Introduction to Computer Security: Asymmetric Cryptography
Pavel Laskov, Wilhelm Schickard Institute for Computer Science
Key distribution problem
[Figure: Alice encrypts the plaintext "I love you" with a shared key into the ciphertext "C ywoy cih"; Bob decrypts it with the same shared key, which must first have been distributed to both parties.]
How can Alice send a key to Bob over an insecure channel?
Idea: Instead of sending a key from one party to another, both parties should work out a key in a series of secure transactions.
Enter group theory...
Definition of a group
A group is a set $G$ equipped with a binary operation $\circ$ such that the following properties hold:
1. Closure: $\forall g, h \in G$, $g \circ h \in G$.
2. Existence of identity: There exists an identity element $e \in G$ such that $\forall g \in G$, $e \circ g = g \circ e = g$.
3. Existence of inverse: $\forall g \in G$, there exists an inverse element $h \in G$ such that $h \circ g = g \circ h = e$.
4. Associativity: $(g_1 \circ g_2) \circ g_3 = g_1 \circ (g_2 \circ g_3)$.
Finite and abelian groups
A group is called finite if it has a finite number of elements. The number of elements in a group $G$ is called the order of the group.
A group is called abelian if, in addition to the four basic properties, the commutativity property holds: $g \circ h = h \circ g$.
Subgroups
If $G$ is a group, a set $H \subseteq G$ is a subgroup of $G$ if $H$ itself forms a group under the same operation associated with $G$.
Examples of groups
The set of integers $\mathbb{Z}$ is an abelian group under addition.
The set of integers $\mathbb{Z}$ is not a group under multiplication.
The set of real numbers $\mathbb{R}$ is not a group under multiplication (0 has no inverse).
The set of non-zero real numbers $\mathbb{R}^*$ is an abelian group under multiplication.
For any $N \geq 2$, the set $\mathbb{Z}_N = \{0, 1, \ldots, N-1\}$ is an abelian group of order $N$ under addition modulo $N$.
Group exponentiation
Group exponentiation is a repeated application of the group operation:
$$g^m \stackrel{\text{def}}{=} \underbrace{g \circ \cdots \circ g}_{m \text{ times}}$$
Some useful properties of exponentiation for finite groups $G$ of order $m$:
For any element $g \in G$, $g^m = 1$ (where $1$ denotes the identity element).
For any element $g \in G$ and any integer $i$, $g^i = g^{[i \bmod m]}$.
Example: How much is $152^{11} \bmod 15$? In $\mathbb{Z}_{15}$ the group operation is addition, so "exponentiation" is repeated addition:
$152^{11} = [152 \bmod 15]^{11} = 2^{11} = 11 \cdot 2 = 22 = 7 \bmod 15$.
Element order
We saw that, for a group of order $m$, applying the group operation $m$ times always produces the identity element. But can this happen for some $i < m$?
Consider, for some element $g \in G$, the sequence $\langle g \rangle = \{g^0, g^1, \ldots\}$. Let $k$ be the smallest $1 \leq i \leq m$ such that $g^i = 1$. Then $k$ is called the order of the element $g$, and $\langle g \rangle = \{g^0, g^1, \ldots, g^{k-1}\}$ is a finite subgroup of $G$.
Group generator and cyclic groups
We saw that the element order $k$ determines the wrap-around period of exponentiation. Does there exist an element $g$ whose order is equal to $m$, the group order?
An element $g$ of order $m$ is called a generator of a group $G$ of order $m$. A group which has a generator is called cyclic.
Examples of cyclic groups
$\mathbb{Z}_N$ is cyclic for any $N > 1$.
$\mathbb{Z}_{15}$ is cyclic but has multiple generators, e.g., $\langle 2 \rangle = \{0, 2, 4, \ldots, 14, 1, 3, 5, \ldots, 13\}$.
Some other elements of $\mathbb{Z}_{15}$ have orders less than 15, e.g., $\langle 10 \rangle = \{0, 10, 5\}$.
$\mathbb{Z}_p^*$ (the non-zero residues modulo $p$ under multiplication) is cyclic for any prime $p$.
Discrete logarithm (DL)
If $G$ is a cyclic group of order $m$ with a generator $g$, then $\langle g \rangle = \{g^0, g^1, \ldots, g^{m-1}\} = G$. Equivalently, for every $h \in G$ there is a unique $x \in \mathbb{Z}_m$ such that $g^x = h$, called the discrete logarithm of $h$ (to the base $g$).
Good news / bad news: While computing the exponentiation in most groups is easy (polylogarithmic in $m$; how?), there exist groups for which computing discrete logarithms is believed to be hard (no efficient solutions are known).
Brute force computation of DL
Let $G$ be a group of order $m$. For each $x \in \{0, 1, \ldots, m-1\}$, compute $g^x$ and compare it with $h$. Output $x$ if equality is found.
Complexity analysis. Each exponentiation takes $O(\log_2 m)$ group operations, hence the overall complexity is $O(m \log m)$.
The catch. Usually, $m$ is so large that such numbers cannot be considered constant but rather an exponential function of the number of bits: $m = 2^k$. Then $O(m \log m)$ becomes $O(k 2^k)$.
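The slides on exponentiation, element order, generators and brute-force DL above, worked in code (an added example, not part of the lecture): a tiny finite-group abstraction covering both $\mathbb{Z}_N$ under addition and $\mathbb{Z}_p^*$ under multiplication, square-and-multiply exponentiation, the subgroup $\langle g \rangle$, and the exhaustive DL search with a count of how many exponentiations it needed. The groups $\mathbb{Z}_{15}$ and $\mathbb{Z}_{23}^*$ are constructed here as sample inputs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    """A finite group: its elements, the operation and the identity."""
    elements: tuple
    op: object          # callable (a, b) -> a o b
    identity: int

def additive_mod(n: int) -> Group:
    """Z_N under addition modulo N (identity 0), as on the examples slide."""
    return Group(tuple(range(n)), lambda a, b: (a + b) % n, 0)

def multiplicative_mod_prime(p: int) -> Group:
    """Z_p^* = {1, ..., p-1} under multiplication modulo p (identity 1)."""
    return Group(tuple(range(1, p)), lambda a, b: (a * b) % p, 1)

def power(G: Group, g: int, i: int) -> int:
    """g^i by square-and-multiply: O(log i) group operations, not i of them."""
    result, base = G.identity, g
    while i > 0:
        if i & 1:
            result = G.op(result, base)
        base = G.op(base, base)
        i >>= 1
    return result

def generated_subgroup(G: Group, g: int) -> list:
    """<g> = {g^0, g^1, ...}, stopping at the first return to the identity."""
    elems, cur = [G.identity], g
    while cur != G.identity:
        elems.append(cur)
        cur = G.op(cur, g)
    return elems

def element_order(G: Group, g: int) -> int:
    return len(generated_subgroup(G, g))

def is_generator(G: Group, g: int) -> bool:
    """g generates G iff its order equals the group order m."""
    return element_order(G, g) == len(G.elements)

def brute_force_dlog(G: Group, g: int, h: int):
    """Try x = 0, 1, ..., m-1 until g^x = h; returns (x, exponentiations used)."""
    m = len(G.elements)
    for x in range(m):
        if power(G, g, x) == h:
            return x, x + 1
    return None, m
```

The exponentiation count returned by `brute_force_dlog` is the $O(m)$ factor of the complexity analysis; doubling the bit length of $m$ squares it.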
Diffie-Hellman key exchange
How can Alice and Bob compute a key $K$ using group theory?
1. Agree on a cyclic group $G$ with a generator $g$.
2. Choose random numbers $x$ (Alice) and $y$ (Bob) from $G$.
3. Compute $X = g^x$ (Alice) and $Y = g^y$ (Bob).
4. Transmit $X$ and $Y$ to each other.
5. Compute $Y^x = g^{yx}$ (Alice) and $X^y = g^{xy}$ (Bob). These are the same, hence they can use $g^{xy}$ as a key!
An attacker only sees $g^x$ and $g^y$, but can compute neither $x$ nor $y$, and hence also not $g^{xy}$. For finite groups, $(g^x)^y = (g^y)^x = g^{xy}$.
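The five steps above run for both parties, as an added example that is not part of the lecture. It uses the toy group $\mathbb{Z}_{23}^*$ with generator 5 (constructed here; the group order 22 is far too small for real use), separates what stays with each party from what crosses the wire, and shows why the group must be huge: an eavesdropper who can solve the DL problem in the group, here by the exhaustive search of the previous slide, obtains the key.

```python
import secrets

# Toy public parameters, constructed for illustration: Z_23^* is cyclic of
# order 22 with generator 5. Real deployments use groups of ~2048-bit size.
P, G, ORDER = 23, 5, 22

def dh_public(x: int) -> int:
    """Step 3: publish X = g^x (computed in Z_p^*)."""
    return pow(G, x, P)

def dh_shared(peer_public: int, x: int) -> int:
    """Step 5: raise the peer's value to the own exponent, giving g^(xy)."""
    return pow(peer_public, x, P)

def dh_exchange(x: int = None, y: int = None):
    """Steps 2-5 for both sides. Returns (what the wire carries, Alice's key,
    Bob's key); the secrets x and y never leave their owner."""
    x = secrets.randbelow(ORDER - 1) + 1 if x is None else x   # Alice's secret
    y = secrets.randbelow(ORDER - 1) + 1 if y is None else y   # Bob's secret
    X, Y = dh_public(x), dh_public(y)
    transcript = {"X": X, "Y": Y}          # everything an eavesdropper sees
    return transcript, dh_shared(Y, x), dh_shared(X, y)

def eavesdropper_recovers_key(transcript: dict):
    """The attacker's task is the DL problem: x from X = g^x. In a group of
    order 22 the exhaustive search finishes at once; for m = 2^k it costs
    O(k 2^k), which is the whole security argument."""
    X, Y = transcript["X"], transcript["Y"]
    for x in range(ORDER):
        if pow(G, x, P) == X:
            return pow(Y, x, P)
    return None
```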
Scalability of key exchange
[Figure: Alice, Bob, Cathy and Dan, with a separate key for every pair of parties.]
Quadratic growth of the number of keys: for $n$ parties, $n(n-1)$ keys must be generated.
Can the problem be solved with a linear number of keys?
Asymmetric cryptography
[Figure: Bob generates a specially generated keypair. Alice encrypts the plaintext "I love you" with Bob's public key into the ciphertext "C ywoy cih"; Bob decrypts it with his private key.]
Prime numbers
An integer $p$ is a prime number if its only divisors are $\pm 1$ and $\pm p$.
A positive integer $c$ is said to be the greatest common divisor of $a$ and $b$, written $\gcd(a, b)$, if $c$ is a divisor of $a$ and of $b$, and any divisor of $a$ and of $b$ is a divisor of $c$.
Integers $a$ and $b$ are said to be relatively prime if $\gcd(a, b) = 1$.
Euler's totient function
The totient $\varphi(n)$ of an integer $n$ is the number of integers less than $n$ that are relatively prime to $n$. Example: $\varphi(9) = 6$: $\{1, 2, 4, 5, 7, 8\}$.
Two integers $a$ and $b$ are congruent modulo $n$, written as $a \equiv b \pmod n$, if $(a \bmod n) = (b \bmod n)$.
Euler's Theorem: If $a$ and $n$ are relatively prime, then $a^{\varphi(n)} \equiv 1 \pmod n$.
RSA overview
Alice sends her love message to Bob via RSA:
Bob: Generate a keypair $K_u$ / $K_r$.
Bob: Send $K_u$ to Alice.
Alice: Encrypt plaintext $M$ with $K_u$.
Alice: Send ciphertext $C$ to Bob.
Bob: Decrypt $C$ with $K_r$.
RSA key generation
Step                                  Condition
Select $p$, $q$                       $p$, $q$ prime, $p \neq q$
Compute $n = pq$
Compute $\varphi(n) = (p-1)(q-1)$
Select $1 < e < \varphi(n)$           $\gcd(\varphi(n), e) = 1$
Compute $d$                           $(de) \bmod \varphi(n) = 1$   $(\star)$
Public key $K_u = \{e, n\}$
Private key $K_r = \{d, n\}$
RSA encryption and decryption
Encryption: Plaintext: $M < n$. Ciphertext: $C = M^e \bmod n$.
Decryption: Ciphertext: $C$. Plaintext: $M = C^d \bmod n$.
Correctness of RSA encryption
By the property $(\star)$, $(de) \bmod \varphi(n) = 1 \Rightarrow \exists k : (de) = 1 + k\varphi(n)$. Then,
$$M \overset{?}{\equiv} C^d \bmod n \equiv (M^e)^d \bmod n \equiv M^{(ed)} \bmod n \equiv M^{1+k\varphi(n)} \bmod n \overset{?}{\equiv} M \bmod n$$
Correctness of RSA encryption (ctd.)
Recall that $\varphi(n) = (p-1)(q-1)$.
By Euler's Theorem, if $p$ does not divide $M$, $M^{(p-1)} \equiv 1 \pmod p$.
Since $(p-1)$ divides $\varphi(n)$, $M^{1+k\varphi(n)} \equiv M \pmod p$.
A similar argument holds for $q$ and hence for $n = pq$.
What's secret in RSA?
An attacker needs to know $d$ to decrypt $C$. To find $d$, an attacker needs to solve $(\star)$: $(de) \bmod \varphi(n) = 1$. For this, he needs to know $\varphi(n)$.
If $p$ and $q$ are known, then finding $\varphi(n)$ is trivial: $\varphi(n) = (p-1)(q-1)$. However, $p$ and $q$ are discarded during key generation.
Factoring $n$ into a product of two prime numbers is an intractable problem! Finding $\varphi(n)$ directly is likewise intractable.
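The key-generation table, the encryption/decryption rule and the correctness argument of the preceding slides, as an added example that is not part of the lecture: each condition of the table is checked, $d$ is the modular inverse solving $(\star)$, the witness $k$ with $de = 1 + k\varphi(n)$ is extracted, and a round-trip over every $M < n$ confirms decryption also works when $p$ or $q$ divides $M$, the case the Euler-theorem step leaves aside. The primes and exponent in the test are constructed textbook values, far too small for real use.

```python
from math import gcd

def rsa_keygen(p: int, q: int, e: int):
    """Key generation table: p != q prime, n = pq, phi(n) = (p-1)(q-1),
    1 < e < phi(n) with gcd(phi(n), e) = 1, and d with (de) mod phi(n) = 1 (*)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(phi, e) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(phi(n), e) = 1")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+) solves (*)
    # p and q are discarded here: only (e, n) and (d, n) are kept.
    return (e, n), (d, n)          # public key K_u, private key K_r

def rsa_encrypt(public, m: int) -> int:
    e, n = public
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy M < n")
    return pow(m, e, n)            # C = M^e mod n

def rsa_decrypt(private, c: int) -> int:
    d, n = private
    return pow(c, d, n)            # M = C^d mod n

def correctness_witness(p: int, q: int, e: int) -> int:
    """The k of the correctness proof: de = 1 + k*phi(n)."""
    _, (d, _) = rsa_keygen(p, q, e)
    phi = (p - 1) * (q - 1)
    assert (d * e) % phi == 1      # property (*)
    return (d * e - 1) // phi

def roundtrip_all(p: int, q: int, e: int) -> bool:
    """Check M = (M^e)^d mod n for every M < n, including multiples of p or q,
    which the 'if p does not divide M' step of the proof does not cover."""
    public, private = rsa_keygen(p, q, e)
    n = public[1]
    return all(rsa_decrypt(private, rsa_encrypt(public, m)) == m for m in range(n))
```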
Comparison of asymmetric methods
Algorithm        E/D   D.S.   KEX   Hardness
RSA              Yes   Yes    Yes   Factorization
ElGamal          Yes   No     No    DLP
DSS              No    Yes    No    DLP
Diffie-Hellman   No    No     Yes   DLP
Elliptic curve   Yes   Yes    Yes   EC DLP
(E/D: encryption/decryption; D.S.: digital signatures; KEX: key exchange; DLP: discrete logarithm problem.)
Summary
Group theory provides a mathematical basis for key distribution schemes.
Asymmetric cryptography is based on two related keys; only one of them (the private key) must be kept secret, while the other one (the public key) can be distributed over insecure media.
The security of asymmetric cryptography is based on the (assumed) hardness of certain computational problems (discrete logarithms and integer factorization).