0 0 1 1 1

(11)

Modern Public Key Cryptosystems

Classic public key cryptosystems are well analysed

• The performance of classic public-key cryptosystems is acceptable

• Security: classic public key cryptosystems are not perfectly secure, but computationally secure

Modern public key cryptosystems improve the classic ones:

• Performance: modern public key cryptosystems have a better performance than the classic ones

• Security: modern public key cryptosystems also offer better security (with the same key length)

• Example: Elliptic Curve Cryptosystem

→Provide security equivalent to classical public key schemes

→Shorter key lengths, resulting in faster computing, less complex chips

Definition: Let p > 3 be prime. The elliptic curvey²= x³+ ax + b over Z_pis the set of solutions (x,y) ∈Z_p×Z_pfor the congruence

y²≡x³+ ax + b (mod p), where a, b∈Z_pare constants, so that

4a³+ 27 b²≡O (mod p),

together with a special point O called the point of infinity.

Elliptic Curves – Definition

Kommunikation und verteilte Systeme Addition Operation

Let E be an elliptic curve over Z_p, P = (x₁, y₁), Q = (x₂, y₂).

If x₂= x₁and y₂= -y₁, then Q = -P, P + Q := O; otherwise P + Q := (x₃, y₃), with x₃= λ²– x₁– x₂

y₃= λ(x₁– x₃) – y₁ and

Finally, P + O = O + P = P.

2 1

1

y - y

, if P Q x - x

λ 3 x a

, if P Q 2 y

⎧ ≠

= ⎨⎪⎪⎪ + =

⎪⎩

Kommunikation und verteilte Systeme Elliptic Curve - Example

2, 9 yes

4 10

no 7

9

3, 8 yes

9 8

2, 9 yes

4 7

no 8

6

2, 9 yes

4 5

no 8

4

5, 6 yes

3 3

no 8

1

4, 7 yes

5 2

[no solution]

y no

in QR(11)?

6 x³+x+6 mod 11 0

x

Points on the elliptic curve E: y²=x³+x+6 in Z₁₁

Let α= (2,7). Then αis a primitive element:

(2,4)

= 12α (5,9)

= 11α

(8,8)

= 10α (10,9)

= 9α

(3,5)

= 8α (7,2)

= 7α

(7,9)

= 6α (3,6)

= 5α

(10,2)

= 4α (8,3)

= 3α

(5,2) = α+ α 2α =

(2,7) α =

→E = {O, (2,4), (2,7), (3,5), (3,6), (5,2), (5,9), (7,2), (7,9), (8,3), (8,8), (10,2), (10,9)}

i.e. (x,y) = (3,5) and (x,y) = (3,6) are points on the elliptic curve