1

Public Key InfrastructuresPublic Key Infrastructures

Chapter 3Public Key Cryptography

Cryptography and Computeralgebra

Johannes Buchmann

2

Encryption

plaintextplaintext plaintextplaintext

secret secret=

symmetric

decryptencrypt

3

Symmetric encryption schemes

170 msIDEA

80 msMARS

100 msTWOFISH

78 msRC6

Performance*Scheme

95 msSERPENT

65 msRIJNDEAL (AES)

250 msDES-ede

*) Encryption of 1 MByte on a Pentium 2.8 GHz, using the FlexiProvider (Java)

4

BUT: key exchange problem

n*(n-1)/2 keys

Internet: ∼ 1,093,529,692 users => 1,195,807,187,285,614,864 keys

5

One solution

Key-Server

The key-server knows all secret keys!

6

Example

The authentication center (AC) in mobile communications knows all the keys. It stores them in a database.

From “IT-Sicherheit”, page 785, 800

7

Encryption

plaintextplaintext plaintextplaintextdecryptencrypt

public private

≠asymmetric

8

Key exchange problem solved!

Public-Key-Server

The server does not know any private information!

9

Public-Key-Server

......

8422834964509823610263135768Karatsiolis

13121311235912753192375134123Buchmann

Public Directory

mapping: names ↔ public keys

10

Asymmetric encryption schemes

6,6 sRSA (1024 bits)

Performance*Scheme

11.8 sRSA (2048 bits)

Disadvantage: Complex operations with big numbers

⇒ schemes are slow

*) Encryption of 1 MByte on a Pentium 2.8 GHz, using the FlexiProvider (Java)

11

Solution

plaintextplaintextdecryptencryptplaintextplaintext

decryptencrypt

symmetric session key

public secrethybrid

encryption

12

…using 200 digits provides a margin of safety against future developments…

RSA

published in 1978

13

RSA-200 factored in 2005

After 27 years

14

Security

Impossibility to factor the RSA module

21335625291600027351142759355194209132914767425698066864818245285802697571587504827160038792867188144217660057955934845800814958268691260056037643469790871613988653520618544234805258949423413033375605873213651488760386443075342912012970548900016706067393246389837569751517347745772076420507479301672647916792373351492517320962556245120580406546060184803670311182370599074873628794261731191112555208060025609009047888480639771734426254325175122847998160609602132860929278043535478577169570898641110787987645625919308715088016517131066837168489289581361754587749922998809128927098697538006934652117684098976045960758751

15

n = 2799783391122132787082946763872260162107044678695542853756000992932612840010760934567105295536085606 1822351910951365788637105954482006576775098580557613579098734950144178863178946295187237869221823983

was factored in May 2005:

p = 3532461934402770121272604978198464368671197400197625023649303468776121253679423200058547956528088349

q = 7925869954478333033347085841480059687737975857364219960734330341455767872818152135381409304740185467

Secret

16

Factors

Factors of 6?

Factors of 143?11, because 143 = 11*13

3, because 6 = 3*2

Factors of213356252916000273511427593551942091329147674256980668648182452858026975715875048271600387928671881442176600579559348458008149582686912600560376434697908716139886535206185442348052589494234130333756058732136514887603864430753429120129705489000167060673932463898375697515173477457720764205074793016726479167923733514925173209625562451205804065460601848036703111823705990748736287942617311911125552080600256090090478884806397717344262543251751228479981606096021328609292780435354785771695708986411107879876456259193087150880165171310668371684892895813617 54587749922998809128927098697538006934652117684098976045960758751

?

17

Fermat – Numbers (Pierre de Fermat, 1601-1665)

122 +=m

mF

F0 = 3

F1 = 5

F2 = 17

F3 = 257

F4 = 65537

F5 = 4294967297= 641*6700417

Difficult computational problem: factoring

18

Difficulty of factoring

Completely factored Fermat numbers

617

309

155

78

39

20

10

Cunningham, Brent, Morain198811

Selfridge, Brillhart, Brent199510

Western, Lenstra, Manasse, u.a.19909

Brent, Pollard19808

Morrison, Brillhart19707

Landry, Le Lasseur18806

Euler17325

Decimal digits

discovereryearm

19

L u v env n nu u

[ , ] (log ) (log log ) ( )

=−1

L vn [ , ]0

polynomial exponential

L vn[ , ]1

complexity

Number Field Sieve NFS 1990

1/3

Quadratic Sieve 1980

1/2

Computational complexity

20

open$200,000617RSA-2048

open$150,000463RSA-1536

open$100,000309RSA-1024

open$75,000270RSA-896

open$50,000232RSA-768

open$30,000212RSA-704

Nov. 4, 2005$20,000193RSA-640

Dec. 3, 2003$10,000174RSA-576

May 9, 2005200RSA-200

Apr. 1, 2003160RSA-160

Aug. 22, 1999155RSA-155

Apr. 16, 2004150RSA-150

Feb. 2, 1999140RSA-140

Apr. 10, 1996130RSA-130

Apr. 1994$100129RSA-129

Jun. 1993120RSA-120

Apr. 1992110RSA-110

Apr. 1991100RSA-100

factoredprizedigitsnumber

21

G group of points on an elliptic curve:

Exponential complexity

Small keys are possible

Discrete-Logarithm-Problem (DLP):

Solve gx = a

G Group

ax glog=

Difficult computational problem: DLP

22

ECC challenges

20029x10^7109ECCp-10919987198297ECCp-971998436089ECCp-89199714679ECCp-7920042.1x10^7109ECC2-10920001.3x10^6109ECC2K-108199918044897ECC2-971998863797ECC2K-9519981127889ECC2-89199735279ECC2-79DateDaysField SizeECC

From www.certicon.com

23

factoring easy

ECDLP easy

all popular cryptosystems insecure

make

Quantum computers

24

Alternative: Short lattice vectors

25

Alternative: Short lattice vectors

26

2 d

27.7 h

9 h

2 h

8 min

4*108450

1*108400

4*106300

2*105200

3*103100

Running Time LLL Length SV Dimension

Architekture: SunBlade 100 (C++)

Short vectors

27

Find difficult computational problems

Find correct security models

Find provable secure cryptosystems

Research challenges

28

Cryptographic hash functions

datadata hashfunction

hashvaluehashvalue

nh }1,0{}1,0{: * →

29

Easy

easy and fast to calculate

85 msSHA-256

Performance*Scheme

48 msRIPEMD-16050 msSHA-1

*) Hashing of 1 MByte on a Pentium 2.8 GHz, using the FlexiProvider (Java)

30

One way

datadatahashvaluehashvalue

31

Collision resistant

datadata

hashfunction

hashvaluehashvalue

datadata

32

Message Authentication Code

valid /invalid

plaintextplaintext

secret

MACfunction

secret

MACfunction

plaintextplaintext

MACvalueMACvalue

33

MAC schemes

HMAC

CBC-MAC (3-DES, IDEA, other)

Two-Track-Mac

34

MAC applications

For securing the transport of a private key in software based solutionse.g. PKCS12, to protect the private key from tampering. The key is derived from a password.

In many protocols:

SSL/TLS, mobile communications

35

Message Authentication Code

symmetric scheme

⇒ fast

⇒ key exchange problem

36

Digital signature

valid /invalid

plaintextplaintext

sign verify

plaintextplaintext

SignatureSignature

private public

37

Digital signature

asymmetric scheme

⇒ slow

⇒ key exchange problem solved

38

Asymmetric signature schemes

38 msecECDSA (160)

32 msecDSA (1024)

Performance*Scheme

35 msecRSA (1024)

*) Creation of a signature on a Pentium 2,8 GHz,using the FlexiProvider (Java)

39

Reaching the security goals

Confidentiality

Integrity

Authenticity of data

Entity Authentication

Non-repudiation

→ sym. and asym. encryption

→ hash, MAC, digital signature

→ digital signature, MAC

→ digital signature, MAC

→ digital signature

40

Problem Exposition

41

Why PKI?

1) Keep the private key secret

2) How to know that the public key is correct

=> PKI is needed

42

How do software vendors protect theirsignature key?

How does the PC know the correctverification key?

43

Digitally signed updates:

44

How to authenticate public keys?