Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena.

Published byAlaina Stevens Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena."— Presentation transcript:

1 Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena

2 Course Administration HW1 solution has been posted Grades posted We will distribute after lecture today Any questions, or help needed? We need to something to make-up the missed material – Waiting on UAB for guidelines 2

3 Outline of Today’s Lecture The RSA Cryptosystem (Encryption) 3

4 “Textbook” RSA: KeyGen Alice wants people to be able to send her encrypted messages. She chooses two (large) prime numbers, p and q and computes n=pq and. [“large” = 1024 bits +] She chooses a number e such that e is relatively prime to and computes d, the inverse of e in, i.e., ed =1 mod She publicizes the pair (e,n) as her public key. (e is called RSA exponent, n is called RSA modulus). She keeps d secret and destroys p, q, and Plaintext and ciphertext messages are elements of Z n and e is the encryption key. 4

5 RSA: Encryption Bob wants to send a message x (an element of Z n * ) to Alice. He looks up her encryption key, (e,n), in a directory. The encrypted message is Bob sends y to Alice. 5

6 RSA: Decryption To decrypt the message she’s received from Bob, Alice computes Claim: D(y) = x 6

7 RSA: why does it all work Need to show  D[E[x]] = x  E[x] and D[y] can be computed efficiently if keys are known  E -1 [y] cannot be computed efficiently without knowledge of the (private) decryption key d. Also, it should be possible to select keys reasonably efficiently  This does not have to be done too often, so efficiency requirements are less stringent. 7

8 E and D are Inverses 8 Because From Euler’s Theorem

9 Tiny RSA example. Let p = 7, q = 11. Then n = 77 and Choose e = 13. Then d = 13 -1 mod 60 = 37. Let message = 2. E(2) = 2 13 mod 77 = 30. D(30) = 30 37 mod 77=2 9

10 Slightly Larger RSA example. Let p = 47, q = 71. Then n = 3337 and Choose e = 79. Then d = 79 -1 mod 3220 = 1019. Let message = 688232… Break it into 3 digit blocks to encrypt. E(688) = 688 79 mod 3337 = 1570. E(232) = 232 79 mod 3337 = 2756 D(1570) = 1570 1019 mod 3337 = 688. D(2756) = 2756 1019 mod 3337 = 232. 10

11 Security of RSA: RSA assumption Suppose Oscar intercepts the encrypted message y that Bob has sent to Alice. Oscar can look up (e,n) in the public directory (just as Bob did when he encrypted the message) If Oscar can compute d = e -1 mod then he can use to recover the plaintext x. If Oscar can compute, he can compute d (the same way Alice did). 11

12 Security of RSA: factoring Oscar knows that n is the product of two primes If he can factor n, he can compute But factoring large numbers is very difficult: – Grade school method takes divisions. – Prohibitive for large n, such as 160 bits – Better factorization algorithms exist, but they are still too slow for large n – Lower bound for factorization is an open problem 12

13 How big should n be? Today we need n to be at least 1024-bits – This is equivalent to security provided by 80-bit long keys in private-key crypto No other attack on RSA known – Except some side channel attacks, based on timing, power analysis, etc. But, these exploit certain physical charactesistics, not a theoretical weakness in the cryptosystem! 13

14 Key selection To select keys we need efficient algorithms to – Select large primes Primes are dense so choose randomly. Probabilistic primality testing methods known. Work in logarithmic time. – Compute multiplicative inverses Extended Euclidean algorithm 14

15 RSA in Practice Textbook RSA is insecure – Known-plaintext? – CPA? – CCA? In practice, we use a “randomized” version of RSA, called RSA-OAEP – Use PKCS#1 standard for RSA encryption http://www.rsa.com/rsalabs/node.asp?id=2125 – Interested in details of OAEP: refer to (section 3.1 of) http://isis.poly.edu/courses/cs6903/Lectures/lecture13.pdf http://isis.poly.edu/courses/cs6903/Lectures/lecture13.pdf 15

16 Some questions c1 = RSA_Enc(m1), c2 = RSA_Enc(m2). – What is RSA_Enc(m1m2)? Homomorphic property – What is RSA_Enc(2m1)? Malleability (not a good property!) Is it possible to find inverses mod n (RSA modulus)? 16

17 Some Questions RSA stands for Robust Security Algorithm, right? If e is small (such as 3) – Encryption is faster than decryption or the other way round? Private key crypto has key distribution problem and Public key crypto is slow – How about a hybrid approach? – Do you know how ssl/ssh works? 17

18 Some Questions I encrypt m with Alice’s RSA PK, I get c – I encryt m again, I get --? – What does this mean? What if I do the above with DES? 18

19 Further Reading Section 8.2 of HAC Section 9 of Stallings 19

20 Outline of Today’s Lecture Discrete Logarithm System El Gamal Encryption Digital Signatures Lecture 3.4: Public Key Cryptography IV

21 Discrete Logarithm Assumption Work with a cyclic group G with generator g Let |G| = m G = {g 0, g 1, g 2,…,g m-1 } Given any y = g x in G (where x belongs to Z m ), g and and m, it is not possible to compute x This is known as the DL assumption Of course, x should be fairly large – at least 160-bits in length This suggests that one can possibly use x as the secret key, and y (and other parameters) as the public key

22 El Gamal Encryption -- KeyGen p, q primes such that q|p-1 g is an element of order q and generates a group G q of order q – g = g ’(p-1)/q (were g’ is the generator of Z p *) x in Z q, y = g x mod p DL assumption -- given (p, q, g, y), it is computationally hard to compute x – No polynomial time algorithm known – p should be 1024-bits and q be 160-bits x becomes the private key and y becomes the public key

23 ElGamal Encryption/Decryption Encryption (of m in G q ): – Choose random r in Z q – k = g r mod p – c = my r mod p – Output (k,c) Decryption of (k,c) – M = ck -x mod p Secure under (a variant of) the discrete logarithm assumption Lecture 3.4: Public Key Cryptography IV

24 ElGamal Example: dummy Let’s construct an example KeyGen: – p = 11, q = 2 or 5; let’s say q = 5 – g’ = 2 is a generator of Z 11 * – g = 2 2 = 4 – x = 2; y = 4 2 mod 11 = 5 Enc(3): – r = 4  k = 4 4 mod 11 = 3 – c = 3*5 4 mod 11 = 5 Dec(3,5): – m = 5*3 -2 mod 11 = 3 Lecture 3.4: Public Key Cryptography IV

25 El Gamal Security Secure against CPA attacks assuming that discrete logarithm is hard Not secure against CCA attacks; why? – It is possible to massage the ciphertext in a meaningful way – Given a ciphertext (k, c), compute k’ = kg r’ and c’ = cy r’ (r’ is picked by the adversary) – Query the decryption oracle on (k’,c’); it decrypts and returns the response -- m Lecture 3.4: Public Key Cryptography IV

26 CCA Security Like in the case of symmetric key encryption, we can derive CCA secure encryption using CPA secure encryption Just prevent any massaging of the ciphertext Integrity protection mechanism is needed – But, now a public-key based mechanism is needed Digital signatures -- next Lecture 3.4: Public Key Cryptography IV

27 Digital Signatures Message Integrity – Detect if message is tampered with while in the transit Source/Sender Authentication – No forgery possible Non-repudiation – If I sign something, I can not deny later – A trusted third party (court) can resolve dispute Many applications – signed email, e-contracts, e-transactions…

28 Public Key Signatures Signer has public key, private key pair Signer signs using its private key Verifier verifies using public key of the signer Lecture 3.4: Public Key Cryptography IV

29 Security Notion/Model for Signatures Existential Forgery under (adaptively) chosen message attack (CMA) – Adversary (adaptively) chooses messages m i of its choice – Obtains the signature s i on each m i – Outputs any message m (≠ mi) and a signature s on m Lecture 3.4: Public Key Cryptography IV

30 RSA Signatures Key Generation: same as in encryption Sign(m): s = m d mod N Verify(m,s): (s e == m mod N) The above text-book version is insecure; why? In practice, we use a randomized version of RSA (implemented in PKCS#1) – Hash the message and then sign the hash Lecture 3.4: Public Key Cryptography IV

31 Digital Signature Standard (DSS) Adopted as standard in 1994 Security based on hardness of the discrete logarithm problem Lecture 3.4: Public Key Cryptography IV

32 DSS – KeyGen; Signing; Verification KeyGen: the same way as El Gamal – p, q primes such that q|p-1 – g is an element of order q and generates a group G q of order q g = g ’(p-1)/q (were g’ is the generator of Z p *) – x in Z q, y = g x mod p Sign: – Pick random r from Z* q – k = (g r mod p) mod q; c = (m + xk)r -1 mod q – Output (k,c) and also the message m Verify: k c == g m.y k mod p Lecture 3.4: Public Key Cryptography IV

33 DSS Example Refer to 11.57 of HAC Lecture 3.4: Public Key Cryptography IV

34 Some Questions I encrypt m with Alice’s ElGamal PK, I get c – I encrypt m again, I get --? – What does this mean? Is RSA-OAEP CCA secure? Is El Gamal CCA secure? Lecture 3.4: Public Key Cryptography IV

35 Further Reading Stalling Chapter 10 HAC Chapter 8 and Chapter 11 Lecture 3.4: Public Key Cryptography IV

Download ppt "Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena."

Similar presentations

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security

Cryptography and Network Security
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
7. Asymmetric encryption-

7. Asymmetric encryption-
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Attacks on Digital Signature Algorithm: RSA

Attacks on Digital Signature Algorithm: RSA
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
1 Lecture #10 Public Key Algorithms HAIT Summer 2005 Shimrit Tzur-David.

1 Lecture #10 Public Key Algorithms HAIT Summer 2005 Shimrit Tzur-David.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Similar presentations

Ads by Google