Applied Cryptography Public Key Algorithms



Similar documents
The Mathematics of the RSA Public-Key Cryptosystem

Cryptography and Network Security Chapter 9

CSCE 465 Computer & Network Security

Public Key (asymmetric) Cryptography

Overview of Public-Key Cryptography

Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

An Introduction to the RSA Encryption Method

Notes on Network Security Prof. Hemant K. Soni

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Shor s algorithm and secret sharing

Elements of Applied Cryptography Public key encryption

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

A SOFTWARE COMPARISON OF RSA AND ECC

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

CRYPTOGRAPHY IN NETWORK SECURITY

CIS 5371 Cryptography. 8. Encryption --

Cryptography and Network Security

Secure File Transfer Using USB

Lecture 3: One-Way Encryption, RSA Example

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Lukasz Pater CMMS Administrator and Developer

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

Primality Testing and Factorization Methods

Software Implementation of Gong-Harn Public-key Cryptosystem and Analysis

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

CS 758: Cryptography / Network Security

The application of prime numbers to RSA encryption

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

7! Cryptographic Techniques! A Brief Introduction

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Public Key Cryptography: RSA and Lots of Number Theory

LUC: A New Public Key System

A Factoring and Discrete Logarithm based Cryptosystem

Software Tool for Implementing RSA Algorithm

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

RSA Attacks. By Abdulaziz Alrasheed and Fatima

Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography

Mathematical Model Based Total Security System with Qualitative and Quantitative Data of Human

Public Key Cryptography and RSA. Review: Number Theory Basics

Digital Signatures. Meka N.L.Sneha. Indiana State University. October 2015

Public Key Cryptography Overview

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

Advanced Cryptography

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

CS549: Cryptography and Network Security

SECURITY IN NETWORKS

Cryptography and Network Security Chapter 10

Lecture 6 - Cryptography

EXAM questions for the course TTM Information Security June Part 1

Computer Security: Principles and Practice

Lecture 13 - Basic Number Theory.

Cryptography: Authentication, Blind Signatures, and Digital Cash

Number Theory and the RSA Public Key Cryptosystem

Cryptography and Network Security

An Introduction to RSA Public-Key Cryptography

Public-Key Cryptanalysis

Number Theory and Cryptography using PARI/GP

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Network Security. HIT Shimrit Tzur-David

Capture Resilient ElGamal Signature Protocols

Factoring integers, Producing primes and the RSA cryptosystem Harish-Chandra Research Institute

Symmetric Key cryptosystem

Timing Attacks on software implementation of RSA

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Digital Signature. Raj Jain. Washington University in St. Louis

Digital signatures are one of the most important inventions/applications of modern cryptography.

Chapter 7: Network security

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Network Security. Omer Rana

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt

AC76/AT76 CRYPTOGRAPHY & NETWORK SECURITY DEC 2014

An Introduction to Cryptography as Applied to the Smart Grid

Multi-Layered Cryptographic Processor for Network Security

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

Module: Applied Cryptography. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

3-6 Toward Realizing Privacy-Preserving IP-Traceback

VoteID 2011 Internet Voting System with Cast as Intended Verification

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc Theoretical Computer Science Konstantinos Vamvourellis

Center for Internet Security. INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO

AN IMPLEMENTATION OF HYBRID ENCRYPTION-DECRYPTION (RSA WITH AES AND SHA256) FOR USE IN DATA EXCHANGE BETWEEN CLIENT APPLICATIONS AND WEB SERVICES

EXAM questions for the course TTM Information Security May Part 1

Cryptography & Digital Signatures

How To Know If A Message Is From A Person Or A Machine

Modeling and verification of security protocols

CIS 433/533 - Computer and Network Security Public Key Crypto/ Cryptographic Protocols

Introduction. Digital Signature

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Message Authentication Codes

Public-key cryptography RSA

Transcription:

Applied Cryptography Public Key Algorithms Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1

Public Key Cryptography Independently invented by Whitfield Diffie & Martin Hellmann and Ralph Merkle in 1976 Only three algorithms appear to work well: RSA, ElGamal, Rabin Chosen plaintext attack trivial: the encryption key is public 2

Knapsack Algorithm No longer secure, but still interesting Given a set of weights (all different), find a subset with a given weight. Given a set of values M 1,..., M n, and a sum S, find b 1,..., b n, (b i {0, 1}) such that n S = b i M i Solving this is NP hard. i=1 3

Knapsack Algorithm The plaintext is the string of b i and specifies which weights to put in the knapsack. The key is the list of weights. The ciphertext is the resulting sum. The algorithm relies on there being two knapsacks, one solvable in linear time, the other not. The easy one is modifiable into the hard one. The public key is the hard one. The easy one is used to decrypt. 4

Superincreasing Knapsack If the list of weights increases so fast that each subsequent weight weighs more than all the previous ones together, we have a superincreasing knapsack. With such weights, the knapsack problem is easy to solve: Take the total weight, compare to the largest weight. If greater, then that weight must be included, substract from total and proceed with the next weight. If the total weight becomes zero in this process, the problem is solved. If not, there is no solution. 5

Normal Knapsacks If the weights are not superincreasing, the problem becomes hard, essentially only solvable by trial and error. For n weights, there are 2 n sets of weights to be tried. Add one weight and finding the solution takes twice as long. 6

Creating a Knapsack Pair We begin by creating a superincreasing knapsack W = {W 1,..., W k } and construct a normal one, by defining a modulus n > k 1 W i and a multiplier m that is co-prime with n (gcd(n, m) = 1). The new weights w = {w 1,..., w k } are calculated by w i = W i m mod n. The sequence W, together with n, and m is the private key, the sequence w is the public one. contain at least 250 items. Real knapsacks should 7

Encryption To encrypt a message, break it up into blocks of k bits and compute the total weight of the knapsack using weights w (a one bit indicates presence, a zero bit absence of the corresponding weight). 8

Decryption Multiply each of the total weights by m 1 mod n and solve the superincreasing knapsack problem to recover the weights (and the bits). See example on p. 464/465. 9

Security The Knapsack algorithm has been broken by Shamir and Zippel (± 1982). They found ways to reconstruct the superincreasing knapsack from the original one. Most variations on the knapsack algorithm have been broken by techniques very similar to those of Shamir and Zippel. 10

RSA Named after Rivest, Shamir and Adleman this one is nice and simple and quite secure to boot. This is how it works: Choose two big primes p and q and use its product n as the modulus of the algorithm. Also choose e and d so that e d 1(mod φ(n)). This is Euler s totient function again. Remember that φ(p q) = (p 1) (q 1), and note that d e 1 (mod φ(n)) The public key is (n, e), the private key is (n, d). Encryption: c = m e mod n Decryption: m = c d mod n, 11

Because c d mod n = (m e mod n) d mod n = (m e ) d mod n = m e d mod n = m φ(n)+1 mod n = m m φ(n) mod n = m mod n 12

Speed RSA is a thousand times slower than DES. Choosing a small e helps (e.g., 3, 17, or 2 16 + 1 (just two one bits)). 13

Security Depends on the difficulty of factoring n. equivalent to this. Guessing φ(n) is The largest product of primes ever factored had 129 digits. Progress in factoring is constantly made, but at a rate of a few digits per year. Choosing n to have 300 digits or more (1000 bits or more) will keep the number theorists busy for quite some years. If p and q are probabilistic primes, and they happen not to be, encryption and decryption won t work properly. You may or may not notice. In any case, the probabilty of p and q not being prime can easily be made small enough that you won t have to worry about it. 14

There is much more about attacks in the book, but time is currently our enemy. Read up on it if you re interested. 15

Rabin Depends on the difficulty of finding modular square roots which is just as hard as factoring. Choose n = p q where p and q are large primes and p, q 3 mod 4. p and q are the private key, n is the public key. Encryption: c = m 2 mod n Decryption is more cumbersome... 16

Decryption Let a = q(q 1 mod p) and b = p(p 1 mod q) m 1 = c (p+1)/4 mod p m 2 = (p c (p+1)/4 ) mod p m 3 = c (q+1)/4 mod q m 4 = (q c (q+1)/4 ) mod q M 1 = (am 1 + bm 3 ) mod n M 3 = (am 2 + bm 3 ) mod n M 2 = (am 1 + bm 4 ) mod n M 4 = (am 2 + bm 4 ) mod n One of M 1,..., M 4 is the plaintext message. Redundancy will reveal which. Williams invented refinements that eliminate having to choose one of four possible solutions. 17

El Gamal ElGamal depends of the difficulty of finding logarithms in a finite field (finding x, such that x a y(mod n)). Choose p prime and g, x less than p. Calculate y = g x mod p. The public key is (y, g, p). The secret key is (x, g, p). 18

Signing with ElGamal 1. Choose random k 2. Compute a = g k mod p 3. Use the extended Euclidean algorithm to solve for b in M = (xa + kb) mod (p 1) 4. The signature is (a, b); k must be kept secret. To verify, confirm that y a a b g M mod p. Note that k can be used to recover x, so it must be kept just as secret as the secret key itself. It s best to discard k immediately after signing. 19

Encrypting with ElGamal 1. Choose random k co-prime with p 1 2. Compute a = g k mod p and b = y k M mod p 3. The ciphertext is (a, b) (it s twice the size of the plaintext) To decrypt: M = b a x mod p 20

Patents All these public-key systems are patented (in the US) with the exception of ElGamal. It has not yet been tested whether these patents stand up in court. 21