Public Key Cryptography. CS 470 Introduction to Applied Cryptography. Instructor: Ali Aydin Selcuk.


"New Directions in Cryptography", Diffie & Hellman, 1976
Two fundamental problems in cryptography can be solved by an asymmetric "trapdoor one-way function":
  key distribution
  source authentication
An asymmetric encryption function:
  Encryption & decryption keys are different.
  Knowledge of the encryption key is not sufficient for deriving the decryption key efficiently.
  Hence, the encryption key can be made "public".

Key distribution solution:
  Alice makes her encryption key $K$ public.
  Everyone can send her an encrypted message: $C = E_K(P)$
  Only Alice can decrypt it with the private key $K^{-1}$: $P = D_{K^{-1}}(C)$
Source authentication solution:
  Only Alice can "sign" a message, using $K^{-1}$.
  Anyone can verify the signature, using $K$.
Only if such a function could be found...

Diffie-Hellman Key Exchange
Public parameters:
  $p$: A large prime
  $g$: A generator of $Z_p^*$, i.e., $\{g^i \mid 0 \le i \le p-2\} = \{1, 2, \ldots, p-1\}$.
$\alpha, \beta \in \{0, 1, 2, \ldots, p-2\}$ are secret.
Alice and Bob exchange $g^\alpha \bmod p$ and $g^\beta \bmod p$.
One side computes $(g^\beta)^\alpha \bmod p$, the other computes $(g^\alpha)^\beta \bmod p$.
$K = g^{\alpha\beta} \bmod p$

Security of DH
Discrete Logarithm Problem: Given $p$, $g$, $g^\alpha \bmod p$, what is $\alpha$? (easy in $Z$, hard in $Z_p$.)
DH Problem: Given $p$, $g$, $g^\alpha \bmod p$, $g^\beta \bmod p$, what is $g^{\alpha\beta} \bmod p$?
Conjecture: DHP is as hard as DLP. (Note: neither is proven to be NP-complete.)
"Safe prime": If $(p-1)/2$ is also a prime.
Best known method for DLP: "Number Field Sieve" with running time $e^{O(1)\,(\ln p)^{1/3}\,(\ln \ln p)^{2/3}}$.

Efficiency of DH
Generating a large prime:
  Generate a random number & test for primality.
  Primality testing is efficient.
Density of primes:
  Prime Number Theorem: For $\pi(n)$ denoting the number of primes $\le n$, we have $\pi(n) \sim n / \ln n$.
  That is, $\lim_{n \to \infty} (\pi(n) \ln n) / n = 1$.

Efficiency of DH
How to compute ($g^\alpha \bmod p$) for large $p$, $g$, $\alpha$?
  $x^n = (x^k)^2$ if $n = 2k$
  $x^n = (x^k)^2 x$ if $n = 2k + 1$
"Repeated squaring": Start with the most significant bit of the exponent.
E.g. Computing $3^{25} \bmod 20$: $25 = (11001)_2$
  $y_0 = 3^{(1)} \bmod 20 = 3$
  $y_1 = 3^{(11)} \bmod 20 = 3^2 \cdot 3 \bmod 20 = 7$
  $y_2 = 3^{(110)} \bmod 20 = 7^2 \bmod 20 = 9$
  $y_3 = 3^{(1100)} \bmod 20 = 9^2 \bmod 20 = 1$
  $y_4 = 3^{(11001)} \bmod 20 = 1^2 \cdot 3 \bmod 20 = 3$
Further efficiency with preprocessing $x^i$, $i < 2^k$, for some $k$.
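The repeated-squaring rule above, run on the slide's own 3^25 mod 20 case and then used for both sides of a Diffie-Hellman exchange. This is an added example, not code from the original slides; the function names, the toy parameters p = 23, g = 5, and the choice of which party holds α are assumptions.

```python
import secrets

def modexp_trace(x, n, m):
    """Return [y_0, y_1, ...]: y_j = x^(leading j+1 bits of n) mod m, n >= 1."""
    if n < 1:
        raise ValueError("exponent must be >= 1")
    bits = bin(n)[2:]            # most significant bit first; bits[0] == '1'
    y = x % m
    trace = [y]
    for b in bits[1:]:
        y = (y * y) % m          # n = 2k:     x^n = (x^k)^2
        if b == "1":
            y = (y * x) % m      # n = 2k + 1: x^n = (x^k)^2 * x
        trace.append(y)
    return trace

def modexp(x, n, m):
    """x^n mod m; the secrets may be 0, so handle that exponent too."""
    return 1 % m if n == 0 else modexp_trace(x, n, m)[-1]

def dh_exchange(p, g, alpha=None, beta=None):
    """Run both sides; returns (A, B, key_alice, key_bob).

    alpha is taken to be Alice's secret and beta Bob's (an arbitrary
    assignment made for this example). Secrets are drawn from {0, ..., p-2}.
    """
    alpha = secrets.randbelow(p - 1) if alpha is None else alpha
    beta = secrets.randbelow(p - 1) if beta is None else beta
    A = modexp(g, alpha, p)      # Alice -> Bob
    B = modexp(g, beta, p)       # Bob -> Alice
    key_alice = modexp(B, alpha, p)   # (g^beta)^alpha mod p
    key_bob = modexp(A, beta, p)      # (g^alpha)^beta mod p
    return A, B, key_alice, key_bob

if __name__ == "__main__":
    print(modexp_trace(3, 25, 20))        # the y_0 .. y_4 sequence
    print(dh_exchange(23, 5, 6, 15))      # constructed toy parameters
```
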

Structure of $Z_p^*$
For a prime $p$, let $Z_p^*$ denote all non-zero elements of $Z_p$.
Fermat's (Little) Theorem: For all $x \in Z_p^*$, we have $x^{p-1} \equiv 1 \pmod p$.
Let $\langle g \rangle$ denote the numbers generated by powers of $g$ in $Z_p^*$; $\langle g \rangle = \{g, g^2, \ldots, g^{p-1}\}$.
E.g. for $Z_5^*$:
  $\langle 1 \rangle = \{1\}$
  $\langle 2 \rangle = \{2, 4, 3, 1\}$
  $\langle 3 \rangle = \{3, 4, 2, 1\}$
  $\langle 4 \rangle = \{4, 1\}$
"Order" of 1 is one; of 4 is two; of 2 & 3 is four.
2 & 3 are "generators" of $Z_5^*$ (they have order $p-1$).
Fact: For every prime $p$, $Z_p^*$ has a generator.
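The orders and subgroups listed above, computed directly, together with the shortcut a safe prime allows when checking that g is a generator. This is an added example, not part of the original slides; the function names are assumptions, and the shortcut assumes the caller has already established that p is a safe prime.

```python
def order(x, p):
    """Smallest k >= 1 with x^k = 1 (mod p), for prime p and x in Z_p*."""
    if x % p == 0:
        raise ValueError("x must be non-zero mod p")
    k, y = 1, x % p
    while y != 1:
        y = (y * x) % p
        k += 1
    return k

def subgroup(g, p):
    """<g> listed in the order g, g^2, g^3, ... as on the slide."""
    return [pow(g, i, p) for i in range(1, order(g, p) + 1)]

def is_generator(g, p):
    """Brute-force check: g generates Z_p* iff its order is p - 1."""
    return order(g, p) == p - 1

def is_generator_safe_prime(g, p):
    """Same question for a safe prime p = 2q + 1 (q prime), in two powers.

    The order of g divides p - 1 = 2q, so it is 1, 2, q or 2q. Ruling out
    g^2 = 1 and g^q = 1 leaves only 2q = p - 1.
    Assumption: p is a safe prime; this function does not verify that.
    """
    q = (p - 1) // 2
    return 1 < g < p and pow(g, 2, p) != 1 and pow(g, q, p) != 1

if __name__ == "__main__":
    for g in range(1, 5):
        print(g, subgroup(g, 5), "order", order(g, 5))
    # 23 = 2*11 + 1 is a safe prime (constructed toy value)
    print([g for g in range(1, 23) if is_generator_safe_prime(g, 23)])
```
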

Number Theory Review
Euclid's algorithm to compute gcd(m,n): Divide repeatedly until no divisor is left:
  $m = q_0 n + r_0$, $0 \le r_0 < n$
  $n = q_1 r_0 + r_1$, $0 \le r_1 < r_0$
  $r_0 = q_2 r_1 + r_2$, $0 \le r_2 < r_1$
  ...
  $r_{k-2} = q_k r_{k-1} + r_k$, $0 \le r_k < r_{k-2}$
  $r_{k-1} = q_{k+1} r_k$.
(Why is convergence guaranteed?)
Theorem: $\gcd(m,n) = r_k$.
Proof: $r_k$ divides all $r_i$s, hence $r_k \mid m, n$. Conversely, if $d \mid m, n$, then $d \mid r_i$, including $r_k$.

Extended Euclid's Algorithm
Compute $u$, $v$, such that $\gcd(m,n) = um + vn$.
Maintain $u_i$, $v_i$, such that $r_i = u_i m + v_i n$. ("loop invariant")
When the last $r$ is reached, $u$ & $v$ are found.
Given $r_{i-2} = u_{i-2} m + v_{i-2} n$ and $r_{i-1} = u_{i-1} m + v_{i-1} n$, we have
  $r_i = r_{i-2} - q_i r_{i-1}$
  $= (u_{i-2} m + v_{i-2} n) - q_i (u_{i-1} m + v_{i-1} n)$
  $= (u_{i-2} - q_i u_{i-1}) m + (v_{i-2} - q_i v_{i-1}) n$
Hence, $u_i = u_{i-2} - q_i u_{i-1}$ and $v_i = v_{i-2} - q_i v_{i-1}$.
Initial conditions: For $r_0 = m - q_0 n$, we have $r_{-1} = n$, $r_{-2} = m$.
  $u_{-1} = 0$, $v_{-1} = 1$
  $u_{-2} = 1$, $v_{-2} = 0$.

Extended Euclid's Algorithm
E.g. Compute gcd(100, 18) with the u, v coefficients (table columns: $i$, $r_i$, $q_i$, $u_i$, $v_i$):
$\Rightarrow$ gcd(100, 18) = 2, 2 = 2*100 – 11*18.
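The recurrence and initial conditions from the two slides above, as a function that returns one row (i, r_i, q_i, u_i, v_i) per step and checks the loop invariant at each one. This is an added example, not code from the original slides; the function names are assumptions, and `mod_inverse` goes one step beyond the slide to show the usual application when gcd = 1.

```python
def extended_euclid_rows(m, n):
    """Rows (i, r_i, q_i, u_i, v_i), starting at i = -2, until r_i = 0."""
    rows = [(-2, m, None, 1, 0),    # r_-2 = m, u_-2 = 1, v_-2 = 0
            (-1, n, None, 0, 1)]    # r_-1 = n, u_-1 = 0, v_-1 = 1
    i = 0
    while rows[-1][1] != 0:
        _, r2, _, u2, v2 = rows[-2]
        _, r1, _, u1, v1 = rows[-1]
        q, r = divmod(r2, r1)              # r_i = r_{i-2} - q_i * r_{i-1}
        u, v = u2 - q * u1, v2 - q * v1    # the u_i, v_i recurrences
        assert r == u * m + v * n          # loop invariant from the slide
        rows.append((i, r, q, u, v))
        i += 1
    return rows

def egcd(m, n):
    """Return (g, u, v) with g = gcd(m, n) = u*m + v*n."""
    _, g, _, u, v = extended_euclid_rows(m, n)[-2]   # last non-zero r_i
    return g, u, v

def mod_inverse(a, n):
    """a^-1 mod n, defined only when gcd(a, n) = 1 (added application)."""
    g, u, _ = egcd(a, n)
    if g != 1:
        raise ValueError("no inverse: gcd(%d, %d) = %d" % (a, n, g))
    return u % n

if __name__ == "__main__":
    for row in extended_euclid_rows(100, 18):
        print(row)
    print(egcd(100, 18))
```
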

Number Theory Review
Def: $m, n \in Z$ are relatively prime if $\gcd(m,n) = 1$.
Def: $Z_n^*$: the numbers in $Z_n$ relatively prime to $n$. E.g., $Z_6^* = \{1, 5\}$, $Z_7^* = \{1, 2, 3, 4, 5, 6\}$.
Def: $\varphi(n) = |Z_n^*|$. E.g., $\varphi(6) = 2$, $\varphi(7) = 6$.
Theorem: If $n$ is prime, $\varphi(n) = n - 1$.
Theorem (Euler): For all $m \in Z_n^*$, we have $m^{\varphi(n)} \equiv 1 \pmod n$.
(This result generalizes Fermat's theorem to composite values of $n$.)

Number Theory Review
Chinese Remainder Theorem: For $n_1, n_2, \ldots, n_k$ pairwise relatively prime, the system
  $x \equiv r_1 \pmod{n_1}$
  $x \equiv r_2 \pmod{n_2}$
  ...
  $x \equiv r_k \pmod{n_k}$
has a unique solution in $Z_n$, where $n = n_1 n_2 \cdots n_k$.
E.g., $x \equiv 1 \pmod 3$, $x \equiv 1 \pmod 4$ $\Rightarrow$ $x \equiv 1 \pmod{12}$.
But $x \equiv 1 \pmod 2$, $x \equiv 1 \pmod 4$ is either 1 or 5 in $Z_8$, whereas $x \equiv 1 \pmod 2$, $x \equiv 2 \pmod 4$ has no solutions.
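A solver for such systems that also covers the two non-coprime cases in the slide's examples, where the solution is either not unique in the product ring or does not exist. This is an added example, not part of the original slides; the function names are assumptions, and it requires Python 3.8+ for `pow(a, -1, m)`.

```python
from math import gcd

def crt_pair(r1, n1, r2, n2):
    """Combine x = r1 (mod n1) and x = r2 (mod n2).

    Returns (x0, lcm) meaning x = x0 (mod lcm), or None if the two
    congruences contradict each other (possible only when gcd(n1, n2) > 1).
    """
    g = gcd(n1, n2)
    if (r2 - r1) % g != 0:
        return None                        # e.g. x = 1 (mod 2), x = 2 (mod 4)
    m2 = n2 // g
    # Write x = r1 + n1*t and solve (n1/g) * t = (r2 - r1)/g  (mod n2/g).
    inv = pow(n1 // g, -1, m2) if m2 > 1 else 0
    t = ((r2 - r1) // g * inv) % m2
    lcm = n1 * m2
    return (r1 + n1 * t) % lcm, lcm

def crt(system):
    """Solve a list of (r_i, n_i); returns (x0, modulus) or None."""
    x, n = 0, 1
    for r, m in system:
        combined = crt_pair(x, n, r, m)
        if combined is None:
            return None
        x, n = combined
    return x, n

def solutions_in(system, modulus):
    """All solutions in Z_modulus, for a modulus the combined one divides."""
    res = crt(system)
    if res is None:
        return []
    x0, step = res
    return list(range(x0, modulus, step))

if __name__ == "__main__":
    print(crt([(1, 3), (1, 4)]))               # coprime moduli
    print(solutions_in([(1, 2), (1, 4)], 8))   # moduli share a factor
    print(crt([(1, 2), (2, 4)]))               # inconsistent system
```
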