# Session 4

##### Presentation Transcript

1. Session 4 Asymmetric ciphers

2. Contents • Definition of asymmetric (public key) ciphers • Applications of asymmetric ciphers • The public key encipherment procedure • The RSA public key cipher system

3. Asymmetric cipher definition • The general cryptographic procedure: [Diagram: A enciphers the plaintext with a key, the ciphertext is sent to B, who deciphers it with a key to recover the plaintext; cryptanalysis attempts to decrypt the ciphertext.]

4. Asymmetric cipher definition • In a symmetric cipher system, the same key is delivered to both participants in advance, via a secure channel. • If there are $n$ participants, the keys have to be distributed pairwise, i.e. • Each participant is given $n-1$ different keys • The total number of keys is $n(n-1)/2$. • Consequence: problems with distribution, storage and updating of keys.

5. Asymmetric cipher definition • An alternative key distribution system is needed, or a different cipher system. • There is not much flexibility left within a symmetric cipher system to distribute the keys in a better way. • Then we need a cipher system that would NOT use the secure channel to distribute the keys.

6. Asymmetric cipher definition • How can we define such a system? • Does such a system exist? • If such a system exists in theory, can we realize it in practice? • What is the security of such a system?

7. Asymmetric cipher definition • Diffie-Hellman’s definition of a public key (or asymmetric) cipher system (1976) (1): • Let {K } be a finite key space and let {M } be a finite message space. • A public key cipher system is a pair of families of transformations and representing irreversible transformations:

8. Asymmetric cipher definition • Diffie-Hellman’s definition of a public key (or asymmetric) cipher system (1976) (2): • In such a system, the following holds: • For every $K \in \{K\}$, $E_K$ is the inverse of $D_K$ • For every $K \in \{K\}$ and $M \in \{M\}$, the algorithms $E_K$ and $D_K$ are easy to compute • For almost every $K \in \{K\}$, each easily computed algorithm equivalent to $D_K$ is computationally infeasible to derive from $E_K$ • For every $K \in \{K\}$, it is feasible to compute inverse pairs $E_K$ and $D_K$ from $K$.

9. Asymmetric cipher definition • From property 3, $E_K$ can be made public without compromising $D_K$ • Property 4 guarantees that there is a feasible way of computing corresponding pairs of inverse transformations $E_K$ and $D_K$.

10. Asymmetric cipher definition • Given a system of this kind, the problem of key distribution is vastly simplified: • Each participant generates a pair of inverse transformations, E and D. • The deciphering transformation D must be kept secret but need not be transmitted by any channel – we do not need a secure channel. • The enciphering transformation E can be made public – placed in a public directory.

11. Asymmetric cipher definition • But we still do not know whether such a cipher system is (theoretically) possible. • One way to give such a system a sound theoretical definition is through so-called one-way functions.

12. Asymmetric cipher definition • A function $y = f(x)$ is a one-way function if • For any $x$, it is feasible to compute $f(x)$ • For almost all $y$ in the range of $f$, it is computationally infeasible to solve the equation $y = f^{-1}(x)$, for any $x$ in the domain.

13. Asymmetric cipher definition • The function f is not invertible from the computational point of view. • A special class of one-way functions is of interest in the public key context – trap-door one-way functions.

14. Asymmetric cipher definition • A trap-door one-way function • A simply computed inverse exists • But given $f$, it is conditionally computationally infeasible to find a simply computed inverse • Only through knowledge of certain trap-door information can an easily computed inverse be found.

15. Asymmetric cipher definition • The problem • Strictly mathematically speaking, the existence of (trap-door) one-way functions has not been proved yet. • There are functions that have properties similar to these functions – we believe that they are candidates for (trap-door) one-way functions.

16. Asymmetric cipher definition • Rivest-Shamir-Adleman’s (RSA’s) definition of an asymmetric (public key) cipher system (1977) (1): • Let E be an encipherment transformation and let D be the corresponding decipherment transformation.

17. Asymmetric cipher definition • RSA’s definition of an asymmetric (public key) cipher system (1977) (2): • The properties of $E$ and $D$ • $D(E(M)) = M$ • Both $E$ and $D$ are feasible to compute • Publicly revealing $E$ does not reveal a feasible way to compute $D$ • $E(D(M)) = M$

18. Asymmetric cipher definition • A function E satisfying the properties 1-3 is a trap-door one-way function. • A function E satisfying the properties 1-4 is a trap-door one-way permutation (one-one and onto).

19. Applications of asymmetric ciphers • Confidentiality • Integrity – digital signatures • Authentication – hash functions • Key exchange

20. The public key encipherment procedure • The participants in the communication are usually given names, such as Alice and Bob. • Alice uses the transformation $E_A$ for encipherment and $D_A$ for decipherment • Bob uses the transformation $E_B$ for encipherment and $D_B$ for decipherment.

21. The public key encipherment procedure • Illustration-confidentiality: Alice sends an enciphered message to Bob

22. The public key encipherment procedure • Alice takes $E_B$ from a public directory • $D_B$ is kept secret by Bob. It is not transmitted by any means – no secure channel is needed.

23. The public key encipherment procedure • The confidentiality protocol

24. The RSA public key cipher system • The prerequisites: each participant does the following (1): • Generates two large distinct random primes $p$ and $q$, approximately of the same size (if encoded in bits) • Computes $n = pq$ and $\varphi(n) = (p-1)(q-1)$ • Selects a random integer $e$, $1 < e < \varphi(n)$, such that $(e, \varphi(n)) = 1$

25. The RSA public key cipher system • The prerequisites: each participant does the following (2): • Computes the unique integer $d$, $1 < d < \varphi(n)$, such that $ed \equiv 1 \pmod{\varphi(n)}$. This can be done by means of the extended Euclidean algorithm. • The public key is $(n, e)$ and the private key is $d$.

26. The RSA public key cipher system • Encipherment: Alice enciphers a message for Bob • Obtains Bob’s authentic public key $(n_B, e_B)$ • Represents the message in the form of an integer $m$ in the interval $[0, n_B - 1]$ • Computes • Sends $c$ to Bob.

27. The RSA public key cipher system • Decipherment: Bob deciphers the message enciphered by Alice • Bob uses his private key $d_B$ to compute • $m$ is converted to a meaningful text.
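
The procedure of slides 24 to 27 as a runnable sketch. This is an added example, not part of the original slides: the function names and the two fixed primes are assumptions made here, and `pow` is Python's built-in modular exponentiation and inverse, with $c = m^e \bmod n$ and $m = c^d \bmod n$ being the standard RSA operations.

```python
import math
import secrets

def make_keypair(p, q):
    """Slides 24-25: build ((n, e), d) from two distinct primes p and q."""
    if p == q:
        raise ValueError("p and q must be distinct")
    n = p * q
    phi = (p - 1) * (q - 1)
    while True:
        # Random e with 1 < e < phi(n) and (e, phi(n)) = 1.
        e = secrets.randbelow(phi - 2) + 2
        if math.gcd(e, phi) == 1:
            break
    # d with e*d = 1 (mod phi(n)). pow(e, -1, phi) is Python's built-in
    # modular inverse (3.8+), standing in for the extended Euclidean step.
    d = pow(e, -1, phi)
    return (n, e), d

def encipher(text, public_key):
    """Slide 26: encode the message as an integer m in [0, n-1], then
    compute c = m^e mod n."""
    n, e = public_key
    m = int.from_bytes(text.encode("utf-8"), "big")
    if m >= n:
        raise ValueError("message does not fit in [0, n-1]")
    return pow(m, e, n)

def decipher(c, n, d):
    """Slide 27: m = c^d mod n, converted back to text."""
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode("utf-8")

# Constructed sample input: two known Mersenne primes stand in for Bob's
# random primes so that the run is reproducible (toy size, no padding).
P, Q = 2**61 - 1, 2**89 - 1
BOB_PUBLIC, BOB_PRIVATE = make_keypair(P, Q)
CIPHERTEXT = encipher("Session 4 for Bob", BOB_PUBLIC)
print(decipher(CIPHERTEXT, BOB_PUBLIC[0], BOB_PRIVATE))
```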

28. The RSA public key cipher system • The security of the RSA cipher system lies in the hope that the encipherment function is a one-way function. • The trap-door is the knowledge of the factorization of n. This knowledge allows Bob to decipher.

29. The RSA public key cipher system • To realize RSA in practice we need (1) • Random primes • Generating random numbers • Primality testing • Euler’s function $\varphi(n)$

30. The RSA public key cipher system • To realize RSA in practice we need (2) • Extended Euclidean algorithm • Multiplicative inverse • Modular exponentiation – to compute powers with large exponents

31. Random primes • Random primes generation • Generate a random integer m • If m is even, replace m by m +1 • Test if m is prime • If m is not prime, test if m +2 is prime, etc.

32. Random primes • Theorem (the prime number theorem) • If $m$ is chosen at random, the probability that $m$ is prime is approximately $1/\ln m$. • Consequence: we can expect to test $\ln m$ numbers for primality.

33. Random primes • Example: if $m$ can be represented with 512 bits (i.e. the maximum representable integer is $2^{256}-1$), then $\ln m \approx 177$, which means that we have to test approximately 177 integers before we find a prime of that size.

34. Random primes • Primality testing • In practice, probabilistic (Monte Carlo) algorithms for testing primality are used, e.g. • Solovay-Strassen • Miller-Rabin • These algorithms are fast, but they may output an integer that is not a prime; the probability of this is small.

35. Euler’s function $\varphi(n)$ • Let $n$ be a positive integer. • Euler’s function $\varphi(n)$ is defined to be the number of positive integers $b$ less than or equal to $n$, which are relatively prime to $n$, i.e.

36. Euler’s function $\varphi(n)$ • Theorem - computing $\varphi(n)$ • Given a positive integer $n$ with the factorization • Then

37. Euler’s function $\varphi(n)$ • Example – RSA • $n = pq$, where $p$ and $q$ are primes • Then $\varphi(n) = (p^1 - p^0)(q^1 - q^0) = (p-1)(q-1)$

38. Extended Euclidean algorithm • Euclidean algorithm - computes (a,b), given integers a and b

39. Extended Euclidean algorithm • Example: find $(1180, 482)$ • $1180 = 2 \cdot 482 + 216$ • $482 = 2 \cdot 216 + 50$ • $216 = 4 \cdot 50 + 16$ • $50 = 3 \cdot 16 + 2$ • $16 = 8 \cdot 2 + 0$ • So, $(1180, 482) = 2$

40. Extended Euclidean algorithm • Theorem – extended Euclidean algorithm • Let $d = (a, b)$, where $a > b$. • Then there exist integers $u$ and $v$ such that $d = ua + vb$.

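41. Extended Euclidean algorithm • Example (continued from the divisions $1180 = 2 \cdot 482 + 216$, $482 = 2 \cdot 216 + 50$, $216 = 4 \cdot 50 + 16$, $50 = 3 \cdot 16 + 2$, $16 = 8 \cdot 2 + 0$) • $2 = 50 - 3 \cdot 16$ • $= 50 - 3(216 - 4 \cdot 50)$ • $= 13 \cdot 50 - 3 \cdot 216$ • $= 13(482 - 2 \cdot 216) - 3 \cdot 216$ • $= 13 \cdot 482 - 29 \cdot 216$ • $= 13 \cdot 482 - 29(1180 - 2 \cdot 482)$ • $= 71 \cdot 482 - 29 \cdot 1180$ • So, $u = -29$, $v = 71$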

42. Multiplicative inverse • Arithmetic modulo $m$ • $Z_m$ is defined to be the set $G = \{0, \ldots, m-1\}$, equipped with two operations, $+$ and $\times$, i.e. $Z_m$ is a structure $(G, +, \times)$ • The results of addition and multiplication are reduced modulo $m$

43. Multiplicative inverse • The structure (G,+) satisfies the axioms of the group – additive group: • Closure: • Associativity: • Existence of the identity (neutral) element • Existence of the inverse elements

44. Multiplicative inverse • The structure $(G, \times)$ satisfies closure, associativity and the existence of the neutral element, but does not satisfy the existence of inverse element for each element of $G$ (in general). • Such a structure $(G, +, \times)$ is called a ring.

45. Multiplicative inverse • Multiplicative inverse – inverse of an element of the structure $(G, \times)$ of the ring $Z_m$ • Theorem • An element $a$ of $Z_m$ has a multiplicative inverse if and only if $(a, m) = 1$

46. Multiplicative inverse • Let $a$ be an element of $Z_m$ and let $(a, m) = 1$ (i.e. $a$ and $m$ are relatively prime). This can be shown by the Euclidean algorithm. • Then by the extended Euclidean algorithm we get $1 = ua + vm$

47. Multiplicative inverse • Taking both sides of the expression $1 = ua + vm$ modulo $m$, we get $1 \equiv ua \pmod{m}$ • This means that $u$ is the multiplicative inverse of $a$ modulo $m$.

48. Multiplicative inverse • Example • Find the multiplicative inverse of 2 in $Z_{17}$. • The Euclidean algorithm gives • $17 = 8 \cdot 2 + 1$ • $2 = 2 \cdot 1 + 0$ • The extended Euclidean algorithm gives • $1 = 17 - 8 \cdot 2$ • Taking both sides modulo 17 gives $1 \equiv -8 \cdot 2 \pmod{17}$, or equivalently $1 \equiv 9 \cdot 2 \pmod{17}$, i.e. $9 = 2^{-1}$

49. Modular exponentiation • Modular exponentiation is computing $b^n \pmod{m}$ • Let $(n_0, n_1, \ldots, n_{k-1})$ be the binary representation of $n$, i.e. $n = n_0 + 2 n_1 + 2^2 n_2 + \cdots + 2^{k-1} n_{k-1}$ • The binary representation of $n$ is obtained by means of the “arrow algorithm”

50. Modular exponentiation • The “arrow algorithm” – convert from base 10 to any base B • Get the last digit of the converted number by dividing n by B and taking the remainder • Replace n by the quotient • Repeat until the quotient is 0.
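
The "arrow algorithm" of slide 50 and a modular exponentiation built on the binary digits it produces, as an added example that is not part of the original slides. The function names are assumptions made here, and the exponentiation uses the standard right-to-left square-and-multiply method.

```python
def to_base(n, base):
    """Arrow algorithm: digits of n in the given base, least significant
    first, i.e. (n_0, n_1, ..., n_{k-1})."""
    if n < 0 or base < 2:
        raise ValueError("need n >= 0 and base >= 2")
    digits = []
    while True:
        # The remainder is the next digit; the quotient replaces n.
        n, remainder = divmod(n, base)
        digits.append(remainder)
        if n == 0:
            return digits

def mod_exp(b, n, m):
    """Compute b^n (mod m) from the binary digits of n.
    b^n is the product of b^(2^i) over the positions i where n_i = 1."""
    result = 1 % m
    square = b % m                  # holds b^(2^i) mod m at step i
    for bit in to_base(n, 2):
        if bit:
            result = (result * square) % m
        square = (square * square) % m
    return result

if __name__ == "__main__":
    print(to_base(13, 2))
    print(mod_exp(4, 13, 497))
```

Every intermediate value stays below $m^2$, which is what makes exponents of RSA size practical.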