1 CIS 5371 Cryptography 7. Asymmetric encryption-.
-
Upload
milton-carpenter -
Category
Documents
-
view
251 -
download
1
Transcript of 1 CIS 5371 Cryptography 7. Asymmetric encryption-.
![Page 1: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/1.jpg)
1
CIS 5371 Cryptography
7. Asymmetric encryption-
![Page 2: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/2.jpg)
Public Key Cryptography
Alice Bob
Alice and Bob want to exchange a private key in public.
![Page 3: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/3.jpg)
Public Key CryptographyThe Diffie-Hellman protocol
Let p is a large prime and . The order of is a factor of . has a generator for any factor h of . p is called a safe prime if h = 2q, with q a prime.
![Page 4: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/4.jpg)
Public Key CryptographyThe Diffie-Hellman protocol
Alice ga mod p Bob gb mod p
The private key is: gab mod p where p is a prime and g is a generator of Zp
*
![Page 5: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/5.jpg)
Example
p = 43, g = 3,
Alice and Bob share (p,g) = (43,3).
Alice picks her (secret) exponent: a random a = 8 U [0:42].
Alice sends Bob: 38 25 (mod 43).
Bob picks his (secret) exponent: a random b = 37U [0:42].
Bob sends Alice: 337 20 (mod 43).
The secret key agreed between the two is:
9 208 2537 (mod 43).
![Page 6: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/6.jpg)
Man-in-the-middle attack
• Alice picks a U Zp* and sends Malice (“Bob”): ga (mod p)
• Malice (“Alice”) picks m Zp* and sends Bob: gm (mod p)
• Bob picks b U Zp* and sends Malice (“Bob) Bob: gb (mod p)
• Malice (“Bob”) sends Alice: gm (mod p)
• Alice computes: k1 (gm)a (mod p)
• Bob computes: k2 (gm)b (mod p)
![Page 7: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/7.jpg)
The Computational Diffie-Hellman Problem, CDH
• INPUT
– The description of a finite cyclic group of prime order q
– A generator element of
– , for some integers .
• OUTPUT
–
![Page 8: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/8.jpg)
The Computational Diffie-Hellman Assumption
• A CDH solver is a PPT algorithm that solves the CDH problem.
• The CDH Assumption is that, for any CDH solver there exists a negligible function negl such that:
― for an arbitrary instance of the CDH problem, the CDH solver will succeed with probability negl for all sufficiently large inputs.
![Page 9: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/9.jpg)
The Decisional Diffie-Hellman Problem, DDH
• INPUT
– The description of a finite cyclic group G of prime order q
– A generator element g of G
– ga, gb, gc G, for some integers 0 < a,b,c< q.
• OUTPUT
– 1 ---Decision that gc = gab or
– 0 ---Decision that gc gab
![Page 10: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/10.jpg)
The Decisional Diffie-Hellman Assumption
• A DDH solver is a PPT algorithm that solves the DDH problem.
• The DDH Assumption is that, for any DDH solver, there exists a negligible function negl such that:
― for an arbitrary instance of the DDH problem, the DDH solver will succeed with probability negl for all sufficiently large inputs.
![Page 11: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/11.jpg)
The Discrete Logarithm ProblemThe Discrete Logarithm Problem -- DL• INPUT
– The description of a finite cyclic group of order (say )– A generator element of – h G.
• OUTPUT
– The unique integer such that
We call the integer the discrete logarithm of in
base and write:
![Page 12: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/12.jpg)
The Discrete Logarithm Assumption
• A DL solver is a PPT algorithm that solves the DL problem.
• The DL Assumption is that, for any DL solver, there exists a negligible function negl such that:
― for an arbitrary instance of the DL problem, the DDH solver will succeed with probability negl for all sufficiently large inputs.
![Page 13: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/13.jpg)
The RSA cryptosystem
Alice performs the following steps
Choose p, q large primes with |p| |q|.
Compute N = pq.
Compute (N) = (p-1)(q-1).
Choose a random integer e < (N) such that gcd(e, (N)) = 1 and compute the integer d such that ed = 1 (mod (N)).
Make (N,e) the public key, keep (N,d) as private key, and discard p,q and (N).
![Page 14: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/14.jpg)
The RSA cryptosystem
Encryption
Let m < N be the confidential message that Bob wants to send to Alice.
• Bob creates the ciphertext: c .• Bob sends Alice: c
DecryptionTo decrypt the ciphertext c Alice computes:
.
![Page 15: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/15.jpg)
Check
We have: ed 1 (mod (N)) , so ed 1 + t (N).
Therefore, Dd (Ee (m)) (me)d m ed m t(N)+1
(m(n))t m 1m m mod n
![Page 16: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/16.jpg)
Example
• Let p = 101, q = 113. Then N = 11413.
• (N) = 100 x 112 = 11200 = 26527
• For encryption use e = 3533.
• Alice publishes: N = 11413, e = 3533.
• Suppose Bob wants to encrypt: 9726.
• Bob computes 97263533 mod 11413 = 5761
• Bob sends Alice the ciphertext 5761.
• To decrypt it Alice computes the plaintext:
57616597 (mod 11413) = 9726
![Page 17: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/17.jpg)
Implementation
1. Generate two large primes: p,q
2. N pq and = (p-1)(q-1)
3. Choose random e: with 1 < e < (N) & gcd(e, (N))=1
4.
5. The public key is (N,e) and the private key is (N,d)
![Page 18: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/18.jpg)
Cost
In :
Cost of a modular multiplication (xy) mod n is
O (k2), where k = log2n Cost of a modular exponentiation xz (mod n) is
O (k2 log2z) = O (k2 log2 n)
![Page 19: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/19.jpg)
Cryptanalysis of Public-key cryptosystems
Active attacks on cryptosystems• Chosen-Plaintext Attack (CPA):
– The attacker chooses plaintexts and obtains the corresponding ciphertexts: the task of the attacker is successful if he can decrypt a (new) target ciphertext.
• Chosen-Ciphertext Attack (CCA1):
– The attacker chooses a number of ciphertexts and obtains the corresponding plaintexts: the task of the attacker is successful if he can decrypt a (new) target ciphertext.
• Adaptive Chosen-Ciphertext Attack (CCA2):
– This is a CCS1 attack in which the attacker can adaptively choose ciphertexts: the task of the attacker is successful if
he can decrypt a (new) target ciphertext.
![Page 20: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/20.jpg)
The RSA Problem
• INPUT
– N = pq with p,q prime nmbers.– e an integer such that gcd(e,(p-1)(q-1)) =1– c ZN
.
• OUTPUT– The unique integer m ZN
such that me c (mod N )
![Page 21: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/21.jpg)
The RSA Assumption
• An RSA solver is a PPT algorithm that solves the RSA problem.
• The RSA Assumption is that, for any RSA solver, there exists a negligible function negl such that:
― for an arbitrary instance of the RSA problem, the RSA solver will succeed with probability negl for all sufficiently large inputs.
![Page 22: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/22.jpg)
The Integer Factorization Problem
The IF Problem (IF)• INPUT
– N an odd composite integer with at least two distinct prime factors.
• OUTPUT– A prime p such that p | N.
![Page 23: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/23.jpg)
The IF Assumption
• An integer factorizer is a PPT algorithm that solves the IF problem.
• The IF Assumption is that, for any IF solver, there exists a negligible function negl such that:
― for an arbitrary instance of the IF problem, the IF solver will succeed with probability negl for all sufficiently large inputs.
![Page 24: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/24.jpg)
Security of RSA
1. Relation to factoring.• If Factoring is easy then the RSA problem is easy:
recovering the plaintext m from an RSA ciphertext c is easy if factoring is possible
• The converse is likely not to be true.
3. Relation between factoring and the RSA problem
• If Factoring is easy then the RSA problem is easy.• The converse is likely not to be true.
![Page 25: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/25.jpg)
The Rabin cryptosystem
Alice performs the following steps Choose p, q large primes with |p| = |q|. Compute n = pq.
Pick a random integer b U Zn*
Make (n,b) public key, keep (p,q) as private key.
![Page 26: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/26.jpg)
The Rabin cryptosystem
EncryptionLet m Zn
* be the confidential message that Bob wants to send to Alice.
• Bob creates the ciphertext: c m(m+b) (mod n).• Bob sends Alice: c
DecryptionTo decrypt the ciphertext c Alice solves the quadratic equation: m2 + bm –c 0 (mod n),for m < n.
![Page 27: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/27.jpg)
The Rabin cryptosystem
DecryptionFrom elementary mathematics:
where = b2 +4c (mod n).
Since m was chosen in Zn*, must be in QRn .
Notice that if p,q are such that p q 3 (mod 4), then it is easier to compute square roots modulo N, as we shall see below.
![Page 28: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/28.jpg)
Remarks
• Suppose p q 3 (mod 4), n = pq.• Let y (mod p). • Then:
because,
)(mod)( 2/)1(2/)1(24/)1( pyyyyy ppp
![Page 29: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/29.jpg)
Remarks (continued)
• It follows that:
is a square root of y modulo p.• A similar argument applies for the other prime q.• So we get the quadratic residues modulo p and
modulo q.• We then get the quadratic residue modulo n by
using the Chinese Remainder Theorem.
)(mod4/)1( py p
![Page 30: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/30.jpg)
Example
Suppose n = 77.
Then e (x) = x 2 (mod 77)
d (y) = (mod 77)
Suppose Bob wants to decrypt y = 23
y
7mod4223 24/)17(
11mod1123 34/)111(
![Page 31: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/31.jpg)
Example, continued
Using the Chinese Remainder Theorem we compute
the 4 square roots of 23 modulo 77 to be:
)77(mod32),77(mod10
![Page 32: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/32.jpg)
The Rabin Problem
• INPUT
– N = pq with p,q prime numbers.– y x 2 (mod N), x ZN
*
• OUTPUT
– z ZN* such that z x
2 (mod N).
![Page 33: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/33.jpg)
Security of Rabin
1. Relation to factoring. Recovering the plaintext m from a Rabin ciphertext c is easy if the IF problem is easy.
3. Relation between factoring and the Rabin problem• Under CPA attacks the Rabin system is secure iff the IF problem is hard.• Under CCA attacks the Rabin problem is completely insecure.
![Page 34: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/34.jpg)
Security of Rabin
Under CCA attacks the Rabin system is completely
insecure.
Proof: We show this for the case when
The adversary picks an and computes
Then he gets its decryption .
This is one of the 4 square roots of , and with probability ½,
or q.
Then the adversary can decrypt any ciphertext.
![Page 35: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/35.jpg)
The ELGamal cryptosystem
Alice performs the following steps Choose a large random primes p.
Compute a random multiplicative generator g Zp*
Pick x U Zp-1 as private key
Compute the public key y gx (mod p). Make (p,g,y) public key, and keep (p,x) as private key.
![Page 36: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/36.jpg)
The ElGamal cryptosystem
EncryptionLet m < p be the confidential message that Bob wants to send to Alice.
Bob picks k U Zp-1 and computes the ciphertext (c1, c2)
• c1 gk (mod p). • c2 yk m (mod p).
DecryptionTo decrypt the ciphertext (c1, c2) Alice computes
m c2/c1x (mod p).
![Page 37: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/37.jpg)
The ElGamal cryptosystem
Check:
![Page 38: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/38.jpg)
Example
Use p = 43, g =3, m = 14, x = 7, y = 37.
Alice’s private key: x = 7
Alice’s public key: (p,g,y) = (43,3,37).
Encryption with k = 26:• c1 = gk (mod p) = 326 (mod 43) =15. • c2 = yk m (mod p) = 3726 ×14 (mod 43) =31 .
Decryption:
m = c2/c1x (mod p) = 31/157 (mod 43) = 14 .
![Page 39: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/39.jpg)
Security of ElGamal
1. Relation to the DL.
Recovering the plaintext m from an ElGamal
ciphertext c is easy if the DL problem is easy.
2. ELGamal and the CDH problem
For messages that are uniformly distributed, the
ElGamal encryption system is secure against CPAs
iff the CDH problem is hard.
![Page 40: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/40.jpg)
Security of ElGamal
For messages that are uniformly distributed, the ElGamal encryption system is secure against CPAs iff the CDH problem is hard.
![Page 41: 1 CIS 5371 Cryptography 7. Asymmetric encryption-.](https://reader036.fdocuments.us/reader036/viewer/2022062300/56649d0d5503460f949e2974/html5/thumbnails/41.jpg)
Security of ElGamalProof: Suppose there exists an oracle that breaks ElGamal with non negligible probability > 0.
Then since can be computed,
= can also be computed.
For an arbitrary CDH instance
,
take as the ElGamal public key and as ciphertext.
Then the oracle outputs
=
which is a solution for the CDH instance.