Cryptography

Lecture 7

Stefan Dziembowskiwww.dziembowski.net

stefan@dziembowski.net

Plan

1. Introduction to public-key cryptography

2. Diffie-Hellman key exchange

3. Trapdoor one-way permutations

How to distribute the cryptographic keys?

• If the users can meet in person beforehand – it’s simple.

• But what to do if they cannot meet?

(a typical example: on-line shopping)

A naive solution:

P5

P1

P3

P2

P4

K13K12

K14

K15

give to every user Pi a separate key Kij to communicate with every Pj

P5

P1

P3

P2

P4

In general:a quadratic number of keys is needed

Problems:

• Someone (a Key Distribution Center, KDC) needs to “give the keys”

– feasible if the users are e.g. working in one company

– infeasible on the internet– relies on the honesty of KDC– KDC needs to be permanently available– ...

• The users need to store large numbers of keys in a secure way

The solution:

Public-Key Cryptography

Whitfield Diffie and Martin Hellman (1976)Ralph Merkle (1974)

A little bit of history

• Diffie and Hellman were the first to publish a paper containing the idea of the public-key cryptography:

W.Diffie and M.E.Hellman, New directions in cryptographyIEEE Trans. Inform. Theory, IT-22, 6, 1976, pp.644-654.

• A similar idea was described by Ralph Merkle:– in 1974 he described it in a project proposal for a Computer

Security course at UC Berkeley (it was rejected)

– in 1975 he submitted it to the CACM journal (it was rejected)(see http://www.merkle.com/1974/ )

• It 1997 the GCHQ (the British equivalent of the NSA) revealed that they new it already in 1973.

The ideaInstead of using one key K, • use 2 keys (e,d), where

– e is used for encryption,– d is used for decryption,

or– d is used for computing a tag,– e is used for verifying correctness of the tag.

Moreover: e can be public, and only d has to be kept secret!

That’s why it’s called: public-key cryptography

this will be called “signatures”

Sign – the signing algorithm

Anyone can send encrypted messages to anyone else

P5

P1

P3P2

P4

e1

e2

e3

e4

e5

2. reads e3

1. P1 wants to send m to P3

3. sends E(e 3

,m)

public register:

d3

4. P3 computes D(d3,m)

Anyone can verify the signatures

P5

P1

P3P2

P4

e1

e2

e3

e4

e5

1. Sign(d 3

,m)

public register:Sign(d3,m)

Sig

n(d

3,m

)

2. reads e3

d3

3. computes Vrfy(e3,m)

Things that need to be discussed

• Who maintains “the register”?

• How to contact it securely?

• How to revoke the key (if it is lost)?

• ...

We will discuss this things later

(when we will be talking about the Public-Key

Infrastructure)

anyone can lock it

But is it possible?In “physical world”: yes!

Examples:

1. “normal” signatures

2. padlocks:

the key is needed to unlock

Diffie and Hellman (1976)

• Diffie and Hellman proposed the public key cryptography in 1976.

• They just proposed the concept, not the implementation.

• But they have shown a protocol for key-exchange.

listens

Key exchange

Alice Bob

initially they share no secret

key k key k

Eve should have no information about k

We will formalize it later.Let’s first show the protocol.

The Diffie-Hellman Key exchangeG – a group, where discrete log is hardq = |G|g – a generator of G

Alice Bob

x ← Zqh1 = gx

y ← Zq

h2 = gy

output:kA=(h2)x

output:kB=(h1)y

equal to:gyx

equal to:gxy

equal!

Security of the Diffie-Hellman exchange

Eve

h1 = gx h2 = gyG,g

knows

Eve should have no information about gyx

gyx ?

Is it secure?

If the discrete log in G is easy then the DH key exchange is not secure.

(because the adversary can compute x and y from

gx and gy)

If the discrete log in G is hard, then...

it may also not be completely secure

Example: G = Zp*

Alice Bob

x ← Zqh1 = gx

y ← Zq

h2 = gy

x is even iff h1 is a QR

y is even iff h2 is a QR

Therefore: gyx is a QR iff (h1 is a QR) or (h2 is a QR)

So, Eve can compute some information about gyx

(namely: if it is a QR, or not).

gyx ?

Is it a problem, or not?

We need to

1. formalize what we mean by secure key exchange,

2. identify the assumptions needed to prove the security.

Alice Bob

key k key k

“transcript” T: the sequence of exchanged messages:

interactiverandomized

Turing machine A

interactiverandomized

Turing machine B

A protocol is a pair (A,B) of randomized Turing machines.

Informal definition:(A,B) is secure if no “efficient adversary” can distinguish k from random, given T,with a “non-negligible advantage”.

key k

T

random string of the same length

?

How to formalize it?

A B

key k є {0,1}n

security parameter 1n

key k є {0,1}n

T

We say (A,B) is secure a secure key-exchange protocol if• the output of A and B is always the same, and

A

polynomial-time Mthat outputs 0 or 1

|Prob [M(1n,T,k) = 1] - Prob [M(1n,T,r) = 1] | is negligible in n

r is random and |r| = n

How does the protocol look now?

It needs to be defined for any parameter 1n.

Therefore we need an algorithm H that

• on input 1n

• outputs:– a description of G of order q, such that |q| = n,– a generator g of G.

How does the protocol look now?

Alice Bob

x ← Zq

y ← Zq

h2 = gy

security parameter 1n

(G,g),q, h1 = gx

(G,g) ← H(1n)

output:kA=(h2)x

output:kB=(h1)y

(Note that we cheat a bit because k is a “pseudorandom” group element, not a string of bits.)

If such a key exchange protocol is secure, we say that:

the Decisional Diffie-Hellman (DDH) problem is hard with respect to H)

An example of H where DDH is believed to be hard

QR(p)H(1n):

1. generate a random strong prime p of length n+1.2. set q := (p-1)/2.

3. choose any x є Zp* such that x ≠ ±1 (mod p) .

4. set g := x2 mod p.5. output (p,g).

Other groups are also used (e.g. groups based on the elliptic curves).

Practical considerations

1. It is common to chose any Zp* (for prime p), instead of QR(p).

2. In some standards p is fixed, for example the RFC3526 document specifies the primes of following lengths: 1536, 2048, 3072, 4096, 6144, 8192.This is the 1536-bit prime:

FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF.

the generator is: 2.

A problem

The protocols that we discussed are secure only against a passive adversary (that only eavesdrop).

What if the adversary is active?

She can launch a man-in-the-middle attack.

Man in the middle attack

Alice Bob

key k key k’key k key k’

I am Bob I am Alice

A very realistic attack!

So, is this thing totally useless?No! (it is useful as a building block)

Two questions remain

• How to construct the public-key encryption?

• How to construct the signature schemes?

turns out: these questions are related

The observation of Diffie and Hellman:

plaintexts ciphertexts

(e,d) – the key pair

E(e,x)

D(d,y)

easy only if one knows d

tags(“signatures”) messages

Vrfy(e,x)

Tag(d,y)

easy only if one knows d

public-key encryption:

signature schemes:

Looks similar...

Trapdoor permutations

X X

easy

• easy: one can compute Ee-1

if one knows a trapdoor d• hard (otherwise)

Ee

this is denoted

Dd

A family of permutations indexed by pairs (e,d):

{E : X → X}(e,d) є keys

such that:

How to encrypt a message m

messages plaintexts

m := Dd(c)

c := Ee(m)

one can compute it only if one knows d

encryption

decryption:

Warning: in general it’s not that simple. We will explain it later.

How to sign a message m

signatures messages

Dd(m)

Ee(m)

one can compute it only if one knows d

signing:

verifying:

Warning: in general it’s not that simple. We will explain it later.

Do such functions exist?

Ron Rivest, Adi Shamir, and Leonard Adleman (1977)

yes!

RSA function is a trapdoor permutation!

The RSA functionN = pq, such that p and q are large primese is such that gcd(e,d) = 1d is such that ed = 1 (mod φ(N))

Ee: ZN* → ZN

* is defined as:E(m) = me mod N.

Dd: ZN* → ZN

* is defined as:D(c) = cd mod N.

Does it work?D(E(m)) = md mod N.

we get

Dd(Ee(m)) = (me)d = med = m1 mod φ(N)

φ(N)) = (p-1)(q-1).

public key:(N,e)

private key:(N,d)

Is it a trapdoor permutation?

• If one can factor large integers → no!

(because one can compute φ(N))

• Is there an implication in the opposite direction?

nobody knows...

What can be shown

1. Computing φ(N) is as hard as factoring(we have shown it a week ago).

2. Computing d from (e,N) is as hard as factoring.