Cryptography: Helping Number Theorists Bring Home the Bacon Since 1977

Windows Core Security 1 © 2006 Microsoft Corp Cryptography: Helping Number Theorists Bring Home the Bacon Since 1977 Dan Shumow SDE Windows Core Security [email protected]



Outline

• Introduction
• Symmetric Key Encryption
• Key Distribution: Diffie-Hellman Key Generation
• Elliptic Curve Cryptography


Introduction

• Cryptography, what is it and why should we care?
  – Cryptography is the science of communicating secretly.
  – Today so much communication is done over the internet and radio waves, and these media are very prone to eavesdropping. Cryptography allows people to communicate securely across these media.


Cryptography

Allows Alice to communicate with Bob without being overheard by Eavesdropper Eve.

[Diagram labels: Alice, Bob, Eve]


Symmetric Key Encryption

• Alice and Bob share a key $K$.
• They use an encryption function $c = E_K(p)$.
• $p$ is the plaintext and $c$ is the ciphertext.
• It has to be reversible: $p = D_K(c)$.
• If Alice wants to send Bob a message $m$ she computes $c = E_K(m)$ and sends Bob $c$.
• Bob computes $m = D_K(c)$.


Symmetric Key Encryption

• Want it to be hard to compute $p$ given $c$. So if Eve doesn’t know $K$ it is hard for her to compute $m$ even if she intercepts $c$.
• Want $E_K$ and $D_K$ to be easy to compute. So there is little overhead to communication.
• Want $K$ to be hard to calculate given $p$ and $c$. Otherwise if Eve can guess parts of the message she can recover the key.


Symmetric Key Encryption

Examples:

– Substitution Ciphers: Substitute each letter in the alphabet for another one.
– One Time Pads: A key that is the same length as the message, used only once.
– Modern Ciphers
  • Stream Ciphers: RC4
  • Block Ciphers: DES, AES


Symmetric Key Encryption

Attacks on Encryption Algorithms:

– Substitution Ciphers: Frequency Attacks
– One Time Pads are provably secure.
– Modern Attacks:
  • Linear Cryptanalysis looks for a linear relationship between plaintext and ciphertext. (Known Plaintext Attack.)
  • Differential Cryptanalysis looks at how differences in plaintext cause differences in ciphertext. (Chosen Plaintext Attack.)


Symmetric Key Encryption

Modern Encryption Algorithm Design Techniques

– Confusion and Diffusion
  • Diffusion means many bits of the plaintext (possibly all) affect each bit of the ciphertext.
  • Confusion means there is a low statistical bias of bits in the ciphertext.
– Non-Linearity: The encryption function is not linear (that is, it cannot be represented by a small matrix).
  • Prevents Linear Cryptanalysis.


Symmetric Key Encryption

Problem: Key Distribution

– Can’t keep using same key, Eve will eventually recover K.
– Need to establish shared secret key:
  • Could agree to physically meet and establish keys.
  • But what if you want to communicate with someone on the other side of the world?

Key distribution is a big problem.


Diffie-Hellman Key Generation

Basic Idea:

1. Alice and Bob agree on an integer $g$.
2. (a) Alice secretly chooses integer $x$, computes $X = g^x$ and sends it to Bob.
   (b) Bob secretly chooses integer $y$, computes $Y = g^y$ and sends it to Alice.
3. (a) Alice computes $Y^x = (g^y)^x = g^{xy}$.
   (b) Bob computes $X^y = (g^x)^y = g^{xy}$.
4. Alice and Bob both share $g^{xy}$ which they can use to create a secret key.


Diffie-Hellman Key Generation

Wait!! It’s not secure. If Eve overhears what $g$, $X$, and $Y$ are she can compute:

$x = \log_g X$ and $y = \log_g Y$

And use this information to calculate $g^{xy}$.

To make this secure Alice and Bob pick a large prime number $P$ and reduce everything mod $P$ (take the remainder after division by $P$).


Diffie-Hellman Key Generation

New and Improved Idea:

1. Alice and Bob agree on an integer $g$ and prime $P$.
2. (a) Alice secretly chooses integer $x$, computes $X = g^x \bmod P$ and sends it to Bob.
   (b) Bob secretly chooses integer $y$, computes $Y = g^y \bmod P$ and sends it to Alice.
3. (a) Alice computes $Y^x \bmod P = (g^y)^x \bmod P = g^{xy} \bmod P$.
   (b) Bob computes $X^y \bmod P = (g^x)^y \bmod P = g^{xy} \bmod P$.
4. Alice and Bob both share the value $g^{xy} \bmod P$ which they can use to create a secret key.


Diffie-Hellman Key Generation

By adding the prime P into the equation we now need to make sure that g is a “generator” of P. This means that for every integer x in {1,2,3,…,P-1} there exists an integer d such that:

$x = g^d \bmod P$.

$d$ is called the “discrete log” of $x$ to the base $g$ mod $P$.


Diffie-Hellman Key Generation

Why Does This Work?

1. Because the positive integers less than P form a multiplicative, cyclic group with generator g.
2. It is hard to compute the discrete log of a generator mod P.

Given these two things:

1. This algorithm works.
2. It is hard for Eve to calculate $g^{xy} \bmod P$.
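The mod-P exchange and the generator condition described above, as an added example that is not part of the original slides. The function names and the toy values P = 23, g = 5 are assumptions chosen for illustration; the last function shows that at this size the discrete log falls to plain enumeration, which is why P must be large.

```python
# Added example, not from the slides. P = 23 and g = 5 are constructed toy
# values; real groups use primes of 2048 bits or more.
import secrets

def prime_factors(n):
    """Distinct prime factors by trial division (fine at toy sizes)."""
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out

def is_generator(g, P):
    """g generates {1..P-1} iff g^((P-1)/q) != 1 mod P for each prime q | P-1."""
    return all(pow(g, (P - 1) // q, P) != 1 for q in prime_factors(P - 1))

def dh_keypair(g, P):
    """Secret exponent x and public value X = g^x mod P."""
    while True:
        x = secrets.randbelow(P - 3) + 2       # x in [2, P-2]
        X = pow(g, x, P)
        if 1 < X < P - 1:                      # avoid the degenerate values 1, P-1
            return x, X

def dh_shared(their_public, my_secret, P):
    """Validate the peer's value, then compute g^(xy) mod P."""
    if not 1 < their_public < P - 1:
        raise ValueError("public value outside (1, P-1)")
    return pow(their_public, my_secret, P)

def brute_force_dlog(g, X, P):
    """Exhaustive search for d with g^d = X mod P; feasible only for tiny P."""
    acc = 1
    for d in range(P - 1):
        if acc == X:
            return d
        acc = acc * g % P
    return None

if __name__ == "__main__":
    P, g = 23, 5
    x, X = dh_keypair(g, P)
    y, Y = dh_keypair(g, P)
    print("shared:", dh_shared(Y, x, P), dh_shared(X, y, P))
    print("Eve recovers x at this size:", brute_force_dlog(g, X, P) == x)
```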


Groups

• A group is a set G with a binary operation ·:G×G→G with the following properties:

1. Associativity: a(bc)=(ab)c
2. Identity Element: there exists e in G, such that for all a in G ea=ae=a.
3. Inverses: for all a in G there exists an element $a^{-1}$ in G such that $aa^{-1} = a^{-1}a = e$.


Special Groups

• Abelian Groups are groups that have a fourth axiom:

4. Commutative: for all a and b in G ab = ba

• Cyclic Groups are groups that have a generator g, where g is an element of G such that for all a in G: $a = g^x$ where x is a positive integer.

Note that all Cyclic groups are Abelian. Can you see why?


Special Groups

• Multiplicative Groups are groups where the operation is called multiplication. Example: the group of n×n invertible matrices.

• Additive Groups are groups where the operation is called addition. Additive Groups are abelian. Example: the integers.


Diffie-Hellman Key Generation

What does this all mean for Diffie-Hellman Key Generation?

Answer: It means that Diffie-Hellman will work as a key exchange algorithm in any cyclic group where computing discrete logarithms is hard.


Elliptic Curve Cryptography

• Elliptic Curves are a way of modifying existing crypto systems like DH to make them “stronger.”

• “Stronger” means the expected time of an attack is longer with equal key sizes.

• This allows us to use smaller key sizes and therefore speed up the whole process.

• This makes ECC very useful for small devices like phones or other embedded systems.


Elliptic Curves

• An Elliptic Curve is such an alternate cyclic group. The group consists of all points of the form: $y^2 = x^3 + ax + b$, where x, y, a, and b are all elements of a field F.


Fields

• A field is a set that has mathematical operations multiplication and addition that behave in nice ways.

• Basically a field is any set that you can do everything from your high school algebra class in.


Fields

A field F is a set S along with two binary operations (+,·) that have the following properties:

1. S contains two distinct elements 0 and 1.
2. (S-{0},·) is a multiplicative group, with identity 1.
3. (S,+) is an additive group, with identity 0.
4. Multiplication is distributive on the left and the right:
   a·(b+c) = a·b+a·c
   (a+b)·c = a·c+b·c


Elliptic Curves

Group operation: Let $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ be points on an Elliptic Curve $E$. Then:

$R = P + Q = (x_R, y_R)$

is defined by:

$x_R = s^2 - x_P - x_Q$

$y_R = -y_P + s(x_P - x_R)$

where:

$s = (y_P - y_Q)/(x_P - x_Q)$ if $x_P \neq x_Q$

or

$s = (3x_P^2 + a)/(2y_P)$ if $x_P = x_Q$

Identity: A “point at infinity” is added to the set of points on the curve. This point is infinitely far along the y axis.


Elliptic Curves

Intuition: If you have 2 points on this curve, they define a line that intersects the curve at 1 other point. Addition is derived from this. Inverses are reflections about the x axis.


Elliptic Curve Cryptography

Newer and more Improved Idea:

1. Alice and Bob agree on an Elliptic Curve $E$ (specified by the field $F$ and parameters $a$, $b$) and a base point $g$ on $E$.
2. (a) Alice secretly chooses integer $x$, computes $X = xg$ and sends it to Bob.
   (b) Bob secretly chooses integer $y$, computes $Y = yg$ and sends it to Alice.
3. (a) Alice computes: $xY = x(yg) = xyg$.
   (b) Bob computes: $yX = y(xg) = yxg = xyg$.
4. Alice and Bob both share the point $xyg$ which they can use to create a secret key.


Elliptic Curve Cryptography

• In the preceding example all math is done in the group defined by E. Exponentiation is taken to be iterative addition.

• Because Elliptic Curves are groups we are guaranteed that we can perform all these operations.

• Computing logarithms in elliptic curves is difficult, so Eve can not recover the secret values and determine the shared value xyg.
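The group operation and the elliptic-curve exchange from the preceding slides, as an added example that is not part of the original deck. The curve $y^2 = x^3 + 2x + 2$ over the integers mod 17, the base point (5, 1), its order 19 and all function names are constructed toy assumptions; the division in the slope formulas is carried out as multiplication by a modular inverse.

```python
# Added example, not from the slides. The curve y^2 = x^3 + 2x + 2 over F_17,
# base point (5, 1) and its order 19 are constructed toy values.
import secrets

P_MOD, A, B = 17, 2, 2      # field size and curve parameters a, b
G, N = (5, 1), 19           # base point g and its order
INF = None                  # the "point at infinity" (identity)

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    in_range = 0 <= x < P_MOD and 0 <= y < P_MOD
    return in_range and (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def add(p, q):
    """Slide's group law; division becomes multiplication by an inverse mod 17."""
    if p is INF or q is INF:
        return q if p is INF else p
    (xp, yp), (xq, yq) = p, q
    if xp == xq and (yp + yq) % P_MOD == 0:
        return INF                              # q is the reflection of p
    if p == q:
        s = (3 * xp * xp + A) * pow(2 * yp % P_MOD, -1, P_MOD)
    else:
        s = (yp - yq) * pow((xp - xq) % P_MOD, -1, P_MOD)
    xr = (s * s - xp - xq) % P_MOD
    yr = (-yp + s * (xp - xr)) % P_MOD
    return (xr, yr)

def mul(k, pt):
    """k*pt by double-and-add: "exponentiation" as iterated addition."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def keypair():
    x = secrets.randbelow(N - 1) + 1            # secret in [1, N-1]
    return x, mul(x, G)

def ecdh_shared(my_secret, their_public):
    """Reject the identity and off-curve points before using a peer's value."""
    if their_public is INF or not on_curve(their_public):
        raise ValueError("invalid public point")
    return mul(my_secret, their_public)
```

Checking that a received point lies on the agreed curve before multiplying it by a secret is the elliptic-curve counterpart of range-checking a public value in the mod-P exchange.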
