1 / 26

Factoring and Discrete Logarithm Based Cryptography

Factoring and Discrete Logarithm Based Cryptography. A Tale of Two Families Burt Kaliski and Moses Liskov RSA Laboratories. B.D.H. (Before Diffie-Hellman). Only symmetric cryptography existed Cryptography didn’t focus on hard problems Major research area: Key Distribution Problem

nansen
Download Presentation

Factoring and Discrete Logarithm Based Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Factoring and Discrete Logarithm Based Cryptography A Tale of Two Families Burt Kaliski and Moses Liskov RSA Laboratories

  2. B.D.H. (Before Diffie-Hellman) • Only symmetric cryptography existed • Cryptography didn’t focus on hard problems • Major research area: Key Distribution Problem • The Diffie-Hellman result cracked the field open

  3. The Breakthrough • The Diffie-Hellman key exchange system (1976) • Now Alice and Bob share a secret key! Alice generates x, Bob generates y. Alice sends ax mod p, Bob sends ay mod p. Alice and Bob compute axy mod p.

  4. Diffie-Hellman and RSA • RSA invented in 1977 • Public-key cryptosystem capable of encryption and signature as well as key exchange • Set the stage for the next 20 years

  5. The Two Families • Diffie-Hellman, and later ElGamal, DSA, and Elliptic Curve are all in the Discrete Logarithm (DL) family. • RSA and related systems make up the Factoring family.

  6. Beginnings • First, cryptosystems are invented: • Diffie-Hellman invented in 1976 • RSA (1977) • Merkle’s puzzles (1979) • Knapsack Cryptosystems (1978) • McEliece Cryptosystem (1978) • Elliptic Curve Cryptography (1985)

  7. Testing • After a cryptosystem is proposed, the Crypto community attempts to break it. • Most of the cryptosystems that have been proposed outside of the two families failed at this step. • For example, knapsack cryptosystems were found to be insecure.

  8. Testing • Diffie-Hellman, RSA, and Elliptic Curve all withstood analysis from the Crypto community. • Testing is an ongoing process.

  9. Basic Components • Discrete Logarithm and Factoring both provide the same fundamental tools, but in different ways: • Digital Signature • Encryption • Key Agreement

  10. Implementation Issues • Once a cryptosystem is realized to be promising, it must be implemented. • The Cryptosystem must be made efficient enough to be practical! • Some cryptosystems have not been made efficient enough to be widely accepted.

  11. Implementation Issues • Similar implementation results can be used by both families. • RSA and DL require efficient modular exponentiation and multiplication. • ECDL requires efficient EC multiplication and addition.

  12. Next Steps • Proofs of Security • Industrialization & Standardization • Advanced Techniques

  13. Proofs of Security • The inability of the Crypto community to break an algorithm is reassuring. • A proof that an algorithm is secure is far more desirable. • A provably secure variation is often attainable, under some assumptions.

  14. Proofs of Security • Examples: • OAEP and PSS provide provably secure methods for using RSA. • Pointcheval-Stern and Brickell provide provably secure variants of DSA and ECDSA. • Proofs of equivalence between hard problems

  15. Standardization • Once an algorithm is very well accepted, standards must be developed. • Standards are necessary for • Interoperability • Guaranteed level of security • Community confidence • Without standards, actual implementation and use is very difficult.

  16. Standardization • Both families have survived this process; they are the only ones to have made it this far. • Factoring (RSA): PKCS #1, ANSI X9.31, X9.44 • Discrete Log (DSA, DH): ANSI X9.30, X9.42 • Discrete Log (ECC): ANSI X9.62, ANSI X9.63 • Also, IEEE P1363 covers all of these.

  17. Advanced Techniques • Once a cryptosystem is fairly well established, it becomes a natural tool for more advanced techniques. • Advanced techniques solve limited, specific problems in new ways. • Examples: • Zero Knowledge Proofs of Private Key Knowledge

  18. Advanced Techniques • Examples (cont.): • Blind Signatures • Secret Sharing / Threshold Security • Group Signatures • Undeniable Signatures • Zero Knowledge Proofs of Key Security • Key Validation Procedures

  19. Discrete Logarithm Timeline DL Number Field Sieve [Gor93] Bit Security result for DL [BM82] ANSI X9.62 and X9.63 for EC drafted Schnorr ID/signature scheme [Sch90] ANSI X9.42 drafted Montgomery’s Method [M85] Index Calculus method [Adl79] 1st ECC workshop Elliptic Curve proposed by Miller and Koblitz [Mil86] [Kob87] Authenticated DH developed [DVW92] 1976 1980 1990 1998 DSA, DSA proposed Coppersmith DL attack on GF(2n) [Cop84] Chaum et al. ZK proof [CEGP87] DH proved equivalent to DL under certain assumptions [Mau94] Diffie-Hellman invented [DH76] Fast Modular Exponentiation [BGMW92] ElGamal cryptosystem invented [Elg85] EC reduced to DL for certain curves [MOV90] ANSI X9.42 balloted ANSI X9.30 drafted

  20. Factoring Timeline OAEP invented [BR94] Rabin’s variant of RSA [Rab79] PKCS #1 v1 published Montgomery’s Method [M85] ANSI X9.31 adopted Fiat-Shamir ID scheme [FS86] Chinese Remainder Theorem efficiency result [QC82] Fast Hardware implementation of RSA [SV93] Public Exponent 3 attack [Has88] PSS invented [BR96] 1976 1980 1990 1998 Related Message attack [CFPR96] RSA Cryptosystem invented [RSA78] RSA Factoring Challenge started Bit Security result for RSA [ACGS84] ISO/IEC 9796 published General Number Field Sieve [BLP94] [BLZ94] Multiple Polynomial Quadratic Sieve [Sil87] PKCS #1 v2 published

  21. Other Techniques Timeline Revised Chor-Rivest Knapsack System [CR88] Chor-Rivest attacked [SH95] Goppa code variant on McEliece cryptosystem proposed [GPT91] Ajtai-Dwork lattice based cryptosystem, some analysis [AD97] Merkle-Hellman Knapsack System [MH78] Merkle Proposes Multiple Iteration Knapsack System Merkle-Hellman Knapsack System Broken [Sha84] 1976 1980 1990 1998 McEliece Cryptosystem (Algebraic Coding) Chor-Rivest Knapsack System proposed [CR85] Advantages of LUC brought into question [BBL95] Multiple Iteration Merkle-Hellman Broken [Bri85] LUC cryptosystems proposed [SS95] McEliece analysis [CS98], [S98] Goppa code idea debunked [Gib93]

  22. Why Two Families? • DL and Factoring have held up through the full development process. • No other family has made it through the process. • DL and Factoring based on seemingly hard but not NP-complete problems.

  23. Which is Better? • Neither DL nor Factoring is entirely better in practice; each has its own advantages. • Developments in one family often propagate to the other. • For example • ZK key validation (DL to Factoring) • ZK identity schemes (Factoring to DL)

  24. Should We Look for More? • It is possible that the DL problem and the Factoring problem could both become solved. • Other types of cryptography would give us a fallback in case this happens.

  25. Should We Look for More? • Value has been gained from our failed attempts at other types of cryptosystems. • Example • Knapsack cryptosystems were proposed. • Lattice reduction was used to break them. • It was then found that lattice reduction bears some relation to factoring!

  26. Where is Cryptography Going? • DL and Factoring will doubtless continue to be tested, and new, valuable results developed. • Other ideas will be proposed, and perhaps they can follow in the footsteps of the two families. • Continuing basic research benefits us all.

More Related