Learn about public key cryptography, including key distribution, source authentication, Diffie-Hellman key exchange, efficiency, and security considerations. Delve into number theory concepts like Euclid's algorithm, extended Euclid's algorithm, and the Chinese Remainder Theorem. Understand the theoretical foundations and practical applications of asymmetric encryption.
Public Key Cryptography
CS 470 Introduction to Applied Cryptography
Instructor: Ali Aydin Selcuk

Public Key Cryptography
“New Directions in Cryptography”, Diffie & Hellman, 1976:
Two fundamental problems in cryptography can be solved by an asymmetric “trapdoor one-way function”:
• key distribution
• source authentication
An asymmetric encryption function:
• Encryption & decryption keys are different.
• Knowledge of the encryption key is not sufficient for deriving the decryption key efficiently.
• Hence, the encryption key can be made “public”.

Public Key Cryptography
Key distribution solution:
• Alice makes her encryption key K public.
• Everyone can send her an encrypted message: C = E_K(P)
• Only Alice can decrypt it with the private key K^{-1}: P = D_{K^{-1}}(C)
Source authentication solution:
• Only Alice can “sign” a message, using K^{-1}.
• Anyone can verify the signature, using K.
Only if such a function could be found...

Diffie-Hellman Key Exchange
Public parameters:
• p: A large prime
• g: A generator of Z_p^*, i.e., {g^i | 0 ≤ i ≤ p-2} = {1, 2, ..., p-1}.
, {0, 1, 2,...,p-2} are secret.
Alice Bob g mod p g mod p computes (g) mod p computes (g) mod p K = g mod p

Security of DH
• Discrete Logarithm Problem: Given p, g, g mod p, what is ? (easy in Z, hard in Z_p.)
• DH Problem: Given p, g, g mod p, g mod p, what is g mod p?
• Conjecture: DHP is as hard as DLP. (Note: Neither is proven to be NP-complete.)
• “Safe prime”: If (p-1)/2 is also a prime.
• Best known method for DLP: “Number Field Sieve” with running time e^{(1.923 + O(1)) (ln p)^{1/3} (ln ln p)^{2/3}}.

Efficiency of DH
Generating a large prime:
• Generate a random number & test for primality.
• Primality testing is efficient.
• Density of primes: Prime Number Theorem: For π(n) denoting the number of primes ≤ n, we have π(n) ~ n / ln n. That is, lim n → (π(n) ln n) / n = 1.

Efficiency of DH
How to compute (g mod p) for large p, g,?
x^n = (x^k)^2 if n = 2k
x^n = (x^k)^2 · x if n = 2k + 1
“Repeated squaring”: Start with the most significant bit of the exponent.
E.g. Computing 3^{25} mod 20. 25 = (11001)_2
y_0 = 3^{(1)} mod 20 = 3
y_1 = 3^{(11)} mod 20 = 3^2 · 3 mod 20 = 7
y_2 = 3^{(110)} mod 20 = 7^2 mod 20 = 9
y_3 = 3^{(1100)} mod 20 = 9^2 mod 20 = 1
y_4 = 3^{(11001)} mod 20 = 1^2 · 3 mod 20 = 3
Further efficiency with preprocessing x^i, i < 2^k, for some k.

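The repeated-squaring trace above and the Diffie-Hellman exchange it serves, as an added example that is not part of the original slides. The exponent names a and b, the function names, and the toy parameters p = 23, g = 5 are assumptions of this example.

```python
# Added example (not from the slides): MSB-first repeated squaring and a toy DH run.
import secrets

def modexp_trace(x, n, m):
    """Return (x**n mod m, [y_0, y_1, ...]) scanning the exponent MSB-first."""
    if n < 1 or m < 1:
        raise ValueError("need exponent >= 1 and modulus >= 1")
    bits = bin(n)[2:]            # leading bit is always 1
    y = x % m                    # y_0 = x^(1)
    trace = [y]
    for bit in bits[1:]:
        y = (y * y) % m          # appending a bit doubles the exponent: square
        if bit == "1":
            y = (y * x) % m      # bit set: exponent is 2k + 1, one more multiply
        trace.append(y)
    return y, trace

def modexp(x, n, m):
    return modexp_trace(x, n, m)[0]

def dh_exchange(p, g, a, b):
    """Run both sides; a and b are the two secret exponents (names assumed here)."""
    pub_a = modexp(g, a, p)      # Alice -> Bob
    pub_b = modexp(g, b, p)      # Bob -> Alice
    key_a = modexp(pub_b, a, p)  # Alice raises Bob's value to her secret
    key_b = modexp(pub_a, b, p)  # Bob raises Alice's value to his secret
    return pub_a, pub_b, key_a, key_b

# Constructed toy parameters: 23 is a safe prime (11 is prime) and 5 generates Z_23^*.
TOY_P, TOY_G = 23, 5

if __name__ == "__main__":
    print(modexp_trace(3, 25, 20))               # the slide's worked example
    a = secrets.randbelow(TOY_P - 2) + 1         # secret in 1..p-2
    b = secrets.randbelow(TOY_P - 2) + 1
    print(dh_exchange(TOY_P, TOY_G, a, b))
```

The branch on each exponent bit makes the running time of this version depend on the secret exponent, so deployed code relies on a constant-time routine from a vetted library instead.
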
Structure of Z_p^*
For a prime p, let Z_p^* denote all non-zero elements of Z_p.
Fermat’s (Little) Theorem: For all x Z_p^*, we have x^{p-1} ≡ 1 (mod p).
Let <g> denote the numbers generated by powers of g in Z_p^*; <g> = {g, g^2, …, g^{p-1}}.
E.g. for Z_5^*:
<1> = {1}
<2> = {2,4,3,1}
<3> = {3,4,2,1}
<4> = {4,1}
• “order” of 1 is one; of 4 is two; of 2 & 3 is four.
• 2 & 3 are “generators” of Z_5^* (they have order p-1).
• Fact: For every prime p, Z_p^* has a generator.

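Orders and generators as described above, as an added example that is not part of the original slides. It goes beyond the Z_5^* case by testing generators through the prime factors of p-1; the function names and the use of p = 23 are assumptions of this example.

```python
# Added example (not from the slides): orders and generators in Z_p^*.

def prime_factors(n):
    """Distinct prime factors by trial division (fine for toy sizes only)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def generated_set(g, p):
    """<g> listed in the slide's order: g, g^2, ... until 1 is reached."""
    if g % p == 0:
        raise ValueError("g must be non-zero mod p")
    out, y = [], 1
    while True:
        y = (y * g) % p
        out.append(y)
        if y == 1:
            return out

def order(x, p):
    """Order of x in Z_p^*: strip prime factors from p-1 while x^d stays 1."""
    if x % p == 0:
        raise ValueError("x must be non-zero mod p")
    d = p - 1                       # Fermat: x^(p-1) = 1, so the order divides p-1
    for q in prime_factors(p - 1):
        while d % q == 0 and pow(x, d // q, p) == 1:
            d //= q
    return d

def is_generator(g, p):
    """g generates Z_p^* iff g^((p-1)/q) != 1 for every prime q dividing p-1."""
    return g % p != 0 and all(pow(g, (p - 1) // q, p) != 1
                              for q in prime_factors(p - 1))

def generators(p):
    return [g for g in range(1, p) if is_generator(g, p)]

if __name__ == "__main__":
    for x in range(1, 5):
        print(x, generated_set(x, 5), order(x, 5))
    # Safe prime 23 = 2*11 + 1: only the exponents 11 and 2 need checking.
    print(generators(23))
```
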
Number Theory Review
Euclid’s algorithm to compute gcd(m,n): Divide repeatedly until no divisor is left:
m = q_0 n + r_0, 0 ≤ r_0 < n
n = q_1 r_0 + r_1, 0 ≤ r_1 < r_0
r_0 = q_2 r_1 + r_2, 0 ≤ r_2 < r_1
....
r_{k-2} = q_k r_{k-1} + r_k, 0 ≤ r_k < r_{k-2}
r_{k-1} = q_{k+1} r_k.
(why is convergence guaranteed?)
Theorem: gcd(m,n) = r_k.
Proof: r_k divides all r_i's, hence r_k | m,n. Conversely, if d | m,n, then d | r_i, including r_k.

Extended Euclid’s Algorithm
• Compute u, v, such that gcd(m,n) = um + vn.
• Maintain u_i, v_i, such that r_i = u_i m + v_i n (“loop invariant”). When the last r is reached, u & v are found.
• Given r_{i-2} = u_{i-2} m + v_{i-2} n and r_{i-1} = u_{i-1} m + v_{i-1} n, we have
  r_i = r_{i-2} – q_i r_{i-1}
      = (u_{i-2} m + v_{i-2} n) – q_i (u_{i-1} m + v_{i-1} n)
      = (u_{i-2} – q_i u_{i-1}) m + (v_{i-2} – q_i v_{i-1}) n
  Hence, u_i = u_{i-2} – q_i u_{i-1} and v_i = v_{i-2} – q_i v_{i-1}.
• Initial conditions: For r_0 = m – q_0 n, we have r_{-1} = n, r_{-2} = m.
  u_{-1} = 0, v_{-1} = 1
  u_{-2} = 1, v_{-2} = 0.

Extended Euclid’s Algorithm
E.g. Compute gcd(100, 18) with the u, v coefficients:
 i   r_i  q_i  u_i  v_i
-2   100   –    1    0
-1    18   –    0    1
 0    10   5    1   -5
 1     8   1   -1    6
 2     2   1    2  -11  (*)
 3     0   4    –    –
gcd(100, 18) = 2, 2 = 2*100 – 11*18.

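The recurrence and the gcd(100, 18) table above, as an added example that is not part of the original slides. The function names are assumptions of this example, and inverse_mod is an application of the u coefficient that the slides do not show.

```python
# Added example (not from the slides): extended Euclid with the slide's indexing.

def ext_euclid(m, n):
    """Return (gcd, u, v, rows) with gcd = u*m + v*n for m, n >= 0.

    rows holds (i, r_i, q_i, u_i, v_i) starting at i = -2, as in the table.
    """
    if m < 0 or n < 0:
        raise ValueError("non-negative inputs expected")
    rows = [(-2, m, None, 1, 0), (-1, n, None, 0, 1)]
    r2, u2, v2 = m, 1, 0           # r_{i-2}, u_{i-2}, v_{i-2}
    r1, u1, v1 = n, 0, 1           # r_{i-1}, u_{i-1}, v_{i-1}
    i = 0
    while r1 != 0:
        q, r = divmod(r2, r1)      # r_{i-2} = q_i * r_{i-1} + r_i
        u, v = u2 - q * u1, v2 - q * v1
        assert r == u * m + v * n  # loop invariant r_i = u_i*m + v_i*n
        rows.append((i, r, q, u, v))
        r2, u2, v2, r1, u1, v1 = r1, u1, v1, r, u, v
        i += 1
    return r2, u2, v2, rows        # last non-zero remainder and its coefficients

def inverse_mod(a, n):
    """a^{-1} mod n from the u coefficient (an application not on the slide)."""
    g, u, _, _ = ext_euclid(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd is {g}")
    return u % n

if __name__ == "__main__":
    g, u, v, rows = ext_euclid(100, 18)
    for row in rows:
        print(*("-" if x is None else x for x in row), sep="\t")
    print(f"gcd = {g} = {u}*100 + {v}*18")
    print(inverse_mod(7, 40))
```
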
Number Theory Review
Def: m, n Z are relatively prime if gcd(m,n) = 1.
Def: Z_n^*: the numbers in Z_n relatively prime to n. e.g., Z_6^* = {1, 5}, Z_7^* = {1, 2, 3, 4, 5, 6}.
Def:(n) = |Z_n^*|. e.g., (6) = 2, (7) = 6.
Theorem: If n is prime, (n) = n – 1.
Theorem (Euler): For all m Z_n^*, we have m(n) ≡ 1 (mod n). (This result generalizes Fermat’s theorem to composite values of n.)

Number Theory Review
Chinese Remainder Theorem: For n_1, n_2, ..., n_k pairwise relatively prime, the system
x ≡ r_1 (mod n_1)
x ≡ r_2 (mod n_2)
. . .
x ≡ r_k (mod n_k)
has a unique solution in Z_n, where n = n_1 n_2 ... n_k.
E.g., x ≡ 1 (mod 3), x ≡ 1 (mod 4) x ≡ 1 (mod 12).
But x ≡ 1 (mod 2), x ≡ 1 (mod 4) is either 1 or 5 in Z_8, whereas x ≡ 1 (mod 2), x ≡ 2 (mod 4) has no solutions.
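
A solver for the systems above, as an added example that is not part of the original slides. It goes beyond the pairwise-coprime theorem to cover the two non-coprime cases the slide mentions; the function names are assumptions of this example, and pow(x, -1, m) needs Python 3.8 or later.

```python
# Added example (not from the slides): CRT that also handles non-coprime moduli.
from math import gcd

def crt_pair(r1, n1, r2, n2):
    """Merge x = r1 (mod n1) and x = r2 (mod n2).

    Returns (x, lcm(n1, n2)) with 0 <= x < lcm, or None if the pair conflicts.
    """
    g = gcd(n1, n2)
    if (r2 - r1) % g != 0:
        return None                     # e.g. x = 1 (mod 2), x = 2 (mod 4)
    lcm = n1 // g * n2
    m2 = n2 // g
    # Write x = r1 + n1*t and solve (n1/g)*t = (r2 - r1)/g (mod n2/g);
    # n1/g and n2/g are coprime, so the inverse exists.
    inv = pow(n1 // g, -1, m2) if m2 > 1 else 0
    t = ((r2 - r1) // g * inv) % m2
    return (r1 + n1 * t) % lcm, lcm

def crt(congruences):
    """Fold a list of (r_i, n_i) pairs; returns (x, n) or None."""
    x, n = 0, 1
    for r, m in congruences:
        merged = crt_pair(x, n, r % m, m)
        if merged is None:
            return None
        x, n = merged
    return x, n

def solutions_below(congruences, bound):
    """All solutions in [0, bound), e.g. bound = n_1*n_2 to list them in Z_n."""
    merged = crt(congruences)
    if merged is None:
        return []
    x, n = merged
    return list(range(x, bound, n))

if __name__ == "__main__":
    print(crt([(1, 3), (1, 4)]))                  # coprime moduli: unique mod 12
    print(solutions_below([(1, 2), (1, 4)], 8))   # two solutions in Z_8
    print(crt([(1, 2), (2, 4)]))                  # conflicting system
```
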