Private Keys of Public Key Pairs and Zero-Knowledge Protocols Peter Landrock.


Page 1

Private Keys of Public Key Pairs and Zero-Knowledge Protocols

Peter Landrock

Page 2

Public Key Infrastructures require

Generation of user public keys

Registration of users and keys (LRA)

Certification (CA) – certificates bind a person to his key

Directories (DIR)

Blacklists/revocation

Key administration

plus -

Page 3

Format/syntax

ASN.1 based certificates (X.509)?

Special purpose certificates?

Integration into browsers?

Integration into applications (java?)

Security in transport layer (e.g. SSL)?

Format: S/MIME, PGP, ...?

Use of smartcards?

Page 4

PKI - Roles

(Diagram of the PKI roles: LRA, Users, CA, DA)

Page 5

The world seen with the user's eyes

(Diagram: User, LRA, CA, DIR, User; Business Transactions)

Page 6

Registration at Local Registration Authority

Page 7

Communication with Directory under session

Page 8

Revocation of key

Page 9

Foundation

But the foundation is cryptographic algorithms, which is – mathematics!

So let's focus on that for a while.

Page 10

Cryptographic Algorithms

Conventional (symmetric) crypto systems
– Quantum cryptography - unbreakable

Hash functions
– perhaps the weakest point - art, not math.

Public key (asymmetric) systems
– Today RSA, tomorrow elliptic curves?

Page 11

Crypto systems

Symmetric systems
– same key for encryption and decryption

Asymmetric systems
– One key may be given to everybody: the public key, P
– while the other is kept secret: the private key, S

Page 12

Public Key encryption - RSA

Choose two large primes p, q and let n = pq

Choose a public exponent e
– mutually prime to φ(n) = (p - 1)(q - 1)

Based on classical (Greek) math we find integers d, x < 0, with de + xφ(n) = 1

Fact (Euler, Fermat):
– For m < n we have m ≡ m^(ed) mod n

Finding the private key means factoring n

Page 13

Alternative: One way functions

– Choose a large prime number p
– Choose a "generator", g
– Choose a random number v as private key
– Calculate the public key w = g^v mod p
– Finding v from w is known as the discrete log problem

Page 14

The new technique: Elliptic Curves

The set of points P = (x,y) satisfying

y^2 = x^3 + ax + b

in Z/pZ

can be added using a particular formula. It allows construction of a public key pair.

Example: a = 6890847943309044493598067961180259058846730261

b = 45938986288872696329065378640786839725897820174

will correspond to an RSA security level of 768 bits for some prime p of length 200 bits!

Page 15

Why Elliptic Curves?

More security per bit
– Smaller key size
– Smaller signature size
– Faster computations
– Less resources required (smart cards)

Well developed mathematical theory (complex)

Page 16

RSA/DSA/EC - comparing performance (RSA: small public exp.)

(Bar chart: signing and verification time in msec for RSA, DSA and EC; axis from 0 to 80 msec)

Page 17

RSA/DSA/EC - Comparing key sizes

(Bar chart: public key, private key and signature size in bits for RSA, DSA and EC; axis from 0 to 800 bits)

Page 18

Elliptic Curves

An EC is the set of solutions (x,y) to equations of the form

y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6

over a (finite) field together with an additional point (called the point at infinity O)

Page 19

Finite fields

(F, +, •): set of elements with addition, subtraction, multiplication and division.

GF(p): Integers modulo p (prime)

GF(2^n)
– polynomials with binary coefficients modulo an irreducible polynomial of degree n
– (a+b)^2 = a^2 + b^2

Unique up to isomorphism

Page 20

Implementation Issues

Choice of field
– GF(2^n) faster than GF(p) (at least in hardware)

Representation of elements for GF(2^n)
– Standard basis
– Optimal normal basis
– Polynomials over subfield

Page 21

Elliptic Curves

Example: GF(23)

Curve defined by y^2 = x^3 + x + 1:

{(0,1), (0,-1), (1,7), (1,-7), (3,10), (3,-10), (4,0), (5,4), (5,-4), (6,4), (6,-4), (7,11), (7,-11), (9,7), (9,-7), (11,3), (11,-3), (12,4), (12,-4), (13,7), (13,-7), (17,3), (17,-3), (18,3), (18,-3), (19,5), (19,-5)}

Page 22

Elliptic Curves

Sum (xs,ys) of (x1,y1) = (9,7) and (x2,y2) = (18,3) = (-5,3), x1 ≠ x2, is defined as follows:

λ := (y2 - y1)/(x2 - x1) = -4/9 = 20 mod 23

xs = λ^2 - x1 - x2 = 9 - 9 + 5 = 5

ys = λ(x1 - xs) - y1 = -3(9 - 5) - 7 = 4

Thus (9,7) + (18,3) = (5,4)

Page 23

Elliptic Curves

Double of (5,4)

λ := (3x1^2 + 1)/(2y1) = 76/8 = 7/8 = 21 = -2

xd = λ^2 - 2x1 = 4 - 5 - 5 = 17

yd = λ(x1 - xd) - y1 = -2(5 + 6) - 4 = -3

Thus (5,4) + (5,4) = (17,-3)
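Added example, not from the slides: the chord-and-tangent formulas of pages 22-23 implemented for the slide's curve y^2 = x^3 + x + 1 over GF(23), with the point enumeration of page 21 and double-and-add (the public-key operation) on top. The names INF, add, scalar_mul and all_points are this example's own.

```python
# Added example (not from the slides): affine arithmetic on the slide's curve
# y^2 = x^3 + x + 1 over GF(23).  INF stands for the point at infinity O.
P_MOD, A, B = 23, 1, 1
INF = None

def inv(x):
    """Inverse mod 23 via Fermat: x^(p-2) mod p."""
    return pow(x % P_MOD, P_MOD - 2, P_MOD)

def on_curve(pt):
    """True for O and for affine points satisfying the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def add(p1, p2):
    """Chord-and-tangent addition with the lambda formulas of pages 22-23."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1[0] % P_MOD, p1[1] % P_MOD     # accept (18,3) or (-5,3)
    x2, y2 = p2[0] % P_MOD, p2[1] % P_MOD
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                 # P + (-P) = O
    if (x1, y1) == (x2, y2):
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD   # doubling (page 23)
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD          # distinct x (page 22)
    xs = (lam * lam - x1 - x2) % P_MOD
    ys = (lam * (x1 - xs) - y1) % P_MOD
    return (xs, ys)

def scalar_mul(k, pt):
    """k*P by double-and-add: the operation behind an EC public key w = vP."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def all_points():
    """The affine points listed on page 21 (27 of them; with O that is 28)."""
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD)
            if on_curve((x, y))]

def group_order():
    return len(all_points()) + 1
```

Negative coordinates such as (17,-3) come back reduced mod 23, so the slide's (17,-3) appears as (17,20).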

Page 24

GF(2^n)

GF(2^n): p(u) irreducible polynomial of degree n

EC over GF(2^n) defined by

y^2 + xy = x^3 + ax^2 + b

Page 25

EC over GF(2^n)

Sum: λ := (y1 + y2)/(x1 + x2)

xs = λ^2 + λ + x1 + x2 + a

ys = λ(x1 + xs) + xs + y1

Double: λ := x1 + y1/x1

xd = λ^2 + λ + a

yd = (λ + 1)xd + x1^2

Page 26

Key Generation

Choose field and equation

Determine the group order g
– If large prime divisor q, choose curve randomly

Find a generator of subgroup of order q:
– Let g = qr
– Choose random point P
– Calculate rP
– If rP ≠ O, set generator := rP

Try our lab on www.cryptomathic.com!

Page 27

How to blackmail a bank using RSA with public exponent 3

Page 28

1. step

The well-known bank AMO announces a nation-wide PKI scheme based on RSA (1024 bits, public exponent 3)

Message received week 1 at AMO:
– I know your private key! I am going to publish the 1st upper byte of the key, unless you send me 2 $!

Bank ignores

Page 29

2. step

Message received week 2 by AMO:
– Here is the 1st byte: 11011010
– I am going to publish the 2nd upper byte of your private key, unless you send me 4 $!

Bank is puzzled. The blackmailer is right about the first byte! Could he be guessing, or maybe the first byte is not so difficult?

Page 30

3. step

Message received week 3 by AMO:
– Here is the 2nd byte: 00011001
– I am going to publish the 3rd upper byte of your secret key, unless you send me 8 $!

The Bank hires a security specialist
– the problem is that it will cost 100.000 $ to switch to a different key

Page 31

About 1 year later

Message received week 52 by AMO:
– Here is the 51st byte: 01111101
– I am going to publish the 52nd upper byte of your secret key, unless you send me 2^52 $!

– Conclusion of the specialist: offer him 25.000 $ now

Page 32

Conclusion

If they had hired an expert rather than a specialist, they could have saved the money (less his fee of course!)

Expert opinion:

1024 bits is 128 bytes. He can only do what he does up to the first 64 bytes.
– Here is how he does it:

Page 33

Solution

1. Subtract 1 from the modulus n

2. Divide by 3 and multiply by 2

3. The upper half of this number is the upper half of your private exponent

AMO: What about the lower half?

Only the bank knows! The system is secure

Page 34

Proof

"Based on classical (Greek) math we find integers d, x < 0, with (*) de + xφ(n) = 1"
– where d is chosen minimal of course

Now let e = 3. As d < φ(n), x is -1 or -2! But as 3 is mutually prime to φ(n) = (p - 1)(q - 1), p and q are both 2 mod 3, and (*) above shows x = -2 as φ(n) = 1 mod 3

Page 35

Proof

Hence d = (1 + 2φ(n))/3

But φ(n) = (p - 1)(q - 1) = n – (p + q) + 1,

Thus we know the upper half of φ(n): it is equal to the upper half of n.

This suggests considering very carefully what to store as the private key, e.g. if storage is a problem
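Added example, not from the slides: the e = 3 argument of pages 33-35 checked numerically. It builds textbook RSA from two constructed primes (1000000007 and 998244353, both 2 mod 3, chosen only to keep the numbers small), verifies d = (1 + 2φ(n))/3, and counts how many leading bits of d the recipe 2(n - 1)/3 reproduces; for this 60-bit modulus the count comes out near 30, the upper half, just as the slide claims for 1024 bits. All function names are this example's own.

```python
# Added example (not from the slides): how much of d is fixed by the public
# key alone when e = 3 and p, q = 2 mod 3 (pages 33-35).  The primes are
# constructed for illustration only, not real key material.
P_DEMO, Q_DEMO = 1000000007, 998244353    # both prime, both 2 mod 3

def rsa_private_exponent(p, q, e=3):
    """d with d*e = 1 mod phi(n), via the extended Euclidean algorithm."""
    return pow(e, -1, (p - 1) * (q - 1))

def d_from_phi(phi):
    """Page 35: for e = 3 the proof gives d = (1 + 2 phi(n)) / 3 exactly."""
    assert phi % 3 == 1, "requires p, q = 2 mod 3"
    return (1 + 2 * phi) // 3

def recipe(n):
    """Page 33: subtract 1 from n, divide by 3 and multiply by 2."""
    return 2 * (n - 1) // 3

def shared_leading_bits(a, b, width):
    """Number of leading bits (out of `width`) on which a and b agree."""
    return width - (a ^ b).bit_length()

def analyse(p, q):
    """Compare the real d with the value anyone can compute from n."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = rsa_private_exponent(p, q)
    width = n.bit_length()
    return {
        "proof_holds": d == d_from_phi(phi),
        "modulus_bits": width,
        "leading_bits_of_d_from_n": shared_leading_bits(d, recipe(n), width),
    }

if __name__ == "__main__":
    print(analyse(P_DEMO, Q_DEMO))
```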

Page 36

Card trick

End up with two piles: A private key and the corresponding public key

Page 37

Demo: Key Generation - the most vulnerable part

-- using two suits in a deck of cards. Say spades (black) and hearts (red)

1 Choose a very large prime number (13)

2 Calculate "modulo" 13: divide by 13 and take the remainder:
29 = 2·13 + 3 = 3 mod 13
5^3 = 125 = 10·13 - 5 = 8 mod 13 (= 9·13 + 8)

3 Remove the king = 13 = 0 mod 13

Page 38

My private key!!!

12, 11, 9, 5, 10, 7, 1, 2, 4, 8, 3, 6

Do you recognise a pattern?

We have illustrated Fermat's little Theorem:

2^13 mod 13 = 2 (a^p mod p = a)

2 is a generator:

2, 2^2, 2^3, 2^4, 2^5, ... up to 2^12 = 1 are all different mod 13!

Which power of 2 is e.g. 10 mod 13?

Page 39

Mechanisms and (Interactive) Protocols

Mechanisms
– To generate a digital signature is a mechanism

Comprising cryptographic primitives, e.g.
– Hash calculation (e.g. SHA-1)
– Signature generation (e.g. RSA PKCS #1)

Interactive protocols
– Can be used for key exchange (e.g. Diffie-Hellman) and user identification

Page 40

User Identification

Let's assume Alice has a public key pair (P,S).
– Alice wants to get access to a database DB
– DB knows her public key (e.g. through a valid certificate)
– We need to agree on an identification protocol?

How?

Page 41

Many possibilities

How about?
– Alice connects
– DB sends a random challenge r
– Alice calculates S(r) and sends this to DB
– DB verifies that P(S(r)) = r and lets her in

Is this safe?

Page 42

Problem

DB can use Alice as an oracle
– r might be the hash of a message which commits Alice unknowingly
– The problem is that Alice calculates what may be a digital signature

How can this be prevented?
– The problem is that we cannot be sure that Alice applies her private key to something completely random

Page 43

Solution

1. step
– DB chooses any r, calculates s = P(r), and sends s to Alice

2. step
– Alice calculates S(s) = r and returns r to DB

What did DB learn, except that Alice was able to recover r – not known to her – from s?
– Nothing at all

But ....

Page 44

Solution

Alice has no means of verifying that DB follows the protocol
– Something else is needed:

Let E be some symmetric encryption which Alice and DB agree is strong
– We can now define a so-called zero-knowledge identification protocol:

Page 45

Solution

1. step
– DB chooses any r, calculates s = P(r), and sends s to Alice

2. step
– Alice calculates S(s) = r, chooses a random key k and returns E_k(r) to DB

3. step
– DB sends r to Alice

4. step
– Alice sends k to DB who verifies D_k(E_k(r)) = r

Page 46

Success!

This protocol
– is secure: Alice will not be successful without knowing S
– is sound: DB will know that only a person able to compute r from randomly chosen P(r) can respond
– is zero-knowledge: DB learns nothing from the protocol that he could not calculate by himself: P(r) = s, S(s) = r – except that Alice can calculate r from s

In fact -

Page 47

Zero-knowledge protocol can be simulated

1. step
– DB chooses any r, calculates s = P(r), and sends s to DB

2. step
– DB chooses a random key k and returns E_k(r) to DB

3. step
– DB sends r to DB

4. step
– DB sends k to DB who verifies D_k(E_k(r)) = r

Page 48

Zero-knowledge protocol can be simulated

A third party (an arbiter) cannot differentiate the traces of
– a simulated zero-knowledge protocol
from that of
– a 2-party zero-knowledge protocol:
– Only DB will know if he simulated it or he indeed did identify Alice in the protocol!
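Added example, not from the slides: the four-step protocol of page 45 and its one-party simulation of page 47, run with textbook RSA as (P, S) and a fresh one-time XOR key as E_k (an assumption made so the code runs stand-alone; any cipher the parties agree is strong would do). Step 4 includes the check page 44 asks for: Alice releases k only after DB has shown the r she recovered. The primes and all function names are constructed for this example.

```python
# Added example (not from the slides): the identification protocol of page 45
# and its one-party simulation of page 47.  (P, S) is textbook RSA; E_k is a
# one-time XOR key, an assumption made so the code runs stand-alone.
import secrets

def textbook_rsa(p, q, e=3):
    """Constructed key: returns (public P, private S) as (n, exponent)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def P(pub, m):                     # public operation: m^e mod n
    n, e = pub
    return pow(m, e, n)

def S(priv, c):                    # private operation: c^d mod n
    n, d = priv
    return pow(c, d, n)

def E(k, r):                       # E_k(r); for a one-time key D_k = E_k
    return r ^ k

def real_run(pub, priv):
    """Two-party run: DB challenges, Alice answers with her private key."""
    n, _ = pub
    r = secrets.randbelow(n)                     # step 1: DB picks r,
    s = P(pub, r)                                #         sends s = P(r)
    recovered = S(priv, s)                       # step 2: Alice recovers r,
    k = secrets.randbits(n.bit_length())         #         picks a key k,
    c = E(k, recovered)                          #         sends E_k(r)
    revealed = r                                 # step 3: DB sends r
    if revealed != recovered:                    # step 4: Alice checks DB
        raise ValueError("DB did not follow the protocol")
    return (s, c, revealed, k)                   #         then releases k

def simulated_run(pub):
    """Page 47: DB plays both sides; no private key is needed at all."""
    n, _ = pub
    r = secrets.randbelow(n)
    k = secrets.randbits(n.bit_length())
    return (P(pub, r), E(k, r), r, k)

def arbiter_accepts(pub, trace):
    """All a third party can check: s = P(r) and D_k(E_k(r)) = r."""
    s, c, r, k = trace
    return P(pub, r) == s and E(k, c) == r
```

Both kinds of trace pass the arbiter's check, which is the point of page 48: the trace alone does not show whether Alice took part.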

Page 49

Useful definitions (Fiat-Shamir)

Authentication
– A can prove to B that she is A

Identification
– A can prove to B that she is A, but B cannot prove to C that he is A

Non-repudiation
– A can prove to B that she is A, but B cannot even prove to himself that he is A

Page 50

Conclusion

Cryptography is applied mathematics

Mathematics was "invented" to be helpful
– and it is!

G.H. Hardy wrote in "A Mathematician's Apology":
– I have never done anything useful!

Not true: We use the Hardy-Littlewood conjecture in our products

Page 51

How to store private keys

When signing, the time of calculation is reduced by a factor 2-4 by using the Chinese Remainder Theorem

If this is not an issue, we either store
– n and d
– n and e and calculate d

So assume in the following we want to use the CRT

Page 52

Storing private keys using CRT

The CRT states that if you know

x = z mod p

and

y = z mod q,

you can calculate z from x and y.

All you need is an a < n which is 1 mod p and 0 mod q. Then

z = xa + y(1 - a) mod n

Page 53

Storing private keys using CRT

We need to calculate z ≡ m^d mod n

Obviously,

z mod p ≡ m^(d mod (p-1)) mod p

z mod q ≡ m^(d mod (q-1)) mod q

as m^(p-1) mod p = 1 for a prime p

So we need p, q, d(p) = d mod (p-1) and d(q) = d mod (q-1)

What about a?

Page 54

What about a?

How about

a = (q^(p-2) mod p)·q?

This is obviously 0 mod q, and 1 mod p (by Fermat's Little Theorem)

So we are home and dry:

m^d = (m^d(p) mod p)a + (m^d(q) mod q)(1 - a) mod n

This may be refined slightly to ensure that equality holds
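Added example, not from the slides: the CRT private-key operation of pages 52-54 with a = (q^(p-2) mod p)·q, stored as p, q, d(p), d(q) and a, and compared against plain m^d mod n. The final reduction mod n takes care of the negative (1 - a) term, which is the refinement the slide alludes to. The primes are constructed and the function names are this example's own.

```python
# Added example (not from the slides): RSA private operation stored and
# computed in CRT form (pages 52-54), with a = (q^(p-2) mod p) * q.
# The primes are constructed for illustration only.
P_DEMO, Q_DEMO = 1000000007, 998244353

def crt_private_key(p, q, e=3):
    """What page 53 says to store: p, q, d(p), d(q), plus the constant a."""
    d = pow(e, -1, (p - 1) * (q - 1))
    a = pow(q, p - 2, p) * q            # 1 mod p (Fermat), 0 mod q, and a < n
    return {"p": p, "q": q, "dp": d % (p - 1), "dq": d % (q - 1), "a": a}

def check_a(key):
    """The two congruences page 54 relies on."""
    return key["a"] % key["p"] == 1 and key["a"] % key["q"] == 0

def crt_power(m, key):
    """m^d mod n from two half-size exponentiations (page 54):
    m^d = (m^d(p) mod p) a + (m^d(q) mod q)(1 - a) mod n."""
    p, q, a = key["p"], key["q"], key["a"]
    xp = pow(m, key["dp"], p)          # m^d mod p, exponent reduced mod p-1
    xq = pow(m, key["dq"], q)          # m^d mod q, exponent reduced mod q-1
    return (xp * a + xq * (1 - a)) % (p * q)   # final % keeps it in [0, n)

def plain_power(m, p, q, e=3):
    """The same value without CRT, for comparison."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return pow(m, d, p * q)

def roundtrip(m, key, e=3):
    """Sign with the CRT form, verify with the public exponent."""
    n = key["p"] * key["q"]
    return pow(crt_power(m, key), e, n) == m
```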

Page 55

Appendix: Card trick

End up with two piles: A private key and the corresponding public key

Page 56

Card trick

1 Arrange both suits in order, ace to queen, face down, ace on top

2 Deal the (entire) black suit (holding it face down) in two piles (left and right), face up: left (ace), right (2), left (3), right (4), ...

Page 57

Card trick

3 Remove the top card of the right pile (queen = 12), place it face up in a new pile, and place the top red card (ace) face up where the black queen was.

4 Place the left pile (6 black cards) on top of the right pile (1 red on top of 5 blacks), and turn over to have a new stack of 12 cards face down

Page 58

Card trick

5 Repeat steps 2, 3 and 4 altogether 11 times

The two piles have now been interchanged - but in which order do the cards occur?

The black pile is my private key

The red pile is my public key

Identify me!

Page 59

Card trick

– Now run an identification protocol between A and B: Keep both piles face down; black is the private key of A, red the public. The person (B) with the red pile names any black card, say no. 9. B then turns over the red cards, one by one, and stops with the 9th: this is no. 3. A turns over the black cards. The 3rd black is no. 9!

Identification completed. The keys match!
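Added example, not from the slides: a simulation of the card trick of pages 56-59 (the first pass of steps 2-4 plus the 11 repeats of step 5, 12 passes in all), which reproduces the private-key order of page 38, the identification check of page 59, and the link to page 38's powers of 2 mod 13. The list conventions and function names are this example's own.

```python
# Added example (not from the slides): a simulation of the card trick of
# pages 56-59.  Lists hold cards top-first; a card is (suit, value).
def deal_pass(stack, reds, black_pile):
    """Steps 2-4 once: deal the face-down stack alternately left/right
    (face up), swap the top card of the right pile for the next red card,
    put the left pile on the right pile and turn the stack over."""
    left, right = stack[0::2], stack[1::2]      # dealt order = bottom-first
    black_pile.append(right.pop())              # step 3: top of right pile
    right.append(reds.pop(0))                   # next red card takes its place
    return right + left                         # step 4: turned over, so the
                                                # old bottom card is now on top

def card_trick(passes=12):
    """Step 5: the first pass plus 11 repeats, i.e. 12 passes in all."""
    stack = [("B", v) for v in range(1, 13)]    # black suit, ace on top
    reds = [("R", v) for v in range(1, 13)]     # red suit, ace on top
    black_pile = []
    for _ in range(passes):
        stack = deal_pass(stack, reds, black_pile)
    black = [v for _, v in black_pile]          # private key: top-first once
    red = [v for _, v in stack]                 # turned face down; public key
    return black, red

def identify(black, red, chosen):
    """Page 59: B names black card `chosen`, counts that many red cards and
    reads the value; A counts that many black cards and must reach `chosen`."""
    position = red[chosen - 1]
    return black[position - 1] == chosen

def generator_powers(g=2, p=13):
    """Page 38: the black order is 2^6, 2^7, ..., 2^12, 2^1, ..., 2^5 mod 13,
    so the red pile is its inverse permutation: a table of discrete logs."""
    return [pow(g, k, p) for k in range(6, 18)]
```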