Other Public Key Systems
CS 519 Cryptography and Network Security
Instructor: Ali Aydin Selcuk
Other PKC Systems
Merkle-Hellman Knapsack System
• Merkle & Hellman, 1978
• SubsetSum
  Instance: Integers S = {s_1, s_2, ..., s_n}, N.
  Question: Does S' ⊆ S exist such that Σ_{n ∈ S'} n = N?
• Fact: SubsetSum is NP-complete.
• Superincreasing set: s_i > Σ_{j=1}^{i−1} s_j for all i = 2, 3, ..., n.
• Fact: Superincreasing SubsetSum is easy.
MH Knapsack Encryption
Parameters:
• S = {s_1, s_2, ..., s_n}, a superincreasing list of integers
• p, a prime, p > Σ_i s_i
• 1 ≤ a ≤ p − 1, the masking factor
• T = {t_i : t_i = a·s_i mod p}
• T public; S, p, a secret
Encryption: For x = (x_1, x_2, ..., x_n) ∈ {0,1}^n, y = E(x) = Σ_i x_i t_i
Decryption:
• z = a^(−1)·y mod p (de-masking)
• solve z = Σ_i x_i s_i (easy, since S is superincreasing)
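A complete toy Merkle-Hellman implementation, added here as an example (not code from the slides): key generation with a superincreasing S, the masking into T, and the greedy superincreasing solver used for decryption. Function names and the parameter sizes are my choices.

```python
import random

def is_prime(n):
    """Trial division, adequate for the toy sizes used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def keygen(n, rng):
    """Private: superincreasing S, prime p > sum(S), masking factor a. Public: T = a*S mod p."""
    s, total = [], 0
    for _ in range(n):
        s_i = total + rng.randint(1, 10)   # s_i > s_1 + ... + s_{i-1}
        s.append(s_i)
        total += s_i
    p = total + 1
    while not is_prime(p):                 # smallest prime above sum(S)
        p += 1
    a = rng.randrange(1, p)                # 1 <= a <= p-1
    t = [a * s_i % p for s_i in s]
    return t, (s, p, a)

def encrypt(bits, t):
    """y = sum of the t_i at positions where x_i = 1 (no modular reduction)."""
    return sum(t_i for x_i, t_i in zip(bits, t) if x_i)

def decrypt(y, priv):
    """De-mask with a^-1 mod p, then solve the superincreasing instance greedily."""
    s, p, a = priv
    z = pow(a, -1, p) * y % p              # exactly sum x_i s_i, since that sum < p
    bits = [0] * len(s)
    for i in range(len(s) - 1, -1, -1):    # largest element first
        if z >= s[i]:
            bits[i] = 1
            z -= s[i]
    if z != 0:
        raise ValueError("ciphertext does not decrypt to a subset of S")
    return bits

def roundtrip(n=16, seed=1):
    """Encrypt a random n-bit block and check that decryption recovers it."""
    rng = random.Random(seed)              # seeded only to make the demo reproducible
    t, priv = keygen(n, rng)
    x = [rng.randint(0, 1) for _ in range(n)]
    return decrypt(encrypt(x, t), priv) == x
```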
Limitations of the Knapsack Systems
• MH was broken by Shamir, 1982.
• Many variations proposed; almost all are broken (including Shamir's signature scheme).
• Chor-Rivest: Not broken, but suspect. Inefficient.
• Limitations of the NP-completeness approach:
  • The problem of the cryptanalyst can't be NP-hard, unless NP = co-NP. (Brassard, 1979)
  • NP-completeness deals with worst-case complexity. More meaningful is the average-case (or almost-all-case) complexity.
Naccache-Stern Knapsack Encryption
Parameters:
• {p_0, p_1, ..., p_n}, a set of distinct primes (p_0 = 2, ...)
• p, a large prime
• private key: d ∈ Z_{p−1}, gcd(d, p−1) = 1
• set v_i = p_i^(1/d) mod p, the d-th root of p_i modulo p (so v_i^d ≡ p_i (mod p))
• public: p, v_1, ..., v_n
Encryption: For x = (x_1, x_2, ..., x_n) ∈ {0,1}^n, y = E(x) = Π_i v_i^(x_i) mod p
Decryption:
• z = y^d mod p (= Π_i p_i^(x_i))
• check if p_i | z, for each i
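Naccache-Stern as an added worked example (my code, not the slides'): the d-th roots are obtained as p_i^(d^-1 mod (p-1)), and the key generator enforces a condition the slide leaves implicit, that p must exceed the product of all p_i, otherwise y^d mod p no longer equals the plain product and the divisibility test is ambiguous. The toy parameters in the test are constructed.

```python
import math

def keygen(primes, p, d):
    """Public v_i = d-th root of p_i mod p; private d (coprime to p-1). p is assumed prime."""
    if math.gcd(d, p - 1) != 1:
        raise ValueError("d must be invertible mod p-1")
    if math.prod(primes) >= p:             # otherwise y^d wraps around mod p
        raise ValueError("p must exceed the product of all p_i, or decryption is ambiguous")
    e = pow(d, -1, p - 1)                  # (p_i^e)^d = p_i^(e*d) = p_i mod p, so p_i^e is a d-th root
    return [pow(p_i, e, p) for p_i in primes]

def encrypt(bits, v, p):
    """y = product of v_i over the positions with x_i = 1, mod p."""
    y = 1
    for x_i, v_i in zip(bits, v):
        if x_i:
            y = y * v_i % p
    return y

def decrypt(y, d, primes, p):
    """z = y^d mod p is exactly the product of the chosen p_i; read the bits off by divisibility."""
    z = pow(y, d, p)
    bits = [1 if z % p_i == 0 else 0 for p_i in primes]
    if math.prod(p_i for p_i, b in zip(primes, bits) if b) != z:
        raise ValueError("z is not a product of the p_i: ciphertext is invalid")
    return bits
```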
ElGamal – Encryption
Parameters:
• p, a large prime
• g, a generator of Z_p^*
• α ∈ Z_{p−1}, β = g^α mod p
• p, g, β public; α private
Encryption:
• generate random, secret k ∈ Z_{p−1}.
• E(x, k) = (r, s), where r = g^k mod p, s = x·β^k mod p
Decryption:
• D(r, s) = s·(r^α)^(−1) mod p = x·g^(αk)·g^(−αk) mod p = x.
ElGamal – Encryption
• Plaintext x is masked by a random factor, g^(αk) mod p.
• DH problem: Given g^α, g^k mod p, what is g^(αk) mod p?
• p, g can be common. Then g^k mod p can be computed in advance.
• The same k should not be used repeatedly.
• Performance:
  • encryption: two exponentiations
  • decryption: one exponentiation, one inversion
• Size: Ciphertext is twice as large as the plaintext.
ElGamal – Signature
Parameters: The same as encryption.
Signature:
• generate random, secret k ∈ Z_{p−1}^* (i.e., gcd(k, p−1) = 1, so that k^(−1) mod (p−1) exists).
• S(m, k) = (r, s), where r = g^k mod p, s = (m − rα)·k^(−1) mod (p − 1) (i.e., m = rα + sk mod (p−1))
Verification:
• Is β^r·r^s ≡ g^m (mod p)?
• β^r·r^s = g^(αr)·g^(k(m − rα)k^(−1)) = g^(αr + (m − rα)) = g^m mod p.
ElGamal – Signature
Security:
• Only one who knows α can sign; anyone can verify using β.
• Solving for α from β, or for s from r, m, β, is a discrete log problem.
• Other ways of forgery? Unknown.
• The same k should not be used repeatedly.
Variations:
• Many variants, obtained by changing the "signing equation", m = rα + sk.
• E.g., the DSA way: m = −rα + sk, with verification: β^r·g^m ≡ r^s (mod p)? (β^r·g^m ≡ g^(m + rα) ≡ g^(sk) ≡ r^s)
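ElGamal encryption and both signing equations (classic and the DSA-style variant) over one key pair, added as an example that is not from the slides; it covers the encryption and the signature slides above. Function names are mine, and the prime in the test (p = 467, g = 2) is a textbook-sized constructed parameter.

```python
import math

def keygen(p, g, rng):
    """Private alpha in Z_{p-1}, public beta = g^alpha mod p; g is a generator of Z_p^*."""
    alpha = rng.randrange(1, p - 1)
    return alpha, pow(g, alpha, p)

def fresh_k(p, rng):
    """Random k in Z_{p-1}^*: signing needs k^-1 mod (p-1), and k must never be reused."""
    while True:
        k = rng.randrange(1, p - 1)
        if math.gcd(k, p - 1) == 1:
            return k

def encrypt(x, beta, p, g, k):
    """E(x, k) = (r, s) = (g^k, x * beta^k) mod p; the mask beta^k = g^(alpha k) is fresh per message."""
    return pow(g, k, p), x * pow(beta, k, p) % p

def decrypt(ct, alpha, p):
    """D(r, s) = s * (r^alpha)^-1 mod p strips the mask g^(alpha k)."""
    r, s = ct
    return s * pow(pow(r, alpha, p), -1, p) % p

def sign(m, alpha, p, g, k):
    """Classic ElGamal: r = g^k, s = (m - r alpha) k^-1 mod (p-1), i.e. m = r alpha + s k."""
    r = pow(g, k, p)
    return r, (m - r * alpha) * pow(k, -1, p - 1) % (p - 1)

def verify(m, sig, beta, p, g):
    """beta^r r^s = g^(alpha r + k s) = g^m (mod p)?  Range checks come first."""
    r, s = sig
    if not (0 < r < p and 0 <= s < p - 1):
        return False
    return pow(beta, r, p) * pow(r, s, p) % p == pow(g, m, p)

def sign_dsa_style(m, alpha, p, g, k):
    """Changed signing equation m = -r alpha + s k, so s = (m + r alpha) k^-1 mod (p-1)."""
    r = pow(g, k, p)
    return r, (m + r * alpha) * pow(k, -1, p - 1) % (p - 1)

def verify_dsa_style(m, sig, beta, p, g):
    """beta^r g^m = g^(m + r alpha) = g^(s k) = r^s (mod p)?"""
    r, s = sig
    if not (0 < r < p and 0 <= s < p - 1):
        return False
    return pow(beta, r, p) * pow(g, m, p) % p == pow(r, s, p)
```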
Schnorr Signature
• Let q | (p−1) be prime, and g ∈ Z_p^* be of order q.
• Schnorr group: The subgroup of Z_p^* generated by g, of prime order q: <g> = {1, g, g^2, ..., g^(q−1)}
• Fact: q can be much shorter than p (e.g., 160 vs. 1024 bits), and the hardness of the DLP in <g> remains the same.
Schnorr Signature
Parameters: prime p, prime q | (p−1), and g ∈ Z_p^* of order q. Hash function H: {0,1}^* → Z_q.
Keys: α ∈ Z_q is private; β = g^α mod p is public.
Signature: (r, s) where
• v = g^k mod p (k random, secret)
• r = H(M ‖ v)
• s = (k − rα) mod q
Verification:
• v' = g^s·β^r mod p
• r = H(M ‖ v') ?
Advantage: Reduced size & complexity
Digital Signature Algorithm (DSA)
• US government standard, by NSA.
• Based on ElGamal & Schnorr:
  • patent-free (ElGamal)
  • can't be used for encryption
• Objections:
  • ElGamal was not analyzed as much as RSA
  • slower verification
  • industry had already invested in RSA
  • closed-door design
DSA (cont'd)
Parameters: The same as Schnorr's.
Signature: (r, s) where
• v = g^k mod p
• r = v mod q
• s = (H(M) + rα)·k^(−1) mod q
Verification:
• v' = g^(H(M)·s^(−1))·β^(r·s^(−1)) mod p
• r = v' mod q ?
(Compared to Schnorr?)
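Schnorr and DSA side by side over the same Schnorr group, as an added example (my code, not the slides'), so the difference the slide asks about is visible: Schnorr hashes v into the challenge, DSA reduces v mod q and needs k^-1. The group (p = 2039, q = 1019, g = 4) is a constructed toy; SHA-256 reduced mod q stands in for H.

```python
import hashlib

# Constructed toy Schnorr group: P = 2*Q + 1, G = 2^((P-1)/Q) mod P has prime order Q.
P, Q, G = 2039, 1019, 4

def H(data):
    """Hash onto Z_q (SHA-256 reduced mod q; fine for a demo, not a real hash-to-field)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen(rng):
    """Private alpha in Z_q, public beta = g^alpha mod p."""
    alpha = rng.randrange(1, Q)
    return alpha, pow(G, alpha, P)

def schnorr_sign(msg, alpha, k):
    """r = H(M || v) with v = g^k; s = (k - r alpha) mod q. k must be a fresh secret per signature."""
    v = pow(G, k, P)
    r = H(msg + v.to_bytes(2, "big"))
    return r, (k - r * alpha) % Q

def schnorr_verify(msg, sig, beta):
    """v' = g^s beta^r = g^(k - r alpha + alpha r) = v; accept iff r = H(M || v')."""
    r, s = sig
    v = pow(G, s, P) * pow(beta, r, P) % P
    return r == H(msg + v.to_bytes(2, "big"))

def dsa_sign(msg, alpha, rng):
    """r = (g^k mod p) mod q, s = (H(M) + r alpha) k^-1 mod q; retry on r = 0 or s = 0."""
    while True:
        k = rng.randrange(1, Q)
        r = pow(G, k, P) % Q
        s = (H(msg) + r * alpha) * pow(k, -1, Q) % Q
        if r and s:
            return r, s

def dsa_verify(msg, sig, beta):
    """v' = g^(H(M) s^-1) beta^(r s^-1) = g^k; accept iff r = v' mod q (r, s range-checked)."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = pow(G, H(msg) * w % Q, P) * pow(beta, r * w % Q, P) % P
    return r == v % Q
```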
Elliptic Curve Cryptosystems
Generalized Discrete Log Problem:
• For any group (G, •), for x ∈ G, define x^n = x • x • ... • x (n times)
• DLP: For y = x^n, given x, y, what is n?
Elliptic curves over Z_p:
• Set of points (x, y) ∈ Z_p × Z_p that satisfy y^2 ≡ x^3 + ax + b (mod p), and an additional point at infinity, 0.
• Group operation: P•Q is the inverse of the point where the line through P & Q intersects the curve. (The inverse of P = (x, y) is defined as P^(−1) = (x, −y).)
• Well-defined, provided that 4a^3 + 27b^2 ≢ 0 (mod p).
Elliptic Curve Cryptosystems (cont'd)
[Figure: EC example over R^2]
Elliptic Curve Cryptosystems (cont'd)
• Facts for an EC over a finite field:
  • Exponentiation is efficient.
  • DLP is hard. In fact, harder than in Z_p (no sub-exponential algorithm is known).
  • Hence, DH, ElGamal, etc. can be used with smaller key sizes over ECs. (160-bit EC ~ 1024-bit RSA)
  • Popular for constrained devices (e.g., smart cards)
• Advantages over RSA:
  • smaller key size
  • compact in hardware
  • faster (for private key operations)
• Licensed by NSA.
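The group law of the previous slides, worked out in code as an added example (not from the slides): chord-and-tangent addition over Z_p, the non-singularity check 4a^3 + 27b^2 ≢ 0, and double-and-add scalar multiplication (the "exponentiation" that is efficient). The curve y^2 = x^3 + 2x + 3 over Z_97 used in the test is a constructed toy; the point validation in `mul` is my addition.

```python
def inv_mod(x, p):
    return pow(x % p, -1, p)

class Curve:
    """y^2 = x^3 + a x + b over Z_p; the point at infinity (the identity) is None."""
    def __init__(self, p, a, b):
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 = 0 (mod p)")
        self.p, self.a, self.b = p, a, b

    def on_curve(self, P):
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P, Q):
        """Chord-and-tangent rule: reflect the third intersection of the line through P and Q."""
        if P is None:
            return Q
        if Q is None:
            return P
        p = self.p
        if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
            return None                                   # P + (-P) = 0, with -P = (x, -y)
        if P == Q:
            lam = (3 * P[0] ** 2 + self.a) * inv_mod(2 * P[1], p) % p   # tangent slope
        else:
            lam = (Q[1] - P[1]) * inv_mod(Q[0] - P[0], p) % p           # chord slope
        x = (lam * lam - P[0] - Q[0]) % p
        y = (lam * (P[0] - x) - P[1]) % p
        return (x, y)

    def mul(self, n, P):
        """n*P by double-and-add (the 'exponentiation' of the slides), O(log n) additions."""
        if not self.on_curve(P):
            raise ValueError("point is not on the curve")    # reject invalid-curve inputs
        R = None
        while n > 0:
            if n & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            n >>= 1
        return R
```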
NTRU
• Hoffstein, Pipher, Silverman, 1996.
• Based on the "Lattice Reduction Problem".
• Extremely fast: 20–2000x RSA (the more limited the device, the larger the difference)
• Extremely compact in hardware
• Security: OK (no known weaknesses)
• Popular for constrained devices (smart cards, RFIDs, DSPs, etc.)
• Supported by Sony, TI, etc.
Zero Knowledge Systems
• Zero knowledge proofs: Alice knows a secret and wants to prove her knowledge without revealing the secret.
• Example: ZKP for Graph Isomorphism
Definition: G_A = (V_A, E_A) and G_B = (V_B, E_B) are isomorphic if a 1-1 & onto mapping π: V_A → V_B exists such that (u, v) ∈ E_A ⟺ (π(u), π(v)) ∈ E_B.
Fact: The graph isomorphism problem, i.e., to tell whether two given graphs are isomorphic, is hard. (Though it is not known to be NP-complete.)
ZK Proof for GI
Alice proves to Bob she knows an isomorphism between G_A and G_B:
• Alice produces an isomorphic G_1 from G_A.
• Bob challenges her to show an isomorphism either from G_A or from G_B.
• Alice does so.
• This challenge-response is repeated until Bob is satisfied. (Probability of "proof by chance" is 2^(−k) after k rounds. Why?)
Alternatively, the protocol can be realized in a single run:
• Alice issues graphs G_1, G_2, ..., G_k isomorphic to G_A.
• Bob issues a "challenge sequence" c_1 c_2 ... c_k of bits.
• For c_i = 0, Alice produces G_i from G_A; for c_i = 1, from G_B.
Bob doesn't learn anything about π: G_A → G_B. (Intuitively, he could have produced the graphs he got from Alice anyway.)
ZK Signatures
• Any ZKP system can be turned into a signature scheme.
• GI ZK signature scheme:
  • Alice produces large G_A and G_B = π(G_A) for some random π.
  • Public: G_A, G_B.
  • Private: π
Signing message x:
• Alice generates G_1, G_2, ..., G_k isomorphic to G_A.
• Challenge sequence: hash(x, G_1, G_2, ..., G_k) = c_1 c_2 ... c_k.
• Signature: y = (σ_1, σ_2, ..., σ_k) where σ_i = σ_i(G_A) if c_i = 0; σ_i(G_B) if c_i = 1 (i.e., σ_i is the isomorphism from G_A, resp. G_B, onto G_i).
• Signed message: (x, G_1, G_2, ..., G_k, y)
(Why must G_1, G_2, ..., G_k be included in the hash?)
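The single-run GI protocol and the signature scheme built from it, in one added example (my code, not the slides'), covering both the ZK proof and the ZK signature slides: `commit`/`respond`/`check` are the three moves with Bob's bits supplied from outside, and `sign`/`verify` feed the same moves with bits drawn from a hash that binds the message and all G_i. Graphs are edge lists on vertices 0..n-1; the 7-vertex tree in the test is constructed (it has no non-trivial automorphisms, so G_A and G_B differ for any non-identity π).

```python
import hashlib

def apply_iso(edges, perm):
    """Relabel each edge (u, v) as (perm[u], perm[v]); canonical sorted tuple so graphs compare by ==."""
    return tuple(sorted(tuple(sorted((perm[u], perm[v]))) for u, v in edges))

def inverse(perm):
    inv = [0] * len(perm)
    for u, v in enumerate(perm):
        inv[v] = u
    return inv

def keygen(n, edges, pi):
    """Private key pi (a permutation of range(n)); public key (G_A, G_B = pi(G_A))."""
    g_a = apply_iso(edges, list(range(n)))
    return pi, (g_a, apply_iso(g_a, pi))

def commit(g_a, n, k, rng):
    """Alice's first move: k random isomorphic copies G_i = sigma_i(G_A); the sigma_i stay secret."""
    sigmas = []
    for _ in range(k):
        s = list(range(n))
        rng.shuffle(s)
        sigmas.append(s)
    return sigmas, tuple(apply_iso(g_a, s) for s in sigmas)

def respond(bits, sigmas, pi):
    """c_i = 0: reveal sigma_i (G_A -> G_i); c_i = 1: reveal sigma_i o pi^-1 (G_B -> G_i)."""
    pi_inv = inverse(pi)
    return [s if c == 0 else [s[pi_inv[v]] for v in range(len(pi))] for s, c in zip(sigmas, bits)]

def check(bits, pub, graphs, answers):
    """Bob's check: the revealed map must carry the challenged public graph exactly onto G_i."""
    g_a, g_b = pub
    return all(apply_iso(g_a if c == 0 else g_b, s) == g for g, s, c in zip(graphs, answers, bits))

def hash_challenge(msg, graphs, k):
    """Non-interactive challenge: bits from a hash that binds the message AND every G_i (k <= 256)."""
    h = hashlib.sha256(repr((msg, graphs)).encode()).digest()
    return [(h[i // 8] >> (i % 8)) & 1 for i in range(k)]

def sign(msg, pi, pub, k, rng):
    """Signature = (G_1..G_k, answers); the hash plays Bob's role."""
    sigmas, graphs = commit(pub[0], len(pi), k, rng)
    return graphs, respond(hash_challenge(msg, graphs, k), sigmas, pi)

def verify(msg, pub, signature):
    graphs, answers = signature
    return check(hash_challenge(msg, graphs, len(graphs)), pub, graphs, answers)
```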