Lecture 3.2: Public Key Cryptography II

Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena

Course Administration • HW1 solution has been posted • Grades posted • We will distribute after lecture today • Any questions, or help needed? • We need to something to make-up the missed material • Waiting on UAB for guidelines

Outline of Today’s Lecture • The RSA Cryptosystem (Encryption)

“Textbook” RSA: KeyGen • Alice wants people to be able to send her encrypted messages. • She chooses two (large) prime numbers, p and q and computes n=pq and . [“large” = 1024 bits +] • She chooses a number e such that e is relatively prime to and computes d, the inverse of e in , i.e., ed =1 mod • She publicizes the pair (e,n) as her public key. (e is called RSA exponent, n is called RSA modulus). She keeps d secret and destroys p, q, and • Plaintext and ciphertext messages are elements of Zn and e is the encryption key.

RSA: Encryption • Bob wants to send a message x (an element of Zn*) to Alice. • He looks up her encryption key, (e,n), in a directory. • The encrypted message is • Bob sends y to Alice.

RSA: Decryption • To decrypt the message she’s received from Bob, Alice computes Claim: D(y) = x

RSA: why does it all work • Need to show • D[E[x]] = x • E[x] and D[y] can be computed efficiently if keys are known • E-1[y]cannot be computed efficiently without knowledge of the (private) decryption key d. • Also, it should be possible to select keys reasonably efficiently • This does not have to be done too often, so efficiency requirements are less stringent.

E and D are Inverses Because From Euler’s Theorem

Tiny RSA example. • Let p = 7, q = 11. Then n = 77 and • Choose e = 13. Then d = 13-1 mod 60 = 37. • Let message = 2. • E(2) = 213 mod 77 = 30. • D(30) = 3037 mod 77=2

Slightly Larger RSA example. • Let p = 47, q = 71. Then n = 3337 and • Choose e = 79. Then d = 79-1 mod 3220 = 1019. • Let message = 688232… Break it into 3 digit blocks to encrypt. • E(688) = 68879 mod 3337 = 1570. E(232) = 23279 mod 3337 = 2756 • D(1570) = 15701019 mod 3337 = 688. D(2756) = 27561019 mod 3337 = 232.

Security of RSA: RSA assumption • Suppose Oscar intercepts the encrypted message y that Bob has sent to Alice. • Oscar can look up (e,n) in the public directory (just as Bob did when he encrypted the message) • If Oscar can compute d = e-1 mod then he can use to recover the plaintext x. • If Oscar can compute , he can compute d (the same way Alice did).

Security of RSA: factoring • Oscar knows that n is the product of two primes • If he can factor n, he can compute • But factoring large numbers is very difficult: • Grade school method takes divisions. • Prohibitive for large n, such as 160 bits • Better factorization algorithms exist, but they are still too slow for large n • Lower bound for factorization is an open problem

How big should n be? • Today we need n to be at least 1024-bits • This is equivalent to security provided by 80-bit long keys in private-key crypto • No other attack on RSA known • Except some side channel attacks, based on timing, power analysis, etc. But, these exploit certain physical charactesistics, not a theoretical weakness in the cryptosystem!

Key selection • To select keys we need efficient algorithms to • Select large primes • Primes are dense so choose randomly. • Probabilistic primality testing methods known. Work in logarithmic time. • Compute multiplicative inverses • Extended Euclidean algorithm

RSA in Practice • Textbook RSA is insecure • Known-plaintext? • CPA? • CCA? • In practice, we use a “randomized” version of RSA, called RSA-OAEP • Use PKCS#1 standard for RSA encryption http://www.rsa.com/rsalabs/node.asp?id=2125 • Interested in details of OAEP: refer to (section 3.1 of) http://isis.poly.edu/courses/cs6903/Lectures/lecture13.pdf

Some questions • c1 = RSA_Enc(m1), c2 = RSA_Enc(m2). • What is RSA_Enc(m1m2)? • Homomorphic property • What is RSA_Enc(2m1)? • Malleability (not a good property!) • Is it possible to find inverses mod n (RSA modulus)?

Some Questions • RSA stands for Robust Security Algorithm, right? • If e is small (such as 3) • Encryption is faster than decryption or the other way round? • Private key crypto has key distribution problem and Public key crypto is slow • How about a hybrid approach? • Do you know how ssl/ssh works?

Some Questions • I encrypt m with Alice’s RSA PK, I get c • I encryt m again, I get --? • What does this mean? • What if I do the above with DES?

Further Reading • Section 8.2 of HAC • Section 9 of Stallings

Outline of Today’s Lecture • Discrete Logarithm System • El Gamal Encryption • Digital Signatures Lecture 3.4: Public Key Cryptography IV

Discrete Logarithm Assumption • Work with a cyclic group G with generator g • Let |G| = m • G = {g0, g1, g2,…,gm-1} • Given any y = gx in G (where x belongs to Zm), g and and m, it is not possible to compute x • This is known as the DL assumption • Of course, x should be fairly large – at least 160-bits in length • This suggests that one can possibly use x as the secret key, and y (and other parameters) as the public key

El Gamal Encryption -- KeyGen • p, q primes such that q|p-1 • g is an element of order q and generates a group Gq of order q • g = g’(p-1)/q (were g’ is the generator of Zp*) • x in Zq, y = gx mod p • DL assumption -- given (p, q, g, y), it is computationally hard to compute x • No polynomial time algorithm known • p should be 1024-bits and q be 160-bits • x becomes the private key and y becomes the public key

ElGamal Encryption/Decryption • Encryption (of m in Gq): • Choose random r in Zq • k = gr mod p • c = myr mod p • Output (k,c) • Decryption of (k,c) • M = ck-x mod p • Secure under (a variant of) the discrete logarithm assumption Lecture 3.4: Public Key Cryptography IV

ElGamal Example: dummy • Let’s construct an example • KeyGen: • p = 11, q = 2 or 5; let’s say q = 5 • g’ = 2 is a generator of Z11* • g = 22 = 4 • x = 2; y = 42 mod 11 = 5 • Enc(3): • r = 4  k = 44 mod 11 = 3 • c = 3*54 mod 11 = 5 • Dec(3,5): • m = 5*3-2 mod 11 = 3 Lecture 3.4: Public Key Cryptography IV

El Gamal Security • Secure against CPA attacks assuming that discrete logarithm is hard • Not secure against CCA attacks; why? • It is possible to massage the ciphertext in a meaningful way • Given a ciphertext (k, c), compute k’ = kgr’and c’ = cyr’ (r’ is picked by the adversary) • Query the decryption oracle on (k’,c’); it decrypts and returns the response -- m Lecture 3.4: Public Key Cryptography IV

CCA Security • Like in the case of symmetric key encryption, we can derive CCA secure encryption using CPA secure encryption • Just prevent any massaging of the ciphertext • Integrity protection mechanism is needed • But, now a public-key based mechanism is needed • Digital signatures -- next Lecture 3.4: Public Key Cryptography IV

Digital Signatures • Message Integrity • Detect if message is tampered with while in the transit • Source/Sender Authentication • No forgery possible • Non-repudiation • If I sign something, I can not deny later • A trusted third party (court) can resolve dispute • Many applications – signed email, e-contracts, e-transactions…

Public Key Signatures • Signer has public key, private key pair • Signer signs using its private key • Verifier verifies using public key of the signer Lecture 3.4: Public Key Cryptography IV

Security Notion/Model for Signatures • Existential Forgery under (adaptively) chosen message attack (CMA) • Adversary (adaptively) chooses messages mi of its choice • Obtains the signature si on each mi • Outputs any message m (≠ mi) and a signature s on m Lecture 3.4: Public Key Cryptography IV

RSA Signatures • Key Generation: same as in encryption • Sign(m): s = md mod N • Verify(m,s): (se == m mod N) • The above text-book version is insecure; why? • In practice, we use a randomized version of RSA (implemented in PKCS#1) • Hash the message and then sign the hash Lecture 3.4: Public Key Cryptography IV

Digital Signature Standard (DSS) • Adopted as standard in 1994 • Security based on hardness of the discrete logarithm problem Lecture 3.4: Public Key Cryptography IV

DSS – KeyGen; Signing; Verification • KeyGen: the same way as El Gamal • p, q primes such that q|p-1 • g is an element of order q and generates a group Gq of order q • g = g’(p-1)/q (were g’ is the generator of Zp*) • x in Zq, y = gx mod p • Sign: • Pick random r from Z*q • k = (gr mod p) mod q; c = (m + xk)r-1 mod q • Output (k,c) and also the message m • Verify: kc == gm.yk mod p Lecture 3.4: Public Key Cryptography IV

DSS Example • Refer to 11.57 of HAC Lecture 3.4: Public Key Cryptography IV

Some Questions • I encrypt m with Alice’s ElGamal PK, I get c • I encrypt m again, I get --? • What does this mean? • Is RSA-OAEP CCA secure? • Is El Gamal CCA secure? Lecture 3.4: Public Key Cryptography IV

Further Reading • Stalling Chapter 10 • HAC Chapter 8 and Chapter 11 Lecture 3.4: Public Key Cryptography IV

Lecture 3.2: Public Key Cryptography II

Lecture 3.2: Public Key Cryptography II

Presentation Transcript

Cryptography And Secure Channels

Introduction to Cryptography

Lecture 2: The Third Wave

New Cryptography

Overview of the Role of Public Health in Disaster Preparedness and Response

Cryptography (One Day Cryptography Tutorial)

Cryptography

Applied Cryptography Week 3 Java Tools

Chapter 8: Cryptography

Security in Computing Chapter 2, Elementary Cryptography

Introduction to Cryptography

Cryptography for Cloud Storage Service

Practical Aspects of Modern Cryptography

Introduction to Cryptography

Lecture3 – Introduction to Cryptography 1

MATH 1020: Mathematics For Non-science Chapter 4.2: Cryptography

Cryptography

Conventional Cryptography

Chapter 3

Chapter 2

Lecture 2: The Third Wave

Materials for Lecture 08