Chapter 4 Public Key Cryptography Knapsack RSA DiffieHellman

Chapter 4: Public Key Cryptography Knapsack RSA Diffie-Hellman key Elliptic Curve Cryptography Public key crypto application Part 1 Cryptography 1

Public Key Cryptography q Two keys o Sender uses recipient’s public key to encrypt o Recipient uses private key to decrypt q Based on “trap door one way function” o “One way” means easy to compute in one direction, but hard to compute in other direction o Example: Given p and q, product N = pq easy to compute, but given N, it’s hard to find p and q o “Trap door” used to create key pairs Part 1 Cryptography 2

Public Key Cryptography q Encryption o Suppose we encrypt M with Bob’s public key o Bob’s private key can decrypt to recover M q Digital Signature o Sign by “encrypting” with your private key o Anyone can verify signature by “decrypting” with public key o But only you could have signed o Like a handwritten signature, but way better… Part 1 Cryptography 3

What we learn here wrt PKC l Knapsack l l l RSA l l Standard PKC Diffie-Hellman Key Exchange l l First PKC proposal insecure key exchange algorithm ECC(Elliptic Curve Cryptography) Chapter 4 -- Public Key Cryptography 4

Knapsack Part 1 Cryptography 5

Knapsack Problem q Given a set of n weights W 0, W 1, . . . , Wn-1 and a sum S, is it possible to find ai {0, 1} so that S = a 0 W 0+a 1 W 1 +. . . + an-1 Wn-1 (technically, this is “subset sum” problem) q Example o Weights (62, 93, 26, 52, 166, 48, 91, 141) o Problem: Find subset that sums to S=302 o Answer: 62+26+166+48=302 q The (general) knapsack is NP-complete Part 1 Cryptography 6

Knapsack Problem q General knapsack (GK) is hard to solve q But superincreasing knapsack (SIK) is easy q q SIK: each weight greater than the sum of all previous weights Example o Weights (2, 3, 7, 14, 30, 57, 120, 251) o Problem: Find subset that sums to S=186 o Work from largest to smallest weight o Answer: 120+57+7+2=186 Part 1 Cryptography 7

Knapsack Cryptosystem 1. 2. 3. 4. q Generate superincreasing knapsack (SIK) Convert SIK into “general” knapsack (GK) Public Key: GK Private Key: SIK plus conversion factor Ideally… o o o Easy to encrypt with GK With private key, easy to decrypt (convert ciphertext to SIK problem) Without private key, must solve GK Part 1 Cryptography 8

Knapsack Keys q q q Start with (2, 3, 7, 14, 30, 57, 120, 251) as the SIK Choose m = 41 and n = 491 (m, n relatively prime, n exceeds sum of elements in SIK) Compute “general” knapsack(GK) 2 41 mod 491 = 82 3 41 mod 491 = 123 7 41 mod 491 = 287 14 41 mod 491 = 83 30 41 mod 491 = 248 57 41 mod 491 = 373 120 41 mod 491 = 10 251 41 mod 491 = 471 q GK: (82, 123, 287, 83, 248, 373, 10, 471) Part 1 Cryptography 9

Knapsack Cryptosystem q Private key: (2, 3, 7, 14, 30, 57, 120, 251) q Public m 1 mod n = 41 1 mod 491 = 12 key: (82, 123, 287, 83, 248, 373, 10, 471) q Example: Encrypt 150=10010110 82 + 83 + 373 + 10 = 548 q To decrypt, o 548 12 = 193 mod 491 o Solve (easy) SIK with S = 193 o Obtain plaintext 10010110=150 Part 1 Cryptography 10

Knapsack Weakness Trapdoor: Convert SIK into “general” knapsack using modular arithmetic q One-way: General knapsack easy to encrypt, hard to solve; SIK easy to solve q This knapsack cryptosystem is insecure q o Broken in 1983 with Apple II computer o The attack uses lattice reduction “General knapsack” is not general enough! q This special knapsack is easy to solve! q Part 1 Cryptography 11

RSA Part 1 Cryptography 12

RSA q What is the most difficult? addition multiplication Easy 123 + 654 -------777 Part 1 Cryptography factoring Difficult 123 x 654 ----492 615 738 -----80442 221 = ? x? 221/2 = 221/3 = 221/5 = 221/7 = 221/11 = 221/13 = 221 = 13 x 17 13

RSA q Invented by Clifford Cocks (GCHQ), and later independently, Rivest, Shamir, and Adleman (MIT) o RSA is the gold standard in public key crypto Let p and q be two large prime numbers q Let N = pq be the modulus q Choose e relatively prime to (p 1)(q 1) q Find d such that ed = 1 mod (p 1)(q 1) q Public key is (N, e) q Private key is d Part 1 Cryptography q 14

RSA Message M is treated as a number q To encrypt M we compute C = Me mod N q To decrypt ciphertext C compute M = Cd mod N q Recall that e and N are public q If Trudy can factor N=pq, she can use e to easily find d since ed = 1 mod (p 1)(q 1) q Factoring the modulus breaks RSA q o Is factoring the only way to break RSA? Part 1 Cryptography 15

Does RSA Really Work? q q Given C = Me mod N we must show M = Cd mod N = Med mod N We’ll use Euler’s Theorem: If x is relatively prime to n then x (n) = 1 mod n q Facts: 1) ed = 1 mod (p 1)(q 1) 2) By definition of “mod”, ed = k(p 1)(q 1) + 1 3) (N) = (p 1)(q 1) q q Then ed 1 = k(p 1)(q 1) = k (N) Finally, Med = M(ed 1) + 1 = M Med 1 = M Mk (N) = M (M (N))k mod N = M 1 k mod N = M mod N Part 1 Cryptography 16

Simple RSA Example(1) q Example of RSA o Select “large” primes p = 11, q = 3 o Then N = pq = 33 and (p − 1)(q − 1) = 20 o Choose e = 3 (relatively prime to 20) o Find d such that ed = 1 mod 20 § We find that d = 7 works q Public key: (N, e) = (33, 3) q Private key: d = 7 Part 1 Cryptography 17

Simple RSA Example(2) q Public key: (N, e) = (33, 3) q Private key: d = 7 q Suppose message M = 8 q Ciphertext C is computed as C = Me mod N = 83 = 512 = 17 mod 33 q Decrypt C to recover the message M by M = Cd mod N = 177 = 410, 338, 673 = 12, 434, 505 33 + 8 = 8 mod 33 Part 1 Cryptography 18

More Efficient RSA (1) q Modular exponentiation example o q A better way: repeated squaring o o o o q 520 = 95367431640625 = 25 mod 35 20 = 10100 base 2 (1, 101, 10100) = (1, 2, 5, 10, 20) Note that 2 = 1 2, 5 = 2 2 + 1, 10 = 2 5, 20 = 2 10 51= 5 mod 35 52= (51)2 = 52 = 25 mod 35 55= (52)2 51 = 252 5 = 3125 = 10 mod 35 510 = (55)2 = 100 = 30 mod 35 520 = (510)2 = 302 = 900 = 25 mod 35 No huge numbers and it’s efficient! Part 1 Cryptography 19

More Efficient RSA (2) q Use e = 3 for all users (but not same N or d) + Public key operations only require 2 multiplies o Private key operations remain expensive - If M < N 1/3 then C = Me = M 3 and cube root attack - For any M, if C 1, C 2, C 3 sent to 3 users, cube root attack works (uses Chinese Remainder Theorem) q q Can prevent cube root attack by padding message with random bits Note: e = 216 + 1 also used (“better” than e = 3) Part 1 Cryptography 20

Diffie-Hellman Part 1 Cryptography 21

Diffie-Hellman q Invented by Williamson (GCHQ) and, independently, by Diffie and Hellman(Stanford) q A “key exchange” algorithm o Used to establish a shared symmetric key q Not for encrypting or signing q Based on discrete log problem: o Given: g, p, and gk mod p o Find: exponent k Part 1 Cryptography 22

Diffie-Hellman q Let p be prime, let g be a generator o For any x {1, 2, …, p-1} there is n s. t. x = gn mod p q Alice selects her private value a q Bob selects his private value b q Alice sends ga mod p to Bob q Bob sends gb mod p to Alice q Both compute shared secret, gab mod p q Shared secret can be used as symmetric key Part 1 Cryptography 23

Discrete Logarithm Problem l l k gk known: large prime number p, generator g gk mod p = x Discrete logarithm problem: given x, g, p, find k Table g=2, p=11 1 2 3 4 5 6 7 8 9 10 2 4 8 5 10 9 7 3 6 1 nth element 1 st element Cyclic Group G Generator α α 1 α 2 α 3 … αx = β

Diffie-Hellman q q Suppose Bob and Alice use Diffie-Hellman to determine symmetric key K = gab mod p Trudy can see ga mod p and gb mod p o But… ga gb mod p = ga+b mod p gab mod p q q If Trudy can find a or b, she gets key K If Trudy can solve discrete log problem, she can find a or b Part 1 Cryptography 25

Diffie-Hellman Public: g and p q Private: Alice’s exponent a, Bob’s exponent b q ga mod p gb mod p Alice, a Bob, b Alice computes (gb)a = gba = gab mod p q Bob computes (ga)b = gab mod p q Use K = gab mod p as symmetric key q Part 1 Cryptography 26

Diffie-Hellman q Subject to man-in-the-middle (Mi. M) attack ga mod p gt mod p gb mod p Alice, a Trudy, t Bob, b Trudy shares secret gat mod p with Alice q Trudy shares secret gbt mod p with Bob q Alice and Bob don’t know Trudy exists! q Part 1 Cryptography 27

Diffie-Hellman q How to prevent Mi. M attack? o Encrypt DH exchange with symmetric key o Encrypt DH exchange with public key o Sign DH values with private key o Other? q At this point, DH may look pointless… o …but it’s not (more on this later) q In any case, you MUST be aware of Mi. M attack on Diffie-Hellman Part 1 Cryptography 28

Elliptic Curve Cryptography Part 1 Cryptography 29

Elliptic Curve Crypto (ECC) q “Elliptic curve” is not a cryptosystem q Elliptic curves are a different way to do the math in public key system q Elliptic curve versions DH, RSA, etc. q Elliptic curves may be more efficient o Fewer bits needed for same security o But the operations are more complex Part 1 Cryptography 30

What is an Elliptic Curve? q An elliptic curve E is the graph of an equation of the form y 2 = x 3 + ax + b q Also includes a “point at infinity” q What do elliptic curves look like? q See the next slide! Part 1 Cryptography 31

Elliptic Curve Picture y q Consider elliptic curve E: y 2 = x 3 - x + 1 P 1 If P 1 and P 2 are on E, we can define P 3 = P 1 + P 2 as shown in picture q Addition is all we need q P 2 x P 3 Part 1 Cryptography 32

Points on Elliptic Curve q Consider y 2 = x 3 + 2 x + 3 (mod 5) x x x q = = = 0 1 2 3 4 y 2 y 2 y 2 = = = 3 no solution (mod 5) 6 = 1 y = 1, 4 (mod 5) 15 = 0 y = 0 (mod 5) 36 = 1 y = 1, 4 (mod 5) 75 = 0 y = 0 (mod 5) Then points on the elliptic curve are (1, 1) (1, 4) (2, 0) (3, 1) (3, 4) (4, 0) and the point at infinity: Part 1 Cryptography 33

Elliptic Curve Math q Addition on: y 2 = x 3 + ax + b (mod p) P 1=(x 1, y 1), P 2=(x 2, y 2) P 1 + P 2 = P 3 = (x 3, y 3) where x 3 = m 2 - x 1 - x 2 (mod p) y 3 = m(x 1 - x 3) - y 1 (mod p) And m = (y 2 -y 1) (x 2 -x 1)-1 mod p, if P 1 P 2 m = (3 x 12+a) (2 y 1)-1 mod p, if P 1 = P 2 Special cases: If m is infinite, P 3 = , and + P = P for all P Part 1 Cryptography 34

Elliptic Curve Addition Consider y 2 = x 3 + 2 x + 3 (mod 5). Points on the curve are (1, 1) (1, 4) (2, 0) (3, 1) (3, 4) (4, 0) and q What is (1, 4) + (3, 1) = P 3 = (x 3, y 3)? m = (1 -4) (3 -1)-1 = -3 2 -1 = 2(3) = 6 = 1 (mod 5) x 3 = 1 - 3 = 2 (mod 5) y 3 = 1(1 -2) - 4 = 0 (mod 5) q On this curve, (1, 4) + (3, 1) = (2, 0) q Part 1 Cryptography 35

ECC Diffie-Hellman q q Public: Elliptic curve and point (x, y) on curve Private: Alice’s A and Bob’s B A(x, y) B(x, y) Alice, A q q q Bob, B Alice computes A(B(x, y)) Bob computes B(A(x, y)) These are the same since AB = BA Part 1 Cryptography 36

ECC Diffie-Hellman Public: Curve y 2 = x 3 + 7 x + b (mod 37) and point (2, 5) b = 3 q Alice’s private: A = 4 q Bob’s private: B = 7 q Alice sends Bob: 4(2, 5) = (7, 32) q Bob sends Alice: 7(2, 5) = (18, 35) q Alice computes: 4(18, 35) = (22, 1) q Bob computes: 7(7, 32) = (22, 1) q Part 1 Cryptography 37

Uses for Public Key Crypto Part 1 Cryptography 38

Uses for Public Key Crypto q Confidentiality o Transmitting data over insecure channel o Secure storage on insecure media q Authentication (later) q Digital signature provides integrity and non-repudiation o No non-repudiation with symmetric keys Part 1 Cryptography 39

PKC(1): message encryption l l Encrypt message M by Alice’s public. Message M can be decrypted only by Alice’s private key. . M Everyone can have Alice’s public key. But only Alice have her private key. M Chapter 4 -- Public Key Cryptography 40

PKC(2): Digital Signature l Alice signs her message by encrypting it using her private key. l l l Same as signing by handwriting. Bob verifies Alice’s signature by decrypting it using her public key. Nobody can write the signature because only Alice can have her private key. Chapter 4 -- Public Key Cryptography 41

Non-non-repudiation q Alice orders 100 shares of stock from Bob q Alice computes MAC using symmetric key q Stock drops, Alice claims she did not order q Can Bob prove that Alice placed the order? q q No! Since Bob also knows the symmetric key, he could have forged message Problem: Bob knows Alice placed the order, but he can’t prove it Part 1 Cryptography 42

Non-repudiation q Alice orders 100 shares of stock from Bob q Alice signs order with her private key q Stock drops, Alice claims she did not order q Can Bob prove that Alice placed the order? q q Yes! Only someone with Alice’s private key could have signed the order This assumes Alice’s private key is not stolen (revocation problem) Part 1 Cryptography 43

Public Key Notation q Sign message M with Alice’s private key: [M]Alice q Encrypt message M with Alice’s public key: {M}Alice q Then {[M]Alice}Alice = M [{M}Alice]Alice = M Part 1 Cryptography 44

Sign and Encrypt vs Encrypt and Sign Part 1 Cryptography 45

Confidentiality and Non-repudiation? q Suppose that we want confidentiality and integrity/non-repudiation q Can public key crypto achieve both? q Alice sends message to Bob o Sign and encrypt {[M]Alice}Bob o Encrypt and sign [{M}Bob]Alice q Can the order possibly matter? Part 1 Cryptography 46

Sign and Encrypt q M = “I love you” {[M]Alice}Bob {[M]Alice}Charlie Bob Alice Charlie Q: What’s the problem? q A: No problem public key is public q Part 1 Cryptography 47

Encrypt and Sign q M = “My theory, which is mine…. ” [{M}Bob]Alice [{M}Bob]Charlie Bob Note that Charlie cannot decrypt M q Q: What is the problem? q A: No problem public key is public q Part 1 Cryptography 48

Public Key Infrastructure Part 1 Cryptography 49

Question in Public key q How can Bob be sure Alice’s public key? q Bob receives Alice’s public key from any source or Alice herself. Then how can he trust it is really her public key? Chapter 4 -- Public Key Cryptography 50

Public Key Certificate q q Certificate contains name of user and user’s public key (and possibly other info) It is signed by the issuer, a Certificate Authority (CA), such as Veri. Sign M = (Alice, Alice’s public key), S = [M]CA Alice’s Certificate = (M, S) q Signature on certificate is verified using CA’s public key: Verify that M = {S}CA Part 1 Cryptography 51

Certificate Authority q q Certificate authority (CA) is a trusted 3 rd party (TTP) creates and signs certificates Verify signature to verify integrity & identity of owner of corresponding private key o Does not verify the identity of the sender of certificates are public keys! q q Big problem if CA makes a mistake (a CA once issued Microsoft certificate to someone else) A common format for certificates is X. 509 Part 1 Cryptography 52

X. 509 certificate example(1) q Next lide is a certificate to verify the public key of www. freesoft. org q CA is Thwate q Thwate signed at the bottom of the certificate to verify the certificate. (signature) q Recipient can verify this certificate to confirm the signature by using Thwate’s public key.

X. 509 certificate example(2) q Then, how can recipient know Thwate’s public key? q Thwate lets the recipient know its public key through another certificate which is signed by its private key. q Next slide is the certificate through which Thwate releases its public key.

X. 509 certificate example(3) q Then, how can recipients trust this certificate? In other words, how can they know that Thwate is a trusted CA?

PKI q Public Key Infrastructure (PKI): the stuff needed to securely use public key crypto o Key generation and management o Certificate authority (CA) or authorities o Certificate revocation lists (CRLs), etc. q No general standard for PKI q We mention 3 generic “trust models” Part 1 Cryptography 58

PKI Trust Models q Monopoly model o One universally trusted organization is the CA for the known universe o Big problems if CA is ever compromised o Who will act as CA? ? ? § System is useless if you don’t trust the CA! Part 1 Cryptography 59

PKI Trust Models q Oligarchy o Multiple trusted CAs o This is approach used in browsers today o Browser may have 80 or more certificates, just to verify certificates! o User can decide which CAs to trust Part 1 Cryptography 60

PKI Trust Models q Anarchy model o Everyone is a CA… o Users must decide who to trust o This approach used in PGP: “Web of trust” q Why is it anarchy? o Suppose a certificate is signed by Frank and you don’t know Frank, but you do trust Bob and Bob says Alice is trustworthy and Alice vouches for Frank. Should you accept the certificate? q Many other trust models and PKI issues Part 1 Cryptography 61

Confidentiality in the Real World Part 1 Cryptography 62

Symmetric Key vs Public Key q Symmetric key +’s o Speed o No public key infrastructure (PKI) needed o Disadvantage? q Public Key +’s o Signatures (non-repudiation) o No shared secret (but, private keys…) o Disadvantage? Part 1 Cryptography 63

Comparison: symmetric key public key Sym key crypto q Need shared key q Need 80 bit key for high security (yr 2010) q q ~1, 000 ops/s on 1 GHz processor >100 x speedup in HW Public key crypto q Need trusted(authentic) public key q Need 2048 bit key (RSA) for high security (yr 2010) q ~100 signatures/s ~1000 verify/s (RSA) on 1 GHz processor q ~10 x speedup in HW

Encryption of large file by RSA q Time to encrypt 1024 -bit RSA o ~1 ms on 1 GHz Pentium q Time to decrypt 1024 -bit RSA o ~10 ms on 1 GHz Pentium q Time o o to encrypt 1 Mbyte file? 1024 bits / RSA operation = 128 bytes = 27 1 Mbyte = 220 time: 220 / 27 * 1 ms = 213 ms = 8 sec! Any other way of doing faster?

conclusion? q Public key crypto is inefficient for encryption/decryption o Take too much time q Symmetric key crypto is much faster to encrypt than public key crypto q However, symmetric key crypto raises a problem to exchange(distribute) symmetric key secretly

Key exchange for sym key crypto q Based on what we learned so far, we have the following methods to exchange(or distribute) symmetric key o Manual exchange § Infeasible except for a small system o Use Diffie-Hellman o Use public key crypto

Notation Reminder q Public key notation o Sign M with Alice’s private key [M]Alice o Encrypt M with Alice’s public key {M}Alice q Symmetric key notation o Encrypt P with symmetric key K C = E(P, K) o Decrypt C with symmetric key K P = D(C, K) Part 1 Cryptography 68

Real World Confidentiality q Hybrid cryptosystem o Public key crypto to establish a key o Symmetric key crypto to encrypt data… {K}Bob E(Bob’s data, K) E(Alice’s data, K) Alice q Bob Can Bob be sure he’s talking to Alice? Part 1 Cryptography 69