Introduction. Asymmetric ciphers. Online Trusted Third Party (TTP) Online Trusted Third Party (TTP)

Size: px

Start display at page:

Download "Introduction. Asymmetric ciphers. Online Trusted Third Party (TTP) Online Trusted Third Party (TTP)"

Coleen Nash
5 years ago
Views:

1 Intoduction Asymmetic ciphes Myto Aapinis School of Infomatics Univesity of Edinugh Januay 29, 2015 So fa: how two uses can potect data using a shaed secet key One shaed secet key pe pai of uses that want to communicate Ou goal now: how to estalish a shaed secet key to egin with? Tusted Thid Paty (TTP) Diffie-Hellman (DH) potocol RSA ElGamal (EG) 1 / 36 2 / 36 Online Tusted Thid Paty (TTP) Uses U 1, U 2, U 3,..., U n,... Each use U i has a shaed secet key K i with the TTP ex: using Paulson s vaiant of the Yahalom potocol Online Tusted Thid Paty (TTP) Uses U 1, U 2, U 3,..., U n,... Each use U i has a shaed secet key K i with the TTP ex: using Paulson s vaiant of the Yahalom potocol k AS k BS k AS, k BS k AS k BS k AS, k BS new N A A, N A 3 / 36 4 / 36

. Each use U i has a shaed secet key K i with the TTP ex: using Paulson s vaiant of the Yahalom potocol k AS k BS k AS, k BS k AS k BS k AS, k BS new N A A, N A new N A A, N A new N B new N B B, N

2 Online Tusted Thid Paty (TTP) Uses U 1, U 2, U 3,..., U n,... Each use U i has a shaed secet key K i with the TTP ex: using Paulson s vaiant of the Yahalom potocol Online Tusted Thid Paty (TTP) Uses U 1, U 2, U 3,..., U n,... Each use U i has a shaed secet key K i with the TTP ex: using Paulson s vaiant of the Yahalom potocol k AS k BS k AS, k BS k AS k BS k AS, k BS new N A A, N A new N A A, N A new N B new N B B, N B,{A, N A } k BS B, N B,{A, N A } k BS N B,{B, k AB, N A } k AS, {A,B, k AB, N B } k BS new k AB 5 / 36 6 / 36 Online Tusted Thid Paty (TTP) Uses U 1, U 2, U 3,..., U n,... Each use U i has a shaed secet key K i with the TTP ex: using Paulson s vaiant of the Yahalom potocol Pulic-key encyption in pictues k AS k BS k AS, k BS new N A A, N A new N B B, N B,{A, N A } k BS N B,{B, k AB, N A } k AS, {A,B, k AB, N B } k BS new k AB {A,B, k AB, N B } k BS, {NB} k AB Question: can we estalish a shaed secet key without a TTP? Answe: Yes! 7 / 36 8 / 36

3 Pulic-key encyption in pictues Pulic-key encyption in pictues Fom : I want to send you a secet Fom : I want to send you a secet 9 / 36 Pulic-key encyption in pictues 10 / 36 Pulic-key encyption in pictues Fom : I want to send you a secet Fom : I want to send you a secet 11 / / 36

4 Pulic-key encyption in pictues Fom : I want to send you a secet Pulic-key encyption key geneation algoithm: G : K K encyption algoithm E : K M C decyption algoithm D : K C M st. (sk, pk) G, and m M, D(sk, E(pk, m)) = m E D m c c m pk sk the decyption key sk is secet (only known to ). The encyption key pk is known to eveyone. And sk pk 13 / / 36 Pimes We need a it of nume theoy now Definition p N is a pime if its only divisos ae 1 and p Ex: 2, 3, 5, 7, 11, 13, 17, 19, 23, 29 Theoem Evey n N has a unique factoization as a poduct of pime numes (which ae called its factos) Ex: = / / 36

5 Relative pimes Z n Let n N. We define Z n = {0,... n-1} Definition a and in Z ae elative pimes if they have no common factos a Z, Z n, a (mod n) k N. a = + k n Definition The Eule function φ(n) is the nume of elements that ae elative pimes with n: φ(n) = {m gcd(m, n) = 1} Fo p pime: φ(p) = {1,..., p-1} Fo p and q pimes: φ(p q) = (p-1)(q-1) Modula invesion: the invese of x Z n is y Z n s.t. x y 1 (mod n). We denote x -1 the invese of x mod n Ex: 7-1 in Z 12 : in Z 12 : 4 has no invese in Z 12 Theoem a Z, Z n, a (mod n) k N. a = + k n Let n N. Let x Z n. x has a invese in Z n iff gcd(x, n) = 1 17 / / 36 (Z N ) Let n N. We define (Z n ) = {x Z n gcd(x, n) = 1} Ex: Z 12 = {1, 5, 7, 11} Theoem (Eule) n N, x (Z n ), x φ(n) 1 (mod n) Theoem (Eule) p pime, (Z p ) is a cyclic goup, i.e. g (Z p ), {g, g 2, g 3,..., g p 2 } = (Z p ) Intactale polems Factoing: input: n N output: p 1,..., p m pimes st. n = p 1 p m RSAP input: n st. n = p q with 2 p, q pimes e st. gcd(e, φ(n)) = 1 m e output: m Discete Log: input: pime p, geneato g of (Z p ), g x output: x DHP: input: pime p, geneato g of (Z p ), g a (mod p), g (mod p) output: g a (mod p) 19 / / 36

6 The Diffie-Hellman (DH) potocol We can now go ack and see how to estalish a key without a TTP Assumption: the DHP is had in (Z p ) Fix a vey lage pime p, and g {1,..., p-1} a 21 / / 36 The Diffie-Hellman (DH) potocol The Diffie-Hellman (DH) potocol Assumption: the DHP is had in (Z p ) Fix a vey lage pime p, and g {1,..., p-1} Assumption: the DHP is had in (Z p ) Fix a vey lage pime p, and g {1,..., p-1} a, g (mod p) a, g (mod p), g a (mod p) 23 / / 36

7 The Diffie-Hellman (DH) potocol Assumption: the DHP is had in (Z p ) Fix a vey lage pime p, and g {1,..., p-1} a, g (mod p) a A*acke, g a (mod p) k AB = (g ) a [mod p] = g a (mod p) k AB = (g a ) [mod p] = g a (mod p) 25 / / 36 a A*acke, g (mod p) a A*acke, g (mod p), g (mod p) 27 / / 36

8 a, g (mod p) A+acke, g (mod p) a, g (mod p) A*acke, g (mod p) æ, g a (mod p), g a (mod p), g (mod p) 29 / / 36 a, g (mod p), g a (mod p) A*acke, g (mod p), g (mod p) k AB = g (mod p) k B = (g ) = g k AB = g a (mod p) k A = (g ) = g 31 / 36 RSA tapdoo pemutation G RSA () = (pk, sk) whee pk = (N, e) and sk = (N, d) and N = p q with p, q andom pimes and e, d Z st. e d 1 (mod φ(n)) M = C = (Z N ) RSA(pk, x) = x e (mod N) whee pk = (N, e) RSA -1 (sk, x) = x d (mod N) whee sk = (N, d) Consistency: (pk, sk) = G RSA (), x, RSA -1 (sk, RSA(pk, x)) = x Poof: Let pk = (N, e) and sk = (N, d) RSA -1 (sk, RSA(pk, x)) = (x e ) d (mod N) = x e d (mod N) = x 1+kφ(N) (mod N) = x x kφ(n) (mod N) = x (x φ(n) ) k (mod N) Eule = x (mod N) 32 / 36

9 How NOT to use RSA ISO standad Goal: uild a CPA secue asymmetic ciphe using (G RSA, RSA, RSA -1 ) (G RSA, RSA, RSA -1 ) is called aw RSA. Do not use aw RSAdiectly as an asymmetic ciphe! RSA is deteministic not secue against chosen plaintext attacks (Details on the oad) Let (E s, D s ) e a symmetic encyption scheme ove (M, C, K) Let H : (Z N ) K Build (G RSA, E RSA, D RSA ) as follows G RSA () as descied aove E RSA (pk, m): pick andom x (Z N ) y RSA(pk, x)(= x e ) k H(x) ERSA (pk, m) = y E s (k, m) D RSA (pk, y c) = D s (H(RSA -1 (sk, y)), c) 33 / / 36 PKCS1 v2.0: RSA-OAEP Goal: uild a CPA secue asymmetic ciphe using (G RSA, RSA, RSA -1 ) ElGamal (EG) Fix pime p, and geneato g (Z p ) M = {0,..., p-1} and C = M M m and G EG () = (pk, sk) whee pk = g d (mod p) and sk = d and d {1,..., p-2} + H E EG (pk, x) = (g (mod p), m (g d ) (mod p)) whee pk = g d (mod p) and Z G + D EG (sk, x) = e -d c (mod p) whee x = (e, c) Consistency: (pk, sk) = G EG (), x, D EG (sk, E EG (pk, x)) = x Poof: Let pk = g d (mod p) and sk = d Plaintext to encypt with RSA {0,1} N-1 D EG (sk, E EG (pk, x)) = (g ) -d m (g d ) (mod p) = m (mod p) 35 / / 36

L29&30 - RSA Cryptography

L29&30 - RSA Cryptography CSci/Math 2112 20&22 July 2015 1 / 13 Notation We write a mod n for the integer b such that 0 b < n and a b (mod n). 2 / 13 Calculating Large Powers Modulo n Example 1 What is