Page 1 Chapter 2.2: Public Key Cryptography
• Principles of public key cryptography
• Number theory and algebraic foundations
• Classical public key cryptography
• Newer public key cryptography

Chapter 2: Security Techniques Background
• Secret Key Cryptography
• Public Key Cryptography
• Hash Functions
• Authentication
Chapter 3: Security on Network and Transport Layer
Chapter 4: Security on the Application Layer
Chapter 5: Security Concepts for Networks
Principles of Public Key Cryptography
Also called asymmetric cryptography
• Different from secret key cryptography: the algorithms for encoding and decoding differ considerably
• Working with two keys
→ A private key d (known only to the owner)
→ A public key e (known by possibly everyone)
• Public key cryptography principle (e.g. RSA):
[Diagram: plaintext → encryption with public key e → cipher text → decryption with private key d → plaintext]
• More easily configurable than secret key cryptography, but slower
• Often combined with secret key: authentication and distribution of a secret key (e.g. Diffie-Hellman for establishment of a shared secret)
Lehrstuhl für Informatik 4
Kommunikation und verteilte Systeme
Applications of Public Key Cryptography
Digital signatures (e.g. RSA, ElGamal, DSS)
• Associate a value with a message, like a checksum
• This value can only be generated by using the private key d (= decryption)
• It is readable for everyone knowing the public key e (= encryption)
• Similar to a hand-written signature (authenticity without the chance to forge it)
Authentication (zero knowledge proof systems)
• A generates a random number and encrypts it with the public key of B
• B decrypts the message with its private key and sends back the random number to A
• If A gets back the original random number, B is authenticated
[Diagram: plaintext → signing with private key d → signed message → verification with public key e → plaintext]
Security in Public Key Algorithms
Security in many public key algorithms is based on the difficulty of factorising and of computing discrete logarithms
Factorising
→ Find the prime factors of a given number
→ One of the oldest problems in number theory, very time consuming
→ Most popular method: Quadratic Sieve
Discrete logarithm
→ Problem to find the inverse to modular exponentiation:
  find an x with a^x = b mod n for given a and b
→ Not all discrete logarithms have solutions
→ Very time consuming process to find solutions for big numbers
→ Frequently used method: Index-Calculus method
Basics for Public Key Cryptography:
Number Theory / Modular Arithmetic
Number theory provides the basic knowledge to understand how and why public key algorithms work
→ Necessary concepts for understanding public key algorithms
→ Most public key algorithms are based on modular arithmetic
Modular arithmetic
→ Operates on a ring (Zn, +, ⋅), where
  Zn is the set of non-negative integers smaller than some positive integer n
  +: Zn × Zn → Zn is a function that
  • is associative and commutative
  • has a neutral element 0 ∈ Zn
  • has an inverse element x^-1 to each x ∈ Zn, i.e. x + x^-1 = 0
  ⋅: Zn × Zn → Zn is an associative function (it is not necessarily commutative)
  ⋅ is distributive over + from the left and from the right
→ Needed for public key cryptography: addition, multiplication, exponentiation
→ Computations of these functions are performed modulo n
Arithmetic Operations modulo n
Addition table modulo 10 (x + y mod 10, row x, column y):
 +  | 0 1 2 3 4 5 6 7 8 9
----+--------------------
 0  | 0 1 2 3 4 5 6 7 8 9
 1  | 1 2 3 4 5 6 7 8 9 0
 2  | 2 3 4 5 6 7 8 9 0 1
 3  | 3 4 5 6 7 8 9 0 1 2
 4  | 4 5 6 7 8 9 0 1 2 3
 5  | 5 6 7 8 9 0 1 2 3 4
 6  | 6 7 8 9 0 1 2 3 4 5
 7  | 7 8 9 0 1 2 3 4 5 6
 8  | 8 9 0 1 2 3 4 5 6 7
 9  | 9 0 1 2 3 4 5 6 7 8
Arithmetic computing modulo n
• Arithmetic operations are performed as usual, but the result is replaced by its remainder when divided by n (e.g. 3 + 9 = 12 ≡ 2 mod 10)
Modular addition
• Given: c = x + k mod n, with c, x, k ∈ Zn
→ if x + k < n : c = x + k
→ if x + k ≥ n : c = j, where x + k = i ⋅ n + j and j < n
• Can be used to encrypt digits: each number x out of a range of numbers is unambiguously mapped onto another number c from this range
• Caesar Cipher: add a constant k to each number
• Decryption needs subtraction. This can be replaced by an addition of the inverse value
Modular multiplication
• Given: c = x ⋅ k mod n, with c, x, k ∈ Zn
→ if x ⋅ k < n : c = x ⋅ k
→ if x ⋅ k ≥ n : c = j, where x ⋅ k = i ⋅ n + j and j < n
• Encryption only works with special keys k
  Example for n = 10: only k ∈ {1, 3, 7, 9} is usable as (simple) cipher key
→ only for these values the mapping is unambiguous
→ for other values of k, an information loss occurs
• Only use keys k relatively prime to n
→ k and n share no other common factor than 1
• Decryption works by multiplication of the cipher text c with the multiplicative inverse k^-1, i.e. k ⋅ k^-1 = 1 mod n (e.g. 7^-1 = 3 mod 10, because 7 ⋅ 3 = 1 mod 10)
→ A multiplicative inverse for n = 10 only exists for 1, 3, 7, and 9
Arithmetic Operations modulo n
Multiplication table modulo 10 (x ⋅ y mod 10, row x, column y):
 *  | 0 1 2 3 4 5 6 7 8 9
----+--------------------
 0  | 0 0 0 0 0 0 0 0 0 0
 1  | 0 1 2 3 4 5 6 7 8 9
 2  | 0 2 4 6 8 0 2 4 6 8
 3  | 0 3 6 9 2 5 8 1 4 7
 4  | 0 4 8 2 6 0 4 8 2 6
 5  | 0 5 0 5 0 5 0 5 0 5
 6  | 0 6 2 8 4 0 6 2 8 4
 7  | 0 7 4 1 8 5 2 9 6 3
 8  | 0 8 6 4 2 0 8 6 4 2
 9  | 0 9 8 7 6 5 4 3 2 1
Arithmetic Operations modulo n
Modular exponentiation
• Given: c = x^k mod n, with c, x, k ∈ Zn
→ if x^k < n : c = x^k
→ if x^k ≥ n : c = j, where x^k = i ⋅ n + j and j < n
• Note the difference to modular multiplication:
  x^k mod n ≠ x^(k + n) mod n
• Encryption only works with special keys k
• Decryption needs an inverse k^-1 with x^(k ⋅ k^-1) = x^1
• But: the inverse k^-1 does not exist in each case
Exponentiation table modulo 10 (x^y mod 10, row x, column y):
x^y | 1 2 3 4 5 6 7 8 9
----+------------------
 0  | 0 0 0 0 0 0 0 0 0
 1  | 1 1 1 1 1 1 1 1 1
 2  | 2 4 8 6 2 4 8 6 2
 3  | 3 9 7 1 3 9 7 1 3
 4  | 4 6 4 6 4 6 4 6 4
 5  | 5 5 5 5 5 5 5 5 5
 6  | 6 6 6 6 6 6 6 6 6
 7  | 7 9 3 1 7 9 3 1 7
 8  | 8 4 2 6 8 4 2 6 8
 9  | 9 1 9 1 9 1 9 1 9
Finding Modular Inverses
• Finding multiplicative inverses to x is a very time consuming process
• If x has 100 digits, no brute force attack is possible
• Useful: x relatively prime to n → a multiplicative inverse x^-1 mod n exists
• Computing the multiplicative inverse by the Euclidean Algorithm
Euclidean algorithm
→ Determines the greatest common divisor (gcd) of x and n
→ Given x and n, it finds a y with x ⋅ y = 1 mod n (if one exists)
→ If x is relatively prime to n: gcd(x, n) = 1
→ Idea: replace x and n with smaller numbers with the same gcd. If one number becomes zero, the other one is the gcd
→ Faster algorithm: the smaller the numbers are, the faster the computation of the gcd is. Replace the bigger number with its remainder when divided by the smaller number
Example:
gcd(6, 14)?
→ gcd(6, 14 - 6)
→ gcd(6, 8)
→ gcd(6, 2)
→ gcd(4, 2)
→ gcd(2, 2)
→ gcd(2, 0)
→ = 2
The Euclidean Algorithm
The algorithm
• Note: gcd(0, y) = y
• In general:
  if d denotes a divisor of x and y
  ⇒ x = i ⋅ d, y = j ⋅ d
  ⇒ x - y = i ⋅ d - j ⋅ d = (i - j) ⋅ d
  ⇒ If x > 0, replace gcd(x, y) with gcd(x - y, y)
• Efficiency: x and y should be as small as possible
• The repeated subtraction of y can be done in one step by division, leaving the remainder x mod y
  ⇒ gcd(x, y) = gcd(x mod y, y)
• If y > x, exchange x and y
  int gcd(int x, int y) {
      int r2 = x;             /* the larger number */
      int r1 = y;             /* the smaller number */
      int q, help;
      while (r1 > 0) {
          q = r2 / r1;        /* quotient, only needed by the extended algorithm */
          help = r1;
          r1 = r2 % r1;       /* r2 mod r1 */
          r2 = help;
      }
      return r2;              /* last non-zero remainder */
  }
Multiplicative Inverse by Euclidean Algorithm
How to find a multiplicative inverse x^-1 to x mod n, such that x ⋅ x^-1 = 1 mod n, with the Euclidean algorithm?
Multiplicative inverse for x mod n: a u exists with u ⋅ x = 1 mod n
⇒ u ⋅ x differs from 1 by a multiple of n
⇒ There is a v with u ⋅ x + v ⋅ n = 1
Computing gcd(x, n) can compute such a v and u, if gcd(x, n) = 1
⇒ If gcd(x, n) = 1, u is the multiplicative inverse to x
Could there be more than one u mod n with u ⋅ x = 1 mod n?
→ Suppose: m ⋅ x = 1 mod n
⇒ m ⋅ x ⋅ u = u mod n
  But u ⋅ x = 1 mod n
⇒ m ⋅ 1 = u mod n
⇒ m = u
Computing the Multiplicative Inverse
Initialisation:
u_-2 = 1, v_-2 = 0, u_-1 = 0, v_-1 = 1, r_-2 = x, r_-1 = y, i = 0
Repeat:
if r_(i-1) = 0 ⇒ gcd(x, y) = r_(i-2)
else divide r_(i-2) by r_(i-1) to get quotient q_i and remainder r_i
Keep track of:
u_i = u_(i-2) - q_i ⋅ u_(i-1), v_i = v_(i-2) - q_i ⋅ v_(i-1)
Example: x = 407, y = 595
  i   q_i   r_i   u_i   v_i
 -2         407     1     0
 -1         595     0     1
  0    0    407     1     0
  1    1    188    -1     1
  2    2     31     3    -2
  3    6      2   -19    13
  4   15      1   288  -197
  5    2      0  -595   407
r_5 = 0 ⇒ gcd(407, 595) = r_4 = 1,
multiplicative inverse u_4 (= 407^-1 mod 595) = 288
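The table above as running code, added here as an example (it is not the lecture's own code): extended_euclid follows the slide's recurrence for r_i, u_i and v_i row by row, and mod_inverse reads the inverse off the gcd row; the function names are my own.

```python
def extended_euclid(x, y):
    """Extended Euclidean algorithm laid out like the slide's table.

    Returns (rows, g, u, v) with rows = [(i, q_i, r_i, u_i, v_i), ...] and
    u * x + v * y == g == gcd(x, y).  The first two rows are the initialisation
    u_-2 = 1, v_-2 = 0, r_-2 = x and u_-1 = 0, v_-1 = 1, r_-1 = y.
    """
    rows = [(-2, None, x, 1, 0), (-1, None, y, 0, 1)]
    i = 0
    while rows[-1][2] != 0:                    # stop as soon as r_(i-1) = 0
        _, _, r2, u2, v2 = rows[-2]            # r_(i-2), u_(i-2), v_(i-2)
        _, _, r1, u1, v1 = rows[-1]            # r_(i-1), u_(i-1), v_(i-1)
        q = r2 // r1                           # quotient q_i
        # remainder r_i = r_(i-2) - q_i * r_(i-1); u and v follow the same recurrence
        rows.append((i, q, r2 - q * r1, u2 - q * u1, v2 - q * v1))
        i += 1
    _, _, g, u, v = rows[-2]                   # the last non-zero remainder is the gcd
    return rows, g, u, v


def gcd(x, y):
    return extended_euclid(x, y)[1]


def mod_inverse(x, n):
    """Return u with u * x = 1 mod n; raise if gcd(x, n) != 1, because then no inverse exists."""
    _, g, u, _ = extended_euclid(x, n)
    if g != 1:
        raise ValueError(f"{x} has no inverse mod {n}: gcd is {g}")
    return u % n                               # u may be negative; bring it into Z_n


def format_table(rows):
    """Render the rows in the slide's layout: i, q_i, r_i, u_i, v_i."""
    lines = [f"{'i':>3} {'q_i':>5} {'r_i':>5} {'u_i':>5} {'v_i':>5}"]
    for i, q, r, u, v in rows:
        lines.append(f"{i:>3} {'' if q is None else q:>5} {r:>5} {u:>5} {v:>5}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows, g, u, v = extended_euclid(407, 595)
    print(format_table(rows))
    print(f"gcd = {g}, {u} * 407 + ({v}) * 595 = {u * 407 + v * 595}")
    print("407^-1 mod 595 =", mod_inverse(407, 595))
```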
Finding Prime Numbers
Problem with the Euclidean algorithm: how to find x mod n with gcd(x, n) = 1?
Naive method: divide x by all numbers ≤ √n
⇒ Takes longer than your lifetime
Practical solution: there is no hundred-percent certainty that a large number is prime
But: there are tests for determining that a number is probably prime
→ Use properties
1.) gcd(x, n) = 1, if x and n are relatively prime
    (x and n are relatively prime, if there are integers u and v with u ⋅ x + v ⋅ n = 1)
2.) Φ(n), the totient function, denotes the number of integers relatively prime to n
The Euler Function Φ(n)
Computing Φ(n)
• If n is prime ⇒ all numbers 1, ..., n - 1 are relatively prime to n
⇒ Φ(n) = n - 1
• If n is a product of primes p and q
⇒ There are p ⋅ q candidates {(j ⋅ p + i ⋅ q) | i = 1..q, j = 1..p} for numbers relatively prime to n
⇒ But among them, there are p multiples of q and q multiples of p
⇒ (p + q - 1) numbers are not relatively prime to n
⇒ Φ(n) = p ⋅ q - (p + q - 1) = (p - 1) ⋅ (q - 1)
• If n is a prime or a product of different primes
⇒ x^y mod n = x^(y mod Φ(n)) mod n
• Example for n = 10 (= 5 ⋅ 2)
  Relatively prime to n: {1, 3, 7, 9}
⇒ Φ(n) = (5 - 1) ⋅ (2 - 1) = 4
⇒ In the exponentiation table x^y mod 10 (slide "Modular exponentiation"), column i + 4 is the same as column i (e.g. i = 2 and i + 4 = 6)
• Important special case: y = 1 mod Φ(n)
⇒ for any x: x^y = x^(y mod Φ(n)) = x^1 = x mod n
Euler's Theorem and Fermat's Theorem
Euler's Theorem
• For any a relatively prime to n holds: a^Φ(n) = 1 mod n
  If n is prime: Φ(n) = n - 1. In this case:
Fermat's Theorem
• If n is a prime and 0 < a < n ⇒ a^(n - 1) = 1 mod n
→ Good rule for determining primes
→ But: what about n with a^(n - 1) = 1 mod n, where n is no prime?
→ Find primes by a simple prime test
• Choose an a with a < n and compute a^(n - 1) mod n.
• If the result is not 1, n is no prime
• If the result is 1, n may be a prime
  (e.g., if n has 100 digits, the probability for n to be no prime is 10^-13)
Prime Tests
• If the simple prime test fails:
  A cryptosystem like RSA might fail, a message cannot be decrypted
  An attacker might be able to compute keys more easily
• "Solution": test n with other values for a
  Problem: Carmichael numbers (very rare)
  No primes, but for all a holds: a^(n - 1) = 1 mod n
  Some Carmichael numbers:
  561 = 3 ⋅ 11 ⋅ 17, 1105 = 5 ⋅ 13 ⋅ 17, 41041 = 7 ⋅ 11 ⋅ 13 ⋅ 41, 825265 = 5 ⋅ 7 ⋅ 17 ⋅ 19 ⋅ 73
• Enhanced prime test is needed:
Miller-Rabin prime test
• Improved method to find prime numbers
• Probabilistic prime test
• Basic foundation: for a prime n holds:
1.) n - 1 can always be expressed by 2^b ⋅ c, where c is an odd number
2.) Each square root (modulo n) of 1 can only be ±1
    (e.g. 4 is a square root of 1 mod 15, because 4 ⋅ 4 = 16 = 1 mod 15, thus 15 can not be a prime)
Miller-Rabin Algorithm
• Use Fermat's theorem: a^(n - 1) = 1 mod n
• Pick a random number n and test if it is prime
• Test n with the division by smaller primes to speed up the process
• If you think a prime has been found: pick an a at random
Miller-Rabin algorithm:
  compute r = a^c mod n
  if r = 1 mod n                  // is the first mod n square root of 1 already 1?
    ⇒ n is (possibly) prime       // else: a^(n-1) can only become 1 by squaring -1 in
  else                            // one of the b square operations
    for i = 0 to b - 1 do
      if r = -1 mod n             // now: test on the allowed square root. Because the
        ⇒ n is (possibly) prime   // result before was not 1, it can only become
      else                        // 1 by squaring -1. Search for a -1
        r = r^2 mod n             // prepare testing the next square root
    ⇒ n is not prime              // only non-allowed square roots found
Miller-Rabin Algorithm - Example
Choose n = 15 as a possible prime
→ n - 1 = 14 = 2 ⋅ 7
→ b = 1, c = 7
→ Pick randomly a = 5
→ Compute a^c = 5^7 = 78125 = 5 mod 15 (this is not 1 nor -1, and: 5^2 = 25 = 10 mod 15)
→ no prime found
Other variant: pick randomly a = 4
→ Compute 4^7 = 16384 = 4 mod 15 (this is not 1 nor -1, and: 4^2 = 16 = 1 mod 15)
→ This means, 4 is a square root of 1 mod 15
→ no prime found
Choose n = 13 as a possible prime
→ n - 1 = 12 = 2^2 ⋅ 3
→ b = 2, c = 3
→ Pick randomly a = 5
→ Compute 5^3 = 125 = 8 mod 13
→ Compute 8^2 = 64 = -1 mod 13
→ -1 is an allowed square root of 1, thus 13 is (possibly) prime
Other try: pick randomly a = 3
→ compute 3^3 = 27 = 1 mod 13
→ 13 is (possibly) prime
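An added example (not the lecture's code) that runs the procedure of the last three slides: decompose gives b and c, miller_rabin_round is one pass with a chosen base a, and fermat_test is the simple test from the Euler/Fermat slide, so the Carmichael number 561 from the "Prime Tests" slide can be watched passing Fermat and failing Miller-Rabin. Function names are my own.

```python
def decompose(n):
    """Write n - 1 = 2**b * c with c odd (the slide's b and c)."""
    b, c = 0, n - 1
    while c % 2 == 0:
        b += 1
        c //= 2
    return b, c


def fermat_test(n, a):
    """Simple prime test: a^(n-1) = 1 mod n?  True means only 'n may be prime'."""
    return pow(a, n - 1, n) == 1


def miller_rabin_round(n, a):
    """One Miller-Rabin round with base a, exactly as on the slide.

    Returns True if n passes ('possibly prime') and False if n is certainly composite.
    """
    b, c = decompose(n)
    r = pow(a, c, n)                     # r = a^c mod n
    if r == 1:                           # first square root of 1 is already 1
        return True
    for _ in range(b):                   # the b squaring operations
        if r == n - 1:                   # r = -1 mod n: the only other allowed root of 1
            return True
        r = r * r % n                    # prepare testing the next square root
    return False                         # only non-allowed square roots of 1 were found


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13)):
    """Trial division by small primes first (as the slide suggests), then several rounds."""
    if n < 2:
        return False
    for p in bases:
        if n == p:
            return True
        if n % p == 0:
            return False
    return all(miller_rabin_round(n, a) for a in bases)


if __name__ == "__main__":
    for n, a in [(15, 5), (15, 4), (13, 5), (13, 3), (561, 2)]:
        print(f"n={n:>3} a={a}: b,c={decompose(n)} fermat={fermat_test(n, a)} "
              f"miller-rabin={miller_rabin_round(n, a)}")
```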
Classical Public Key Cryptography
• RSA
• Public-key cryptography standard (PKCS)
• Rabin cryptosystem
• Diffie-Hellman cryptosystem
• ElGamal cryptosystem
• Merkle-Hellman cryptosystem
RSA
Developed by Rivest, Shamir, and Adleman
Purpose: encryption and decryption of data
• Variable key length
→ Long key used for high security needs
→ Short key used for efficient encryption processes
→ Common key length: 512 bit
• Variable plaintext length
→ Must be shorter than the key
• Cipher text blocks
→ Length of the key
Much slower than secret key algorithms like DES or IDEA
• Only used for short messages
• Important purpose: transmission of secret keys
RSA Key Generation
Generate a public key and a corresponding private key
1.) Choose two large primes p and q of 256 bit each (p and q must be kept secret!)
2.) Compute n = p ⋅ q
3.) Compute Φ(n) = (p - 1) ⋅ (q - 1)
4.) Choose e relatively prime to Φ(n)
5.) Find d with d ⋅ e = 1 mod Φ(n)
    (d is the multiplicative inverse to e)
⇒ <e, n> is the public key
⇒ <d, n> is the private key
n is public, but the factorisation into p and q is computationally infeasible
Why do these keys work?
• We use modular arithmetic (mod n) with p ⋅ q = n
• d and e were chosen such that d ⋅ e = 1 mod Φ(n)
• Because n is a product of distinct primes, for all x:
⇒ x^(d ⋅ e) = x^(1 mod Φ(n)) = x mod n
Usage Scenarios for RSA
Encryption and decryption
• Encrypt message m using the public key of the receiver:
  c = m^e mod n
• Decrypt cipher text c with the private key of the receiver:
  m = c^d mod n
Digital signatures
• Similar to the encryption/decryption process
• Sender encrypts message m with his private key:
  s = m^d mod n
• Each receiver can read the signed message using the public key of the sender:
  m = s^e mod n
Why is RSA (relatively) secure?
Breaking RSA means finding d from knowing e and n…
• Attacker only knows: d is the exponential inverse to e mod Φ(n)
• Simple approach: knowing p and q you can compute Φ(n) (this is a kind of trapdoor)
• However: an attacker does not know p and q
• Attacker needs to factorise n to obtain p and q
→ Factorising large numbers is difficult
→ The best algorithms are too slow
→ And: a brute force attack is less efficient than factorising
But it is possible to misuse RSA!
• Assume that an attacker knows the context of a message from A
• The attacker could encrypt candidate messages with the public key eA and compare them with the intercepted cipher text
• If a match is found, the attacker has found the message
How to determine p, q, e and d
1.) Finding big primes p and q
• For a 10-digit number, the chance of finding a prime is 1 in 23
• For a 100-digit number, the chance is only 1 in 230
→ Pick random numbers until you find a prime
→ Use Fermat's theorem and the Rabin-Miller algorithm to test if a random number is prime
2.) Finding d and e for p and q
• Choose e as relatively prime to (p - 1) ⋅ (q - 1)
  a.) by choosing e at random and testing if it is relatively prime to (p - 1) ⋅ (q - 1)
  b.) by choosing e first and then determining matching p and q
→ RSA is not less secure if always the same e is chosen
→ If e is small or its binary representation has few '1's, the operations for encryption and signature verification become much more efficient
→ Use the Euclidean algorithm to determine d with e ⋅ d = 1 mod Φ(n)
Note: do not choose a small d; d is a secret, thus it should be hard to determine
Using small public keys
Let "e" be a small constant
→ Public key operations become faster, while private key operations remain unchanged
→ Popular values for "e" are 3 and 65537
Case of "e = 3"
→ Maximizes performance
→ Apparently it does not weaken the security of RSA
  (when some practical constraints on its use are considered)
→ Problems with e = 3
• Small messages m with m^3 mod n = m^3 (no reduction modulo n takes place)
→ Problem: it only takes the cube root to decrypt
→ Solution: pad the message with a random number before encryption
• If a message is sent to 3 or more receivers, m can be derived from the three encrypted values and the public keys of the receivers
• Find p and q so that 3 is relatively prime to (p - 1) ⋅ (q - 1)
  (practical problem: there are many numbers which 3 is not relatively prime to)
Using small public keys
Case of "e = 65537"
• Is equal to 2^16 + 1, and it is prime
• The binary representation contains only two 1s
→ Only 17 multiplications are necessary to compute any m^e
→ Much faster than the 768 (on average) multiplications necessary for a randomly chosen 512 bit value
• The problems mentioned for e = 3 are avoided
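Key generation, encryption, decryption, signing and verification from the RSA slides, plus the multiplication count the small-public-key slides talk about, as one added Python example (not the lecture's code); the textbook primes p = 61, q = 53 are constructed input, the function names are my own, and pow(e, -1, phi) is Python's built-in modular inverse (Python 3.8 or newer).

```python
from math import gcd


def rsa_keygen(p, q, e=65537):
    """Steps 1-5 of the slide: n, Φ(n), e relatively prime to Φ(n), d = e^-1 mod Φ(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to Φ(n)")
    d = pow(e, -1, phi)              # multiplicative inverse (extended Euclid inside pow)
    return (e, n), (d, n)            # public key <e, n>, private key <d, n>


def rsa_encrypt(m, public_key):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext block must be smaller than the modulus")
    return pow(m, e, n)              # c = m^e mod n


def rsa_decrypt(c, private_key):
    d, n = private_key
    return pow(c, d, n)              # m = c^d mod n


def rsa_sign(m, private_key):
    d, n = private_key
    return pow(m, d, n)              # s = m^d mod n


def rsa_verify(s, public_key):
    e, n = public_key
    return pow(s, e, n)              # m = s^e mod n


def square_and_multiply(x, k, n):
    """Left-to-right binary exponentiation; returns (x^k mod n, number of multiplications).

    One squaring per bit after the leading 1 and one extra multiplication per set bit,
    which is why e = 65537 = 2^16 + 1 costs 17 multiplications and e = 3 costs 2.
    """
    if k == 0:
        return 1 % n, 0
    bits = bin(k)[2:]                # most significant bit first, always a 1
    result, mults = x % n, 0         # the leading 1 only loads x, no multiplication
    for bit in bits[1:]:
        result = result * result % n # squaring
        mults += 1
        if bit == "1":
            result = result * x % n  # multiply
            mults += 1
    return result, mults


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)   # constructed toy primes: n = 3233, Φ(n) = 3120
    c = rsa_encrypt(65, pub)
    print("public", pub, "private", priv, "c =", c, "m =", rsa_decrypt(c, priv))
    print("multiplications for e = 65537:", square_and_multiply(65, 65537, 3233)[1])
```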
Public Key Cryptography Standard (PKCS)
How could different implementations interwork?
→ Standards for the encoding of information that will be encrypted or signed
Public Key Cryptography Standard
→ Set of standards PKCS#1 - PKCS#9
→ Definition of the encoding of RSA public keys, RSA private keys, RSA signatures, short RSA-encrypted messages (typically secret keys), and short RSA-signed messages (typically a message digest)
→ Designed to deal with
• Encrypting guessable messages
• Signing smooth numbers
• Multiple recipients of a message for e = 3
• For e = 3, encrypting messages that are less than a third of the length of n
• For e = 3, signing messages where the information is in the high-order part
Example: PKCS#1
PKCS#1 (encryption)
• Standard format for messages to be encrypted with RSA
Consists of
• Preceding 0: the message remains smaller than the modulus
• 2: denotes a message which is to be encrypted
• Random bytes (padding):
  – Each byte is chosen independently to make it harder to guess the message
  – Independent padding for each recipient
  – Make the message long enough to avoid problems with m^3 < n for e = 3
• Next 0: marks the beginning of the data
Block layout: 0 | 2 | ≥ 8 random non-zero bytes | 0 | data
Example: PKCS#1
PKCS#1 (signature)
• Standard format for messages to be signed with RSA
• Data are typically a message digest of 128 bit
→ Padding is required
Consists of:
• Preceding 0: the message remains smaller than the modulus
• 1: denotes a message which is to be signed
• Padding bytes (ff): make the data bigger than 128 byte
• Next 0: marks the beginning of the data
• Digest type standardises how to tell another party which digest function was used
Block layout: 0 | 1 | ≥ 8 bytes of ff(16) | 0 | digest type and message digest
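The two block layouts above as builder and parser functions, an added example that is neither the lecture's nor RSA Laboratories' code: the digest type byte 0x01 is a constructed placeholder (real PKCS#1 encodes it as an ASN.1 DigestInfo), SHA-256 stands in for the slide's 128-bit digest, and the two check functions show what the leading 0 and the long padding buy for e = 3.

```python
import hashlib
import os


def pkcs1_pad_encrypt(data, k, rng=os.urandom):
    """Block type 2 (encryption): 00 || 02 || PS || 00 || data, k bytes in total.

    PS is >= 8 random non-zero bytes, drawn independently for every recipient.
    """
    ps_len = k - 3 - len(data)
    if ps_len < 8:
        raise ValueError("data too long: at least 8 padding bytes are required")
    ps = bytearray()
    while len(ps) < ps_len:
        byte = rng(1)
        if byte != b"\x00":                      # zero is reserved for the separator
            ps += byte
    return b"\x00\x02" + bytes(ps) + b"\x00" + data


def pkcs1_unpad_encrypt(block):
    """Inverse of pkcs1_pad_encrypt; rejects anything that is not a valid type 2 block.

    (A real decryptor must also avoid telling the sender whether this check failed.)
    """
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        raise ValueError("not a type 2 block")
    sep = block.find(b"\x00", 2)                 # first zero after the type byte
    if sep < 10:                                 # -1 (no separator) or fewer than 8 PS bytes
        raise ValueError("padding string too short or separator missing")
    return block[sep + 1:]


def pkcs1_pad_sign(digest_info, k):
    """Block type 1 (signature): 00 || 01 || FF..FF (>= 8 bytes) || 00 || digest type + digest."""
    ps_len = k - 3 - len(digest_info)
    if ps_len < 8:
        raise ValueError("digest info too long for this modulus size")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + digest_info


def pkcs1_unpad_sign(block):
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x01:
        raise ValueError("not a type 1 block")
    sep = block.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in block[2:sep]):
        raise ValueError("padding must be >= 8 bytes of ff")
    return block[sep + 1:]


def below_modulus(block):
    """The leading 00 byte makes the block, read as a number, smaller than any k-byte modulus."""
    return int.from_bytes(block, "big") < 256 ** (len(block) - 1)


def cube_wraps(block):
    """True if m^3 >= 256^k, i.e. with e = 3 the reduction mod n really takes place."""
    m = int.from_bytes(block, "big")
    return m ** 3 >= 256 ** len(block)


DIGEST_TYPE_SHA256 = b"\x01"   # constructed placeholder for the 'digest type' field


def digest_info(message):
    """Digest type marker followed by the message digest, as the signature layout requires."""
    return DIGEST_TYPE_SHA256 + hashlib.sha256(message).digest()
```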
Rabin Cryptosystem
Rabin cryptosystem
• "Secure" because of the difficulty to find square roots modulo a composite number
• Nearly as difficult as factorising large numbers
Rabin algorithm
• Choose primes p and q, both congruent to 3 mod 4
→ p and q form the private key
→ n = p ⋅ q is the public key
• Encryption of message m in the range {0, ..., n - 1}
  c = m^2 mod n
Decryption in the Rabin Cryptosystem
Decryption is more complex
• Receiver knows p and q
• Solve the two congruences using the so-called Chinese remainder theorem
• Compute:
  t1 = c^((p + 1) / 4) mod p
  t2 = p - c^((p + 1) / 4) mod p
  t3 = c^((q + 1) / 4) mod q
  t4 = q - c^((q + 1) / 4) mod q
• Choose integers a = q ⋅ (q^-1 mod p) and b = p ⋅ (p^-1 mod q)
• Possible solutions are
  m1 = (a ⋅ t1 + b ⋅ t3) mod n
  m2 = (a ⋅ t1 + b ⋅ t4) mod n
  m3 = (a ⋅ t2 + b ⋅ t3) mod n
  m4 = (a ⋅ t2 + b ⋅ t4) mod n
• One of these results equals m…
• If m is normal text, it is no problem to find the right mi
• Otherwise, add a known header to m before encryption
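Rabin encryption and the four-candidate decryption from the two slides above as an added example (not the lecture's code), including the "known header" trick; p = 7, q = 11 and p = 19, q = 23 are constructed toy parameters, HEADER_BIT and the function names are my own.

```python
def rabin_keygen(p, q):
    """p and q must be primes congruent to 3 mod 4; <p, q> is private, n = p*q public."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    return p * q, (p, q)


def rabin_encrypt(m, n):
    if not 0 <= m < n:
        raise ValueError("message must lie in {0, ..., n-1}")
    return m * m % n                                 # c = m^2 mod n


def rabin_roots(c, p, q):
    """The four candidates m1..m4 from the slide, combined with the Chinese remainder theorem."""
    n = p * q
    t1 = pow(c, (p + 1) // 4, p)                     # square root of c mod p
    t2 = p - t1                                      # (works because p = 3 mod 4)
    t3 = pow(c, (q + 1) // 4, q)                     # square root of c mod q
    t4 = q - t3
    a = q * pow(q, -1, p)                            # a = q * (q^-1 mod p)
    b = p * pow(p, -1, q)                            # b = p * (p^-1 mod q)
    return [(a * t1 + b * t3) % n, (a * t1 + b * t4) % n,
            (a * t2 + b * t3) % n, (a * t2 + b * t4) % n]


HEADER_BIT = 256   # constructed header scheme: m = 256 + payload, payload is one byte


def rabin_encrypt_with_header(payload, n):
    if not 0 <= payload < HEADER_BIT or HEADER_BIT + payload >= n:
        raise ValueError("payload must be one byte and 256 + payload must stay below n")
    return rabin_encrypt(HEADER_BIT + payload, n)


def rabin_decrypt_with_header(c, p, q):
    """Pick the candidate that carries the header; refuse to guess if it is not unique."""
    hits = [r for r in rabin_roots(c, p, q) if HEADER_BIT <= r < 2 * HEADER_BIT]
    if len(hits) != 1:
        raise ValueError("header ambiguous or missing; use a longer header in practice")
    return hits[0] - HEADER_BIT


if __name__ == "__main__":
    n, (p, q) = rabin_keygen(19, 23)
    c = rabin_encrypt_with_header(100, n)
    print("n =", n, "c =", c, "candidates =", rabin_roots(c, p, q),
          "payload =", rabin_decrypt_with_header(c, p, q))
```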
Diffie-Hellman Cryptosystem
Oldest public key cryptosystem
• Offers better performance than RSA
• Less general than RSA (it does neither encryption nor signatures)
Purpose: two persons can agree upon a secret number (e.g. a shared key), which cannot be computed by intercepting the publicly exchanged messages
• After the exchange of two public messages both communication partners know a secret number
• Having agreed on a secret number, they can use e.g. DES for communication
→ Diffie-Hellman is actually used for key establishment
→ Remaining problem: no authentication between the partners
Diffie-Hellman Algorithm
Algorithm for key establishment
• Choose a prime p with 512 bit
• Choose a number g < p with some restrictions
→ p and g are public!
• A randomly chooses a 512 bit number Sa and computes Ta = g^Sa mod p
• B randomly chooses a 512 bit number Sb and computes Tb = g^Sb mod p
→ Sa and Sb are secret
• A and B exchange Ta and Tb
• A computes kAB = Tb^Sa mod p = g^(Sa ⋅ Sb) mod p
• B computes kAB = Ta^Sb mod p = g^(Sa ⋅ Sb) mod p
→ A and B both compute the same secret key g^(Sa ⋅ Sb)
Note: It is impossible to compute g^(Sa ⋅ Sb) fast enough knowing only Ta and Tb, due to the difficulty of computing discrete logarithms, i.e. of computing Sa from knowing g^Sa
Bucket-Brigade Attack on Diffie-Hellman
Problem in Diffie-Hellman: no authentication between A and B
→ If A obtains Tb, he cannot know for sure if B has sent it
Bucket-Brigade attack
An attacker O obtains Ta and establishes a common secret with A
Attack method: p and g are known publicly
• A sends g^Sa to O (but believes it is sent to B)
• O computes g^So and sends it to B
• B computes g^Sb and sends it to O
• O sends g^So back to A
• O establishes kAO and kBO
• A and B communicate via O
→ Diffie-Hellman is only secure against passive attacks (i.e. just watching messages)
→ Protection against active attacks: use a trusted and public location to publish g^Si for all persons i in advance
[Diagram: A (g^Sa = 8389) sends 8389 to O; O (g^So = 5876) sends 5876 to A and to B; B (g^Sb = 9267) sends 9267 to O.
 Shared key kAO = 5876^Sa = 8389^So; shared key kBO = 9267^So = 5876^Sb]
Diffie-Hellman for Encryption
Encryption algorithm using Diffie-Hellman
• Each participant chooses a private key Si
• Each participant computes a public key <p, g, Ti> with Ti = g^Si mod p
• Publish all public keys at a trusted public place
• Assume, B publishes <p, g, Tb>
• A computes kAB = Tb^Sa mod p
• A uses kAB as secret key with B to compute a cipher text
• A transmits the cipher text and g^Sa mod p to B
• B computes kAB to decrypt the message
→ The secret key is transmitted only together with the message
For better security, p and g should have these properties:
• p should be a strong prime number, i.e. (p - 1)/2 is prime, too
• It is desirable to have g^x ≠ 1 mod p unless x = 0 mod (p - 1) [if p is a strong prime number, this is true for all g ≠ -1 mod p with g^((p - 1) / 2) = -1 mod p]
• But: this is a costly way of choosing p and g!
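Both sides of the key establishment from the "Diffie-Hellman Algorithm" slide together with the parameter checks listed just above, as an added example (not the lecture's code); p = 23 and g = 5 are constructed toy values, the function names are my own, and the trial-division primality check is only meant for numbers this small.

```python
def is_small_prime(n):
    """Trial division: adequate for the constructed toy parameters, not for 512-bit p."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True


def is_strong_prime(p):
    """The slide's requirement: p prime and (p - 1) / 2 prime as well."""
    return p > 2 and is_small_prime(p) and is_small_prime((p - 1) // 2)


def is_good_generator(g, p):
    """For a strong prime p: g generates all of Z_p* iff g != -1 and g^((p-1)/2) = -1 mod p."""
    g %= p
    return g != p - 1 and pow(g, (p - 1) // 2, p) == p - 1


def dh_public(g, secret, p):
    return pow(g, secret, p)                   # T_i = g^S_i mod p, sent in the clear


def dh_shared(peer_public, secret, p):
    return pow(peer_public, secret, p)         # k = T_peer^S_own mod p = g^(S_a*S_b) mod p


def dh_exchange(p, g, s_a, s_b):
    """Run both sides; returns (T_a, T_b, k_AB as computed by A, k_AB as computed by B)."""
    if not (is_strong_prime(p) and is_good_generator(g, p)):
        raise ValueError("p must be a strong prime and g a generator of Z_p*")
    t_a = dh_public(g, s_a, p)                 # A -> B
    t_b = dh_public(g, s_b, p)                 # B -> A
    k_a = dh_shared(t_b, s_a, p)               # A: T_b^S_a
    k_b = dh_shared(t_a, s_b, p)               # B: T_a^S_b
    return t_a, t_b, k_a, k_b


if __name__ == "__main__":
    print(dh_exchange(23, 5, 6, 15))           # constructed: p = 23, g = 5, S_a = 6, S_b = 15
```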
ElGamal Cryptosystem
• Mainly used for digital signatures
• Secure because of the difficulty to calculate discrete logarithms in a finite field
• Uses the same kind of key as Diffie-Hellman
Additionally provides a scheme for signatures
• Each person has a long-time key
  – public key: <g, p, T>
  – private key: S with g^S mod p = T
• For each message m to be signed, a new key pair Sm, <g, p, Tm> has to be generated
• For the message m to be signed, compute a message digest dm = MD(m | Tm)
• Compute the signature X = Sm + dm ⋅ S mod (p - 1)
• Transmit m together with X and Tm
• To verify the signature, compute g^X, dm, and Tm ⋅ T^dm mod p
  Check: g^X = g^(Sm + dm ⋅ S) = g^Sm ⋅ g^(dm ⋅ S) = Tm ⋅ T^dm mod p
Digital Signature Standard (DSS)
Digital Signatures with DSS
• The DSS algorithm is called Digital Signature Algorithm (DSA)
• Algorithm to create digital signatures based on ElGamal
• Difference to ElGamal is the speed of operations (3 times faster):
  Instead of using a p of 512 bit, for some operations only use a prime q of 160 bit, for which holds: p = k ⋅ q + 1
Note: using ElGamal means to generate a key pair <Sm, Tm> for each message m which has to be signed
• If a pair of keys is used for two different messages, it would expose the signer's private key:
→ With only two uses, Sm can be deduced
→ By knowing Sm, the secret key S can easily be computed
Digital Signature Algorithm
Digital Signature Algorithm
• Generate and publish a 512-bit prime p and a 160-bit prime q with p = k ⋅ q + 1
• Generate and publish a g with g^q = 1 mod p (use Fermat's theorem)
  Note: g must not be 1
• Generate a long-term public/private key pair <T, S> as in ElGamal
• For each message m generate a separate key pair <Tm, Sm> by choosing Sm and computing Tm = ((g^Sm mod p) mod q)
• For m, compute the message digest dm
• Compute the signature X = Sm^-1 ⋅ (dm + S ⋅ Tm) mod q
• Transmit m, Tm, and X
Signature verification
• Calculate the mod q inverse of the signature, X^-1
• Calculate the message digest dm
• Calculate x = dm ⋅ X^-1 mod q and y = Tm ⋅ X^-1 mod q
• Calculate z = (g^x ⋅ T^y mod p) mod q
• If z = Tm, the signature is verified
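The DSA steps above, built on the ElGamal-style long-term key of the previous slide, as an added example (not the lecture's code); p = 23, q = 11 and the secrets S = 7, S_m = 3 are constructed toy values, message_digest reduces SHA-256 mod q as a stand-in for the slide's d_m, and the function names are my own.

```python
import hashlib


def dsa_params(p, q, h=2):
    """Check p = k*q + 1 and derive g = h^((p-1)/q) mod p, so that g^q = 1 mod p and g != 1."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    g = pow(h, (p - 1) // q, p)
    if g == 1:
        raise ValueError("g must not be 1; try another h")
    return p, q, g


def dsa_keygen(params, s):
    """Long-term pair as in ElGamal: private S, public T = g^S mod p."""
    p, q, g = params
    return s, pow(g, s, p)


def message_digest(message, q):
    """d_m as a number mod q (constructed: SHA-256 reduced mod q)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q


def dsa_sign(d_m, s, s_m, params):
    """Per-message secret S_m (fresh for every message, never reused):
    T_m = (g^S_m mod p) mod q and X = S_m^-1 * (d_m + S * T_m) mod q.  Returns (T_m, X)."""
    p, q, g = params
    t_m = pow(g, s_m, p) % q
    x = pow(s_m, -1, q) * (d_m + s * t_m) % q
    if t_m == 0 or x == 0:
        raise ValueError("degenerate signature; choose another S_m")
    return t_m, x


def dsa_verify(d_m, t_m, x, t, params):
    """x = d_m * X^-1 mod q, y = T_m * X^-1 mod q, z = (g^x * T^y mod p) mod q; accept iff z = T_m."""
    p, q, g = params
    if not (0 < t_m < q and 0 < x < q):
        return False
    x_inv = pow(x, -1, q)
    u = d_m * x_inv % q                            # 'x' on the slide
    v = t_m * x_inv % q                            # 'y' on the slide
    z = pow(g, u, p) * pow(t, v, p) % p % q
    return z == t_m


if __name__ == "__main__":
    params = dsa_params(23, 11)                    # constructed: p = 23 = 2 * 11 + 1
    s, t = dsa_keygen(params, 7)
    d_m = message_digest(b"pay 10 EUR", params[1])
    t_m, x = dsa_sign(d_m, s, 3, params)
    print("params", params, "T =", t, "signature", (t_m, x),
          "valid:", dsa_verify(d_m, t_m, x, t, params))
```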
Merkle-Hellman Cryptosystem
Knapsack Problem
• Pack a knapsack optimally with n objects of different weights a1, ..., an and overall size g
• Search for a vector (ki), ki ∈ {0, 1} for i = 1, ..., n with
  ∑_{i=1}^{n} ki ⋅ ai = g
• This is an NP hard problem
Merkle-Hellman cryptosystem
• Based on the knapsack problem
• Special type of knapsack problem:
  The sizes of the objects form a fast growing sequence with
  a_(i+1) > ∑_{j=1}^{i} aj
  There is a solution in O(n):
  Start with the biggest object and find a new smaller knapsack with one object less
Merkle-Hellman in Cryptography
Principle:
Use a simple knapsack problem as private key and transform it into a hard one which is used as public key. A message m = (m1, m2, ..., mn) is seen as a solution for the problem, i.e. if mi = 1, the i-th object is in the knapsack
Example:
• A chooses a knapsack problem a with a = (ai) = (2, 5, 9, 21, 45, 103, 215, 450, 946) as key
• A chooses a prime p = 2003 and a number k = 1289
• A generates a hard knapsack problem e = (ei) with ei = k ⋅ ai mod p
→ e = (575, 436, 1586, 1030, 1921, 569, 721, 1183, 1570)
• B encrypts a message m = (1, 0, 1, 1, 0, 0, 1, 1, 1) to A by using e
→ c = 1⋅575 + 0⋅436 + 1⋅1586 + 1⋅1030 + 0⋅1921 + 0⋅569 + 1⋅721 + 1⋅1183 + 1⋅1570 = 6665 (this value is transmitted)
• A computes g = k^-1 ⋅ c mod p = 317 ⋅ 6665 mod 2003 = 1643
• A solves 1643 for (ai) by choosing the biggest fitting number in (ai) until 1643 is reached:
  (2, 5, 9, 21, 45, 103, 215, 450, 946)
→ 1 0 1 1 0 0 1 1 1
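The slide's example re-computed as an added Python example (not the lecture's code) with exactly the slide's a, p, k and message; the function names are my own. Merkle-Hellman was broken by Shamir in 1982, so this shows the construction only.

```python
def is_superincreasing(a):
    """Each a_(i+1) must exceed the sum of all earlier a_j (the slide's 'fast growing sequence')."""
    total = 0
    for ai in a:
        if ai <= total:
            return False
        total += ai
    return True


def mh_keygen(a, p, k):
    """Private key: superincreasing a, modulus p > sum(a), multiplier k.  Public key: e_i = k*a_i mod p."""
    if not is_superincreasing(a) or p <= sum(a):
        raise ValueError("a must be superincreasing and p larger than sum(a)")
    return tuple(k * ai % p for ai in a)


def mh_encrypt(bits, e):
    """c = sum of the public weights selected by the message bits."""
    if len(bits) != len(e) or any(b not in (0, 1) for b in bits):
        raise ValueError("message must be a bit vector as long as the key")
    return sum(mi * ei for mi, ei in zip(bits, e))


def solve_superincreasing(a, g):
    """Greedy O(n) solution of the easy knapsack: take the biggest weight that still fits."""
    bits = [0] * len(a)
    for i in range(len(a) - 1, -1, -1):
        if a[i] <= g:
            bits[i] = 1
            g -= a[i]
    if g != 0:
        raise ValueError("no solution: value does not decode")
    return tuple(bits)


def mh_decrypt(c, a, p, k):
    k_inv = pow(k, -1, p)                  # 1289^-1 mod 2003 = 317 on the slide
    g = k_inv * c % p                      # transform back to the easy knapsack
    return solve_superincreasing(a, g)


if __name__ == "__main__":
    a, p, k = (2, 5, 9, 21, 45, 103, 215, 450, 946), 2003, 1289
    e = mh_keygen(a, p, k)
    c = mh_encrypt((1, 0, 1, 1, 0, 0, 1, 1, 1), e)
    print("e =", e, "c =", c, "m =", mh_decrypt(c, a, p, k))
```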
Modern Public Key Cryptosystems
Classic public key cryptosystems are well analysed
• The performance of classic public key cryptosystems is acceptable
• Security: classic public key cryptosystems are not perfectly secure, but computationally secure
Modern public key cryptosystems improve the classic ones:
• Performance: modern public key cryptosystems have a better performance than the classic ones
• Security: modern public key cryptosystems also offer better security (with the same key length)
• Example: Elliptic Curve Cryptosystem
→ Provide security equivalent to classical public key schemes
→ Shorter key lengths, resulting in faster computing, less complex chips
Elliptic Curves – Definition
Definition: Let p > 3 be prime. The elliptic curve y^2 = x^3 + ax + b over Zp is the set of solutions (x, y) ∈ Zp × Zp for the congruence
y^2 ≡ x^3 + ax + b (mod p), where a, b ∈ Zp are constants such that
4a^3 + 27b^2 ≢ 0 (mod p),
together with a special point O called the point at infinity.
Addition Operation
Let E be an elliptic curve over Zp, P = (x1, y1), Q = (x2, y2).
If x2 = x1 and y2 = -y1, then Q = -P and P + Q := O; otherwise P + Q := (x3, y3), with
  x3 = λ^2 – x1 – x2
  y3 = λ ⋅ (x1 – x3) – y1
and
  λ = (y2 – y1) / (x2 – x1), if P ≠ Q
  λ = (3 ⋅ x1^2 + a) / (2 ⋅ y1), if P = Q
Finally, P + O = O + P = P.
Elliptic Curve - Example
Points on the elliptic curve E: y^2 = x^3 + x + 6 in Z11
 x  | x^3 + x + 6 mod 11 | in QR(11)? | y
----+--------------------+------------+------
 0  | 6                  | no         |
 1  | 8                  | no         |
 2  | 5                  | yes        | 4, 7
 3  | 3                  | yes        | 5, 6
 4  | 8                  | no         |
 5  | 4                  | yes        | 2, 9
 6  | 8                  | no         |
 7  | 4                  | yes        | 2, 9
 8  | 9                  | yes        | 3, 8
 9  | 7                  | no         |
 10 | 4                  | yes        | 2, 9
→ E = {O, (2,4), (2,7), (3,5), (3,6), (5,2), (5,9), (7,2), (7,9), (8,3), (8,8), (10,2), (10,9)}
i.e. (x, y) = (3,5) and (x, y) = (3,6) are points on the elliptic curve
Let α = (2,7). Then α is a primitive element:
  α = (2,7)      2α = α + α = (5,2)   3α = (8,3)    4α = (10,2)
  5α = (3,6)     6α = (7,9)           7α = (7,2)    8α = (3,5)
  9α = (10,9)    10α = (8,8)          11α = (5,9)   12α = (2,4)
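The addition law and the point table above as an added example (not the lecture's code): ec_points enumerates E for y^2 = x^3 + x + 6 over Z_11 by testing quadratic residues, and multiples walks through α, 2α, ... until O is reached; representing the point at infinity by None is my own convention.

```python
def ec_add(P, Q, a, p):
    """P + Q on y^2 = x^3 + a*x + b over Z_p; None stands for the point at infinity O."""
    if P is None:                            # O + Q = Q
        return Q
    if Q is None:                            # P + O = P
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:      # Q = -P (also covers doubling a point with y = 0)
        return None
    if P != Q:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord
    else:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_multiply(k, P, a, p):
    """k * P by repeated addition; fine for the toy curve, a real implementation doubles-and-adds."""
    R = None
    for _ in range(k):
        R = ec_add(R, P, a, p)
    return R


def ec_points(a, b, p):
    """All affine points: for each x, check whether x^3 + a*x + b is a quadratic residue mod p."""
    if (4 * a ** 3 + 27 * b ** 2) % p == 0:
        raise ValueError("singular curve: 4a^3 + 27b^2 must not be 0 mod p")
    pts = []
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        for y in range(p):
            if y * y % p == rhs:
                pts.append((x, y))
    return pts


def multiples(P, a, p):
    """P, 2P, 3P, ... up to the last point before O; the length is the order of P."""
    out, R = [], P
    while R is not None:
        out.append(R)
        R = ec_add(R, P, a, p)
    return out


if __name__ == "__main__":
    print("E =", ec_points(1, 6, 11))
    for i, pt in enumerate(multiples((2, 7), 1, 11), start=1):
        print(f"{i}α = {pt}")
```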