Lecture 12: Non-secret Key Cryptosystems

Download Report

Transcript Lecture 12: Non-secret Key Cryptosystems 

Lecture 12:
Non-secret Key
Cryptosystems
(How Euclid, Fermat
and Euler Created
E-Commerce)
Real mathematics has no effects on war. No one
has yet discovered any warlike purpose to be
served by the theory of numbers.
G. H. Hardy, The Mathematician’s Apology, 1940.
CS588: Security and Privacy
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/evans
Applications of RSA
• Privacy:
– Bob encrypts message to Alice using EA
– Only Alice knows DA
• Signatures:
– Alice encrypts a message to Alice using DA
– Bob decrypts using EA
– Knows it was from Alice, since only Alice knows
DA
• Things you use every day: ssh, SSL, DNS, ...
CS588 Spring 2005
2
Public-Key Applications: Privacy
Bob
Alice
Plaintext
Encrypt
Ciphertext
Bob’s Public Key
Decrypt
Plaintext
Bob’s Private Key
• Alice encrypts message to Bob using
Bob’s Private Key
• Only Bob knows Bob’s Private Key 
only Bob can decrypt message
CS588 Spring 2005
3
Signatures
Alice
Plaintext
Encrypt
Signed
Message
Alice’s Private Key
Decrypt
Bob
Plaintext
Alice’s Public Key
• Bob knows it was from Alice, since only Alice
knows Alice’s Private Key
• Non-repudiation: Alice can’t deny signing
message (except by claiming her key was
stolen!)
• Integrity: Bob can’t change message (doesn’t
know Alice’s Private Key)
CS588 Spring 2005
4
Public-Key Cryptography
•
•
•
•
•
Private procedure: E
Public procedure: D
Identity: E (D (m)) = D (E (m)) = m
Secure: cannot determine E from D
But didn’t know how to find suitable E
and D
CS588 Spring 2005
5
Properties of E and D
Trap-door one way function:
1. D (E (M)) = M
2. E and D are easy to compute.
3. Revealing E doesn’t reveal an easy way
to compute D
Trap-door one way permutation: also
4. E (D (M)) = M
CS588 Spring 2005
6
RSA
E(M) = Me mod n
D(C) = Cd mod n
n = pq
p, q are prime
d is relatively prime to (p – 1)(q – 1)
ed  1 (mod (p – 1)(q – 1))
(red things are secret)
CS588 Spring 2005
7
Properties of E and D
Trap-door one way function:
1. D (E (M)) = M
2. E and D are easy to compute.
3. Revealing E doesn’t reveal an easy way
to compute D
Trap-door one way permutation: also
4. E (D (M)) = M
CS588 Spring 2005
8
Property 1: D (E (M)) = M
E(M) = Me mod n
D(E(M)) = (Me mod n)d mod n
= Med mod n (as in D-H proof)
Can we choose e, d and n with this
property:
M  Med mod n
equivalently:
1  Med-1 mod n
CS588 Spring 2005
9
Finding e, d and n
• We are looking for e, d and n such that:
Med-1  1 mod n
• Euler’s Theorem: for a and n relatively
prime: a (n)  1 mod n
• Next:
– What is  (n)
– Proof of Euler’s Theorem
– How it works for arbitrary M
– Given  (n) how do we find e and d
CS588 Spring 2005
10
Euler’s Totient Function
 (n) = number of positive integers
less than n that are relatively
prime to n
• If n is prime,  (n) = n – 1
–Proof by contradiction
• What if n = pq where p and q are
prime?
CS588 Spring 2005
11
Totient Products
For primes, p and q: n = pq
 (n) = numbers < n not relatively prime to pq
= pq – 1
; numbers less than pq
– (q – 1) ; size of p, 2p, …, (q – 1)p
– (p – 1) ; size of q, 2q, …, (p – 1)q
= pq – 1 – (q – 1) – (p – 1)
= pq – (p + q) + 1
= (p – 1) (q – 1) =  (p)  (q)
CS588 Spring 2005
12
Fermat’s Little Theorem
If n is prime and a is not divisible by n
an-1  1 mod n
CS588 Spring 2005
13
Fermat’s Little Theorem Proof
If n is prime and a is not divisible by n:
{a mod n, 2a mod n, … , (n-1)a mod n} =
{1, 2, …, (n – 1) }
Product of all elements in sets:
a  2a  …  (n – 1) a  (n – 1)! mod n
(n – 1)!an-1  (n – 1)! mod n
an-1  1 mod n QED.
CS588 Spring 2005
14
Euler’s Theorem
For a and n relatively prime:
a(n)  1 mod n
Partial Proof:
If n is prime,  (n) = n – 1 and an - 1  1 mod n
by Fermat’s Little Theorem
What if n is not prime?
CS588 Spring 2005
15
Euler’s Theorem, cont.
For a and n relatively prime:
a(n)  1 mod n
 (n) = number of numbers < n not
relatively prime to n
We can write those numbers as:
R = { x1, x2, … , x(n)}
CS588 Spring 2005
16
Proving Euler’s Theorem
R = { x1, x2, … , x(n)} multiply by a mod n:
S = { ax1 mod n, ax2 mod n, …, ax (n) mod n}
S is a permutation of R:
• a is relatively prime to n
• a is relatively prime to all xi
• axi is relatively prime to n
– Hence all elements of S are in R.
– There are no duplicates in S.
If axi mod n = axj mod n then i = j. since a is
relatively prime to n
CS588 Spring 2005
17
Proving Euler’s Theorem
x1  x2 …  x (n)
= ax1 mod n  ax2 mod n …  ax (n) mod n
 (ax1  ax2 …  ax(n)) mod n
 a (n)  x1  x2 …  x (n) mod n
1  a (n) mod n
QED.
CS588 Spring 2005
18
Recap
• We are looking for e, d and n such that:
n = pq
Med-1  1 mod n
ed – 1 =  (n) = (p-1)(q-1)
• Euler’s Theorem: 1  a (n) mod n
for a and n relatively prime What if M is not
relatively prime to n?
• If n is prime,  (n) = n – 1.
• For p and q prime,  (pq) =  (p) (q)
CS588 Spring 2005
19
M and n
• Suppose M and n not relatively prime:
gcd (M, n)  1
• Since n = pq and p and q are prime:
gcd (M, p)  1 OR gcd (M, q)  1
Case 1: M = cp
gcd (M, q) = 1 (otherwise M is multiple of
both p and q, but M < pq).
So, M(q)  1 mod q
(by Euler’s theorem, since M and q are
relatively prime)
CS588 Spring 2005
20
M and n, cont
Case 1: M = cp
gcd (M, q) = 1 (otherwise M is multiple of both p and q, but M < pq).
So, M  (q)  1 mod q
(by Euler’s theorem, since M and q are relatively prime)
M (q)  1 mod q
(M (q)) (p)  1 mod q
M (q) (p)  1 mod q
M (n)  1 mod q
CS588 Spring 2005
21
M and n
M (n)  1 mod q
M (n) = 1 + kq for some k
M = cp
recall gcd (M, p)  1
M  M (n) = (1 + kq)cp
M(n) + 1 = cp + kqcp = M + kcn
M(n) + 1  M mod n
CS588 Spring 2005
22
Where’s ED?
ed – 1 =  (n) = (p-1)(q-1)
• So, we need to choose e and d:
•
ed =  (n) + 1 = n – (p + q)
Pick random d, relatively prime to  (n)
gcd (d,  (n)) = 1
• Since d is relatively prime to  (n) it has a
multiplicative inverse e:
de 
1 mod  (n)
CS588 Spring 2005
23
Identity
de  1
mod  (n)
So, d * e = (k *  (n)) + 1 for
some k.
Hence,
Med-1 mod n = Mk *  (n) mod n
CS588 Spring 2005
24
D (E (M)) = M
Med-1 mod n = Mk *  (n) mod n
Euler says 1  M (n) mod n.
So
1  Mk *  (n) mod n
1  Med-1 mod n
M  Med mod n
QED.
CS588 Spring 2005
25
Properties of E and D
Trap-door one way function:
 1.
D (E (M)) = M
2. E and D are easy to compute.
3. Revealing E doesn’t reveal an easy way
to compute D
Trap-door one way permutation: also
4. E (D (M)) = M
CS588 Spring 2005
26
Movie Break
Adam Glaser and Portman Wills
CS588 Fall 2001 PS4
Questionable Statements in
RSA Paper: Finalists
1) "The reader is urged to find a way to
"break" the system. Once the method has
withstood all attacks for a sufficient length
of time it may be used with a reasonable
amount of confidence." The authors appear
to advocating the same method of
validation that they called "fruitless" earlier
in the paper (referring to the NBS
certification).
2) RSA seems to gloss over the whole PKI
issue. They suggest either a single authority
to hold all the keys or publishing a book to
all the users.
I'd also like to point out that RSA like to
"excessively" to quotation marks for no
apparent "purpose."
1. The problem is mentioned on page 4 and 6 of
the paper: The trusted distribution of the public
portion of the key. If one were to modify the
public keys in transport or to attack a central
repository, then it would be impossible to be sure
of the authenticity of the keys. (The suggestion
of having a telephone book is not even possibly
applicable due to the need to securely deliver it
to all users from trusted central source). This can
be seen as present problem with the loss of keys
by Microsoft (resulting in forced revocation) and
the limited trust one can put in Verisign due to
limited checks done.
2. The assumption in conclusion that a protocol
is secure due to lack of success in attacks for
some period of time. The recent attacks upon
SHA/MD5 show that even 10 years could be
insufficient time to prove security.
CS588 Spring 2005
28
Only Two Submissions
• This is pathetic!
• There will be a Short Quiz in class
Tuesday
– Closed book, closed notes
– Covers material in RSA paper and new paper
handed out today
– Andrew and Aleks are exempt
CS588 Spring 2005
29
Two “Questionable” Statements
in RSA Paper
1. “The need for a courier between every
pair of users has thus been replaced by
the requirement for a single secure
meeting between each user and the
public file manager when the user joins
the system.”
(p. 6)
CS588 Spring 2005
30
Two “Questionable”
Statements in RSA Paper
2. “(The NBS scheme (DES) is probably
somewhat faster if special-purposed
hardware encryption devices are used;
our scheme may be faster on a
general-purpose computer since
multiprecision arithmetic operations
are simpler to implement than
complicated bit manipulations.)”
(p. 4)
CS588 Spring 2005
31
Who really invented RSA?
• General Communications
Headquarters, Cheltenham (formed
from Bletchley Park after WWII)
• 1969 – James Ellis asked to work on
key distribution problem
• Secure telephone conversations by
adding “noise” to line
• Late 1969 – idea for PK, but function
CS588 Spring 2005
32
RSA & Diffie-Hellman
• Asks Clifford Cocks, Cambridge
mathematics graduate, for help
• He discovers RSA (four years early)
• Then (with Malcolm Williamson)
discovered Diffie-Hellman
• Kept secret until 1997!
• NSA claims they had it even earlier
CS588 Spring 2005
33
Charge
• Reread the parts of RSA paper you didn’t
understand the first time
• Work on your project!
• Short Quiz on RSA material and Encrypted
Searches paper in class Tuesday
– Closed-book, closed-notes, open-T-shirt
• Next time: RSA Properties 2, 3 and 4
CS588 Spring 2005
34