Public Key Cryptography Alice and Bob agree on a key, without meeting!

Date posted: 21-Dec-2015

The Problem Remains: How to Get the Key from Alice to Bob?

[Diagram: the SENDER, Alice (you), uses a key and AES to turn her credit card number 1324-5465-2255-9988 into the ciphertext Sf&*&3vv*+@@Q and sends it over the Internet to the RECEIVER, Bob (an on-line store), who holds the same key. The ATTACKER, Eve (an identity thief), sits on the Internet between them.]

Public-Key Cryptography

• Whit Diffie and Marty Hellman, New Directions in Cryptography, 1976
• Clifford Cocks and Malcolm Williamson, secret work in the British GCHQ, 1973-74, revealed only in 1997
• A way for Alice and Bob to agree on a secret key through messages that are completely public

The basic idea of Diffie-Hellman key agreement

• Arrange things so that
  • Alice has a secret number that only Alice knows
  • Bob has a secret number that only Bob knows
• Alice and Bob then communicate something publicly
• They somehow compute the same number
• Only they know the shared number -- that’s the key!
• No one else can compute this number without knowing Alice’s secret or Bob’s secret
• But Alice’s secret number is still hers alone, and Bob’s is Bob’s alone
• Sounds impossible …

One-Way Computation

• Easy to compute, hard to “uncompute”
• What is 28487532223 ✕ 72342452989?
  • Not hard -- easy on a computer -- about 100 digit-by-digit multiplications
• What are the factors of 206085796112139733547?
  • Seems to require vast numbers of trial divisions

Modular arithmetic

• Let’s do arithmetic modulo 100

• That is, drop everything but the last 2 digits

• 12 ✕ 12 = 144, which reduces to 44

• 28487532223 ✕ 72342452989 = 206085796112139733547, which reduces to 47

• But you can save yourself a lot of work and get the right answer anyway by doing the reduction ahead of time

• 23 ✕ 89 = 2047, which reduces to 47

Repeated squaring

• You can compute huge modular powers quickly by repeated squaring

• Suppose you wanted to compute 17^65 (modulo 100)

• 17^2 = 89, 17^4 = 21

• 17^8 = 41, 17^16 = 81

• 17^32 = 61, 17^64 = 21, and 17^65 = 21 ✕ 17 = 57

• 7 multiplications instead of 64

There’s no shortcut for computing logarithms modulo p

• Problem: Given x and z, find y such that x^y = z (where everything is modular arithmetic)
• As far as anyone knows, there are no shortcuts. The only way to do this is essentially by brute-force search among all possibilities for y.
• Example: If the modulus is not 100 but a 500-digit number, finding y so that x^y = z requires about 10^500 steps.

“Discrete logarithm” problem

• It is easy to compute modular powers but seems to be hard to reverse that operation
• For what value of n does 54321^n = 18789 (modulo 70707)?
• Try n = 1, 2, 3, 4, … Get 54321^n = 54321, 26517, 57660, 40881 …
• n = 43210 works, but no known quick way to discover that

• Given an equation of the form x^y = z
• Then it is exponentially harder to compute y given x and z, than it is to compute z given x and y.
• For 500-digit numbers, we’re talking about a computing effort of 1700 steps vs. 10^500 steps.

The math behind Diffie-Hellman key agreement

• Discrete logarithm seems to be a one-way function
• Fix numbers g and p (big numbers, g < p)
• Let g * a = g^a (mod p)
• Given a, computing g * a = A is easy
• But it is impossibly hard, given A, to find an a such that g * a = A.

Another useful fact

• Note that, for any three numbers x, y, z,
  (x * y) * z = (x * z) * y
• since
  (x^y)^z = x^(yz) = (x^z)^y

Diffie-Hellman Key Agreement

Alice:
• Pick a secret number a
• Compute A = g * a
• Shout out A
• Compute B * a

Bob:
• Pick a secret number b
• Compute B = g * b
• Shout out B
• Compute A * b

Main point: Alice and Bob have computed the same number. Use this number as the encryption key!

Diffie-Hellman Key Agreement

[Diagram: Alice and Bob exchange A and B in public while Eve listens in.]

• Let K = B * a = A * b
• Alice and Bob can now use this number as a shared key for encrypted communication
• Eve the eavesdropper knows A and B
• And (per Kerckhoffs) she also knows the value of p and how to compute *. But going from these back to a or b requires reversing a one-way computation.
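The repeated-squaring and key-agreement slides above, run end to end as an added example that is not part of the original slides: `modpow` counts its multiplications, `star` is the slides' g * a operation, and Eve's search is the brute-force approach the slides describe. The values g=5, p=7919, a=1234, b=4321 are constructed toy numbers, chosen small enough that the brute-force search finishes instantly.

```python
# Added example: toy parameters only; real deployments use vetted groups and libraries.
def modpow(x, y, m):
    """x^y mod m by repeated squaring (y >= 1); returns (value, multiplications used)."""
    bits = bin(y)[3:]                    # exponent bits after the leading 1
    result, mults = x % m, 0
    for bit in bits:
        result = result * result % m     # square once for every remaining bit
        mults += 1
        if bit == "1":
            result = result * x % m      # extra multiply when the bit is set
            mults += 1
    return result, mults


def star(g, a, p):
    """The slides' g * a operation: g^a (mod p)."""
    return modpow(g, a, p)[0]


def key_agreement(g, p, a, b):
    """Run the exchange; return what is public and the key each side computes."""
    A = star(g, a, p)                    # Alice shouts out A
    B = star(g, b, p)                    # Bob shouts out B
    return {"public": (g, p, A, B),
            "alice_key": star(B, a, p),  # B * a
            "bob_key": star(A, b, p)}    # A * b


def eve_brute_force(g, p, A, B):
    """Try every exponent n until g * n == A, then derive the key as B * n."""
    value = 1
    for n in range(1, p):
        value = value * g % p
        if value == A:
            return star(B, n, p), n      # recovered key, number of guesses
    return None, p - 1


if __name__ == "__main__":
    print(modpow(17, 65, 100))           # the slides' repeated-squaring example
    run = key_agreement(g=5, p=7919, a=1234, b=4321)   # constructed toy values
    print(run, eve_brute_force(*run["public"]))
```

Eve's loop costs up to p - 1 multiplications, while each honest party needs only a few dozen; that gap is what grows to the slides' 1700 versus 10^500 steps once p has 500 digits.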

Secure Internet Communication

• https://www99.americanexpress.com/
• https (with an “s”) indicates a secure, encrypted communication is going on
• We are all cryptographers now
• So is Al Qaeda(?)
• Internet security depends on difficulty of factoring numbers -- doing that quickly would require a deep advance in mathematics

Confidential email from anyone

• Bob picks secret key b and computes his public key B
• Bob publishes B in a public directory!
• Now anyone can send Bob secret email:
  • Pick secret key a and compute public key A
  • Compute encryption key K using a and B
  • Send encrypted message and also include public key A in the same email!
• Bob computes K using A and b and decrypts the message!

But there’s a problem …

• How can Alice know that the listing in the directory is really Bob’s?
• Maybe it is Eve pretending to be Bob!
• Certificates and certifying authorities provide solution to authentication problem

Two more problems solved by digital signatures

• Integrity: When Bob receives a message, he can be sure that it was not modified en route after Alice sent it.
• Non-repudiation: Alice cannot later deny that the message was sent. Bob cannot later deny that the message was received.
• Digital signatures are a variant on public-key encryption technology

Cryptography and National Security

There is a very real and critical danger that unrestrained public discussion of cryptologic matters will seriously damage the ability of this government to conduct signals intelligence and the ability of this government to carry out its mission of protecting national security information from hostile exploitation.
-- Admiral Bobby Ray Inman (Director of the NSA, 1979)

CALEA, October 1994

… a telecommunications carrier … shall ensure that its equipment, facilities, or services … are capable of … expeditiously isolating and enabling the government, pursuant to a court order or other lawful authorization, to intercept … all wire and electronic communications carried by the carrier within a service area to or from equipment, facilities, or services of a subscriber of such carrier concurrently with their transmission to or from the subscriber's equipment, facility, or service, or at such later time as may be acceptable to the government …

Government’s big hammer: Crypto export controls

• Pre-1995: Encryption technology classified by State Department as a munition
• Illegal to export hardware, software, technical information, unless you register as an arms dealer and adhere to stringent regulations
• Illegal to provide material or technical assistance to non-US citizens (even within the US)
• 1996: Jurisdiction for crypto exports transferred to Commerce Department, but restrictions remain.

The basic proposal: escrowed encryption

• Require encryption products to have a back door controlled by a set of keys (“escrowed keys”) that are held by the government or by its licensed agents
• Might require this for products that can be exported, or maybe all encryption products
• Proposal first unveiled for telephones in 1994 (the “Clipper phone”)
• Modified in various ways throughout 1994-1998

The crypto wars, 1994-1998

Dramatis Personae
• Industry
• Law enforcement
• National security
• Civil libertarian groups

Industry claims and issues

• Customers want security for electronic commerce, for protecting remote access, for confidentiality of business information.
• Export restrictions are a pain in the butt.
• Providing encryption is cheap, but providing an escrow infrastructure is not, and there’s no commercial demand for it.

Law enforcement claims and issues

• Wiretapping is a critical law-enforcement tool.
• Wiretaps are conducted on specific, identified targets under lawful authority.
• Many criminals are often sloppy and/or stupid: They won’t use encryption unless it becomes ubiquitous.
• Some criminals are far from sloppy or stupid: They will use encryption if it is available.

Civil libertarian claims and issues

• As computer communication technology becomes more pervasive, allowing government access to communications becomes much more than traditional wiretapping of phone conversations.
• How do we guard against abuse of the system?
• If we make wiretapping easy, then what are the checks on its increasing use?
• There are other tools (bugging, data mining, DNA matching) that can assist law enforcement.
• People have less privacy than previously, even without wiretapping.

National security establishment claims and issues

• We can’t tell you, but they are really serious.

Legislation, 1997

• Bills introduced in Congress all over the map, ranging from elimination of export controls to bills that would mandate key escrow, even for domestic use.

More recently …

• 1998-2000: Crypto export regulations modified and relaxed, but still exist (e.g., can’t export to the C/I/NK/S/S countries)
• Sept. 13, 2001: Sen. Judd Gregg (New Hampshire) calls for encryption regulations, saying encryption makers “have as much at risk as we have at risk as a nation, and they should understand that as a matter of citizenship, they have an obligation” to include decryption methods for government agents.
• By October, Gregg had changed his mind about introducing legislation.

Why Aren’t Emails Encrypted?

• Email is more like postcards than letters!
• Standard email software doesn’t make it easy
• But encrypted-email software is freely available (PGP)
• Regulations require some businesses to know what their employees are doing

December 1, 2006