Public Key Cryptography Overview

cis 5371 cryptography n.w
1 / 45
Embed
Share

Learn about public key cryptography, the Diffie-Hellman protocol, and the computational Diffie-Hellman problem and assumption. Understand concepts like asymmetric encryption, key exchange, safe primes, and the risks of man-in-the-middle attacks in secure communication.

  • Cryptography
  • Encryption
  • Diffie-Hellman
  • Cybersecurity
  • Public Key
rayaanacharya
ryle_404 Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. CIS 5371 Cryptography 8. Asymmetric encryption- 1

  2. Public Key Cryptography Alice Bob Alice and Bob want to exchange a private key in public.

  3. Public Key Cryptography The Diffie-Hellman protocol Let p is a large prime and ? ?? . The order of ? is a factor of ? 1. has a generator for any factor h of ? 1. ?? p is called a safe prime if h = 2q, with q a prime.

  4. Public Key Cryptography The Diffie-Hellman protocol Alice (?) ga mod p Bob (?) gb mod p The private key is: gab mod p where p is a prime and g is a generator of Zp*

  5. Example p = 43, g = 3, Alice and Bob share (p,g) = (43,3). Alice picks her (secret) exponent: a random a = 8 U [0:42]. Alice sends Bob: 38 25 (mod 43). Bob picks his (secret) exponent: a random b = 37 U [0:42]. Bob sends Alice: 337 20 (mod 43). The secret key agreed between the two is: 9 208 2537 (mod 43).

  6. Man-in-the-middle attack Alice picks a U Zp* and sends Malice ( Bob ): ga (mod p) Malice ( Alice ) picks m Zp* and sends Bob: gm (mod p) Bob picks b U Zp* and sends Malice ( Bob) Bob: gb (mod p) Malice ( Bob ) sends Alice: gm (mod p) Alice computes: k1 (gm)a (mod p) Bob computes: k2 (gm)b (mod p)

  7. The Computational Diffie-Hellman Problem, CDH INPUT The description of a finite cyclic group ?of prime order q A generator element ?of ? ??,?? ?, for some integers 0 < ?,? < ?. OUTPUT ???

  8. The Computational Diffie-Hellman Assumption A CDH solver is a PPT algorithm that solves the CDH problem. The CDH Assumption is that, for any CDH solver there exists a negligible function neglsuch that: for an arbitrary instance of the CDH problem, the CDH solver will succeed with probability negl for all sufficiently large inputs.

  9. The Decisional Diffie-Hellman Problem, DDH INPUT The description of a finite cyclic group G of prime order q A generator element g of G ga, gb,gc G, for some integers 0 < a,b,c < q. OUTPUT 1 Decision that gc = gab or 0 Decision that gc gab

  10. The Decisional Diffie-Hellman Assumption A DDH solver is a PPT algorithm that solves the DDH problem. The DDH Assumption is that, for any DDH solver, there exists a negligible function negl such that: for an arbitrary instance of the DDH problem, the DDH solver will succeed with probability 1 2 + negl for all sufficiently large inputs.

  11. The Discrete Logarithm Problem The Discrete Logarithm Problem - DL INPUT The description of a finite cyclic group G of order q (say Zq*) A generator element g of G h G. OUTPUT The unique integer a < q such that h = ga modq . We call the integer a the discrete logarithm of h in base g and write: a = logghmodq .

  12. The Discrete Logarithm Assumption A DL solver is a PPT algorithm that solves the DL problem. The DL Assumption is that, for any DL solver, there exists a negligible function neglsuch that: for an arbitrary instance of the DL problem, the DDH solver will succeed with probability neglfor all sufficiently large inputs.

  13. The RSA cryptosystem Alice performs the following steps Choose p, q large primes with |p| |q|. Compute N = pq. Compute (N) = (p-1)(q-1). Choose a random integer e < (N) such that gcd(e, (N)) = 1 and compute the integer d such that ed = 1 (mod (N)). Make (N,e) the public key, keep (N,d) as private key, and discard p,q and (N).

  14. The RSA cryptosystem Encryption Let m < N be the confidential message that Bob wants to send to Alice. Bob computes the ciphertext: c ??(??? ?). Bob sends Alice: c Decryption To decrypt the ciphertext c Alice computes: ? ??(??? ?).

  15. Check We have: ed = 1 (mod (N)) , so ed = 1 + t (N). Therefore, Dd (Ee (m)) = (me)d = m ed = mt (N)+1 = (m (n))t m = 1 m = m mod n

  16. Example Let p = 101, q = 113. Then N = 11413. (N) = 100 x 112 = 11200 = 26527 For encryption use e = 3533. Alice computes: d = 6531 such that ed =1 mod 11200 (using the Extended Euclidean Algorithm). Alice publishes: N = 11413, e = 3533. Suppose Bob wants to encrypt: 9726. Bob computes 97263533 mod 11413 = 5761 Bob sends Alice the ciphertext 5761. To decrypt it Alice computes the plaintext: 57616531 (mod 11413) = 9726

  17. Implementation Generate two large primes: p,q N pq and (N)= (p-1)(q-1) Choose random e: with 1 < e < (N) & gcd(e, (N))=1 d e -1 mod f (n) The public key is (N,e) and the private key is (N,d) 1. 2. 3. 4. 5.

  18. Cost In Zn: Cost of a modular multiplication (x y) mod n is O (k2), where k = |log2n| Cost of a modular exponentiation xz (mod n) is O (k2 log2z) = O (k2 log2 n)

  19. Cryptanalysis of Public-key cryptosystems Active attacks on cryptosystems Chosen-Plaintext Attack (CPA): The attacker chooses plaintexts and obtains the corresponding ciphertexts: the task of the attacker is successful if he can decrypt a (new) target ciphertext. Chosen-Ciphertext Attack (CCA1): The attacker chooses a number of ciphertexts and obtains the corresponding plaintexts: the task of the attacker is successful if he can decrypt a (new) target ciphertext. Adaptive Chosen-Ciphertext Attack (CCA2): This is a CCS1 attack in which the attacker can adaptively choose ciphertexts: the task of the attacker is successful if he can decrypt a (new) target ciphertext.

  20. The RSA Problem INPUT N = pq with p,q prime nmbers. e an integer such that gcd(e,(p-1)(q-1)) =1 c ZN. OUTPUT The unique integer m ZN such that me c (mod N )

  21. The RSA Assumption An RSA solver is a PPT algorithm that solves the RSA problem. The RSA Assumption is that, for any RSA solver, there exists a negligible function negl such that: for an arbitrary instance of the RSA problem, the RSA solver will succeed with probability neglfor all sufficiently large inputs.

  22. The Integer Factorization Problem The IF Problem (IF) INPUT N an odd composite integer with at least two distinct prime factors. OUTPUT A prime p such that p | N.

  23. The IF Assumption An integer factorizer is a PPT algorithm that solves the IF problem. The IF Assumption is that, for any IF solver, there exists a negligible function negl such that: for an arbitrary instance of the IF problem, the IF solver will succeed with probability negl for all sufficiently large inputs.

  24. Security of RSA 1. Relation to IF problem Recovering the plaintext m from an RSA ciphertext c is easy if factoring is possible. 2. Relation to RSA problem Recovering the plaintext m from an RSA ciphertext c is easy if the RSA problem is easy. 3. Relation between IF and RSA problems If the IF problem is easy then the RSA problem is easy. The converse is likely not to be true.

  25. The Rabin cryptosystem Alice performs the following steps Choose ?,? large primes with |?| = |?|. Compute ? = ??. Pick a random integer ? ?? Make (?,?) public key, keep (?,?) as private key.

  26. The Rabin cryptosystem Encryption Let ? ?? wants to send to Alice. Bob computes the ciphertext: ? ?(? + ?) ??? ?. Bob sends Alice: ? Decryption To decrypt the ciphertext c Alice solves the quadratic equation: ?2 + ?? ? = 0 (??? ?), for ? < ?. be the confidential message that Bob

  27. The Rabin cryptosystem Decryption From elementary arithmetic: ? = ? where = ?2 4? (??? ?). Since m was chosen in ?? 2 , must be in QRN . Notice that if?,?are such that? ? 3 (??? 4), then it iseasier to compute square roots modulo N.

  28. Remarks Suppose p q 3 (mod 4), n = pq. Let y x2 (mod n). Then: ) ( y y / ) 1 + / ) 1 + / ) 1 ( 4 2 ( 2 ( 2 p p p (mod ) y y y p Because . yp / ) 1 ( 2 1 (mod ) p

  29. Remarks (continued) It follows that: yp+ + ( / ) 1 4 (mod ) p A similar argument applies for the other prime q. So we get the quadratic residues modulo p and modulo q. We then get the quadratic residue modulo n by using the Chinese Remainder Theorem. is a square root of y modulo p.

  30. Example Suppose n = 77. Then e(x) = x 2 mod 77 d(y) = mod 77 Suppose Bob wants to decrypt y = 23 y / ) 1 + 7 ( 4 2 23 2 4 mod 7 / ) 1 + 11 ( 4 3 23 1 1 mod 11

  31. Example, continued Using the Chinese Remainder Theorem we compute the 4 square roots of 23 modulo 77 to be: 10 mod 77 , 67 mod 77 45 mod 77 , 32 mod 77 and

  32. The Rabin Problem INPUT N = pq with p,q prime numbers. y = x 2 mod N, x ?? OUTPUT z ?? such that z = x2 mod N.

  33. Security of Rabin Relation to factoring. 1. Recovering the plaintext ? from a Rabin ciphertext ? is easy if the IF problem is easy. Relation between factoring and the Rabin problem Under eavesdropping attacks the Rabin system is secure iff the IF problem is hard. Under CCA attacks the Rabin problem is completely insecure. 3.

  34. Security of Rabin Under CCA attacks the Rabin system is completely insecure. Proof: We show this for the case when ? = 0. The adversary picks an ? and computes ? = ?2??? ? Then he gets its decryption ? . This is one of the 4 square roots of ?, and with probability , gcd ? ?,? = ? or q. Then the adversary can decrypt any ciphertext.

  35. The ELGamal cryptosystem Alice performs the following steps Choose a large random primes p. Compute a random multiplicative generator g ?? Pick x ?? 1 as private key Compute the public key y gxmod p. Make (p,g,y) public key, and keep (p,x) as private key.

  36. The ElGamal cryptosystem Encryption Let m < p be the confidential message that Bob wants to send to Alice. Bob picks k ?? 1 and computes the ciphertext (c1, c2) c1 = gkmod p c2 = ykm mod p Decryption To decrypt the ciphertext (c1, c2) Alice computes ? ?2 (?1)? (mod p).

  37. The ElGamal cryptosystem Check: ?2/(?1)? ???/(??)? ???/?? ? ??? ? .

  38. Example Use p = 43, g =3, m = 14, x = 7, y = 37. Alice s private key: x = 7 Alice s public key: (p,g,y) = (43,3,37). Encryption with k = 26: c1 = gkmod p = 326mod 43 = 15. c2 = ykm mod p = 3726 14 mod 43 = 31. Decryption: m c2/c1x(mod p) 31/157(mod 43) = 14 .

  39. Security of ElGamal Relation to the DL 1. Recovering the plaintext m from an ElGamal ciphertext c is easy if the DL problem is easy. ELGamal and the CDH problem 2. For messages that are uniformly distributed, the ElGamal encryption system is secure against CPAs iff the CDA problem is hard.

  40. Security of ElGamal For messages that are uniformly distributed, the ElGamal encryption system is secure against CPAs iff the CDH problem is hard.

  41. Security of ElGamal Proof: Suppose there exists a PPT algorithm that breaks ElGamal with non negligible probability > 0. Then since m = c2/c1x(mod p) can be computed, c2/m g (loggc1 loggy) (mod p) can also be computed. For an arbitrary CDH instance (p,g,g1,g2), take (p,g,g1) as the ElGamal public key and (c1=g2, c2) as ciphertext. Then the algorithm outputs c2/m= g(loggg2loggg1) (mod p) which is a solution for the CDH instance.

  42. RSA OAEP (with optimal asymmetric encryption padding) m||0k1 r ? {0,1}? ?:{0,1}?0 {0,1}?+?1 ?:{0,1}?+?1 {0,1}?0 G H ? ?||0?1 ?(?) ? ? ?(?) Set ? ?||? s t The OAEP transformation is a two round Feistel network with G,H as round functions. 42

  43. RSA OAEP Set ? ?||? Note that Then to encrypt compute ? ?? ???? To decrypt compute ? ?? ????, get ?||?, compute ? ?(?) ?, to get ? ? ? ?. Verify that the trailing ?1 bits are 0 and if so recover ?. |?| = ? + ?0+ ?1 ? ? . RSA-OAEP can be proven CCA-secure under the RSA assumption, if G and H are modeled as random oracles Widely used in practice 43

  44. RSA based KEM Gen: on input 1?run GenRSA to compute (?,?,?).The public key is (?,?) and the private key is (?,?). Encaps: on input public key ?,? and 1?chose uniform ? ?? Decaps: on input private key ?,? and ciphertext ? ?? compute ? ?????? and output key ? ? ? . . Output ciphertext ? ?????? and key ? ? ? . ,

  45. Hybrid encryption using KEM. m k Encaps Enc pk ? ? Encryption is (?,? ), where ? ????? ?,? ????(?), and ? = ? ? .

Related


No related presentations.

More Related Content