
Applied Cryptography


jenaya

Presentation Transcript


  1. Applied Cryptography Spring 2014 Asymmetric ciphers

  2. Types of ciphers: symmetric (block ciphers, stream ciphers) and asymmetric (public key)

  3. Symmetric vs. asymmetric cryptography
     • Symmetric ciphers – sender and recipient use the same key
     • $D_{\text{key}}(E_{\text{key}}(m)) = m$
     • Substitution cipher is an example of a symmetric cipher
     • Impractical for big systems – number of keys is quadratic in the number of users
     • The solution – asymmetric algorithms. Think of a locked mailbox! Different keys for encryption and decryption
     • $D_{\text{private key}}(E_{\text{public key}}(m)) = m$

  4. Asymmetric ciphers [From Information Security Group, ICU]

  5. Mathematical foundations for public-key cryptography. Traditionally used one-way functions:
     • Factoring: given primes $p$ and $q$, it is easy to compute $n = pq$, but it is hard to factor $n$.
     • Discrete logarithm problem: given prime $p$ and $g, x < p$, it is easy to compute $y = g^x \bmod p$, but it is hard to compute $\log_g y$ in $\mathbb{Z}_p^*$.
     • Square root problem: given primes $p, q$, $n = pq$ and $x < n$, it is easy to compute $y = x^2 \bmod n$, but it is hard to compute $\sqrt{y}$ in $\mathbb{Z}_n^*$.
     • Knapsack?

  6. PKC schemes [From Information Security Group, ICU]

  7. What we will use from number theory: Fermat's little theorem. If $p$ is prime and $\gcd(a,p) = 1$, then $a^{p-1} \equiv 1 \pmod p$.

  8. Complexity of modular operations
     • Addition, subtraction: almost the same as without modulus, time complexity ( )
     • Multiplication: for given $a$ and $b$ find $x$ such that $ab \bmod n = x$; multiplication + division, i.e. time complexity ( 2)

  9. What we will use from number theory: Extended Euclid's algorithm. $d = \gcd(a,b)$ is the greatest common divisor of integers $a$ and $b$. There exist integers $x$ and $y$ such that $d = ax + by$.

     ```
     ExtendedEuclid(a, b)
         if b = 0 then return (a, 1, 0)
         (d', x', y') ← ExtendedEuclid(b, a mod b)
         (d, x, y) ← (d', y', x' − ⌊a/b⌋ y')
         return (d, x, y)
     ```

  10. Complexity of modular operations
      • Division: for given $a$ and $b$ find $x$ such that $bx \bmod n = a$
      • Such an $x$ does not always exist: we need $\gcd(b,n) \mid a$
      • Extended Euclid's algorithm finds $u$ and $v$ such that $\gcd(s,t) = su + tv$
      • Take $s = b$ and $t = n$ and set $x = ua/\gcd(b,n)$
      • Time complexity ( 3)
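Modular division built on the extended Euclid recursion, as an added example that is not part of the original slides. The function names and the choice to return every solution in [0, n) are assumptions made for illustration.

```python
def extended_euclid(a, b):
    """Return (d, x, y) with d = gcd(a, b) = a*x + b*y (recursive form from the slide)."""
    if b == 0:
        return a, 1, 0
    d, x1, y1 = extended_euclid(b, a % b)
    return d, y1, x1 - (a // b) * y1


def mod_divide(a, b, n):
    """Solve b*x = a (mod n); return the sorted list of all solutions in [0, n)."""
    d, u, _ = extended_euclid(b % n, n)    # d = gcd(b, n) = b*u + n*v
    if a % d != 0:
        return []                          # solvable only if gcd(b, n) divides a
    x0 = (u * (a // d)) % n                # the slide's x = u*a / gcd(b, n)
    step = n // d                          # the d solutions are spaced n/d apart
    return sorted((x0 + i * step) % n for i in range(d))


if __name__ == "__main__":
    # Constructed inputs: unique solution, two solutions, no solution.
    print(mod_divide(3, 7, 26))   # gcd(7, 26) = 1
    print(mod_divide(4, 6, 10))   # gcd(6, 10) = 2 divides 4
    print(mod_divide(3, 6, 10))   # gcd(6, 10) = 2 does not divide 3
```

When gcd(b, n) = 1 the single solution is a times the modular inverse of b, which is how the RSA exponent d is obtained from e.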

  11. Complexity of modular operations. Exponentiation: for given $a$ and $b$ find $x$ such that $a^b \bmod n = x$. Time complexity?

  12. Modular Exponentiation

      ```
      ModularExponentiation(base a, degree b, modulus n)
          let <b_k, b_{k-1}, ..., b_0> be the binary representation of b
          c ← 0
          d ← 1
          for i ← k downto 0 do
              c ← 2 · c
              d ← (d · d) mod n
              if b_i = 1 then
                  c ← c + 1
                  d ← (d · a) mod n
          return d
      ```

      Time complexity T() = ( 3)

  13. Modular Exponentiation - example [Adapted from T.Cormen, C.Leiserson, R. Rivest]

      ```
      ModularExponentiation(a, b, n)
          c ← 0; d ← 1
          for i ← k downto 0 do
              c ← 2 · c
              d ← (d · d) mod n
              if b_i = 1 then
                  c ← c + 1
                  d ← (d · a) mod n
          return d
      ```
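A runnable version of the square-and-multiply pseudocode that records the per-bit values of c and d, as an added example that is not part of the original slides. The inputs a = 7, b = 560, n = 561 are chosen here for illustration, and the trace format is an assumption.

```python
def modular_exponentiation(a, b, n):
    """Left-to-right square-and-multiply; returns (a**b mod n, trace).

    trace holds one (i, b_i, c, d) row per exponent bit.
    Invariant after each iteration: d == a**c mod n, and c ends equal to b.
    """
    c, d = 0, 1
    trace = []
    bits = bin(b)[2:]                          # b_k ... b_0, most significant first
    for i, bit in zip(range(len(bits) - 1, -1, -1), bits):
        c = 2 * c
        d = (d * d) % n                        # squaring step, done for every bit
        if bit == "1":
            c = c + 1
            d = (d * a) % n                    # multiply step, only for 1 bits
        trace.append((i, int(bit), c, d))
    return d, trace


if __name__ == "__main__":
    result, rows = modular_exponentiation(7, 560, 561)   # illustrative inputs
    print(" i  b_i    c    d")
    for i, bit, c, d in rows:
        print(f"{i:2d}  {bit:3d}  {c:3d}  {d:3d}")
    print("result:", result)
```

The multiply step runs only for 1 bits, so the running time depends on the exponent's bit pattern, which matters when the exponent is a private key.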

  14. What we will use from number theory: Chinese remainder theorem. Suppose $n_1, n_2, \ldots, n_k$ are integers which are pairwise coprime. Then, for any given integers $a_1, a_2, \ldots, a_k$, there exists an integer $x$ solving the system of simultaneous congruences: Furthermore, all solutions $x$ to this system are congruent modulo the product $N = n_1 n_2 \cdots n_k$.

  15. Merkle's puzzles (around 1974)
      • Bob: $2^{20}$ messages: "this is puzzle number x. This is the secret key y"
      • Alice: decrypts a random message, sends Bob the pair $(E_y(P), x)$

  16. Knapsack algorithms First generalized public key encryption algorithm [Merkle, Hellman, 1979]

  17. Knapsack problem

  18. Knapsack problem [From B.Schneier]

  19. Knapsack algorithms Encryption - ok, Decryption ? [From B.Schneier]

  20. Knapsack algorithms [From B.Schneier]

  21. Knapsack algorithms [From B.Schneier]

  22. Knapsack algorithms [From B.Schneier]

  23. Knapsack algorithms [From B.Schneier]

  24. Knapsack algorithms [From B.Schneier]

  25. Knapsack algorithms. What sizes of keys to use?
      • Numbers in (superincreasing sequence): 200 to 400 bits
      • Modulus m: 100 to 200 bits
      Unfortunately, Merkle-Hellman (and quite a number of other) knapsack schemes are already broken. A few knapsack variations (Chor-Rivest) are still not broken, but probably cannot be particularly recommended.

  26. Diffie-Hellman (key-exchange algorithm). First public-key algorithm ever invented (1976).
      • $n$ - prime, $g$ - number such that $\gcd(g,n) = 1$
      • Alice: chooses random large $x$, sends $X = g^x \bmod n$
      • Bob: chooses random large $y$, sends $Y = g^y \bmod n$
      • Alice, Bob: compute $k = Y^x \bmod n$ and $k' = X^y \bmod n$

  27. RSA
      • Asymmetric cryptographic algorithm published in 1978
      • The most popular asymmetric algorithm used today
      • Now free to use – patent expired in 2000
      • Relies on the hardness of factoring a number that is the product of two primes
      • Actually invented by Cocks (from UK) in 1973; unfortunately the work was classified...

  28. RSA

  29. RSA

  30. RSA - The authors [From Information Security Group, ICU]

  31. The RSA public-key cryptosystem
      • $p, q$ - two large primes (100 digits or more)
      • $n = pq$
      • $e$ - small odd integer that is relatively prime to $(p-1)(q-1)$
      • $d$ - integer such that $de \equiv 1 \pmod{(p-1)(q-1)}$ (it can be shown that it always exists)
      • $P = (e,n)$ - public key
      • $S = (d,n)$ - secret key
      • Encoding: $P(M) = M^e \pmod n$
      • Decoding: $S(C) = C^d \pmod n$
      It works!

  32. RSA - Correctness
      • $n = pq$; $e$ - odd and relatively prime to $(p-1)(q-1)$; $d$ - such that $de \equiv 1 \pmod{(p-1)(q-1)}$
      • $P(M) = M^e \pmod n$, $S(C) = C^d \pmod n$
      • $P(S(M)) = S(P(M)) = M^{ed} \pmod n$, where $ed = 1 + k(p-1)(q-1)$
      • $M \not\equiv 0 \pmod p \Rightarrow M^{ed} \equiv M (M^{p-1})^{k(q-1)} \equiv M (1)^{k(q-1)} \equiv M \pmod p$
      • $M \equiv 0 \pmod p \Rightarrow M^{ed} \equiv M \pmod p$

  33. RSA - Correctness: $M^{ed} \equiv M \pmod p$ and $M^{ed} \equiv M \pmod q$, thus $M^{ed} \equiv M \pmod n$.

  34. RSA - Complexity. Encoding: $P(M) = M^e \pmod n$. Decoding: $S(C) = C^d \pmod n$.
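The correctness argument checked numerically, as an added example that is not part of the original slides: it verifies $M^{ed} \equiv M$ modulo p and modulo q for every M, including the multiples of p and q, and recombines the two residues with the Chinese remainder theorem. The toy parameters p = 61, q = 53, e = 17 and all function names are assumptions chosen for illustration.

```python
from math import gcd

P, Q, E = 61, 53, 17          # constructed toy parameters, far too small for real use


def crt(residues, moduli):
    """Unique x mod N = prod(moduli) with x = r_i (mod n_i); moduli pairwise coprime."""
    N = 1
    for n_i in moduli:
        N *= n_i
    x = 0
    for r_i, n_i in zip(residues, moduli):
        N_i = N // n_i
        x += r_i * N_i * pow(N_i, -1, n_i)     # N_i^-1 mod n_i exists by coprimality
    return x % N


def rsa_keygen(p, q, e):
    """Return ((e, n), (d, n)) with d*e = 1 (mod (p-1)(q-1))."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return (e, p * q), (pow(e, -1, phi), p * q)


def check_correctness(p, q, e):
    """Follow the proof: M^(ed) = M mod p and mod q, hence mod n, for all M in Z_n."""
    (e, n), (d, _) = rsa_keygen(p, q, e)
    for M in range(n):                          # covers M = 0 (mod p) and (mod q) too
        rp, rq = pow(M, e * d, p), pow(M, e * d, q)
        if (rp, rq) != (M % p, M % q):
            return False
        if crt([rp, rq], [p, q]) != M:          # the "thus mod n" step
            return False
        if pow(pow(M, e, n), d, n) != M:        # S(P(M)) = M
            return False
    return True


if __name__ == "__main__":
    print(rsa_keygen(P, Q, E), check_correctness(P, Q, E))
```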

  35. RSA - Speed [From B.Schneier]

  36. RSA - Speed [From B.Schneier]

  37. RSA - Speed [From B.Schneier]

  38. Attacks on RSA

  39. RSA Challenge [From Information Security Group, ICU]

  40. RSA Challenge [From wikipedia.org]

  41. Security assumptions for “textbook algorithms”

  42. Attacks on RSA – “small” messages
      • Finding $m$ is trivial if $c = m^e \bmod n = m^e$.
      • If $m$ is known to have a small finite set of values (e.g. 4 digit PIN), the value of $m$ can be found by trying all possible values.

  43. Attacks on RSA – “small” messages. E.g., what happens if we directly encrypt a 56-bit DES key? [From W.Mao]
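Why unpadded ("textbook") RSA fails on the two small-message cases from slide 42, as an added example that is not part of the original slides. The modulus, the exponents, the PIN and the function names are constructed for illustration.

```python
# Constructed toy modulus from two well-known primes; both exponents are valid for it.
N = 1000000007 * 998244353
E_SMALL, E_LARGE = 3, 65537
PIN = 4821                                      # constructed 4-digit secret


def iroot(c, e):
    """Floor of the e-th root of a non-negative integer c (exact, no floats)."""
    lo, hi = 0, 1
    while hi ** e <= c:
        hi *= 2
    while hi - lo > 1:                          # invariant: lo**e <= c < hi**e
        mid = (lo + hi) // 2
        if mid ** e <= c:
            lo = mid
        else:
            hi = mid
    return lo


def recover_by_root(c, e):
    """Case c = m^e mod n = m^e: no modular reduction happened, so take the root."""
    r = iroot(c, e)
    return r if r ** e == c else None


def recover_from_small_set(c, e, n, candidates):
    """Case m comes from a small set: encryption is deterministic, so re-encrypt each."""
    for m in candidates:
        if pow(m, e, n) == c:
            return m
    return None


if __name__ == "__main__":
    c3 = pow(PIN, E_SMALL, N)                   # PIN**3 < N, nothing wraps around
    c65537 = pow(PIN, E_LARGE, N)               # wraps, but is still deterministic
    print(recover_by_root(c3, E_SMALL))
    print(recover_by_root(c65537, E_LARGE))
    print(recover_from_small_set(c65537, E_LARGE, N, range(10000)))
```

A larger public exponent removes only the first case; the second disappears only when random padding makes each encryption of the same message different.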

  44. Attacks on RSA

  45. Common modulus attack

  46. Don’t sign with encryption key 

  47. Attacks on RSA

  48. RSA - Choice of p and q r - a prime factor of p [From Information Security Group, ICU]

  49. RSA and PKCS standard. Encryption: (PKCS #1 v1.5, RFC 2313)

      | Field | 00 | 02 | random non-zero octets | 00 | data |
      |---|---|---|---|---|---|
      | Size | 1 byte | 1 byte | ≥ 8 bytes | 1 byte | |

      • first 0: to guarantee x < n
      • 2: indicates encryption
      • second 0: indicates end of padding

      Protects against:
      • guessable message attacks (e.g., a yes/no message)
      • cube root problem, for e = 3
      • broadcast problem, for e = 3
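An encoder and parser for the encryption block layout above, as an added example that is not part of the original slides and not taken from any library. The function names and the 32-byte modulus length used in the demo are assumptions; the RSA operation itself is left out.

```python
import os


def eme_pkcs1_v15_encode(data, k):
    """Build the k-byte block 00 || 02 || PS || 00 || data for a k-byte modulus."""
    if len(data) > k - 11:                     # 3 marker bytes + at least 8 padding bytes
        raise ValueError("data too long for this modulus")
    ps_len = k - 3 - len(data)
    ps = bytearray()
    while len(ps) < ps_len:                    # random octets, zero bytes discarded
        ps += bytes(b for b in os.urandom(k) if b != 0)
    return b"\x00\x02" + bytes(ps[:ps_len]) + b"\x00" + data


def eme_pkcs1_v15_decode(block, k):
    """Parse a block and return data; every malformed layout raises the same error."""
    if len(block) != k or block[0] != 0 or block[1] != 2:
        raise ValueError("decoding error")
    sep = block.find(b"\x00", 2)               # second 00 marks the end of the padding
    if sep < 0 or sep - 2 < 8:                 # padding must be at least 8 bytes
        raise ValueError("decoding error")
    return block[sep + 1:]


if __name__ == "__main__":
    K = 32                                     # constructed: 256-bit modulus length
    first = eme_pkcs1_v15_encode(b"yes", K)
    second = eme_pkcs1_v15_encode(b"yes", K)
    print(first.hex())
    print(second.hex())                        # same message, different block
    print(eme_pkcs1_v15_decode(first, K))
    # Leading 00 keeps the integer below 2^(8(k-1)), hence below any k-byte modulus.
    print(int.from_bytes(first, "big") < 1 << (8 * (K - 1)))
```

A decoder that lets the other side distinguish which padding check failed acts as a padding oracle (Bleichenbacher, 1998), which is why all failures here raise the same error; this parser is for illustration and is not constant-time.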

  50. RSA and PKCS standard PKCS #1 v2.2 RSA EME-OAEP mode
