Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Principles of Public Key Cryptography Chapter : Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter : Security on Network and Transport Layer Chapter : Security on the Application Layer Chapter : Security Concepts for Networks.: Public Key Cryptography Principles of public key cryptography Number theory and algebraic foundations Classical public key cryptography Newer public key cryptography Also called asymmetric cryptography Different from secret key cryptography, algorithms for encoding and decoding differ considerably Working with two keys A private key d (known only to the owner) A public key e (known by possibly everyone) Public key cryptography principle (e.g. RSA): plaintext cipher text encryption public key e private key d decryption cipher text plaintext More easily configurable than secret key cryptography, but slower Often combined with secret key: authentication and distribution of a secret key (e.g. Diffie-Hellman for establishment of a shared secret) Page Page Applications of Public Key Cryptography Digital signatures (e.g. RSA, ElGamal, DSS) Associate a value with a message, like a checksum This value can only be generated by using the private key d ( decryption) It is readable for everyone knowing the public key e ( encryption) Similar to hand-written signature (authenticity without the chance to forge it) plaintext signed message signing private key d public key e verification signed message plaintext Authentication (zero knowledge proof systems) A generates a random number and encrypts it with the public key of B B decrypts the message with its private key and sends back the random number to A If A gets back the original random number, B is authenticated Security in Public Key Algorithms Security in many public key algorithms is based on the difficulty to factorise and compute discrete logarithms Factorising Find the prime factors for a given number One of the oldest problems in number theory, very time consuming Most popular method: Quadratic Sieve Discrete logarithm Problem to find the inverse to modular exponentiation: Find an x with a x b mod n for given a and b Not all discrete logarithms have solutions Very time consuming process to find solutions for big numbers Frequently used method: Index-Calculus method Page Page

Basics for Public Key Cryptography: Number Theory / Modular Arithmetic Number theory provides basic knowledge to understand how and why public key algorithms work Necessary concepts for understanding public key algorithms Most public key algorithms are based on modular arithmetic Modular arithmetic Operates on a ring (Z n, +, ), where Z n is a set of non-negative integers smaller than some positive integer n +: Z n Z n Z n is a function that is associative and commutative has a neutral element Z n has a inverse element x- to each x Z n, i.e. x + x- : Z n Z n Z n is an associative function (it is not necessarily commutative) + and have left and right exchangeability Needed for public key cryptography: addition, multiplication, exponentiation Computations of these functions are performed modulo n Arithmetic Operations modulo n Arithmetic computing modulo n Arithmetic operations are performed as usual, but the result is replaced by its remainder when divided by n (e.g. + 9 mod ) Modular addition Given: c x + k mod n, with c, x, k Zn if x + k < n : c a + b if x + k n : c j, where x + k i n + j and j < n Can be used to encrypt digits: each number x out of a range of numbers is unambiguously mapped onto another number c from this range Caesar Cipher: add a constant k to each number Decryption needs subtraction. This can be replaced by an addition of the inverse value + 7 9 7 9 7 9 7 9 7 9 7 9 7 9 7 9 7 9 7 9 9 7 9 7 Page Page Arithmetic Operations modulo n Modular multiplication * 7 9 Given: c x k mod n, with c, x, k Z n if x k < n : c x k 9 7 if x k n : c j, 7 9 where x k i n + j and j < n Encryption only works with special keys k 7 7 9 Example for n : only k {,, 7, 9} is usable as (simple) cipher key only for these values the mapping is unambiguous for other values of k, an information loss occurs Only use keys k relatively prime to n k and n share no other common factor than 9 9 7 Decryption works by multiplication of cipher text c with the multiplicative inverse k -, i.e. k k - mod n (e.g. 7 - mod, because 7 mod ) Multiplicative inverse for n only exists for,,7, and 9 Arithmetic Operations modulo n Modular exponential Given: c x k mod n, with c, x, k Z n if x k < n : c x k if x k n : c j, where x k i n + j and j < n Note: difference to modular multiplication: x k mod n x k+n mod n Encryption only works with special keys k Decryption needs an inverse k - with x k k- But: inverse k - does not exist in each case x y 7 9 7 9 9 7 9 7 7 9 7 9 7 9 9 9 9 9 Page 7 Page

Finding Modular Inverses The Euclidean Algorithm Finding multiplicative inverses to x is a very time consuming process If x has digits, no Brute Force attack is possible Useful: x relatively prime to n a multiplicative inverse x- mod n exists Computing multiplicative inverse by the Euclidean Algorithm Euclidean algorithm Determines the greatest common divisor (gcd) of x and n Given x and n, it finds an y with x y mod n (if one exists) If x is relatively prime to n: gcd(x, n) Idea: Replace x and n with smaller numbers with the same gcd If one number becomes zero, the other one is the gcd Faster algorithm: the smaller the numbers are, the faster the computation of gcd is. Replace the bigger number with its remainder divided by the smaller number Example: gcd(, )? gcd(, -) gcd(,) gcd(,) gcd(,) gcd(,) gcd(,) The algorithm Note: gcd(, y) y In general: if d denotes a divisor of x and y x i d, y j d x - y i d - j d (i - j) d If x >, replace gcd(x, y) with gcd(x-y, y) Efficiency: x and y should be as small as possible Assume, d is the maximum of all divisors (achieved by division x mod y) gcd(x, y) gcd(x mod y, y) If y > x, exchange x and y function int gcd(int x, int y) begin int r x; int r y; int q; int help; while (r > ) begin q r / r; help r; r r % r // (r mod r) r help; end return r; end Page 9 Page Multiplicative Inverse by Euclidean Algorithm Computing the Multiplicative Inverse How to find a multiplicative inverse x - to x mod n, such that x x - mod n, with the euclidean algorithm? Multiplicative inverse for x mod n: a u exists with u x mod n u x differs from by a multiple of n There is a v with u x + v n Computing gcd(x, n) can compute such a v and a u, if gcd(x, n) If gcd(x, n), u is the multiplicative inverse to x Could there be more than one u mod n with u x mod n? Suppose: m x mod n m x u u mod n But u x mod n m u mod n m u Initialisation: u -, v -, u -, v -, r - x, r - y, i Repeat: if r n- gcd(x, y) r n- else divide r n- by r n- to get quotient q n and remainder r n Keep track of: u i u i- - q i u i-, v i v i- - q i v i- Example: r gcd(7, 9) r, multiplicative inverse u ( 7- mod 9) i q i r i u i v i - - 7 9 7 - -9-9 - -97 7 Page Page

Finding Prime Numbers Problem with Euclidean algorithm: how to find x mod n with gcd(x, n)? Naive method: divide x by all numbers n Takes too long of your lifetime Practical solutions: there is no hundred percent that large number is prime But: there are tests for determining that a number is probably prime Use properties.) gcd(x, n), if x and n are relatively prime (x and n are relatively prime, if there are integers u and v with u x + v n ).) Φ(n), the totient function, denotes the number of integers relatively prime to n Page The Euler Function Φ(n) Computing Φ(n) If n is prime all numbers,..., n - are relatively prime to n Φ(n) n - If n is a product of primes p and q There are p q candidates {(j p + i q) i..q, j..p} for numbers relatively prime to n But from them, there are p multiples of q and q multiples of p (p + q - ) numbers are not relatively prime to n Φ(n) p q -(p + q -) (p -) (q -) i i + If n is a prime or a product of different primes x y mod n x y mod Φ(n) mod n Example for n ( ) Relatively prime to n: {,, 7, 9} Φ(n) ( - ) ( - ) Column i + is the same as column i Important special case: y mod Φ(n) for any x: x y x mod Φ(n) x mod n x y 7 9 7 9 9 7 9 7 7 9 7 9 7 9 9 9 9 9 Page Euler's Theorem and Fermat's Theorem Euler's Theorem For any a relatively prime to n holds: a Φ(n) mod n If n is prime: Φ(n) n -. In this case: Fermat's Theorem If n is a prime and < a < n a n - mod n Good rule for determining primes But: what about n with a n - mod n, where n is no prime? Find primes by a simple prime test Choose an a with a < n and compute a n - mod n. If the result is not, n is no prime If the result is, n may be a prime (e.g., if n has digits, the probability for n to be no prime is - ) Prime Tests If the simple prime test fails: A cryptosystem like RSA might fail, a message cannot be decrypted An attacker might be able to compute keys easier "Solution": test n with other values for a Problem: Carmichael numbers (very rare) No primes, but for all a holds: a n - mod n Enhanced prime test is needed: Miller-Rabin prime test Improved method to find prime numbers Probabilistic prime test Basic foundation: for a prime n holds: Some Carmichael numbers: 7 7 7 7 7 9 7.) n - can always be expressed by b c, where c is an odd number.) Each square root (modulo n) of can only be ± (e.g. is a square root of mod, because mod, thus can not be a prime) Page Page

Miller-Rabin Algorithm Miller-Rabin Algorithm - Example Use Fermat's theorem: a n - mod n Pick a random number n and test if it is prime Test n with the division by smaller primes to speed up the process If you think a prime has been found: pick an a by random Miller-Rabin algorithm: compute r a c mod n if r mod n // is the first mod n-square root? n is prime // else: a n- only can become by squaring - in else for i to b - do // one of the b square operations if r - mod n // now: test on allowed square root. Because the n is prime // result before was not, it only can become else // by squaring -. Search for a - r r mod n // prepare testing the next square root n is not prime // only non-allowed square roots found Choose n as a possible prime n - 7 b, c 7 Pick randomly a Compute a c 7 7 mod (this is not nor -, and: mod ) no prime found Other variant: pick randomly a Compute 7 mod (this is not nor -, and: mod ) This means, is a square root of mod no prime found Choose n as a possible prime n - b, c Pick randomly a Compute mod Compute - mod - is an allowed square root of, thus is (possibly) prime Other try: pick randomly a compute 7 mod is (possibly) prime Page 7 Page Classical Public Key Cryptography RSA Developed by Rivest, Shamir, and Adleman RSA Public-key cryptography standard (PKCS) Rabin cryptosystem Diffie-Hellman cryptosystem ElGamal cryptosystem Merkle-Hellman cryptosystem Purpose: encryption and decryption of data Variable key length Long key used for high security needs Short key used for efficient encryption processes Common key length: bit Variable plaintext length Must be shorter than the key Cipher text blocks Length of the key Much slower than secret key algorithms like DES or IDEA Only used for short messages Important purpose: transmission of secret keys Page 9 Page

RSA Key Generation Usage Scenarios for RSA Generate a public key and a corresponding private key.) Choose two large primes p and q of bit each (p and q must be a secret!).) Compute n p q.) Compute Φ(n) (p -) (q -).) Choose e relatively prime to Φ(n).) Find d with d e mod Φ(n) (d is the multiplicative inverse to e) <e, n> is public key <d, n> is private key Why do these keys work? We use modular arithmetic (mod n) with p q n d and e were chosen to be d e mod Φ(n) Because n is product of distinct primes, for all x: x d e x mod Φ(n) x mod n n is public, but factorisation into p and q is computationally infeasible Encryption and decryption Encrypt message m using the public key of the receiver: c m e mod n Decrypt cipher text c with the private key of the receiver: m c d mod n Digital signatures Similar to encryption/decryption process Sender encrypts message m with his private key: s m d mod n Each receiver can read the signed message using the public key of the sender: m s e mod n Page Page Why is RSA (relatively) secure? How to determine p, q, e and d Breaking RSA means finding d from knowing e and n Attacker only knows: d is the exponential inverse to e mod Φ(n) Simple approach: knowing p and q you can compute Φ(n) (this is a kind of trapdoor) However: an attacker does not know p and q Attacker needs to factorise n to obtain p and q Factorising large numbers is difficult The best algorithms are too slow And: Brute Force attack is less efficient than factorising But it is possible to misuse RSA! Assume that an attacker knows the context of a message from A The attacker could encrypt messages with the public key e A If a match is found, the attacker has found the message.) Finding big primes p and q For a -digit number, the chance of finding a prime is in For a -digit number, the chance is only in Pick random numbers until you find a prime Use Fermat's theorem and the Rabin-Miller algorithm to test if a random number is prime.) Finding d and e for p and q Choose e as relatively prime to (p - ) (q -) a.) by choosing e at random and test if it is relatively prime to (p - ) (q -) b.) by choosing e first and then determine matching p and q RSA is not less secure if always the same e is chosen If e is small or its binary representation has few ''s, the operations for encryption and signature verification will become much more efficient Use Euclidean algorithm to determine d with e d mod Φ(n) Note: do not choose a small d; d is a secret, thus it should be hard to determine Page Page

Using small public keys Let e be a small constant Public key operations become faster, while leaving private key operations unchanged Popular values for e are and 7 Case of e Maximizes performance Apparently it does not weaken security of RSA (when some practical constraints on its use are considered) Problems with e Small messages m with m mod n m. Problem: it only takes the cubic root to decrypt Solution: padding message with a random number before encryption If a message is sent to or more receivers, m can be derived from the three encrypted values and the public keys of the receivers Find p and q so that is relatively prime to (p -) (q ) (practical problem: there are many numbers which is not relatively prime to) Using small public keys Case of e 7 Is equivalent to +, and it is prime The binary representation contains only two s Only 7 multiplications are necessary to to compute any m e Much faster than the 7 (on the average) multiplications necessary for a randomly chosen bit value The problems mentioned for e are avoided Page Page Public Key Cryptography Standard (PKCS) Example: PKCS# How could different implementations interwork? Standards for encoding of information that will be encrypted or signed Public Key Cryptography Standard Set of standards PKCS# - PKCS#9 Definition of encoding RSA public keys, RSA private keys, RSA signatures, short RSA-encrypted messages (typically secret keys), and short RSA-signed messages (typically a message digest) Designed to deal with Encrypting guessable messages Signing smooth numbers Multiple recipients of a message for e For e, encrypting messages that are less than a third of the length of n For e, signing messages where the information is in the high-order part PKCS# (encryption) Standard format for messages to be encrypted with RSA Consists of Preceding : the message remains smaller than the modulus : denotes a message which is to be encrypted Random bytes (padding): Each byte is chosen independently to make it harder to guess the message Independent padding for each recipient Make message long enough to avoid problems with m < n for e Next : marks the beginning data random non-zero bytes data Page 7 Page

Example: PKCS# PKCS# (signature) Standard format for messages to be signed with RSA Data are typically a Message Digest of Bit Padding is required Consists of: Preceding : the message remains smaller than the modulus : denotes a message which is to be signed Random bytes (padding): make the data bigger than byte Next : marks the begin of data Digest type standardises, how to tell another party which digest function was used Rabin Cryptosystem Rabin cryptosystem Secure because of the difficulty to find square roots modulo a composite number Nearly as difficult as factorising large numbers Rabin algorithm Choose primes p and q, both congruent to mod p and q form the private key n p q is the public key Encryption of message m in the range {,..., n -} c m mod n bytes of ff digest type and message digest Page 9 Page Decryption in the Rabin Cryptosystem Diffie-Hellman Cryptosystem Decryption is more complex Receiver knows p and q Solve the two congruencies using the so-called Chinese remainder problem Compute:t c (p + ) / mod p t p - c (p + ) / mod p t c (q + ) / mod q t q - c (q + ) / mod q Choose integers a q (q - mod p) and b p (p - mod q) Possible solutions are m (a t + b t ) mod n m (a t + b t ) mod n m (a t + b t ) mod n m (a t + b t ) mod n One of these results equals m If m is normal text, it is no problem to find the right m i Otherwise, add a known header to m before encryption Page Oldest public key cryptosystem Offers better performance than RSA Less general than RSA (does neither encryption nor signatures) Purpose: two persons can agree upon a secret number (e.g. a shared key), which cannot be computed by intercepting the publicly exchanged messages After the exchange of two public messages both communication partners know a secret number Having agreed on a secret number, they can use e.g. DES for communication Diffie-Hellman actually used for key establishment Remaining problem: no authentication between the partners Page

Diffie-Hellman Algorithm Algorithm for key establishment Choose a prime p with bit Choose a number g < p with some restrictions p and g are public! A randomly chooses a bit number S a and computes T a g Sa mod p B randomly chooses a bit number S b and computes T b g Sb mod p S a and S b are secret Aand B exchange T a and T b A computes k AB T Sa b mod p g Sa Sb mod p B computes k AB T Sb a mod p g Sa Sb mod p A and B both compute the same secret key gsa Sb Note: It is impossible to compute g Sa Sb fast enough knowing only T a and T b due to the difficulty to compute discrete logarithms, i.e. to compute S a from knowing g Sa Bucket-Brigade Attack on Diffie-Hellman Problem in Diffie-Hellman: no authentication between Aand B If A obtains T b, he cannot know for sure if B has sent it Bucket-Brigade attack An attacker O obtains T a and establishes a common secret with A Attack method: p and q are known publicly A sends g So to O (but believes it is sent to B) Ocomputes g Sx and sends it to B B computes g Sb and sends it to O O sends g So back to A O establishes k AO and k BO Aand B communicate via O A g Sa 9 9 Diffie-Hellman is only secure against passive attacks (i.e. just watching messages) Protection against active attacks: use trustful and public location to publish g Si for all persons I in advance O g So 7 7 7 B g Sb 97 97 shared key k AO 7 Sa 9 So shared key k BO 97 So 7 Sb Page Page Diffie-Hellman for Encryption ElGamal Cryptosystem Encryption algorithm using Diffie-Hellman Each participant chooses a private key S i Each participant computes a public key <p, g, T i > with T i g Si mod p Publish all public keys at a trusted public place Assume, B publishes <p, g, T b > A computes k AB T Sa b mod p A uses k AB as secret key with B to compute a cipher text A transmits the cipher text and g Sa mod p to B B computes k AB to decrypt the message The secret key is transmitted only together with the message For a better security, p and g should have these properties: p should be a strong prime number, i.e. (p-)/ is prime, too It is desirable to have g x mod p, x mod (p - ) [if p is a strong prime number, this is true for all g - mod p with g (p - ) / - mod p) But: this is a costly way for choosing p and g! Mainly used for digital signatures Secure because of the difficulty to calculate discrete logarithms in a finite field Uses same kind of key as Diffie-Hellman Additionally provides a scheme for signatures Each person has a long-time key public key: <g, p, T> private key: S with g S mod p T For each message m to be signed, a new key pair S m, <g, p, T m > has to be generated For the message m to be signed, compute a message digest d m MD(m T m ) Compute the signature X S m + d m S mod (p - ) Transmit m together with X and T m To verify signature, compute g X, d m, and T m T dm mod p Check: g X g Sm + dm S g Sm g dm S T m T dm mod p Page Page

Digital Signature Standard (DSS) Digital Signatures with DSS DSS algorithm is called Digital Signature Algorithm (DSA) Algorithm to create digital signatures based on ElGamal Difference to ElGamal is the speed of operations ( times faster): Instead using a p of bit, for some operations only use a prime q of bit, for which holds: p k p + Note: using ElGamal means to generate a key pair <S m, T m > for each message m which has to be signed If a pair of keys is used only for two different messages, it would expose the signer's private key: With only two uses, S m can be deducted By knowing S m, the secret key S easily can be computed Page 7 Digital Signature Algorithm Digital Signature Algorithm Generate and publish a -bit prime p and a -bit prime q with p k q + Generate and publish a g with g q mod p (use Fermat's theorem) Note: g must not be Generate a long-term public/private key pair <T, S> as in ElGamal For each message m generate a separate key pair <T m, S m > by choosing S m and compute T m ((g Sm mod p) mod q) For m, compute the message digest d m Compute the signature X S - m (d m + S T m ) mod q Transmit m, T m, and X Signature verification Calculate the mod q inverse of the signature, X - Calculate the message digest d m Calculate x d m X - mod q and y T m X - mod q Calculate z (g x T y mod p ) mod q If z T m, the signature is verified Page Merkle-Hellman Cryptosystem Merkle-Hellman in Cryptography Knapsack Problem Pack a knapsack optimally with n objects of different weights a,..., a n and overall size g n Search for an order (k i ), k i {, } for i,..., n with ai ki g i This is an NP hard problem Merkle-Hellman cryptosystem Based on the knapsack problem Special type of knapsack problem: The sizes of the objects form a fast growing sequence with a There is a solution in O(n): Start with the biggest object and find a new smaller knapsack with one object less j+ i > ai j Page 9 Principle: Use a simple Knapsack problem as private key and transform it into a hard one which is used as public key. A message m (m, m,..., m n,...) is seen as a solution for the problem, i.e. if m i, m i is in the knapsack Example: A chooses a Knapsack problem a with a (a i ) (,, 9,,,,,, 9) as key A chooses a prime p and a number k 9 A generates a hard Knapsack problem e (e i ) with e i k a i mod p e (7,,,, 9, 9, 7,, 7) B encrypts a message m (,,,,,,,, ) to A by using e c 7 + + + + 9 + 9 + 7 + + 7 (this value is transmitted) A computes g k - c mod p 7 mod A solves for (a i ) by choosing the biggest fitting number in (a i ) till is reached: (,, 9,,,,,, 9) Chapter The.: original Public message Key Cryptography is given by the elements of a Page

Modern Public Key Cryptosystems Elliptic Curves Definition Classic public key cryptosystems are well analysed The performance of classic public-key cryptosystems is acceptable Security: classic public key cryptosystems are not perfectly secure, but computationally secure Modern public key cryptosystems improve the classic ones: Performance: modern public key cryptosystems have a better performance than the classic ones Security: modern public key cryptosystems also offer better security (with the same key length) Example: Elliptic Curve Cryptosystem Provide security equivalent to classical public key schemes Shorter key lengths, resulting in faster computing, less complex chips Definition: Let p > be prime. The elliptic curve y x + ax + b over Z p is the set of solutions (x,y) Z p Z p for the congruence y x + ax + b (mod p), where a, b Z p are constants, so that a + 7 b O (mod p), together with a special point O called the point of infinity. Page Page Addition Operation Elliptic Curve - Example Points on the elliptic curve E: y x +x+ in Z Let E be an elliptic curve over Z p, P (x, y ), Q (x, y ). If x x and y -y, then Q -P, P + Q : O; otherwise P + Q : (x, y ), with x λ x x y λ(x x ) y and y - y, if P Q x - x λ x + a, if P Q y Finally, P + O O + P P. x 7 9 x +x+ mod 9 7 in QR()? no no yes yes no yes no yes yes no y [no solution], 7,, 9, 9, E {O, (,), (,7), (,), (,), (,), (,9), (7,), (7,9), (,), (,), (,), (,9)} Let α (,7). Then α is a primitive element: α α α 7α 9α α (,7) (,) (,) (7,) (,9) (,9) α α α α α α (,) α + α (,) (7,9) (,) (,) (,) yes, 9 i.e. (x,y) (,) and (x,y) (,) are points on the elliptic curve Page Page

Example: ElGamal Encryption with Elliptic Curves Let α (,7) and a, so β α (,) (a is secret and for large numbers can t be obtained from α and β in reasonable time) The encryption operation is e k (x,r) (r α, x + r β) (y, y ), e k (x,r) (r (,7), x + r (,)), where x E and r and the decryption operation is d k (y,y ) y ay y y Alice wants to send x (7,9) to Bob; she chooses the random value r 7. She then computes y 7(,7) (7,) y (7,9) + 7(,) (7,9) + (,9) (,) Bob receives y ((7,),(,)) and obtains x (,) (7,) (,) (,9) (,) + (,) (7,9) Page