LIGHTWEIGHT CRYPTOGRAPHY - in (Mobiles,.. RFID), Supply …


OVERVIEW: LIGHTWEIGHT CRYPTOGRAPHY
- Raja Ghosal (Researcher, Delhi)
- Prof Peter H. Cole (Emer Director, Auto ID Labs, U/Adelaide)
- Mr Alfio R. Grasso, AutoID Labs, U/Adelaide.
- Prof Brian J. Garner (Emer., Deakin Univ., Australia).
CRYPTOGRAPHY
C = F(M).
F = CRYPTOGRAPHY FUNCTION.
ONE WAY FUNCTION (OWF)
FORWARD STEP, EASY (P),
INVERSE DIFFICULT (NP)
DECRYPTION: M = F^-1(C) DIFFICULT.
MATH: RSA, DIFFIE-HELLMAN,
ELLIPTIC CURVES (ECC),
LIGHTWEIGHT. (PASSIVE EASIER vs)
PHYSICS- QUANTUM*, QUASAR..
RFID Tags
[Figure: some RFID tags and transponders (ack: Manfred Jantscher, thesis, AutoID Labs, U/Adelaide, 2006)]
[Figure: typical RFID setup (ack: M. Jantscher)]
LIGHTWEIGHT vs HEAVYWEIGHT
- LIGHTWEIGHT = COMPUTATIONAL
OPERATIONS ARE LIGHT (CPU cycles)
-- eg: XOR, BIT SHIFT (DONE USUALLY
HARDWARE, eg: GSM MOBILE A5
ALGORITHM FOR DATA ENCRYPTION)
-HEAVYWEIGHT = ARITHMETIC
OPERATIONS AS EXPONENTIAL,
MODULO. (+ sin(), cos(),..)
-EXPONENTIAL –HIGHEST/COMPLEX
ARITHMETIC OPERATOR
--MODULO – HIDING EFFECT
EXPONENTIAL, MODULO OPERATORS IN
HEAVYWT CRYPT eg: RSA, DISCRETE LOG
C = M^E mod (N), (RSA)
C = g^M mod (p), (Discrete Log, D-H)
-EXPONENTIAL –HIGHEST/COMPLEX
ARITHMETIC OPERATOR
- [if we “discovered” higher operator
above Exp, then “RSA” eqn would
change.]
--MODULO – HIDING EFFECT
-Eg: A+B mod (N), A*B mod (N) HAVE
SIMILAR OUTPUT GRAPH (0,.., N-1)
LIGHTWEIGHT EXAMPLE:
- IF MSG = ‘A’ = 41 Hex
- BIT FORM:
- M = 0100 0001
-IF PSEUDO RANDOM, BITS
- K = 1010 1010
-CIPHERTEXT, C= M XOR K
- C= 1110 1011
- RECOVER/INVERSE: M = C XOR K.
What constitutes an identity?
• Your public key PK
• Your biometric
• Email ID
• How about where you are? (position x, y, z)
Geographical Position as an Identity
[Figure: a secret key sk shared by a US Military Base in the USA and a US Military Base in Iraq, which exchange Enc_sk(m); caption: "Reveal sk or else....."]
Previous Techniques for Secure Positioning
[Figure: the Verifier sends a random nonce r to the Prover and measures the time of response]
Prover cannot be farther away from verifier than he claims to be.
Triangulation [CH05]
[Figure: 3 Verifiers V1, V2, V3 send nonces r1, r2, r3 to the Prover P, measure the time of response and verify the position claim]
Information-theoretic Key Exchange in 3-Dimensional Space
Again assume Verifiers can store X's
[Figure: Verifiers V1, V2, V3, V4 around Position P supply K1 and X1, ..., X5 to the Prover]
Prover computes K_{i+1} = PRG(X_i, K_i), 1 ≤ i ≤ 5
K6 is final key
CRYPTOGRAPHY – TIME/SPACE
BC (GREECE/EGYPT): PYTHAGOREAN NUMBERS
-EUCLID
-DIOPHANTINE EQUATIONS (integer solns)
-1st cent AD: LAO TZU:
-CHINESE REMAINDER THEOREM
-BASIS: RESIDUAL NUMBER SYSTEMS (RNS) h/w
-6th Cent AD: ARYABHATTA:
-MODULAR INVERSE: d = e^-1 mod (φ(N))
-1637: FERMAT: ELLIPTIC CURVE (n=4, FLT)
-1955 A** TANIYAMA-SHIMURA CONJECTURE,
ELLIPTIC CURVE, Japan, (+ G. FREY 1986)
-LINKED 1637 FERMAT’s LAST THM, to ELLIPTIC C.
PUBLIC KEY CRYPTOGRAPHY- ORIGIN
PROF ELLIS (AUSTRALIA/UK), WWII,
GCHQ, UK MILITARY- 1950s/60s:
-ANALOG – PHYSICAL LAYER:
-soldiers cannot have UNIQUE frequency:
-RECEIVER WIRELESS OF EACH SOLDIER
NOT PASSIVE
-EACH RECEIVER SENDS UNIQUE NOISE
PATTERN (NB) (basis: PRIVATE KEY)
-SENDER A: S + NB = SA -> B:
-RECEIVER B: SA – NB = S (original).
PUBLIC KEY CRYPTOGRAPHY-ELLIS
PROF ELLIS (AUSTRALIA/UK), WWII,
GCHQ, UK MILITARY- 1950s/60s:
-1969 EXTEND TO DIGITAL SYSTEMS, ..
GROUP DISCOVERED RSA, DISCRETE LOG,
BEFORE DIFFIE-HELLMAN)
-HIRED PROFs (Sir) WILFRED COCKS,
- MALCOLM MORRISON, CAMBRIDGE
UNIV, UK – (DISCOVERIES SECRET*)
-PROF W COCKS (RSA* eqvlt) 1973
-PROF M MORRISON (DISCRETE LOGARITHM* eqvlt), 1974
PUBLIC KEY: ELLIS-DIFFIE; ORIGINS LIGHT
- 1976 WHITFIELD DIFFIE VISITED UK, MET ELLIS:
-ELLIS ADV NOT TO PLACE HIS NAME AS
FOOTNOTE, OF BREAKTHROUGH PAPER
D-H 1976, IN SPITE OF ELLIS' 1969 IDEA
-ELLIS: CRYPTO..: ONE IS NOT LOOKING FOR
RECOGNITIONS; (RESULTS IN SECRECY):
- DIFFIE-HELLMAN (1976) – PUBLIC KEY, RSA
(1978) – IDEAS PATENTED
- NEWER DEV 1980s AVOIDED RSA, D-H; PATENT
FEES JNLS; BASIS NOW -> LIGHTWEIGHT
-eg: LEUVEN POLYNOMIALS; GSM A5.
CRYPTOGRAPHY – 4 HARD MATH..
*INTEGER FACTORIZATION, (RSA)
*DISCRETE LOGARITHM, (D-H)
*SOLUTION OF SYSTEM OF NON-LINEAR
EQNS in INTEGERS; (Harder, and easy logic
h/w realization, AND, OR) when over {0,1}
(DES)
*MERKLE-HELLMAN KNAPSACK PROBLEM
CRYPT..– 4 HARD MATH../Why
Integers? (Why Not Real?)
*INTEGER FACTORIZATION, (RSA)
- N= p*q . Over Real, very easy to
Factor. Select p <> 0, q = N/p.
- Over Integers– Search, Brute Force.
*DISCRETE LOGARITHM, (D-H)
- C = g^M mod (p).
Over Real, easy: M = log_g(C).
- Difficult Over Integers. Search.
*SOLUTION OF SYSTEM OF NON-LINEAR
EQNS in INTEGERS;
SOLUTION OF EQNS OVER {0,1} – L:
LINEAR (L):
X1 + X2 + X3 = 0
X1      + X3 = 1
     X2 + X3 = 1
Where + = “XOR” GATE
SOLUTION V. EASY,
USED in A5 CIPHER, MOBILE
Or ANY LFSR BASED. LINEARITY-WEAKNESS
(CURSE OF CRYPTOGRAPHERS)
SOLUTION OF EQNS OVER {0,1} –NL:
NON-LINEAR (NL):
X1 + X2*X1 + X3 = 0
X1 +    X2*X3   = 1
X2 +    X1*X3   = 1
+ = “XOR” GATE, * = “AND” GATE
SOLUTION HARD vs OVER REAL Nos.
USED in LUCIFER (IBM) -> DES.
- {0,1} EASY REALIZED in H/W
PHYSICS in CRYPTOGRAPHY - future
- RSA, Diffie-Hellman, ECC (Elliptic Curve) = MATH based
- (New) PHYSICS based:
-- Channel Based Cryptography: Channel is the Encryption
-- Quantum Cryptography
-- Quasar Cryptography
QUASAR CRYPTOGRAPHY –future,
RANDOM BIT PATTERNS – LIGHT WT
-Quasar Cryptography:
- (TRUE) RANDOM NOISE OF
GALAXY USED:
- C = (MESSAGE) XOR (NOISE)
LIGHTWEIGHT CRYPTOGRAPHY:
- PSEUDO RANDOM BIT
PATTERN (PRBP) FROM eg:
LFSR USED:
- C = (MESSAGE) XOR (PRBP)
-- eg: A5 Algrthm MOBILES
PHYSICS in CRYPTOGRAPHY - future
- PHYSICS BASED: UNCONDITIONAL SECURITY (Sources - Nature)
- MATH BASED: COMPUTATIONAL SECURITY:
-- SECRET KEY (SYMMETRIC) - ALGORITHM MAYBE WEAK
-- ASYMMETRIC (PUBLIC) KEY - ALGORITHM DIFFICULT.
Shannon’s Theory
Unconditional Security:
If unbroken with infinite computational resources.
p(m|c) = p(m)
A Posteriori Probability of message m, given
ciphertext c is observed, is same as a priori probability
of msg m.
One-Time Codes (Shannon, 1949) only proven.
Computational Security:
Best algorithm requires N steps, where N is a very
large number.
Provably Secure - not an absolute proof, but
proven relative to a known difficult problem eg:
integer factorisation (RSA), discrete logarithm.
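To make Shannon's criterion p(m|c) = p(m) concrete, here is an added Python example, not from the slides, that enumerates a one-time pad over 2-bit messages with a constructed non-uniform prior and computes the posterior exactly, beside a key whose single bit is reused for both message positions, for which the posterior leaks the message. The prior, the two key sets and the function names are constructed for this illustration.

```python
from fractions import Fraction
from itertools import product

# Constructed, non-uniform prior over 2-bit messages (a real source is rarely uniform).
PRIOR = {(0, 0): Fraction(1, 2), (0, 1): Fraction(1, 4),
         (1, 0): Fraction(1, 8), (1, 1): Fraction(1, 8)}
# One-time pad: a fresh, uniform 2-bit key (constructed key sets for the illustration).
OTP_KEYS = list(product((0, 1), repeat=2))
# Weak scheme: a single key bit reused for both message bits.
WEAK_KEYS = [(0, 0), (1, 1)]


def xor_bits(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def posterior(prior, keys):
    """Exact p(m|c) for c = m XOR k with k uniform over keys; result is {c: {m: p}}."""
    pk = Fraction(1, len(keys))
    joint = {}                                   # p(m, c) = p(m) * p(k = m XOR c)
    for m, pm in prior.items():
        for k in keys:
            c = xor_bits(m, k)
            joint[(m, c)] = joint.get((m, c), 0) + pm * pk
    pc = {}                                      # p(c) = sum over m of p(m, c)
    for (m, c), p in joint.items():
        pc[c] = pc.get(c, 0) + p
    post = {}
    for (m, c), p in joint.items():
        post.setdefault(c, {})[m] = p / pc[c]    # Bayes: p(m|c) = p(m, c) / p(c)
    return post


def is_unconditionally_secure(prior, keys):
    """Shannon: every observed c leaves p(m|c) equal to the a priori p(m)."""
    post = posterior(prior, keys)
    return all(post[c].get(m, 0) == prior[m] for c in post for m in prior)


if __name__ == "__main__":
    print("one-time pad:", is_unconditionally_secure(PRIOR, OTP_KEYS))
    print("reused key bit:", is_unconditionally_secure(PRIOR, WEAK_KEYS))
    # With the reused bit, seeing c = (0,0) raises p((0,0)|c) from 1/2 to 4/5.
    print(posterior(PRIOR, WEAK_KEYS)[(0, 0)])
```

The exact arithmetic matters: the criterion is an equality, so a floating-point "approximately equal" check would hide exactly the small leaks that break it.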
Quantum Cryptography
• Polarization, Based on
HEISENBERG’s UNCERTAINTY
PRINCIPLE
• PAIRS of components eg:
(momentum, position), both
cannot be accurately measured.
• Measurement of one causes
uncertainty of other.
• PASSIVE INTRUDER CAN
MEASURE PHOTON DETAILS, BUT
PRESENCE WILL BE KNOWN
Factoring a product of two large
primes
• The best known conventional algorithm requires
the solution time proportional to:
$T(n) \approx \exp\left[c\,(\ln n)^{1/3}\,(\ln \ln n)^{2/3}\right]$
For p & q 65 digits long T(n) is approximately
one month using cluster of workstations.
For p&q 200 digits long T(n) is astronomical.
Quantum Computing algorithm for
factoring.
• In 1994 Peter Shor from the AT&T Bell Laboratory
showed that in principle a quantum computer could
factor a very long
product of primes in seconds.
• Shor’s algorithm time computational complexity is
$T(n) \approx O\left[(\ln n)^{3}\right]$
Once a quantum computer is built
the RSA method
would not be safe.
Photon Polarization
[Figure: a photon passes two polarization filters, one vertical and one tilted at the angle θ]
The probability of a photon appearing after the second filter depends on the angle θ and becomes 0 at θ = 90 degrees.
The first filter randomizes the measurements of the second filter.
Security of quantum key distribution
• Quantum cryptography obtains its
fundamental security from the fact that each
qubit is carried by a single photon, and each
photon will be altered as soon as it is read.
• This makes impossible to intercept message
without being detected.
Example of key distribution
The Main contribution of Quantum
Cryptography.
• It solved the key distribution problem.
• Unconditionally secure key distribution method
proposed by:
• Charles Bennett and Gilles Brassard in 1984.
• The method is called BB84.
• Once key is securely received it can be used to
encrypt messages transmitted
by conventional channels.
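The BB84 key distribution described above, as an added Python simulation that is not part of the slides: Alice prepares bits in random bases, Bob measures in random bases, and sifting over the public channel keeps the positions where the bases agree; an intercept-resend eavesdropper is modelled by measuring in a random basis and re-preparing the photon, which shows up as disagreements in the sampled bits. The basis encoding, the fixed random seed and the function names are assumptions of this example.

```python
import random


def bb84(n, eavesdrop, seed=1):
    """Simulate BB84 over an ideal channel; returns (alice_key, bob_key, qber).

    Bases: 0 = rectilinear, 1 = diagonal. Reading a photon in the basis it was
    prepared in returns its bit; reading it in the other basis returns a uniformly
    random bit and leaves the photon re-prepared in the measuring basis (the
    uncertainty principle). Eve is modelled as intercept-resend."""
    rng = random.Random(seed)              # fixed seed so the run is reproducible

    def measure(bit, prep_basis, meas_basis):
        return bit if prep_basis == meas_basis else rng.randrange(2)

    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.randrange(2) for _ in range(n)]
    b_bases = [rng.randrange(2) for _ in range(n)]
    b_bits = []
    for bit, a_basis, b_basis in zip(a_bits, a_bases, b_bases):
        if eavesdrop:
            e_basis = rng.randrange(2)
            bit = measure(bit, a_basis, e_basis)   # Eve's reading collapses the state
            a_basis = e_basis                      # and the photon Bob sees is hers
        b_bits.append(measure(bit, a_basis, b_basis))

    # Sifting over the public channel: keep only positions where the bases agree.
    sifted = [(a, b) for a, b, x, y in zip(a_bits, b_bits, a_bases, b_bases) if x == y]
    # Sacrifice half the sifted bits to estimate the error rate. Intercept-resend
    # Eve guesses the wrong basis half the time and then flips Bob's bit half the
    # time, so about 25% of the compared bits disagree and her presence is known.
    half = len(sifted) // 2
    sample, rest = sifted[:half], sifted[half:]
    qber = sum(1 for a, b in sample if a != b) / len(sample) if sample else 0.0
    return [a for a, _ in rest], [b for _, b in rest], qber


if __name__ == "__main__":
    ka, kb, q = bb84(4000, eavesdrop=False)
    print("no Eve: qber=%.3f keys equal=%s" % (q, ka == kb))
    ka, kb, q = bb84(4000, eavesdrop=True)
    print("Eve:    qber=%.3f keys equal=%s" % (q, ka == kb))
```

On an ideal channel the error rate without Eve is exactly zero and the two halves of the sifted key agree bit for bit; a real link has its own noise floor, so deployments compare the measured rate against a threshold rather than against zero.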
Elliptic Curves
Solution of (ECC) (y):
y² = x³ + ax + b,
where a, b, x, y ∈ Integers (I)
Why is it called Elliptic?
Arc Length of an ellipse $= \int_{-a}^{a} \sqrt{\frac{a^2 - (1 - b^2/a^2)\,x^2}{a^2 - x^2}}\,dx$
Let $k^2 = 1 - b^2/a^2$ and change variables $x \to ax$.
Then the arc length of an ellipse is
Arc Length $= a \int_{-1}^{1} \frac{1 - k^2 x^2}{\sqrt{(1 - x^2)(1 - k^2 x^2)}}\,dx = a \int_{-1}^{1} \frac{1 - k^2 x^2}{y}\,dx$
with $y^2 = (1 - x^2)(1 - k^2 x^2)$ = quartic in x
[Figure: Graph of y² = x³ - 5x + 8]
Elliptic curves can have separate components
[Figure: E : Y² = X³ - 9X]
Addition of two Points
[Figure: the line through P and Q meets E at a third point R; P+Q is marked on the curve]
Doubling of Point P
[Figure: the tangent line to E at P meets E again at R; 2*P is marked on the curve]
Addition Formula
Suppose that we want to add the points P1 = (x1,y1) and P2 = (x2,y2) on the elliptic curve
E : y² = x³ + Ax + B.
If x1 ≠ x2:   m = (y2 - y1) / (x2 - x1)
If x1 = x2:   m = (3x1² + A) / (2y1)
x3 = m² - x1 - x2
y3 = m(x1 - x3) - y1
Note that when P1, P2 have rational coordinates and A and B are rational, then P1+P2 and 2P also have rational coordinates
Important Result
Theorem (Poincaré, 1900): Suppose that an elliptic
curve E is given by an equation of the form
y2 = x3 + A x + B
with
A,B rational numbers.
Let E(Q) be the set of points of E with rational
coordinates,
E(Q) = { (x,y) ∈ E : x,y are rational numbers } ∪ { O }.
Then sums of points in E(Q) remain in E(Q).
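The addition formula and Poincaré's closure result, as an added Python example that is not from the slides: chord-and-tangent addition with exact rational arithmetic on y² = x³ - 5x + 8 (the curve graphed above), and, with the same code, modular arithmetic on the small curve y² = x³ + 2x + 2 over GF(17), which is the finite-field form ECC actually uses. The point P = (1, 2), the GF(17) curve with base point G = (5, 1), and the function names are assumptions of this example.

```python
from fractions import Fraction


def _inv(v, p):
    """Multiplicative inverse: exact over the rationals (p=None) or modulo the prime p."""
    return Fraction(1) / Fraction(v) if p is None else pow(v, -1, p)


def _red(v, p):
    return v if p is None else v % p


def on_curve(P, A, B, p=None):
    """Check y^2 = x^3 + A x + B; the point at infinity O is represented by None."""
    if P is None:
        return True
    x, y = P
    return _red(y * y - (x ** 3 + A * x + B), p) == 0


def ec_add(P, Q, A, B, p=None):
    """Chord-and-tangent addition on E: y^2 = x^3 + A x + B (the slide's formulas)."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if _red(x1 - x2, p) == 0:
        if _red(y1 + y2, p) == 0:
            return None                               # P = -Q: vertical line, sum is O
        m = (3 * x1 * x1 + A) * _inv(2 * y1, p)      # x1 = x2: tangent slope (doubling)
    else:
        m = (y2 - y1) * _inv(x2 - x1, p)             # x1 != x2: chord slope
    x3 = m * m - x1 - x2
    y3 = m * (x1 - x3) - y1
    return (_red(x3, p), _red(y3, p))


def ec_mul(k, P, A, B, p=None):
    """k*P by double-and-add; this is the operation ECC key agreement is built on."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, A, B, p)
        P = ec_add(P, P, A, B, p)
        k >>= 1
    return R


if __name__ == "__main__":
    # Over Q: P = (1, 2) lies on y^2 = x^3 - 5x + 8 (constructed point on the curve above).
    P = (Fraction(1), Fraction(2))
    for k in (2, 3, 4):
        Q = ec_mul(k, P, -5, 8)
        print(k, "P =", Q, "on curve:", on_curve(Q, -5, 8))   # stays rational (Poincaré)
    # Over GF(17): y^2 = x^3 + 2x + 2 with G = (5, 1); 19*G is O (printed as None).
    G = (5, 1)
    print([ec_mul(k, G, 2, 2, 17) for k in range(1, 20)])
```

Over the rationals the denominators grow quickly (2P = (-7/4, -27/8) already), which is one reason ECC works in a finite field, where every coordinate stays a residue mod p.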
Elliptic Curves – Genus (or Torus)
7. Elliptic Curves Have Genus,
g=1
Curves, eg: SQUARE, RECTANGLE,
CIRCLE, TRIANGLE
do NOT have TORSION (Twist),
Hence Genus, g = 0.
g = 1 , implies 1 torsion,
Eg: Moebius Strip.
Hyper-Elliptic Curves – Genus (or Torus)
8. Hyper-Elliptic Curves (HECC)
Have Genus,
g>1
HECC use much shorter keys than
ECC for same security
Eg: if g=2, keysize of HECC is ½
that of ECC
ECC key of 156 bits ≈ 1024 RSA
ECC – Current Optimal Security
- ECC provides same security as RSA, but with much shorter keys
- ECC 156 ≈ 1024 bits RSA
- ECC 192 bits ≈ 2048 RSA
- Useful in Memory Limited Devices eg: Mobile Phones, Palmtops (H-P uses ECC), RFID
AES- 192, 256 bits v secure, preferred
Govt
AES – symmetric (enhanced DES),
Rijndael
-offers v high security with 192
bit keys, and
-256 bits (India Govt, e-security
centre, Qutab, Underground,
terrorism-resilient; USA Govt)
AES vs ECC - future
- I am not familiar with both
- My guess??
- AES being Symmetric, hence less? computation, is chosen by Govt Agencies.
- The several rounds, is not feasible in Mobile, Palmtops, RFID,
- Hence latter 2 going ECC.
- Mobile A5 -1/2/3 (Kasumi)
LONG KNOWN in CRYPTOGRAPHY
- Integer Factorization, Discrete Logarithm were long known
- incl: 1800's eg: Prof Jenkins UK/Sydney
- 1973: Sir Wilfred Cocks, UK Military GCHQ, discovered exactly same as RSA (Int. Factorization)
- 1974 Malcolm Morrison discovered exactly same as Diffie-Hellman (Discrete Logarithm)
LONG KNOWN in CRYPTOGRAPHY
- UK Military did not permit publishing results, till 1999
- Sir Wilfred Cocks, founder IBE (Identity Based Encryption)
- 1973 when Integer Factorization Discovered, UK Military felt PUBLIC KEY Cryptography, INFEASIBLE due to high computing power.
- Then LUCIFER (IBM) -> DES.
Why Lightweight?
Heavyweight Methods:
high computational operations:
modular discrete exponentiations,
discrete logarithms
RSA, Diffie-Hellman, Elgamal, Elliptic
Curve Cryptography (ECC)
use of sin(x), cos(x) (avoided prudently
by late Prof Chris Wallace (founder HOD
CS, Monash Univ; early 1960s LANs); in
PRNG’s in favour of orthogonal
matrices with values, +1, -1)
not suitable for lightweight devices like
RFID, GSM mobile phones.
RFID Tags
[Figure: some RFID tags and transponders (ack: Manfred Jantscher, thesis, AutoID Labs)]
[Figure: typical RFID setup (ack: M. Jantscher)]
Encryption Model
Alice and Bob are communicating, using symmetric key, K. How to prevent Eve, a passive eavesdropper/attacker?
[Figure: Alice computes c = E(K, m) and sends c over the Channel; Eve observes c; Bob computes m = D(K, c)]
Linear Feedback Shift Register (LFSR)
[Figure: LFSR operation (ack: Clark, Stepney, U York, UK, [in Seberry, J]); the register cells L_ij hold a pattern of 0/1 bits that is shifted on each clock, with the feedback bit formed from the tapped cells]
Pseudo-Randomness Criteria:
"An Ensemble {Xn} (n ∈ N) is
pseudorandom
if and only if it is unpredictable in
Polynomial Time (P)”
UNPREDICTABILITY:
Yao’s Next Bit Test
Probability of next bit being 0 or 1 no more than 0.5
(source: Thm 3.3.7, pg 120, Goldreich, Oded
“Foundations of Cryptography”, Oxford University Press,
2001)
One-Time Codes (Vernam) - random
Vernam Cipher generates a random bit stream. This is then XORed, on a bit by bit basis, with the plaintext (ack: Clark, Stepney, U York, UK, off www.uow.edu.au/~jennie (Prof Jennifer Seberry). (Ref: also Cole protocol, Manfred Jantscher thesis)
[Figure: at each end the Key K drives a Random Stream generator producing bits Bi; the sender forms Ci = Pi XOR Bi and the receiver recovers Pi = Ci XOR Bi]
Randomness Criteria
UNPREDICTABILITY
Probability of next bit being 0 or 1 is ½ (0.5) irrespective of
the past
BALANCE
Number of 0’s and 1’s should be equal
Examples:
000000000000 111111111
00000 11111 00000 11111
01010101010101010101010
010011000111000011110000011111
001101000100111011 0001100001011
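An added Python example, not from the slides, that covers the lightweight XOR example ('A' = 0x41 XOR 0xAA), the LFSR keystream, the Vernam-style bitwise XOR at sender and receiver, and the two randomness criteria (balance, next-bit unpredictability) applied to the sample strings above. Tap positions, seeds and function names are constructed for the illustration; the 4-cell register uses taps that give the primitive polynomial x^4 + x + 1, so its period is 2^4 - 1 = 15, which is what makes the balance and predictor checks come out as they do.

```python
def lfsr_stream(seed_bits, taps, n):
    """Fibonacci LFSR: output the last cell, XOR the tapped cells into cell 0, shift.

    seed_bits: initial register contents (the secret seed/IV); taps: cell indices.
    With 4 cells and taps (2, 3) the recurrence is a_t = a_{t-3} XOR a_{t-4},
    i.e. x^4 + x + 1 (primitive), so the stream repeats every 15 bits."""
    state = list(seed_bits)
    out = []
    for _ in range(n):
        out.append(state[-1])
        fb = 0
        for t in taps:
            fb ^= state[t]
        state = [fb] + state[:-1]
    return out


def keystream_bytes(seed_bits, taps, nbytes):
    """Pack 8 keystream bits per byte, most significant bit first."""
    bits = lfsr_stream(seed_bits, taps, 8 * nbytes)
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def xor_bytes(data, keystream):
    """C = M XOR K bytewise; applying it again with the same K gives M = C XOR K."""
    return bytes(d ^ k for d, k in zip(data, keystream))


def stream_encrypt(data, seed_bits, taps):
    """Encrypt or decrypt (the operation is its own inverse) with an LFSR keystream."""
    return xor_bytes(data, keystream_bytes(seed_bits, taps, len(data)))


def balance(bits):
    """(number of 0s, number of 1s): the BALANCE criterion wants these about equal."""
    ones = sum(bits)
    return len(bits) - ones, ones


def repeat_predictor_rate(bits):
    """How often the naive guess 'next bit = current bit' is right.

    An unpredictable stream gives about 0.5; long runs push it towards 1 and strict
    alternation towards 0. Both extremes fail the UNPREDICTABILITY criterion even
    when the stream is perfectly balanced."""
    same = sum(1 for a, b in zip(bits, bits[1:]) if a == b)
    return same / (len(bits) - 1)


def bits_of(s):
    """Parse a sample string such as '00000 11111' into a bit list (spaces ignored)."""
    return [int(ch) for ch in s if ch in "01"]


if __name__ == "__main__":
    print(xor_bytes(b"A", b"\xaa").hex())              # slide example: 0x41 XOR 0xAA = 0xeb
    ks = lfsr_stream([1, 0, 0, 0], (2, 3), 30)
    print(ks[:15], balance(ks[:15]), repeat_predictor_rate(ks[:15]))
    for s in ("000000000000 111111111", "01010101010101010101010"):
        print(s, balance(bits_of(s)), repeat_predictor_rate(bits_of(s)))
    seed, taps = [1, 0, 1, 1, 0, 0, 1, 0], (3, 4, 5, 7)  # constructed 8-cell register
    ct = stream_encrypt(b"lightweight", seed, taps)
    print(ct.hex(), stream_encrypt(ct, seed, taps))
```

The two slide strings illustrate why balance alone is not enough: the run of zeros then ones is balanced but the repeat predictor is right 95% of the time, and the alternating string is balanced but the predictor is always wrong, which is just as exploitable.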
Shannon Confusion and Diffusion
Confusion: cryptosystems' prime focus:
Changing of blocks, characters, or bit patterns
Caesar Script, RSA, Diffie-Hellman, Elliptic
Curve(ECC)
bits XORed, (LFSR based shift registers)
Diffusion: additional/redundant information
diffusion on its own is not secure unlike
confusion
eg: noisy tags – noise or data, for an intruder to
guess
Kerckhoffs' Principle
Auguste Kerckhoffs (1885):
Algorithms, and all major entities,
“architecture” of a security system,
should be public.
Non-data dependent entities should be
public
Only the keys should be secret.
The Shrinking Generator (SG)
[Ack: Damith Ranasinghe (Lightweight Cryptography), in Springer-Verlag (Cole, Ranasinghe (eds), 2007)]
[Figure: two LFSRs, R1 and R2, driven by a Clock feed a D/Q Buffer with CLK and CE inputs, producing the Output (K)]
Algebraic Attacks on LFSR's
• A system of equations
  x1 + x2 + x3      = 1
  x1 + x2      + x4 = 0
       x2 + x3 + x4 = 1
  x1      + x3      = 1
can be written in matrix form
  [ 1 1 1 0 ] [x1]   [1]
  [ 1 1 0 1 ] [x2] = [0]
  [ 0 1 1 1 ] [x3]   [1]
  [ 1 0 1 0 ] [x4]   [1]
x1, x2, x3, x4 may be solved. These are the initial seeds (values IV).
The 4 x 4 matrix with 1's and 0's corresponds to the tap sequence (or polynomials) of the LFSR
• A single LFSR's output would be in above linear form
• Solution of order O(N³), hence the A³ term in SG's Data (A) register
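The algebraic attack above, as an added Python example that is not from the slides: each output bit of an LFSR with known taps is an XOR of some of the unknown seed cells, so collecting N output bits gives a linear system over {0,1} that Gaussian elimination solves in O(N³) XOR operations (the A³ term above), recovering the seed. The same elimination applied to the 4 x 4 matrix on the slide shows that it has rank 3 over GF(2) (row 2 XOR row 4 equals row 3), so a fifth equation would be needed before the seed is unique. Taps, seed, the observed bit count and the function names are constructed for the illustration.

```python
def lfsr_run(cells, taps, n):
    """Run a Fibonacci LFSR for n steps and return its n output bits.

    Each step outputs the last cell, XORs the tapped cells into a new cell 0 and
    shifts. Cells are ints, so the same code runs on concrete 0/1 bits and on
    bitmasks that stand for XOR-combinations of the unknown seed cells."""
    state = list(cells)
    out = []
    for _ in range(n):
        out.append(state[-1])
        fb = 0
        for t in taps:
            fb ^= state[t]
        state = [fb] + state[:-1]
    return out


def lfsr_equations(L, taps, n):
    """Row i = bitmask of seed cells x_j whose XOR equals output bit i (x_j is bit j)."""
    return lfsr_run([1 << j for j in range(L)], taps, n)


def gf2_reduce(rows, ncols):
    """Gauss-Jordan elimination over GF(2) on bitmask rows, columns 0..ncols-1.
    Returns (reduced rows, pivot columns); the number of pivots is the rank."""
    rows = list(rows)
    pivots = []
    for col in range(ncols):
        r = len(pivots)
        piv = next((i for i in range(r, len(rows)) if rows[i] >> col & 1), None)
        if piv is None:
            continue                       # no pivot: this unknown stays free
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i] >> col & 1:
                rows[i] ^= rows[r]         # XOR (= addition mod 2) clears the column
        pivots.append(col)
    return rows, pivots


def solve_gf2(rows, rhs, L):
    """Solve rows * x = rhs for L unknowns; None unless the solution is unique."""
    aug = [r | (b << L) for r, b in zip(rows, rhs)]   # right-hand side kept in bit L
    red, pivots = gf2_reduce(aug, L)
    if len(pivots) < L:
        return None                        # rank deficient: need more output bits
    return [red[i] >> L & 1 for i in range(L)]   # row i now reads x_i = rhs bit


def recover_seed(output_bits, L, taps):
    """Kerckhoffs: the taps (polynomial) are public, only the seed/IV is secret."""
    return solve_gf2(lfsr_equations(L, taps, len(output_bits)), output_bits, L)


def mask(row):
    """Slide-style row [1,1,1,0] (coefficients of x1..x4) -> bitmask."""
    return sum(b << j for j, b in enumerate(row))


# The 4 x 4 system from the slide, in bitmask form.
SLIDE_ROWS = [mask(r) for r in ([1, 1, 1, 0], [1, 1, 0, 1], [0, 1, 1, 1], [1, 0, 1, 0])]
SLIDE_RHS = [1, 0, 1, 1]


if __name__ == "__main__":
    taps, seed = (2, 3), [1, 0, 1, 1]               # constructed 4-cell LFSR
    observed = lfsr_run(seed, taps, 8)               # 8 keystream bits are observed
    print("observed", observed, "-> seed", recover_seed(observed, 4, taps))
    print("slide matrix rank:", len(gf2_reduce(SLIDE_ROWS, 4)[1]))
```

This is the linearity weakness the slides call the curse of cryptographers: the attack needs only about as many keystream bits as the register has cells. Irregular clocking (the shrinking generator) or a non-linear combining function is what breaks the linear relation between seed and output.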
• THANK YOU VERY MUCH