1 / 73

Chapter 6 Public Key Algorithms

Chapter 6 Public Key Algorithms. Instructor: 孫宏民 hmsun@cs.nthu.edu.tw Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694. Exponentiation Ciphers. We will consider two kinds of exponentiation ciphers developed by the following people:

knoton
Télécharger la présentation

Chapter 6 Public Key Algorithms

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 6 Public Key Algorithms Instructor: 孫宏民 hmsun@cs.nthu.edu.twRoom: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694

  2. Exponentiation Ciphers • We will consider two kinds of exponentiation ciphers developed by the following people: • Both schemes encipher a message block M [0, n – 1] by computing the exponential C = M e mod n,

  3. where e and n are the key to the enciphering transformation. • M is restored by the same operation, but using a different exponent d for the key: M = C d mod n. • Enciphering and deciphering can be implemented using the fast exponentiation algorithm: C = fast_exp(M, e, n) M = fast_exp(C, d, n)

  4. Why the Algorithms Work • Thm: Given e, d, M such that ed mod (n) = 1,M [0, n -1] ,gcd(M, n) = 1, Then (M e mod n) d mod n = M. • Proof: (M e mod n) d mod n = M ed mod n ed mod (n) = 1  ed = t (n) + 1 M ed mod n = M t(n)+1 mod n = M M t(n) mod n = M (M t(n) mod n) mod n = M

  5. where = M t(n) mod n = (M (n) mod n) t mod n = 1t mod n = 1 .

  6. A Few Words About the Theorem • Note that by symmetry, enciphering and deciphering are commutative and mutual inverses; thus, (M d mod n) e mod n = M de mod n = M • Given (n), it is easy to generate a pair (e, d) such that ed mod (n) = 1. This is done by first choosing d relatively prime to (n), and then computing e as • e = inv(d, (n))

  7. Because e and d are symmetric, we could also pick e and compute d = inv(e, (n)). • Given e, it is easy to compute d (or vice versa) if (n) is known. But if e and n can be released without giving away (n) or d, then the deciphering transformation can be kept secret, while the enciphering transformation is made public.

  8. It is the ability to hide (n) that distinguishes the two schemes.

  9. Pohlig-Hellman Scheme • The modulus is chosen to be a large prime p. To encipher: C = M e mod p To decipher: M = C d mod p • Because p is prime, (p) = p – 1. • Thus the scheme can only be used for conventional encryption, where e and d are both kept secret.

  10. Ex. Let p = 11, (p) = 10. Choose d = 7 and compute e = inv(7, 10) = 3. Suppose M = 5. Then M is enciphered as: C = M e mod p = 53 mod 11 = 4. Similarly, C is deciphered as: C d mod p = 47 mod 11 = 5 = M .

  11. Security Concern • The security of the scheme rests on the complexity of computing discrete logarithms. • A cryptanalyst may deduce p by observing the sizes of plaintext and ciphertext blocks. • Under a known-plaintext attack, a cryptanalyst can compute e (and thereby d) given a pair (M, C): • e = log M C

  12. Pohlig and Hellman show that if (p – 1) has only small prime factors, it is possible to compute the logarithm in O(log2p) time, which is unsatisfactory even for large values of p. • They recommend picking p = 2p + 1, where p is also a large prime.

  13. Discrete Logarithm • The fastest known algorithm for computing the discrete logarithm takes about steps. • If p is a few hundred decimal digits long, it will take several billion years to compute.

  14. RSA Scheme • The modulus is the product of two large primes p and q, i.e., n = pq. Thus (n) = (p – 1) (q – 1) To encipher: C = M e mod n To decipher: M = C d mod n

  15. They recommend picking d relatively prime to (n) in the interval [max(p, q) + 1, n – 1] (any prime in this interval will do). • Once d is chosen, e can be computed using the inv function. If the computed e is less than log2n, then a new value of d should be picked.

  16. Example • Ex. Let p = 5 and q = 7, so n = 57 = 35 and (n) = 46 = 24. Choose d = 11 and compute e = 11. Suppose M = 2. Then C = M e mod n = 211 mod 35 = 18 and C d mod n = 1811 mod 35 = 2 = M.

  17. Ex. Let p = 53 and q = 61, so n = 53  61 = 3233 and (n) = 5260 = 3120. Choose d = 791 and compute e = 71. To encipher the message RENAISSANCE, we break it into blocks of 4 digits each, where A = 00, B = 01, ..., Z = 25, and blank = 26 (in practice, characters would be represented by their 8-bit ASCII codes). Thus we have

  18. The first block is enciphered as 170471 = 3106. The entire message is enciphered as

  19. Security Concern • Because (n) cannot be determined without knowing the prime factors p and q, it is possible to keep d secret even if e and n are made public. • Thus the RSA scheme can be used for public-key encryption, where the enciphering transformation is made public and the deciphering transformation is kept secret.

  20. The security of the system depends on the difficulty of factoring n into p and q. The fastest known factoring algorithm takes about the same number of steps required for solving the discrete logarithm problem.

  21. More About Euler's Theorem • Recall that for Pohlig-Hellman and RSA schemes to work, we must have M < n and gcd(M, n) = 1. • For Pohlig-Hallman scheme, this is for sure since n is prime. But how about RSA? Since n equals pq, it is possible that M is a multiple of p or a multiple of q (but not both, of course). • We want to show that even if M is a multiple of p or q, the RSA scheme still works.

  22. What Happens When gcd(M, n)  1 • Suppose M is a multiple of p, so that M = cp for some c and gcd(M, q) = 1. M(q) mod q = 1  (M(q)) (p) mod q = 1 M(n) mod q = 1 • Therefore, there is some k such that M(n) = kq + 1

  23. Multiply each side by M = cp, M(n)+1 = M + kqcp = M + ckn Thus M(n)+1 mod n = M . The case when M is a multiple of q is similar.

  24. Summarization (RSA Scheme) • Key Generation

  25. Encryption • Decryption • Plaintext : M • Ciphertext : C=Me mod n • Ciphertext : C • Plaintext : M=Cd mod n

  26. Summarization (RSA Scheme) • Each user A obtains a modulus nA and enciphering and deciphering exponents eA and dA. A registers eA and nA with a public directory, thus making A's enciphering transformation EA public. • A keeps dA and, therefore, the deciphering transformation DA secret.

  27. Public-Key Systems • In a public-key system, each user has both a public and private key, and two users can communicate knowing only each other's public keys. • User A has a public enciphering transformationEA, which may be registered with a public directory, and a private deciphering transformationDA, which is known only to user A.

  28. The private transformation DA is described by a private key, and the public transformation EA by a public key derived from the private key by a one-way transformation. • It must be computationally infeasible to determine DA from EA.

  29. Secrecy And Authenticity • In a public-key system, secrecy and authenticity are both provided. • Secrecy

  30. Authenticity

  31. Secrecy • Suppose user A wishes to send a message M to another user B. If A knows B's public transformation EB, A can transmit M to B in secrecy by sending the ciphertext C = EB(M). • On receipt, B deciphers C using B's private transformation DB, getting • DB(C) = DB(EB(M)) = M .

  32. The scheme does not provide authenticity because any user with access to B's public transformation could substitute another message M' for M by replacing C with C' = EB(M' ).

  33. Authenticity • For authenticity, M must be transformed by A's own private transformation DA. A sends C = DA(M) to B. • On receipt, B uses A's public transformation EA to compute • EA(C) = EA(DA(M)) = M .

  34. Authenticity is provided because only A can apply the transformation DA. • Secrecy is not provided because any user with access to A's public transformation can recover M.

  35. Both Secrecy And Authenticity • To use a public-key system for both secrecy and authenticity: • the ciphertext space must be equivalent to the plaintext space so that EA and DA can operate on both plaintext and ciphertext messages. • Both EA and DA must be mutual inverses so that EA(DA(M)) = DA(EA(M)) = M.

  36. Suppose A wishes to send a message M to B. A sends to B the ciphertext C = EB(DA(M)) . • On receipt, B deciphers C by EA(DB(C)) = EA(DB(EB(DA(M)))) = EA(DA(M)) = M .

  37. Both Secrecy And Authenticity • RSA scheme can be used for both secrecy and authenticity.

  38. Secrecy And Authenticity (RSA) • User B can send a secret message M to A using which A deciphers using Only A can decipher C to get M.

  39. Alternatively, A can send a signed message M to B using which B authenticates using • Because only A can apply DA, it cannot be forged, and a judge can settle any dispute arising between A and B.

  40. Both Secrecy And Authenticity • A slight difficulty arises when both security and authenticity are desired. For A to send a message to B: C = EB(DA(M)) If nA > nB , the blocks comprising DA(M) might not be in the range [0, nB – 1]. • Reducing them modulo nB does not solve the problem, because it would then be impossible to recover the original message.

  41. Possible Solutions • One solution is to reblock DA(M). • Reblocking can be avoided using a threshold value h (e.g., h = 1099). Each user has two sets of transformations: • ( EA1 , DA1) for signatures • ( EA2 , DA2) for secrecy • where nA1 < h < nA2.

  42. A sends a signed message to B: • C = EB2(DA1(M)) • B recovers M and checks A’s signature: • EA1(DB2(C)) • = EA1(DB2(EB2(DA1(M)) • = EA1(DA1(M)) • = M .

  43. Another Solution • If C = EB (DA (M)) is not computable because nA > nB, then C' = DA(EB(M )) is computable. • User B, knowing both nA and nB (both are public), can recover M by computing either of the following: Case 1: nA < nB EA(DB(C))= EA(DB(EB(DA(M)))) = EA(DA(M)) = M .

  44. Case 2: nA > nB DB(EA(C' ))= DB(EA(DA(EB(M)))) = DB(EB(M)) = M .

  45. Dispute Resolution • If a dispute arises between A and B on the authenticity of A's signature, a judge must be able to ascertain that M originated with M. • If nA < nB, B applies B's private transformation to C and presents the judge with X = DB(C) and M. The judge compute M' = EA(X) using A's public transformation, and verifies that M' = M.

  46. If nA > nB, another approach is needed because DB must be applied after EA, and B may not want to give DB to the judge. • The solution is for B to present the judge with C' and M. The judge computes X = EB(M) X' = EA(C' ) = EA(DA(EB(M))) and verifies that X = X'.

  47. Summarization

  48. Public-Key Cryptography Standard • The PKCS standards define the encoding for things such as an RSA public key, an RSA private key, RSA signature, a short RSA-encrypted message, a short RSA-signed message, and password-based encryption.

  49. The threats that PKCS has been designed to deal with are: • Encrypting guessable message • Signing smooth numbers • Multiple recipients of a message when e=3 • Encrypting messages that are less than a third the length of n when e=3. • Signing messages where the information is in the high-order part and e=3.

  50. Encryption • The recommended standard is • The top octet is 0. PKCS specifies that the high-octet of the modulus must non-zero. • The next octet is 2, which is the form type. The value 2 is used to be encrypted. The value 1 is used to be signed.

More Related