Public Key Systems
Public Key Systems
- We briefly discuss the following
  - Merkle-Hellman knapsack
  - Diffie-Hellman key exchange
  - Arithmetica key exchange
  - RSA
  - Rabin cipher
  - NTRU cipher
  - ElGamal signature scheme

Public Key Crypto
- Some public key systems provide it all: encryption, digital signatures, etc.
  - For example, RSA
- Some are only for key exchange
  - For example, Diffie-Hellman
- Some are only for signatures
  - For example, ElGamal
- All of these are public key systems

Public Key Systems
- Here we present different systems and mention basic attacks/issues
- In the next sections we consider more substantial attacks, namely,
  - Factoring (RSA, Rabin)
  - Discrete log (Diffie-Hellman, ElGamal)
  - RSA implementation attacks
Merkle-Hellman Knapsack

Merkle-Hellman Knapsack
- One of the first public key systems
- Based on an NP-complete problem
- Original algorithm is weak
  - Lattice reduction attack
- Newer knapsacks are more secure
  - But nobody uses them…
  - Once bitten, twice shy
Knapsack Problem
- Given a set of n weights W_0, W_1, …, W_(n-1) and a sum S, is it possible to find a_i ∈ {0, 1} so that S = a_0 W_0 + a_1 W_1 + … + a_(n-1) W_(n-1)? (Technically, this is the "subset sum" problem.)
- Example
  - Weights (62, 93, 26, 52, 166, 48, 91, 141)
  - Problem: Find a subset that sums to S = 302
  - Answer: 62 + 26 + 166 + 48 = 302
- The (general) knapsack is NP-complete

Knapsack Problem
- General knapsack (GK) is hard to solve
- But superincreasing knapsack (SIK) is easy
- In a SIK each weight is greater than the sum of all previous weights
- Example
  - Weights (2, 3, 7, 14, 30, 57, 120, 251)
  - Problem: Find a subset that sums to S = 186
  - Work from largest to smallest weight
  - Answer: 120 + 57 + 7 + 2 = 186
Knapsack Cryptosystem
1. Generate superincreasing knapsack (SIK)
2. Convert SIK into "general" knapsack (GK)
3. Public key: GK
4. Private key: SIK plus conversion factors
- Easy to encrypt with GK
- With private key, easy to decrypt (convert ciphertext to SIK)
- Without private key, must solve GK?

Knapsack Cryptosystem
- Let (2, 3, 7, 14, 30, 57, 120, 251) be the SIK
- Choose m = 41 and n = 491, with m and n relatively prime and n > sum of SIK elements
- General knapsack: multiply each weight by m modulo n
  - 2 · 41 (mod 491) = 82
  - 3 · 41 (mod 491) = 123
  - 7 · 41 (mod 491) = 287
  - 14 · 41 (mod 491) = 83
  - 30 · 41 (mod 491) = 248
  - 57 · 41 (mod 491) = 373
  - 120 · 41 (mod 491) = 10
  - 251 · 41 (mod 491) = 471
- General knapsack: (82, 123, 287, 83, 248, 373, 10, 471)

Knapsack Example
- Private key: (2, 3, 7, 14, 30, 57, 120, 251) and m^-1 mod n = 41^-1 (mod 491) = 12
- Public key: (82, 123, 287, 83, 248, 373, 10, 471), n = 491
- Example: Encrypt 10010110
  - 82 + 83 + 373 + 10 = 548
- To decrypt,
  - 548 · 12 = 193 (mod 491)
  - Solve (easy) SIK with S = 193
  - Obtain plaintext 10010110
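The key generation, encryption and decryption steps of the three slides above, as an added example (not code from the slides), using the slides' SIK, m = 41 and n = 491 as the sample key. The superincreasing solver is the greedy largest-weight-first procedure the slides describe; `make_public_key` is the trapdoor conversion.

```python
# Added example (not from the slides): Merkle-Hellman knapsack key generation,
# encryption and decryption, using the slides' numbers as the sample key.
from math import gcd


def solve_superincreasing(sik, target):
    """Greedy solve of a superincreasing knapsack, largest weight first.

    Returns the 0/1 selection (same order as `sik`) or None if unsolvable.
    """
    bits = [0] * len(sik)
    remaining = target
    for i in range(len(sik) - 1, -1, -1):   # work from largest to smallest
        if sik[i] <= remaining:
            bits[i] = 1
            remaining -= sik[i]
    return bits if remaining == 0 else None


def make_public_key(sik, m, n):
    """Trapdoor: multiply each SIK weight by m modulo n to get the 'general' knapsack."""
    if n <= sum(sik) or gcd(m, n) != 1:
        raise ValueError("need n > sum(SIK) and gcd(m, n) == 1")
    return [(w * m) % n for w in sik]


def encrypt(public_key, bits):
    """Ciphertext is the subset sum of the public weights selected by the plaintext bits."""
    if len(bits) != len(public_key):
        raise ValueError("plaintext block must have one bit per weight")
    return sum(w for w, b in zip(public_key, bits) if b)


def decrypt(sik, m, n, ciphertext):
    """Undo the trapdoor (multiply by m^-1 mod n), then solve the easy SIK."""
    m_inv = pow(m, -1, n)
    return solve_superincreasing(sik, (ciphertext * m_inv) % n)


def bits_from_str(s):
    return [int(c) for c in s]


# Sample key from the slides: SIK, m = 41, n = 491.
SIK = [2, 3, 7, 14, 30, 57, 120, 251]
M, N = 41, 491
PUBLIC = make_public_key(SIK, M, N)          # [82, 123, 287, 83, 248, 373, 10, 471]

if __name__ == "__main__":
    pt = bits_from_str("10010110")
    ct = encrypt(PUBLIC, pt)                 # 82 + 83 + 373 + 10 = 548
    print("public key:", PUBLIC)
    print("ciphertext:", ct)
    print("recovered: ", "".join(map(str, decrypt(SIK, M, N, ct))))
```

Note that `decrypt` works only because the private key holder can map the ciphertext back into the superincreasing instance; anyone else is left with the "general" knapsack, which, as the slides go on to show, is not general enough.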
Knapsack Weakness
- Trapdoor: Convert SIK into "general" knapsack using modular arithmetic
- One-way: General knapsack easy to encrypt, hard to solve; SIK easy to solve
- This knapsack cryptosystem is insecure
  - Broken in 1983 with an Apple II computer
  - The attack uses lattice reduction
- "General knapsack" is not general enough!
- This special knapsack is easy to solve!

Lattice Reduction
- Many problems can be solved by finding a "short" vector in a lattice
- Let b_1, b_2, …, b_n be vectors in R^m
- The set of all α_1 b_1 + α_2 b_2 + … + α_n b_n, where each α_i is an integer, is a discrete set of points

What is a Lattice?
- Suppose b_1 = [1, 3]^T and b_2 = [-2, 1]^T
- Then any point in the plane can be written as α_1 b_1 + α_2 b_2 for some real α_1, α_2
  - Since b_1 and b_2 are linearly independent
- We say the plane R^2 is spanned by (b_1, b_2)
- If α_1, α_2 are restricted to integers, the resulting span is a lattice
- So a lattice is a discrete set of points

Lattice Example
- Suppose b_1 = [1, 3]^T and b_2 = [-2, 1]^T
- The lattice spanned by (b_1, b_2) is pictured on the slide (figure not reproduced here)
Exact Cover
- Exact cover: given a set S and a collection of subsets of S, find a collection of these subsets such that each element of S is in exactly one chosen subset
- Exact cover is a combinatorial problem that can be solved by finding a "short" vector in a lattice

Exact Cover Example
- Set S = {0, 1, 2, 3, 4, 5, 6}
- Suppose m = 7 elements and n = 13 subsets
  Subset:    0    1    2    3    4    5    6    7    8    9    10   11   12
  Elements:  013  015  024  025  036  124  126  135  146  1    256  345  346
- Find a collection of these subsets with each element of S in exactly one subset
- Could try all 2^13 possibilities
- If the problem is too big, try heuristic search
- Many different heuristic search techniques

Exact Cover Solution
- Exact cover in matrix form
  - Set S = {0, 1, 2, 3, 4, 5, 6}
  - Suppose m = 7 elements and n = 13 subsets
  Subset:    0    1    2    3    4    5    6    7    8    9    10   11   12
  Elements:  013  015  024  025  036  124  126  135  146  1    256  345  346
- Solve AU = B, where A is the m x n incidence matrix (rows = elements, columns = subsets, entry 1 if the element is in the subset), U is n x 1 with u_i ∈ {0, 1}, and B is the m x 1 all-ones vector (each element covered exactly once)
- Solution: U = [0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 1]^T, i.e. subsets 3, 9 and 12 (025, 1, 346)
Example
- We can restate AU = B as MV = W (the matrix M and the vectors V and W shown on the slide were lost in extraction; W = [U, 0]^T as stated on the next slide)
- The desired solution is U
  - Columns of M are linearly independent
- Let c_0, c_1, c_2, …, c_n be the columns of M
- Let v_0, v_1, v_2, …, v_n be the elements of V
- Then W = v_0 c_0 + v_1 c_1 + … + v_n c_n

Example
- Let L be the lattice spanned by c_0, c_1, c_2, …, c_n (the c_i are the columns of M)
- Recall MV = W
  - Where W = [U, 0]^T and we want to find U
  - But if we find W, we've also solved it!
- Note W is in lattice L since all v_i are integers and W = v_0 c_0 + v_1 c_1 + … + v_n c_n

Facts
- W = [u_0, u_1, …, u_(n-1), 0, 0, …, 0] ∈ L, each u_i ∈ {0, 1}
- The length of a vector Y ∈ R^N is ||Y|| = sqrt(y_0^2 + y_1^2 + … + y_(N-1)^2)
- Then the length of W is ||W|| = sqrt(u_0^2 + u_1^2 + … + u_(n-1)^2) ≤ sqrt(n)
- So W is a very short vector in L, where
  - First n entries of W are all 0 or 1
  - Last m entries of W are all 0
- Can we use these facts to find U?

Lattice Reduction
- If we can find a short vector in L with first n entries all 0 or 1 and last m entries all 0, then we might have found U
  - Easy to test a putative solution
- The LLL lattice reduction algorithm will efficiently find short vectors in a lattice
- Less than 30 lines of pseudo-code for LLL!
- No guarantee LLL will find a specific vector
- But the probability of success is often good
Knapsack Example
- What does lattice reduction have to do with the knapsack cryptosystem?
- Suppose we have
  - Superincreasing knapsack S = [2, 3, 7, 14, 30, 57, 120, 251]
  - Suppose m = 41, n = 491, m^-1 = 12 (mod n)
  - Public knapsack: t_i = 41 s_i (mod 491), T = [82, 123, 287, 83, 248, 373, 10, 471]
- Public key: T
- Private key: (S, m^-1, n)

Knapsack Example
- Public key: T; private key: (S, m^-1, n)
  - S = [2, 3, 7, 14, 30, 57, 120, 251]
  - T = [82, 123, 287, 83, 248, 373, 10, 471]
  - n = 491, m^-1 = 12
- Example: 10010110 is encrypted as 82 + 83 + 373 + 10 = 548
- Then the receiver computes 548 · 12 = 193 (mod 491) and uses S to solve for 10010110

Knapsack LLL Attack
- Attacker knows public key T = [82, 123, 287, 83, 248, 373, 10, 471]
- Attacker knows ciphertext: 548
- Attacker wants to find u_i ∈ {0, 1} s.t. 82 u_0 + 123 u_1 + 287 u_2 + 83 u_3 + 248 u_4 + 373 u_5 + 10 u_6 + 471 u_7 = 548
- This can be written as a matrix equation (dot product): T · U = 548

Knapsack LLL Attack
- Attacker knows: T = [82, 123, 287, 83, 248, 373, 10, 471]
- Wants to solve: T · U = 548 where each u_i ∈ {0, 1}
  - Same form as AU = B on the previous slides
  - We can rewrite the problem as MV = W (the block matrix shown on the slide was lost in extraction)
- LLL gives us short vectors in the lattice spanned by the columns of M

LLL Result
- LLL finds short vectors in the lattice of M
- Matrix M' is the result of applying LLL to M (shown on the slide; not reproduced here)
- The marked column of M' has the right form
- Possible solution: U = [1, 0, 0, 1, 0, 1, 1, 0]^T
- Easy to verify this is the plaintext!
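The attack of the last three slides, as an added example (not the slides' code): a textbook LLL in exact rational arithmetic, applied to the lattice built from the public knapsack T and ciphertext 548. The basis is the transpose of the slides' column construction M = [[I, 0], [T, -C]]; the `scale` factor on the last coordinate is an assumption of this example (it makes every short vector end in 0, the form the slides look for), and a real attack would use a library implementation of LLL rather than this one.

```python
# Added example (not from the slides): the LLL lattice attack on the toy knapsack
# from the slides. LLL is implemented with exact rational arithmetic so it can be
# read line by line; a production attack would use a library such as fpylll.
from fractions import Fraction


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(basis):
    """Return (B*, mu) for the row basis: B* orthogonal, mu[i][j] the GS coefficients."""
    bstar, mu = [], [[Fraction(0)] * len(basis) for _ in basis]
    for i, b in enumerate(basis):
        v = list(b)
        for j in range(i):
            mu[i][j] = dot(b, bstar[j]) / dot(bstar[j], bstar[j])
            v = [a - mu[i][j] * c for a, c in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu


def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL on row vectors: size reduction plus the Lovasz swap condition."""
    b = [[Fraction(x) for x in row] for row in basis]
    n, k = len(b), 1
    bstar, mu = gram_schmidt(b)
    while k < n:
        for j in range(k - 1, -1, -1):            # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)
        lhs = dot(bstar[k], bstar[k])
        rhs = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if lhs >= rhs:                            # Lovasz condition holds: advance
            k += 1
        else:                                     # otherwise swap and step back
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]


def knapsack_lll_attack(public_key, ciphertext, scale=1000):
    """Recover the plaintext bits from (T, C) via a short vector in the slides' lattice.

    Basis rows are e_i | scale*T_i and 0..0 | -scale*C, the transpose of the slides'
    column matrix M = [[I, 0], [T, -C]]. `scale` (an assumption of this example)
    weights the last coordinate so that short vectors have it equal to zero.
    """
    n = len(public_key)
    basis = [[int(i == j) for j in range(n)] + [scale * t] for i, t in enumerate(public_key)]
    basis.append([0] * n + [-scale * ciphertext])
    for row in lll(basis):
        for cand in (row, [-x for x in row]):     # the vector may come out negated
            bits, last = cand[:n], cand[n]
            if last == 0 and all(x in (0, 1) for x in bits) \
                    and dot(bits, public_key) == ciphertext:
                return bits                       # easy to test a putative solution
    return None


T = [82, 123, 287, 83, 248, 373, 10, 471]         # public knapsack from the slides

if __name__ == "__main__":
    print(knapsack_lll_attack(T, 548))             # plaintext bits 10010110
```

The candidate check at the end is the "easy to test putative solution" step from the slides: a reduced basis vector only counts if it is 0/1 in the first n coordinates, 0 in the last, and actually reproduces the ciphertext.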
Bottom Line
- Lattice reduction is a surprising method of attack on the knapsack
- A cryptosystem is only secure as long as nobody has found an attack
- Lesson: Advances in mathematics can break cryptosystems
Diffie-Hellman Key Exchange

Diffie-Hellman Key Exchange
- Invented by Williamson (GCHQ) and, independently, by Diffie and Hellman (Stanford)
- A "key exchange" algorithm
  - To establish a shared symmetric key
- Not for encrypting or signing
- Security rests on the difficulty of the discrete log problem: given g, p, and g^k (mod p), find k

Diffie-Hellman
- Let p be prime, let g be a generator
  - For any x ∈ {1, 2, …, p-1} there is an n s.t. x = g^n (mod p)
- Alice selects secret value a
- Bob selects secret value b
- Alice sends g^a (mod p) to Bob
- Bob sends g^b (mod p) to Alice
- Both compute shared secret g^(ab) (mod p)
- Shared secret can be used as a symmetric key

Diffie-Hellman
- Suppose that Bob and Alice use g^(ab) (mod p) as a symmetric key
- Trudy can see g^a (mod p) and g^b (mod p)
- Note g^a · g^b = g^(a+b) ≠ g^(ab) (mod p)
- If Trudy can find a or b, the system is broken
- If Trudy can solve the discrete log problem, then she can find a or b
Diffie-Hellman
- Public: g and p
- Secret: Alice's exponent a, Bob's exponent b
- Alice (holding a) sends g^a (mod p) to Bob; Bob (holding b) sends g^b (mod p) to Alice
- Alice computes (g^b)^a = g^(ba) = g^(ab) (mod p)
- Bob computes (g^a)^b = g^(ab) (mod p)
- Could use K = g^(ab) (mod p) as the symmetric key

Diffie-Hellman
- Subject to man-in-the-middle (MiM) attack
  - Alice sends g^a (mod p); Trudy (holding t) intercepts it and forwards g^t (mod p) to Bob
  - Bob sends g^b (mod p); Trudy intercepts it and forwards g^t (mod p) to Alice
- Trudy shares secret g^(at) (mod p) with Alice
- Trudy shares secret g^(bt) (mod p) with Bob
- Alice and Bob don't know Trudy exists!

Diffie-Hellman
- How to prevent the MiM attack?
  - Encrypt the DH exchange with a symmetric key
  - Encrypt the DH exchange with a public key
  - Sign the DH values with a private key
  - Other?
- You MUST be aware of the MiM attack on Diffie-Hellman
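The exchange, the man-in-the-middle scenario and one of the countermeasures from the three slides above, as an added example (not code from the slides). The honest run and the MiM run use the slides' notation (a, b, t); the authenticated variant attaches a MAC under a pre-shared symmetric key to each public value, a concrete form of the slides' first option ("use a symmetric key"), which is this example's choice rather than something the slides specify. The group p = 23, g = 5 is a toy for illustration.

```python
# Added example (not from the slides): Diffie-Hellman, the man-in-the-middle run,
# and an authenticated variant where each public value carries a MAC under a
# pre-shared key. Toy group p = 23, g = 5; real deployments use a standardized
# group of 2048 bits or more.
import hashlib
import hmac
import secrets

P, G = 23, 5   # toy parameters; 5 is a generator mod 23


def public_value(secret):
    return pow(G, secret, P)


def shared_key(their_public, my_secret):
    return pow(their_public, my_secret, P)


def plain_exchange(a, b):
    """Honest run: Alice (a) and Bob (b) both end with g^(ab) mod p."""
    return shared_key(public_value(b), a), shared_key(public_value(a), b)


def mitm_exchange(a, b, t):
    """Trudy (t) replaces both public values with g^t: Alice ends with g^(at), Bob with
    g^(bt). The two keys differ, and Trudy can compute both."""
    alice_key = shared_key(public_value(t), a)   # g^(at)
    bob_key = shared_key(public_value(t), b)     # g^(bt)
    return alice_key, bob_key


def tag(psk, sender, value):
    """MAC over (sender label, public value) under the pre-shared key."""
    msg = sender.encode() + b"|" + str(value).encode()
    return hmac.new(psk, msg, hashlib.sha256).digest()


def accept(psk, sender, value, mac):
    """Receiver side: constant-time check that `value` really came from `sender`."""
    return hmac.compare_digest(tag(psk, sender, value), mac)


def authenticated_exchange(a, b, psk, tamper_with=None):
    """Alice and Bob exchange tagged public values. If Trudy substitutes g^t (exponent
    `tamper_with`) for Alice's value, the tag no longer matches and no key is derived."""
    msg_a = (public_value(a), tag(psk, "alice", public_value(a)))
    msg_b = (public_value(b), tag(psk, "bob", public_value(b)))
    if tamper_with is not None:                  # Trudy swaps in her value, keeps the old tag
        msg_a = (public_value(tamper_with), msg_a[1])
    if not accept(psk, "alice", *msg_a) or not accept(psk, "bob", *msg_b):
        return None
    return shared_key(msg_a[0], b), shared_key(msg_b[0], a)   # (Bob's key, Alice's key)


if __name__ == "__main__":
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    print("honest:", plain_exchange(a, b))
    print("mitm:  ", mitm_exchange(a, b, 13))
```

The MAC only authenticates the exchanged values; confidentiality of the session still comes from the derived key, and the pre-shared key must itself have been established out of band.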
Diffie-Hellman Conclusions
- Simple and elegant
- Widely used
- Has several clever uses
  - For example, to make a weak PIN-based authentication protocol much stronger
- Man-in-the-middle is a serious issue
Arithmetica Key Exchange

Arithmetica Key Exchange
- Relatively new, invented in 1999
- Uses fancy math: group theory
- First, some group theory background
- Then Arithmetica key exchange
- Then a simple example
- We mention one attack

Arithmetica Key Exchange
- For example, let G be the set of all finite words from the alphabet {1_G, a, b, a^-1, b^-1}
  - Where 1_G is the empty word
  - Note that ab ≠ ba, that is, G is not commutative
  - Not commutative == non-abelian
- Elements of G include abaab^-1b^-1, bba^-1a1_Gba, bbbb
- Apply properties of exponents to simplify: aba^2b^-2, b^3a, b^4

Arithmetica Key Exchange
- Define a binary operation "∗" on G
- The operation is concatenation
- For example, aba^2b^-2 ∗ b^3a = aba^2ba
- The set G with "∗" is a group
  - The free group on two generators
- We write G = <a, b>

Arithmetica Key Exchange
- Can impose other relations on G = <a, b>
- For example, abab^-1a^-1b^-1 = 1_G, a^2 = 1_G, b^2 = 1_G
- Can then write 1_G in an infinite number of ways
- Denote this as S_3 = <a, b | abab^-1a^-1b^-1, a^2, b^2>
- A finite presentation of the group S_3
  - The group S_3 is a well-known symmetric group

Arithmetica Key Exchange
- Sometimes relations can be used to put any word into a canonical form
  - Necessary for Arithmetica
- A subgroup is a subset of the group that is closed under the group operation
- For example
  - Integers are a subset of the real numbers
  - Add two integers, you get another integer
Arithmetica Key Exchange
- Let G be a finitely presented, infinite, non-abelian group
- Alice chooses subgroup S_A = <s_0, s_1, …, s_(n-1)>
- Bob chooses subgroup S_B = <t_0, t_1, …, t_(m-1)>
- Group G and subgroups S_A and S_B are public

Arithmetica Key Exchange
- Alice and Bob choose private keys a (a word in the generators of S_A) and b (a word in the generators of S_B) respectively
- For key exchange…
  - Alice sends {a^-1 t_0 a, …, a^-1 t_(m-1) a} to Bob
  - Bob sends {b^-1 s_0 b, …, b^-1 s_(n-1) b} to Alice
- Rewrite to "obscure" the private a and b

Arithmetica Key Exchange
- Alice can compute b^-1 a b, since a is a word in s_0, …, s_(n-1) and conjugating a product by b is the product of the conjugates b^-1 s_i b that Bob sent
- Similarly, Bob can compute a^-1 b a
- Then a^-1 b^-1 a b can be the shared key
  - How can Bob compute this?
Arithmetica Example
- Let G = <x, y | x^4, y^2, yxyx>
- Alice: S_A = <s_0, s_1> = <x^2, y> = {1_G, x^2, y, x^2y}
- Bob: S_B = <t_0> = <x> = {1_G, x, x^2, x^3}
- Public: G, S_A, S_B
- Private
  - Alice: a = (x^2)^2 (y)^-1 = x^4 y^-1 = 1_G y^-1 = y^-1
  - Bob: b = (x)^3 = x^3

Arithmetica Example
- Key exchange
- Alice computes: a^-1 t_0 a = y x y^-1 = yxy
  - Alice sends {yxy} to Bob
- Bob computes: b^-1 s_0 b and b^-1 s_1 b
  - Bob sends {x^2, x^2y} to Alice
- Now to establish the shared key…

Arithmetica Example
- Alice: b^-1 a b = (b^-1 s_0 b)(b^-1 s_0 b)(b^-1 s_1 b)^-1 = x^2 x^2 (x^2y)^-1 = x^2y, then a^-1 (b^-1 a b) = y x^2 y = x^2
- Bob: a^-1 b a = (a^-1 t_0 a)^3 = (yxy)^3 = x, then (a^-1 b a)^-1 b = x^-1 x^3 = x^2, and, finally, both hold a^-1 b^-1 a b = x^2

Arithmetica Example
- Alice and Bob's shared secret: x^2
- Use this to compute a symmetric key
- This example used a small, finite, non-abelian group
- In a realistic implementation, G, S_A, S_B must be infinite non-abelian groups
  - Each with a large number of generators
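The example of the four slides above carried out in code, as an added example (not from the slides). G = <x, y | x^4, y^2, yxyx> is the dihedral group of order 8, so every word has the canonical form x^i y^j; the pair (i, j) representation and the multiplication rule derived from yx = x^-1 y are this example's choices. The block reproduces Alice's message {yxy} = {x^3}, Bob's message {x^2, x^2y} and the shared secret x^2.

```python
# Added example (not from the slides): the Arithmetica exchange from the slides'
# example in G = <x, y | x^4, y^2, yxyx> (dihedral group of order 8). Elements are
# in canonical form x^i y^j, stored as the pair (i, j).

def mul(u, v):
    """(x^i y^j)(x^k y^l) = x^(i + (-1)^j k) y^(j + l), using y x = x^-1 y from yxyx = 1."""
    i, j = u
    k, l = v
    return ((i + (k if j == 0 else -k)) % 4, (j + l) % 2)


def inv(u):
    i, j = u
    return ((-i) % 4, 0) if j == 0 else (i, 1)   # (x^i y)^-1 = y x^-i = x^i y


def word(*factors):
    """Multiply a sequence of elements left to right (the group operation is concatenation)."""
    acc = (0, 0)                                 # 1_G
    for f in factors:
        acc = mul(acc, f)
    return acc


X, Y, ONE = (1, 0), (0, 1), (0, 0)
SA = [word(X, X), Y]          # Alice's public subgroup generators: s0 = x^2, s1 = y
SB = [X]                      # Bob's public subgroup generator:    t0 = x


def alice_private():          # a = (x^2)^2 y^-1 = y^-1, a word in the s_i
    return word(SA[0], SA[0], inv(SA[1]))


def bob_private():            # b = x^3, a word in t0
    return word(SB[0], SB[0], SB[0])


def conjugates(secret, gens):
    """What a party publishes: secret^-1 g secret for each public generator of the peer."""
    return [word(inv(secret), g, secret) for g in gens]


def alice_key(a, from_bob):
    # a = s0 s0 s1^-1, so b^-1 a b = (b^-1 s0 b)(b^-1 s0 b)(b^-1 s1 b)^-1 from Bob's message.
    c0, c1 = from_bob
    b_inv_a_b = word(c0, c0, inv(c1))
    return mul(inv(a), b_inv_a_b)                # a^-1 (b^-1 a b) = a^-1 b^-1 a b


def bob_key(b, from_alice):
    # b = t0^3, so a^-1 b a = (a^-1 t0 a)^3 from Alice's message.
    (c0,) = from_alice
    a_inv_b_a = word(c0, c0, c0)
    return mul(inv(a_inv_b_a), b)                # (a^-1 b a)^-1 b = a^-1 b^-1 a b


def run_exchange():
    a, b = alice_private(), bob_private()
    to_bob = conjugates(a, SB)       # {a^-1 t0 a}
    to_alice = conjugates(b, SA)     # {b^-1 s0 b, b^-1 s1 b}
    return alice_key(a, to_alice), bob_key(b, to_bob), to_bob, to_alice


if __name__ == "__main__":
    ka, kb, to_bob, to_alice = run_exchange()
    print("Alice -> Bob:", to_bob, " Bob -> Alice:", to_alice)
    print("shared secret x^i y^j =", ka, "==", kb)
```

Each party needs its own private word only as a product of its subgroup's generators; that is what lets it reassemble the conjugate of its secret from the conjugated generators the peer sent, exactly the step the slides ask about ("How can Bob compute this?").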
Arithmetica
- Arithmetica is based on a math problem known as the conjugacy problem
- Given two words x, y ∈ G, does there exist g ∈ G such that y = g^-1 x g?
- For a finitely presented group G there is no known efficient algorithm for this problem

Arithmetica Length Attack
- Suppose, in canonical form, w = g_0^i g_1^j g_2^k ∈ G
- Define the length of w as |i| + |j| + |k|
- Use this to find factors (probabilistic)
  - Existence of a canonical form makes this work
  - Canonical form is necessary for Arithmetica
- New attack, subject of ongoing research

Arithmetica: Bottom Line
- Relatively new, fancy mathematics
- Probably not really practical
- Shows potential for advanced math
- Not many attacks on it (yet)
- More time needed to judge security
RSA

RSA
- Invented by Cocks (GCHQ) and, independently, by Rivest, Shamir and Adleman (MIT)
- Let p and q be two large prime numbers
- Let N = pq be the modulus
- Choose e relatively prime to (p-1)(q-1)
- Find d so that ed = 1 (mod (p-1)(q-1))
- Public key is (N, e)
- Private key is d

RSA
- To encrypt M compute: C = M^e (mod N)
- To decrypt C compute: M = C^d (mod N)
- Recall that e and N are public
- If an attacker can factor N, he can use e to easily find d since ed = 1 (mod (p-1)(q-1))
- Factoring the modulus breaks RSA!
- It is not known whether factoring is the only way to break RSA

Does RSA Really Work?
- Given C = M^e (mod N) we must show M = C^d (mod N) = M^(ed) (mod N)
- We use Euler's Theorem: if x is relatively prime to n then x^φ(n) = 1 (mod n)
  - Fact: ed = 1 (mod (p-1)(q-1)), so ed = k(p-1)(q-1) + 1
  - φ(N) = (p-1)(q-1), so ed - 1 = k(p-1)(q-1) = kφ(N)
- M^(ed) = M^((ed-1)+1) = M · M^(ed-1) = M · M^(kφ(N)) = M · (M^φ(N))^k = M · 1^k = M (mod N)
Simple RSA Example
- Example of RSA
  - Select "large" primes p = 11, q = 3
  - Then N = pq = 33 and (p-1)(q-1) = 20
  - Choose e = 3 (relatively prime to 20)
  - Find d such that ed = 1 (mod 20); we find that d = 7 works
- Public key: (N, e) = (33, 3)
- Private key: d = 7

Simple RSA Example
- Public key: (N, e) = (33, 3)
- Private key: d = 7
- Suppose message M = 8
- Ciphertext C is computed as C = M^e (mod N) = 8^3 = 512 = 17 (mod 33)
- Decrypt C to recover the message: M = C^d (mod N) = 17^7 = 410,338,673 = 12,434,505 · 33 + 8 = 8 (mod 33)
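Textbook RSA with the slides' toy parameters, as an added example (not code from the slides). Besides encryption and decryption it includes the consequence stated two slides earlier, that knowing the factors of N is enough to recompute d, and a whole-modulus round-trip check; the function names are this example's own.

```python
# Added example (not from the slides): textbook RSA with the slides' toy parameters
# (p = 11, q = 3, e = 3), plus the check that a known factorization of N yields d.
from math import gcd


def keygen(p, q, e):
    """Return ((N, e), d) for primes p, q and a public exponent e coprime to (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # ed = 1 (mod (p-1)(q-1))
    return (p * q, e), d


def encrypt(public, m):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, N)")
    return pow(m, e, n)            # C = M^e (mod N)


def decrypt(public, d, c):
    n, _ = public
    return pow(c, d, n)            # M = C^d (mod N)


def private_from_factors(public, p, q):
    """The slides' point that factoring N breaks RSA: with p and q anyone recomputes d."""
    n, e = public
    if p * q != n:
        raise ValueError("p * q != N")
    return pow(e, -1, (p - 1) * (q - 1))


def all_messages_roundtrip(p, q, e):
    """Check decrypt(encrypt(M)) == M for every residue M, including M not coprime to N
    (the slides' Euler argument assumes gcd(M, N) = 1; for square-free N = pq the
    identity still holds for the remaining residues)."""
    public, d = keygen(p, q, e)
    n = public[0]
    return all(decrypt(public, d, encrypt(public, m)) == m for m in range(n))


if __name__ == "__main__":
    public, d = keygen(11, 3, 3)
    c = encrypt(public, 8)
    print("public key", public, "private key", d)
    print("C =", c, " M =", decrypt(public, d, c))
```

Textbook RSA as shown here has no padding; the implementation attacks the slides defer to a later section are the reason real systems never encrypt a bare integer this way.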
RSA Conclusions
- RSA is the "gold standard" in public key crypto
- Provides encryption and signatures
- Has stood the test of time
  - Virtually unchanged since its invention
- We look closely at RSA attacks in a later section (implementation attacks)

Rabin Cipher

Rabin Cipher
- Based on the difficulty of factoring
  - Like RSA
- Recall that factoring N breaks RSA
- It is not known whether factoring is the only way to break the RSA algorithm
- It can be shown that breaking the Rabin algorithm is equivalent to factoring

Sign and Encrypt vs Encrypt and Sign
- Before Rabin, a short detour
- Suppose we want both confidentiality and non-repudiation
- We can sign and encrypt…
- …or encrypt and sign
- Does the order matter?

Public Key Notation
- Sign message M with Alice's private key: [M]_Alice
- Encrypt message M with Alice's public key: {M}_Alice
- Then {[M]_Alice}_Alice = M and [{M}_Alice]_Alice = M

Confidentiality and Non-repudiation
- Suppose that we want confidentiality and non-repudiation
- Can public key crypto achieve both?
- Alice sends a message to Bob
  - Sign and encrypt: {[M]_Alice}_Bob
  - Encrypt and sign: [{M}_Bob]_Alice
- Can the order possibly matter?

Sign and Encrypt
- M = "I love you"
- Alice sends {[M]_Alice}_Bob to Bob; Bob decrypts, re-encrypts the signed message for Charlie and forwards {[M]_Alice}_Charlie to Charlie
- Q: What is the problem?
- A: Charlie misunderstands crypto!

Encrypt and Sign
- M = "My theory, which is mine…"
- Alice sends [{M}_Bob]_Alice; Charlie intercepts it, replaces Alice's signature with his own and sends [{M}_Bob]_Charlie to Bob
- Note that Charlie cannot decrypt M
- Q: What is the problem?
- A: Bob misunderstands crypto!
Rabin Cipher
- Choose N = pq, where p and q are prime
- Assume p = 3 (mod 4) and q = 3 (mod 4)
  - Just to simplify the discussion
- Public key: N
- Private key: (p, q)
- Encrypt: C = M^2 (mod N)
- Decrypt: Given p and q, we must find the square root of C modulo N

Rabin Cipher
- How to find a square root of C (mod N)?
  - Given p and q, where N = pq
- First, consider the square root mod p
- If C = 0 (mod p) then the square root is 0
- If C ≠ 0 (mod p), let y = C^((p+1)/4) (mod p)
- By Euler's Theorem, C^(p-1) = 1 (mod p)
- Therefore, y^4 = C^(p+1) = C^2 · C^(p-1) = C^2 (mod p)

Rabin Cipher
- Have y^4 = C^(p+1) = C^2 · C^(p-1) = C^2 (mod p)
  - Where y is known
- Then y^4 - C^2 = (y^2 - C)(y^2 + C) = 0 (mod p)
- And therefore, y^2 = ±C (mod p)
- Either the square roots of C (mod p) are ±y, or the square roots of -C (mod p) are ±y
  - But not both
- Also find the square root mod q and use the Chinese Remainder Theorem (CRT) for the result mod N

Chinese Remainder Theorem
- Use the Euclidean algorithm to find r, s so that qr + ps = 1
- CRT says that the x (mod pq) satisfying x = a (mod p) and x = b (mod q) is given by x = aqr + bps (mod pq)
- For Rabin, we have 4 cases to consider: ±a (mod p) and ±b (mod q)
Rabin Cipher Example
- Suppose C = 16 (mod 33)
  - Have p = 3 and q = 11
- Compute C^((3+1)/4) = C = 16 = 1 (mod 3)
  - Easy to verify ±1 are the square roots of C (mod p)
- Compute C^((11+1)/4) = 5^3 = 4 (mod 11)
  - Easy to verify ±4 are the square roots of C (mod q)
- Use CRT and consider four cases…

Rabin Cipher Example
- Euclidean algorithm: r = -1, s = 4 gives 11r + 3s = 1
- Four cases of the form x = a (mod 3) and x = b (mod 11), namely x = ±1 (mod 3) and x = ±4 (mod 11)
- Find x = aqr + bps = -11a + 12b (mod 33) for each case

Rabin Cipher Example
- In this example: x = 4, 26, 7, 29
- Easy to verify x^2 = 16 (mod 33) for each case
- One of these x is the plaintext
- But which one?
  - Add a header before encrypting
  - Only one x will have the correct header

Chosen Ciphertext Attack
- Suppose Trudy can find square roots (mod N) of C, namely u, v, with u ≠ ±v
- Trudy can then factor N, since u^2 = v^2 = C (mod N) gives u^2 - v^2 = (u - v)(u + v) divisible by N
- Then gcd(u + v, N) is p or q
- This breaks the Rabin cipher

Chosen Ciphertext Attack
- Trudy knows M and the corresponding C encrypted with Alice's public key
- Trudy gets Alice to "decrypt" C
  - That is, find a square root mod N
- Suppose the result of decryption is y
- If y ≠ ±M then the previous attack applies
  - This happens with probability 1/2
- Then Trudy can find Alice's private key

Chosen Ciphertext Attack
- This attack can be prevented by using a tricky padding scheme
- We do not discuss it here
- Mentioned in the textbook
  - But not discussed in detail
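Rabin decryption as the last six slides describe it (square roots mod p and mod q, CRT recombination, four candidates, header check), as an added example that is not code from the slides. It uses the slides' numbers N = 33, C = 16 and the CRT formula with qr + ps = 1; the bit-string header and the second sample key (p = 7, q = 11) are constructed for this example, and `factor_from_two_roots` is the gcd step of the chosen-ciphertext slide, included to show why a decryptor must never return an unchecked root.

```python
# Added example (not from the slides): Rabin encryption and decryption for primes
# p = q = 3 (mod 4), with the slides' numbers (N = 33, C = 16), the four-root CRT
# step, a header check that picks the right root, and the gcd computation behind
# the slides' chosen-ciphertext point.
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with a*u + b*v = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def sqrt_mod_prime_3mod4(c, p):
    """Square roots of c modulo p for p = 3 (mod 4): y = c^((p+1)/4), valid iff y^2 == c."""
    c %= p
    if c == 0:
        return [0]
    y = pow(c, (p + 1) // 4, p)
    if (y * y) % p != c:
        return []                     # c is a non-residue mod p (then -c is a residue)
    return sorted({y, p - y})


def crt(a, p, b, q):
    """x (mod pq) with x = a (mod p) and x = b (mod q), using q*r + p*s = 1 as on the slides."""
    _, r, s = egcd(q, p)              # q*r + p*s = 1
    return (a * q * r + b * p * s) % (p * q)


def rabin_roots(c, p, q):
    """All square roots of c modulo N = pq (up to four)."""
    return sorted({crt(a, p, b, q) for a in sqrt_mod_prime_3mod4(c, p)
                                  for b in sqrt_mod_prime_3mod4(c, q)})


def rabin_encrypt(m, n):
    return (m * m) % n


def rabin_decrypt(c, p, q, header):
    """Return the unique root whose leading bits equal `header`, else None.

    `header` is a bit string the sender put in front of the plaintext; this
    constructed scheme only illustrates the slides' "add a header" idea.
    """
    matches = [x for x in rabin_roots(c, p, q) if bin(x)[2:].startswith(header)]
    return matches[0] if len(matches) == 1 else None


def factor_from_two_roots(u, v, n):
    """If u^2 = v^2 (mod N) with u != +-v, gcd(u + v, N) is a nontrivial factor of N."""
    g = gcd(u + v, n)
    return g if 1 < g < n else None


if __name__ == "__main__":
    print("roots of 16 mod 33:", rabin_roots(16, 3, 11))        # [4, 7, 26, 29]
    print("decrypt 60 mod 77 with header 100:", rabin_decrypt(60, 7, 11, "100"))
    print("factor from roots 4 and 7:", factor_from_two_roots(4, 7, 33))
```

`rabin_decrypt` returning None when zero or several roots carry the header is deliberate: releasing a root that was not the sender's plaintext is exactly what hands an attacker the second square root the gcd step needs.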
NTRU Cipher

NTRU Cipher
- "Nth degree TRUncated polynomial ring" or "Number Theorists aRe Us"
  - Depending on who you ask
- Invented in 1995 by 3 mathematicians
- A complicated encryption process
  - Operations in a funny polynomial ring
- Cipher has evolved as flaws were found
  - In contrast to, say, RSA
- But NTRU is considered theoretically sound

NTRU
- NTRU is not widely used
- NTRU Cryptosystems, Inc.
  - Patents, challenge problems, etc.
- Some standards support NTRU
- May gain more popularity
  - Unlikely to ever rival RSA
- General attack is lattice reduction

NTRU
- Three parameters: (N, p, q)
- Four sets of polynomials
  - Degree N-1, with integer coefficients
  - Denote the sets L_f, L_g, L_r, L_m
- Choose p and q so that gcd(p, q) = 1
  - Also, q > p with q "much larger" than p

NTRU Example
- All polynomials are of the form a(x) = a_0 + a_1 x + a_2 x^2 + … + a_(N-1) x^(N-1), where the a_i are integers modulo p or q
- Add polynomials in the usual way
- Multiply polynomials mod x^N - 1, that is, replace x^N with 1, x^(N+1) with x and so on
- Use the symbol "∗" to represent this multiplication

NTRU
- In math terms, NTRU polynomials live in the quotient ring R = Z[x]/(x^N - 1)
- The message space L_m consists of polynomials in R modulo p, that is, … (the formula shown on the slide was lost in extraction)

NTRU
- For example, if we choose p = 3
- Then polynomials in L_m have degree N-1 or less and coefficients in {-1, 0, 1}
- Let L(d_0, d_1) be the polynomials in R with d_0 coefficients +1 and d_1 coefficients -1
- For example, 1 + x^2 + x^3 - x^5 + x^9 ∈ L(3, 2)

NTRU
- Given NTRU parameters (N, p, q) we must select 3 more params: d_f, d_g, d
  - From NTRU recommended parameters
- Define L_f = L(d_f, d_f - 1), L_g = L(d_g, d_g) and L_r = L(d, d)
- Now we can (finally) generate a key pair
NTRU Key Pair
- Alice selects f(x) ∈ L_f and g(x) ∈ L_g
  - Choose f(x) invertible mod p and mod q
  - Easy to find such an f(x)
  - Let f_p(x) and f_q(x) be the inverses, that is, f(x) ∗ f_p(x) = 1 (mod p) and f(x) ∗ f_q(x) = 1 (mod q)
- Let h(x) = p f_q(x) ∗ g(x) (mod q)
- Public key: h(x) and (N, p, q)
- Private key: (f(x), f_p(x))

NTRU Encryption
- Bob wants to encrypt a message to Alice
- Bob selects "message" M(x) ∈ L_m
- Bob chooses random r(x) ∈ L_r
  - This is a "blinding" polynomial
- Using Alice's public key, Bob computes C(x) = r(x) ∗ h(x) + M(x) (mod q)
- The ciphertext is the polynomial C(x)

NTRU Decryption
- Alice receives C(x) from Bob
- Using her private key, Alice computes a(x) = f(x) ∗ C(x) = f(x) ∗ r(x) ∗ h(x) + f(x) ∗ M(x) (mod q)
- Coefficients of a(x) are taken in the range -q/2 to q/2
- Alice computes b(x) = a(x) (mod p)
- Then M(x) = f_p(x) ∗ b(x) (mod p)
- Not obvious that this works!

NTRU Example
- Suppose (N, q, p) = (11, 32, 3)
- And L_f = L(4, 3), L_g = L(3, 3), L_r = L(3, 3)
- Generate key: Alice chooses f(x), g(x)
  - Both polynomials of degree at most 10
  - Where f(x) has 4 coefficients +1, g(x) has 3
  - Both have 3 coefficients -1
  - Both have all other coefficients 0
NTRU Example
- Suppose (N, q, p) = (11, 32, 3)
- And L_f = L(4, 3), L_g = L(3, 3), L_r = L(3, 3)
- Suppose Alice chooses f(x) = … and g(x) = … (the polynomials shown on the slide were lost in extraction)
- She computes the inverses of f(x) mod p and mod q

NTRU Example
- Alice's private key is (f(x), f_p(x))
- Alice computes h(x) = p f_q(x) ∗ g(x) (mod q) = … (not reproduced)
- Alice's public key is h(x)
- Note (N, q, p) = (11, 32, 3) is also public

NTRU Example
- Suppose Bob chooses message M(x) = … (not reproduced)
- He chooses a random blinding polynomial, say, r(x) = … (not reproduced)
- Bob computes ciphertext C(x) = r(x) ∗ h(x) + M(x) (mod q) = … (not reproduced)

NTRU Example
- Alice receives C(x) and computes a(x) = f(x) ∗ C(x) (mod q) = … (not reproduced)
- With coefficients taken between -15 and 16
- Alice reduces the coefficients mod 3, giving b(x) = … (not reproduced)

NTRU Example
- Finally, Alice computes f_p(x) ∗ b(x) (mod p), which is the plaintext M(x)
- Why does this work?
- In fact, it does not always work!
- Decryption is probabilistic…

Why Does NTRU Work?
- Ciphertext is C(x) = r(x) ∗ h(x) + M(x) (mod q)
- Where h(x) = p f_q(x) ∗ g(x) (mod q)
- To decrypt, Alice first computes a(x) = f(x) ∗ C(x) = p r(x) ∗ g(x) + f(x) ∗ M(x) (mod q), since f(x) ∗ f_q(x) = 1 (mod q)

Why Does NTRU Work?
- The polynomial p r(x) ∗ g(x) + f(x) ∗ M(x) is probably the same whether or not it is reduced mod q
- If so, the mod q has no effect, so b(x) = a(x) (mod p) = f(x) ∗ M(x) (mod p) and f_p(x) ∗ b(x) = M(x) (mod p)
- But the mod q can make decryption fail!
  - Probability is low: r, g, f, M are all "small"
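A complete toy NTRU with the slides' parameters, as an added example (not code from the slides). Since the slides' own f, g, r and M polynomials did not survive extraction, the block constructs its own: g and r are fixed ternary polynomials in L(3, 3), f is the first polynomial in L(4, 3) (in lexicographic order) that is invertible mod p and mod 2, and the message is an arbitrary element of L_m. The convolution, inverses, h = p f_q ∗ g, encryption and the centre-then-reduce decryption follow the slides; `true_coefficient_bound` computes the integer polynomial p r ∗ g + f ∗ M that the last two slides discuss, so the reader can see why decryption is exact when it stays below q/2 and why it is only probabilistic in general.

```python
# Added example (not from the slides): toy NTRU with (N, q, p) = (11, 32, 3),
# L_f = L(4, 3), L_g = L(3, 3), L_r = L(3, 3). The polynomials f, g, r, M are
# constructed here; the algorithm follows the slides.
from itertools import combinations, zip_longest

N, P, Q = 11, 3, 32  # the slides' toy parameters

def conv(a, b, mod=None):
    # cyclic convolution a * b in Z[x]/(x^N - 1), optionally reduced mod `mod`
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return [x % mod for x in c] if mod else c

def center(a, mod):
    # coefficient representatives in [-mod/2, mod/2): -16..15 for q, -1..1 for p
    return [((x + mod // 2) % mod) - mod // 2 for x in a]

def _trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def _divmod(a, b, p):
    # ordinary polynomial long division over Z_p (list index = degree)
    a, quot = a[:], [0] * max(len(a) - len(b) + 1, 1)
    inv_lead = pow(b[-1], -1, p)
    while a and len(a) >= len(b):
        coef, shift = a[-1] * inv_lead % p, len(a) - len(b)
        quot[shift] = coef
        for i, bi in enumerate(b):
            a[i + shift] = (a[i + shift] - coef * bi) % p
        _trim(a)
    return _trim(quot), a

def _mul(a, b, p):
    # ordinary (non-cyclic) polynomial product over Z_p
    c = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] = (c[i + j] + ai * bj) % p
    return _trim(c)

def inverse_mod_prime(f, p):
    # f^-1 in Z_p[x]/(x^N - 1) by extended Euclid against x^N - 1; None if not invertible
    r0, r1 = [p - 1] + [0] * (N - 1) + [1], _trim([x % p for x in f])
    s0, s1 = [], [1]  # invariant: s_i * f = r_i (mod x^N - 1)
    while r1:
        quot, rem = _divmod(r0, r1, p)
        qs = _mul(quot, s1, p)
        r0, r1, s0, s1 = r1, rem, s1, _trim([(x - y) % p for x, y in zip_longest(s0, qs, fillvalue=0)])
    if len(r0) != 1:
        return None  # gcd has positive degree
    c = pow(r0[0], -1, p)
    return ([x * c % p for x in s0] + [0] * N)[:N]

def inverse_mod_prime_power(f, prime, modulus):
    # Newton lift g <- g(2 - f g) from an inverse mod `prime` to one mod `modulus` = prime^k
    g, e = inverse_mod_prime(f, prime), prime
    while e < modulus:
        e = min(e * e, modulus)
        fg = conv(f, g, e)
        g = conv(g, [((2 if i == 0 else 0) - x) % e for i, x in enumerate(fg)], e)
    return g

def keygen():
    # Alice: first f in L(4, 3) (lexicographic order) invertible mod p and mod 2, a fixed
    # g in L(3, 3), and h = p f_q * g (mod q); f and g are constructed for this example
    g = [1, 1, 1, -1, -1, -1, 0, 0, 0, 0, 0]
    for plus in combinations(range(N), 4):
        for minus in combinations([i for i in range(N) if i not in plus], 3):
            f = [1 if i in plus else -1 if i in minus else 0 for i in range(N)]
            fp = inverse_mod_prime(f, P)
            if fp is not None and inverse_mod_prime(f, 2) is not None:
                fq = inverse_mod_prime_power(f, 2, Q)
                return {"f": f, "fp": fp, "fq": fq, "g": g, "h": conv([P * x for x in fq], g, Q)}

def encrypt(h, m, r):
    # Bob: C = r * h + M (mod q), with r in L_r the blinding polynomial
    return [(x + y) % Q for x, y in zip(conv(r, h, Q), m)]

def decrypt(key, c):
    a = center(conv(key["f"], c, Q), Q)      # a = f * C, coefficients centered mod q
    b = [x % P for x in a]                   # b = a (mod p)
    return center(conv(key["fp"], b, P), P)  # M = f_p * b (mod p), in {-1, 0, 1}

def true_coefficient_bound(key, m, r):
    # max |coefficient| of p r g + f M over Z; decryption is exact when this is below q/2
    prg, fm = conv(r, key["g"]), conv(key["f"], m)
    return max(abs(P * x + y) for x, y in zip(prg, fm))

R_SAMPLE = [1, 0, -1, 0, 1, 0, -1, 0, 1, 0, -1]  # constructed r in L(3, 3)
M_SAMPLE = [1, -1, 0, 1, 0, 0, -1, 0, 0, 1, -1]  # constructed message in L_m
```

With these g and r, r ∗ g has every coefficient in {-1, 0, 1}, so the integer polynomial p r ∗ g + f ∗ M never exceeds 3 + 7 = 10 in absolute value and decryption is exact for every f and M; other choices of r and g can push a coefficient past q/2, which is the decryption failure the slides mention.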
NTRU Lattice
- What is the hard math problem behind NTRU?
- Ironically, it is lattice reduction
  - The same problem that breaks the knapsack!
- If Trudy can determine f(x) or f_q(x) from h(x), she gets Alice's private key
- Recall h(x) = p f_q(x) ∗ g(x) (mod q)
- Equivalently, h(x) ∗ f(x) = p g(x) (mod q)

NTRU Lattice
- Denote by H the matrix shown on the slide (lost in extraction)
- Define h(x) = h_0 + h_1 x + … + h_(N-1) x^(N-1)
- Let h be the coefficients of h(x) as a column vector, and similarly for f(x) and g(x)

NTRU Lattice
- By the definition of "∗", we have Hf = pg (mod q)
- Equivalent to a block matrix equation (shown on the slide; not reproduced)
- That is, f = f and Hf + qs = pg (mod q)

NTRU Lattice
- Trudy gets the private key if she gets V or W
  - W is in the lattice spanned by the columns of M
  - W has a special form (number of +1 and -1 entries)
  - W is a "short" vector
- Lattice reduction attack!
  - Just like the knapsack?
- No, this NTRU lattice is hard to break!
  - As far as anybody knows…

NTRU Lattice
- Note that success against this NTRU lattice would recover the private key
- The knapsack lattice just broke 1 message
- Unfair to compare these attacks?
- We can rewrite the NTRU attack so it breaks only a single message
- And it's still a hard problem!

Why Bother with NTRU?
- Efficiency — for public key, NTRU is fast!
- Compared to RSA with a 512-bit modulus, the NTRU inventors claim for "equivalent" NTRU
  - Encryption is 5.9 times faster
  - Decryption is 14.4 times faster
  - Key creation is 5.0 times faster
- Good for resource-constrained environments?
- But, the higher the security level, the less impressive the advantage for NTRU

NTRU Attacks
- Lattice reduction
  - Generic attack (like factoring for RSA)
- Meet-in-the-middle
  - Square root of "exhaustive search" work
  - Inherent in the use of polynomials
- Multiple transmission
  - Encrypt M(x) multiple times with different r(x)
  - Complex padding can prevent it
- Chosen ciphertext
  - Broke an earlier version of NTRU

NTRU Conclusions
- A very different public key system
- Based on a "hard" lattice problem
- Has evolved since its introduction
- Considered theoretically sound
- Not widely used
- An interesting system
ElGamal Signature

ElGamal Signature
- Based on the discrete log problem
  - Same hard problem as Diffie-Hellman
- Only for signatures
  - No encryption
- Widely used in the form of the Digital Signature Standard (DSS)

ElGamal
- Alice chooses a large prime p and numbers s and a, both between 2 and p-2
- Alice computes β = s^a (mod p)
- Private: a; Public: (p, s, β)
- Suppose Alice wants to sign M
  - She selects random k with gcd(k, p-1) = 1, computes r = s^k (mod p) and t = k^-1 (M - ra) (mod (p-1))
- Alice sends the triple (M, r, t)

ElGamal
- Private: a; Public: (p, s, β)
- Where β = s^a (mod p)
- Alice sends the triple (M, r, t), where r = s^k (mod p) and t = k^-1 (M - ra) (mod (p-1))
- To verify the signature, Bob computes v = s^M (mod p) and w = β^r r^t (mod p)
- If v = w (mod p) the signature is accepted

ElGamal
- Why does this work? Since kt = M - ra (mod (p-1)), we have β^r r^t = s^(ar) s^(kt) = s^(ar + M - ra) = s^M (mod p)
- If Trudy can compute discrete logs, she can find the private key a from β
- To forge a signature, Trudy must find r, t so that s^M = β^r r^t
- Unknown whether this is equivalent to the discrete log problem

ElGamal Issues
- If all prime factors of p-1 are small, it is easy to compute discrete logs
- If Trudy can guess k, she can find the private key (with high probability)
- If Alice repeats k, Trudy can find Alice's private key
- Alice must sign h(M), not M, or else Trudy can forge Alice's signature
  - But the "message" M would be nonsense
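ElGamal signing and verification as defined on the slides, as an added example (not code from the slides), with the three practitioner checks the last slide motivates built in: k is rejected unless gcd(k, p-1) = 1, the message is hashed before signing (the slides' h(M), here SHA-256), and a small helper flags a repeated k by its repeated r. The range check 0 < r < p in `verify` is a standard precaution the slides do not mention. The toy parameters p = 2^31 - 1 and s = 7 are this example's; note that p-1 for this prime is smooth, which is exactly the first weakness the slides list, so the group is for illustration only.

```python
# Added example (not from the slides): ElGamal signature generation and verification
# with hashed messages, a gcd(k, p-1) check, and detection of a repeated k.
# Toy parameters: p = 2^31 - 1 (prime), s = 7. p - 1 is smooth here, the first
# weakness on the slides; real parameters avoid this.
import hashlib
import secrets
from math import gcd

P = 2**31 - 1
S = 7


def h(message):
    """Hash the message to an integer: the slides' h(M)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def keygen(a):
    """Private a in [2, p-2]; public beta = s^a (mod p)."""
    if not 2 <= a <= P - 2:
        raise ValueError("a must lie in [2, p-2]")
    return pow(S, a, P)


def sign(a, message, k=None):
    """Return (r, t) with r = s^k (mod p), t = k^-1 (h(M) - r a) (mod (p-1))."""
    if k is None:
        while True:                                  # fresh random k per signature
            k = secrets.randbelow(P - 3) + 2
            if gcd(k, P - 1) == 1:
                break
    elif not (1 <= k < P - 1 and gcd(k, P - 1) == 1):
        raise ValueError("k must satisfy gcd(k, p-1) = 1")
    r = pow(S, k, P)
    t = (pow(k, -1, P - 1) * (h(message) - r * a)) % (P - 1)
    return r, t


def verify(beta, message, sig):
    """Accept iff s^h(M) = beta^r r^t (mod p), with the range check 0 < r < p."""
    r, t = sig
    if not 0 < r < P:
        return False
    v = pow(S, h(message), P)
    w = (pow(beta, r, P) * pow(r, t, P)) % P
    return v == w


def repeated_k(sig1, sig2):
    """Two signatures under one key with equal r were made with the same k: flag them."""
    return sig1[0] == sig2[0]


if __name__ == "__main__":
    a = 123456789                                    # constructed private key
    beta = keygen(a)
    msg = b"constructed message"
    sig = sign(a, msg)
    print("signature", sig, "verifies:", verify(beta, msg, sig))
    print("tampered verifies:", verify(beta, msg + b"!", sig))
```

Hashing before signing also makes the "sign h(M), not M" advice concrete: the verifier recomputes the hash itself, so a forged (M, r, t) triple would have to satisfy the verification equation for a hash the forger does not control.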
Public Key Systems
- A quick intro to several systems
- Public key encryption/decryption
  - RSA, Rabin, NTRU, Knapsack
- Key exchange protocols
  - Diffie-Hellman, Arithmetica
- Signature scheme
  - ElGamal

Public Key Systems
- Each rests on a (presumed) difficult math problem
- RSA, Rabin
  - Factoring
- Diffie-Hellman, ElGamal
  - Discrete log
- Lack of "genetic diversity" in public key crypto

Public Key Systems
- Next, we discuss factoring algorithms
- Then discrete log algorithms
- Finally, we consider implementation attacks on RSA
  - Do not attack the algorithm directly
  - Attack based on timing the computation
  - Attack based on induced errors
- Slides: 112