Download presentation

Presentation is loading. Please wait.

1
**Electronic Payment Systems 20-763 Lecture 5: ePayment Security II**

ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

2
**Outline Public-key Cryptography One-way trapdoor functions RSA**

Protocol Failure Discrete Logarithms Diffie-Hellman El Gamal Elliptic Curve Cryptosystems ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

3
**Public Key Encryption Clear-text Input Cipher-text Clear-text Output**

“The quick brown fox jumps over the lazy dog” “The quick brown fox jumps over the lazy dog” Encryption Decryption public private Different but mathematically linked keys Recipient’s public key Recipient’s private key SOURCE: ALBERTO PACE

4
**One-Way Trapdoor Function**

A function that is easy to compute Computationally difficult to invert without knowing the secret (the “trapdoor”) Easy to invert with the secret Example: f x (y) = x • y Given f x (y), it is difficult to find either x or y Given f x (y) and x (the secret), it is easy to find y: y = x • y / x ANY one-way trapdoor function can be used in public-key cryptography. ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

5
**Trapdoor Functions for Cryptogrpahy**

Alice wants to send message m to Bob Bob’s public key e is a parameter to the trapdoor function fe(x) The inverse fe -1(y) is easy to compute knowing Bob’s private key d but difficult without d Alice computes fe(m), sends it to Bob Bob computes fe -1(fe(m)) = m (easy if d is known) Eavesdropper Eve can’t compute m = fe -1(fe(m)) without the trapdoor d to find the inverse fe -1 Symmetric encryption satisfies the trapdoor criteria except that e and d are the same, so neither can be made public ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

6
**Rivest-Shamir-Adelman (RSA)**

It is easy to multiply two numbers but apparently hard to factor a number into a product of two others. Given p, q, it is easy to compute n = p • q Example: p = ; q = Easy to find n = Given n, hard to find two numbers p, q with p • q = n Now suppose n = What are p and q such that p • q = n ? Multiplication is a one-way function RSA exploits this fact in public-key encryption ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

7
**RSA Encryption Select two large prime numbers p, q (e.g. 1024 bits)**

Let n = p • q Choose a small odd integer e that does not divide m = (p - 1)(q - 1). Then x(p-1)(q-1) = 1 (mod n) Compute d = e-1(mod m) That is, d • e gives remainder 1 when divided by m Then xe •d = x (mod n) (by Fermat’s “Little” Theorem) Public key is the pair (e, n) Private key is the pair (d, n) d cannot be calculated quickly from (e, n) Still need p and q, which involves factoring n ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

8
**RSA Encryption Message M is a number**

To encrypt message M using key (e, n): Compute E(M) = M e (mod n) To decrypt message E(M) using key (d, n): Compute D(E(M)) = E(M) d (mod n) Note that D(E(M)) = E(D(M)) = (M e)d (mod n) = M e•d (mod n) = M because e • d = 1 (mod m) and m = (p-1)(q-1) DEMO ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

9
Protocol Failure A “secure” cryptosystem is not secure if used carelessly Protocols must be followed carefully or a “protocol failure” occurs Example: “common modulus” failure Bob and Carol have the same public-key modulus n with encryption exponents eBOB and eCAROL having no common factor Alice sends the same plaintext M to both Bob and Carol Bob gets yBOB = MeBOB mod n Carol gets yCAROL = MeCAROL mod n If Eve intercepts both, she can read the message WARNING: NEVER SEND THE SAME MESSAGE TWICE! ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

10
Protocol Failure Eve computes: c1 = eBOB-1 (mod eCAROL ) c2 = ((c1 eBOB) - 1 )/ eCAROL M = yBOBc1 ( yCAROLc2 )-1 (mod n) = (MeBOB)c1 ((MeCAROL)c2)-1 (mod n) = (MeBOB)c1 ((MeCAROL)(c1(eBOB)-1)/eCAROL)-1 (mod n) = (MeBOB)c1 (M(c1eBOB-1))-1 (mod n) = M (Mc1(eBOB)-1)) (M( c1(eBOB)-1))-1 (mod n) = M mod n So Eve recovers the original message! KNOWN QUANTITIES: n eBOB eCAROL yBOB yCAROL ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

11
**Discrete Logarithms If ab = c, we say that logac = b**

Example: 232 = so log2( ) = 32 Computing ab and logac are both easy for real numbers In a finite field, it is easy to calculate c = ab mod p but given c, a and p it is very difficult to find b This is the “discrete logarithm” problem Analogy: Given x it is easy to find two real numbers y, z such that x = y•z Given an integer n it is hard to find two integers p, q such that n = p•q ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

12
**Diffie-Hellman Key Exchange**

Object: allow Alice and Bob to exchange a secret key Protocol has two public parameters: a prime p and a number g < p such that given 0 < n < p there is some k such that gk = n (g is called a generator) Alice and Bob generate random private values a, b between 1 and p-2 Alice’s public value is ga (mod p); Bob’s is gb (mod p) Alice and Bob share their public values Alice computes (gb)a (mod p) = gba (mod p) Bob computes (ga)b (mod p) = gab = gba (mod p) Let key = gab. Now both Alice and Bob have it. No one else can compute it -- they don’t know a or b ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

13
**El Gamal Encryption Based on the discrete logarithm**

Bob’s public key is (p, q, r) Bob’s private key is s such that r = qs mod p Alice sends Bob the message m by picking a random secret number k and sending (a, b) = (qk mod p, mrk mod p) Bob computes b (as )-1 mod p = mrk (qks)-1 = mqks (qks)-1 = m (Bob knows s; nobody else can do this) ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

14
**Relative Time in Seconds Required for RSA Modular Exponentiation y = xe mod n**

RSA key size k [bits] Processing time t [s] 512 8 768 22 1024 48 1536 150 2048 335 RSA Benchmarks for the 20 MHz SOURCE: ANDREAS STEFFEN, ZHW

15
**Elliptic Curves y2 = x3 4x y2 = x3 + ax + b 4a3 + 27b2 0**

General form: y2 = x3 + ax + b Condition for distinct single roots: 4a b2 0 Example: y2 = x3 4x = x(x 2)(x +2) ONLINE TUTORIAL SOURCE: ANDREAS STEFFEN, ZHW

16
The Group <G,> A set G and an operation defined on pairs of elements of set G such that for all elements a, b and c in G we have: Closure: a b is also an element of G Associativity: a (b c) = (a b) c Identity Element: For some e in G, for all a, a e = e a = a Inverse Element: Every a has an inverse a' : a a' = a' a = e Commutativity: a b = b a (Abelian Group) Examples: Addition: <R, +> e = 0 , a' = -a Multiplication: <R-{0}, · > e = 1 , a' = a-1 SOURCE: ANDREAS STEFFEN, ZHW

17
**The Points P(x,y) on an Elliptic Curve form a Group**

Group set: All points P(x,y) lying on an elliptic curve R R' P Group operation: Point addition Q R = P Q SOURCE: ANDREAS STEFFEN, ZHW

18
**Identity and Inverse Elements**

P'(x,-y) = P(x,y) is mirrored on x-axis P' Point addition with inverse element: P P' = O results in the identity element O(x,) at infinity P Identity element: P O = P O SOURCE: ANDREAS STEFFEN, ZHW

19
**Point Doubling – Adding a point to itself**

Form the tangent in Point P(x,y) R R' P R = P P SOURCE: ANDREAS STEFFEN, ZHW

20
**Point Iteration – Adding a point k-1 times to itself**

Pk = P P ... P P3 P2 P SOURCE: ANDREAS STEFFEN, ZHW

21
**Calculation of Point Addition**

Line g: y = s x+y0 with g P(xP , yP) R(xR, yR) Q (xQ , yQ) Intersection with curve: (s x+y0)2 = x3 +ax+b Coordinates of point R: R' (xR, -yR) SOURCE: ANDREAS STEFFEN, ZHW

22
**Elliptic Curves Over Finite Fields**

Elliptic curves can be defined in a finite or Galois field GFp (mod p) y2 = x3 + ax + b mod p where the field size p is a prime number and {0,1, ..., p-1} is an abelian group under addition mod p and {1, ..., p-1} is an abelian group under multiplication mod p. SOURCE: ANDREAS STEFFEN, ZHW

23
**Points on an Elliptic Curve Over a Finite Field**

Which points P(x,y) with x and y in GF11 satisfy the elliptic curve equation: y2 = x3 + x + 6 mod 11 In Mathematica, compute Position[Table[Mod[y^2 – (x^3 + x + 6), 11], {x, 1, 10}, {y, 1, 10}], 0] SOURCE: ANDREAS STEFFEN, ZHW

24
**Solution: Points on the Elliptic Curve**

6 - 8 - 5 4,7 (2,4) (2,7) 3 5,6 (3,5) (3,6) 4 2,9 (5,2) (5,9) 4 2,9 (7,2) (7,9) 9 3,8 (8,3) (8,8) 7 - 4 2,9 (10,2) (10,9) y2 y1,2 P(x,y) P'(x,y) 1 2 3 4 5 6 7 8 9 10 x There are 12 points lying on the elliptic curve. Together with the point O at infinity, the points on the elliptic curve form a group with n=13 elements. n is called the order of the elliptic curve group and depends on the choice of the curve parameters a and b. SOURCE: ANDREAS STEFFEN, ZHW

25
**Elliptic Curve Discrete Logarithm Problem (ECDLP)**

( 2,4) ( 5,9) ( 8,8) (10,9) ( 3,5) ( 7,2) ( 7,9) ( 3,6) (10,2) ( 8,3) ( 5,2) ( 2,7) - O - Pk s y0 1 2 3 4 5 6 7 8 9 10 11 12 13 k Given an elliptic curve y2 = x3 + ax + b mod p and a basis point P, we can compute Q = Pk through k-1 iterative point additions. Fast algorithms for this task exist. The order of P is the smallest k for which Pk = O (the identity element) Question: Is it possible to compute k when points Q and P are known? Answer: This is a hard problem called the Elliptic Curve Discrete Logarithm Problem. SOURCE: ANDREAS STEFFEN, ZHW

26
**Defining An Elliptic Curve Cryptosystem**

Must specify the following parameters: version is currently v1 fieldID the finite field over which curve is defined curve coefficients a and b of the elliptic curve base the base point P order the order of the base point, a LARGE prime number SOURCE: ANDREAS STEFFEN, ZHW

27
**Secret Key Exchange: Diffie-Hellman v. ECC**

A = ga mod p Diffie-Hellman: Basis g and prime p B = gb mod p Secret: s = Ab = Ba = gab mod p QA = P a Elliptic Curve Cryptosystem: ECC, basis point P and prime p Secret: S = Q Ab = Q Ba = P ab QB = P b Cryptographic Applications • The following ECC algorithms have been defined: • ECDH (Elliptic Curve Diffie-Hellman) for secret key exchange • ECIES (Elliptic Curve Integrated Encryption Scheme) for public key encryption • ECDSA (Elliptic Curve Digital Signature Algorithm) for digital signatures • Elliptic curve certificates based on the X.509 standard can either be ordered from several trust centers (e.g. Certicom) or can be generated with the current OpenSSL snapshot. • A set of elliptic curves have been standardized by NIST. • Several ECC cipher suites based on the NIST curves have been defined for the SSL/TLS secure transport layer. SOURCE: ANDREAS STEFFEN, ZHW

28
**Elliptic Curves for El Gamal**

Multiplication in the elliptic group corresponds to exponentiation of real numbers Solving y = k x (mod p) for k in the elliptic group is similar to solving c = ab (mod p) for b in El Gamal (discrete logarithm) Select a generator g (an elements whose successive powers generate all group elements) Bob’s private key is s; Bob’s public key is (g, s g) A plaintext message m is transformed to a point x in the group Alice encrypts x by picking a random value k and sending (k g, x + k s g) Bob decrypts by computing (x + k s g) - (k g) s = x Can’t find s from g and sg g and sg are public; Alice knows x and k Alice sent him these Bob knows s (his private key)

29
**Table of Equivalent Cryptographic “Strength”**

Key Lengths Symmetric RSA n ECC p 56 512 112 80 1024 160 2048 224 128 3072 256 192 7680 384 15360 Key size ratio 5:1 6:1 9:1 12:1 20:1 30:1 Elliptic curve cryptography standards: PKCS#13 FIPS 186-2 ECC Cipher Suites for TLS ANSI X9.63, X9.63, Public Key Cryptography for the Financial Services Industry SOURCE: ANDREAS STEFFEN, ZHW

30
**Security of ECC versus RSA**

ECC Advantages 1. The elliptic curve logarithm problem is harder than the discrete logarithm problem. 2. Key size in ECC is much smaller for a given security level. 3. ECC is complicated; fewer people understand it. 4. ECC is not patented. GRAPHIC: RICHARD SOUTHERN ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

31
Major Ideas Any one-way trapdoor function can be used as the basis of a public-key cryptosystem Public-key encryption is slow because of the need to work with huge numbers (~2000 bits) Cryptosystems can be insecure if not used properly Elliptic curve cryptography allows high security with small key sizes ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS 52

32
Q A & ELECTRONIC PAYMENT SYSTEMS SPRING COPYRIGHT © 2004 MICHAEL I. SHAMOS

33
**Calculation of Point Doubling**

Tangent g: y = s x+y0 g P(xP , yP) R (xR, yR) Intersection with curve: (s x+y0)2 = x3 +ax+b R' (xR, -yR) Coordinates of point R: SOURCE: ANDREAS STEFFEN, ZHW

34
**Task 1 - Multiplication c = ab in GF11**

Compile a multiplication table for c = a b mod 11 Determine the solutions of the equation x2 = 5 mod 11 You have about 10 minutes for this task SOURCE: ANDREAS STEFFEN, ZHW

35
**Solution 1 - Multiplication c = ab in GF11**

1 2 3 4 5 6 7 8 9 10 a b c x2 = 5 mod 11 ? x1 = 4, x2 = 7 SOURCE: ANDREAS STEFFEN, ZHW

36
**Task 3 – Iterate a Point on the Elliptic Curve**

Iterate the point P(2,4) lying on y2 = x3 + x + 6 mod 11: Compute P2 = P P by doubling the point P Compute P3 = P P P = P2 P by point addition All operations are computed in GF11 SOURCE: ANDREAS STEFFEN, ZHW

37
**Solution 3 – Iterate a Point on the Elliptic Curve**

Compute P2 = P P by doubling the point P(2,4) P2=(5,9) Compute P3 = P P P = P2 P by point addition P3=(8,8) SOURCE: ANDREAS STEFFEN, ZHW

Similar presentations

© 2019 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google