Applied Cryptography Public Key Algorithms

Transcription

1 Applied Cryptography Public Key Algorithms Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1

2 Public Key Cryptography Independently invented by Whitfield Diffie & Martin Hellmann and Ralph Merkle in 1976 Only three algorithms appear to work well: RSA, ElGamal, Rabin Chosen plaintext attack trivial: the encryption key is public 2

3 Knapsack Algorithm No longer secure, but still interesting Given a set of weights (all different), find a subset with a given weight. Given a set of values M 1,..., M n, and a sum S, find b 1,..., b n, (b i {0, 1}) such that n S = b i M i Solving this is NP hard. i=1 3

4 Knapsack Algorithm The plaintext is the string of b i and specifies which weights to put in the knapsack. The key is the list of weights. The ciphertext is the resulting sum. The algorithm relies on there being two knapsacks, one solvable in linear time, the other not. The easy one is modifiable into the hard one. The public key is the hard one. The easy one is used to decrypt. 4

5 Superincreasing Knapsack If the list of weights increases so fast that each subsequent weight weighs more than all the previous ones together, we have a superincreasing knapsack. With such weights, the knapsack problem is easy to solve: Take the total weight, compare to the largest weight. If greater, then that weight must be included, substract from total and proceed with the next weight. If the total weight becomes zero in this process, the problem is solved. If not, there is no solution. 5

6 Normal Knapsacks If the weights are not superincreasing, the problem becomes hard, essentially only solvable by trial and error. For n weights, there are 2 n sets of weights to be tried. Add one weight and finding the solution takes twice as long. 6

7 Creating a Knapsack Pair We begin by creating a superincreasing knapsack W = {W 1,..., W k } and construct a normal one, by defining a modulus n > k 1 W i and a multiplier m that is co-prime with n (gcd(n, m) = 1). The new weights w = {w 1,..., w k } are calculated by w i = W i m mod n. The sequence W, together with n, and m is the private key, the sequence w is the public one. contain at least 250 items. Real knapsacks should 7

8 Encryption To encrypt a message, break it up into blocks of k bits and compute the total weight of the knapsack using weights w (a one bit indicates presence, a zero bit absence of the corresponding weight). 8

9 Decryption Multiply each of the total weights by m 1 mod n and solve the superincreasing knapsack problem to recover the weights (and the bits). See example on p. 464/465. 9

10 Security The Knapsack algorithm has been broken by Shamir and Zippel (± 1982). They found ways to reconstruct the superincreasing knapsack from the original one. Most variations on the knapsack algorithm have been broken by techniques very similar to those of Shamir and Zippel. 10

11 RSA Named after Rivest, Shamir and Adleman this one is nice and simple and quite secure to boot. This is how it works: Choose two big primes p and q and use its product n as the modulus of the algorithm. Also choose e and d so that e d 1(mod φ(n)). This is Euler s totient function again. Remember that φ(p q) = (p 1) (q 1), and note that d e 1 (mod φ(n)) The public key is (n, e), the private key is (n, d). Encryption: c = m e mod n Decryption: m = c d mod n, 11

12 Because c d mod n = (m e mod n) d mod n = (m e ) d mod n = m e d mod n = m φ(n)+1 mod n = m m φ(n) mod n = m mod n 12

13 Speed RSA is a thousand times slower than DES. Choosing a small e helps (e.g., 3, 17, or (just two one bits)). 13

14 Security Depends on the difficulty of factoring n. equivalent to this. Guessing φ(n) is The largest product of primes ever factored had 129 digits. Progress in factoring is constantly made, but at a rate of a few digits per year. Choosing n to have 300 digits or more (1000 bits or more) will keep the number theorists busy for quite some years. If p and q are probabilistic primes, and they happen not to be, encryption and decryption won t work properly. You may or may not notice. In any case, the probabilty of p and q not being prime can easily be made small enough that you won t have to worry about it. 14

15 There is much more about attacks in the book, but time is currently our enemy. Read up on it if you re interested. 15

16 Rabin Depends on the difficulty of finding modular square roots which is just as hard as factoring. Choose n = p q where p and q are large primes and p, q 3 mod 4. p and q are the private key, n is the public key. Encryption: c = m 2 mod n Decryption is more cumbersome... 16

17 Decryption Let a = q(q 1 mod p) and b = p(p 1 mod q) m 1 = c (p+1)/4 mod p m 2 = (p c (p+1)/4 ) mod p m 3 = c (q+1)/4 mod q m 4 = (q c (q+1)/4 ) mod q M 1 = (am 1 + bm 3 ) mod n M 3 = (am 2 + bm 3 ) mod n M 2 = (am 1 + bm 4 ) mod n M 4 = (am 2 + bm 4 ) mod n One of M 1,..., M 4 is the plaintext message. Redundancy will reveal which. Williams invented refinements that eliminate having to choose one of four possible solutions. 17

18 El Gamal ElGamal depends of the difficulty of finding logarithms in a finite field (finding x, such that x a y(mod n)). Choose p prime and g, x less than p. Calculate y = g x mod p. The public key is (y, g, p). The secret key is (x, g, p). 18

19 Signing with ElGamal 1. Choose random k 2. Compute a = g k mod p 3. Use the extended Euclidean algorithm to solve for b in M = (xa + kb) mod (p 1) 4. The signature is (a, b); k must be kept secret. To verify, confirm that y a a b g M mod p. Note that k can be used to recover x, so it must be kept just as secret as the secret key itself. It s best to discard k immediately after signing. 19

20 Encrypting with ElGamal 1. Choose random k co-prime with p 1 2. Compute a = g k mod p and b = y k M mod p 3. The ciphertext is (a, b) (it s twice the size of the plaintext) To decrypt: M = b a x mod p 20

21 Patents All these public-key systems are patented (in the US) with the exception of ElGamal. It has not yet been tested whether these patents stand up in court. 21