Private Keys of Public Key Pairs and Zero-Knowledge Protocols Peter Landrock
Public Key Infrastructures requires Generation of user public keys Registration of users and keys (LRA) Certification (CA) –certificates bind a person to his key Directories (DIR) Blacklists/revocation Key administration plus -
Format/syntax ASN.1 based certificates (X.509)? Special purpose certificates? Integration into browsers? Integration into applications (java?) Security in transport layer (e.g. SSL)? Format: S/MIME, PGP,….? Use of smartcards?
PKI - Roles LRA Users CA DA
The world seen with the user’s eyes Business Transactions
Registration at Local Registration Authority
Communication with Directory under session
Revocation of key
Foundation But the foundation is cryptographic algorithms, which is – mathematics! So let’s focus on that for a while
Cryptographic Algorithms Conventionel (symmetric) crypto systems –Quantum cryptography - unbreakable Hash functions –perhaps the weakest point - art, not math. Public key (asymmetric) systems –Today RSA, tomorrow elliptic curves?
Crypto systems Symmetric systems –same key for encryption and decryption Asymmetric systems –One key may be given to everybody the public key, P –while the other is kept secret the private key, S
Public Key encryption - RSA Choose two large primes p,q and let n = pq Choose a public exponent e –mutually prime to (n) = (p -1)(q -1) Based on classical (Greek) math we find integers d, x < 0, with de + x(n) = 1 Fact (Euler, Fermat): –For m < n we have m m ed mod n Finding the private key means factoring n
Alternative: One way functions –Choose a large prime number p –Choose a “generator”, g –Choose a random number v as private key –Calculate the public key w = g v modp –Finding v from w is known as the discrete log problem
The new technique: Elliptic Curves The set of points P = (x,y) satisfying y 2 = x 3 + ax + b in Z/pZ. can be added using a particular formula. It allows construction of a public key pair. Example: a = b = will correspond to an RSA security level of 768 bits for some prime p of length 200 bits!
Why Elliptic Curves? More security per bit –Smaller key size –Smaller signature size –Faster computations –Less resources required (smart cards) Well developed mathematical theory (complex)
RSA/DSA/EC - comparing performance (RSA: small public exp.)
RSA/DSA/EC - Comparing key sizes
Elliptic Curves An EC is the set of solutions (x,y) to equations of the form y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x +a 6 over a (finite) field together with an additional point (called the point at infinity O)
Finite fields (F, +, ): set of elements with addition, subtraction, multiplication and division. GF(p): Integers modulo p (prime) GF(2 n ) –polynomials with binary coefficients modulo and irreducible polynomial of degree n –(a+b) 2 = a 2 + b 2 Unique up to isomorphism
Implementation Issues Choice of field –GF(2 n ) faster than GF(p) (at least in hardware) Representation of elements for GF(2 n ) –Standard basis –Optimal normal basis –Polynomials over subfield
Elliptic Curves Example: GF(23) Curve defined by y 2 = x 3 + x + 1 {(0,1), (0,-1), (1,7), (1,-7), (3, 10), (3,-10), (4,0), (5,4), (5, -4), (6,4), (6,-4), (7,11), (7,-11), (9,7), (9,-7), (11,3), (11, -3), (12,4), (12,-4), (13,7), (13,-7), (17,3), (17,-3), (18,3),(18,-3), (19,5), (19,-5)}
Elliptic Curves Sum ( x s,y s ) of ( x 1,y 1 ) = (9,7) and ( x 2, y 2 ) = (18,3)=(-5,3), x 1 ≠y 1 is defined as follows: :=(y 2 -y 1 )/(x 2 -x 1 ) = -4/9 = 20 mod 23 x s = 2 -x 1 -x 2 =9-9+5=5 y s = (x 1 -x s )-y 1 = -3(9-5) - 7 = 4 Thus (9,7)+(18,3) = (5,4)
Elliptic Curves Double of (5,4) :=(3x )/(2y 1 ) = 76/8 = 7/8 = 21 = -2 x d = 2 -2x 1 =4-5-5=17 y d = (x 1 -x s )-y 1 = -2(5+6) - 4 = -3 Thus (5,4)+(5,4) = (17,-3)
GF(2 n ) GF(2): p(u) irreducible polynomial of degree n EC over GF(2 n ) defined by y 2 +xy = x 3 + ax 2 + b
EC over GF(2 n ) Sum :=(y 1 +y 2 )/(x 1 +x 2 ) x s = x 1 +x 2 + a y s = (x 1 +x s )+ x s + y 1 Double := x 1 + y 1 /x 1 x d = a y d = ( + 1)x D + x 1 2
Key Generation Choose field and equation Determine the group order g –If large prime divisor q, choose curve randomly Find a generator of subgroup of order q Let g = qr Choose random point P Calculate rP If rP O, set generator := rP Try our lab on
How to blackmail a bank using RSA with public exponent 3
1. step The well-known bank AMO announces a nation-wide PKI scheme based on RSA (1024 bits, public exponent 3) Message received week 1 at AMO: –I know your private key! I am going to publish the 1st upper byte of the key, unless you send me 2 $! Bank ignores
2. step Message received week 2 by AMO: –Here is the 1st byte: –I am going to publish the 2nd upper byte of your private key, unless you send me 4 $! Bank is puzzled. The blackmailer is right about the first byte! Could he be guessing, or maybe the first byte is not so difficult?
3. step Message received week 3 by AMO: –Here is the 2nd byte: –I am going to publish the 3rd upper byte of your secret key, unless you send me 8 $! The Bank hires a security specialist –the problem is that it will cost $ to switch to a different key
About 1 year later Message received week 52 by AMO: –Here is the 51st byte: –I am going to publish the 52nd upper byte of your secret key, unless you send me 2 52 $! –Conclusion of the specialist: offer him $ now
Conclusion If they had hired an expert rather than a specialist, they could have saved the money (less his fee of course!) Expert opinion: 1024 bits is 128 bytes. He can only do what he does up to the first 64 bytes. –Here is how he does it:
Solution 1. Subtract 1 from the modulus n 2. Divide by 3 and multiply by 2 3. The upper half of this number is the upper half of your private exponent AMO: What about the lower half? Only the banks knows! The system is secure
Proof ”Based on classical (Greek) math we find integers d, x < 0, with (*)de + x(n) = 1” –where d is chosen minimal of course Now let e = 3. As d < (n), x is -1 or -2! But as 3 is mutually prime to (n) = (p -1)(q -1), p and q are both 2 mod 3, and (*) above shows x = -2 as (n) = 1 mod3
Proof Hence d = (1 + 2(n))/3 But (n) = (p -1)(q -1) = n –(p + q) + 1, Thus we know the upper half of (n): It is equal to the upper half of n. This suggest to consider very carefully what to store as the private key, e.g. if storage is a problem
Card trick End up with two piles: A private key and the corresponding public key
Demo: Key Generation - the most vulnerable part -- using two suits in a deck of cards. Say spade (black) and hearts (red) 1Chose a very large prime number (13) 2Calculate ”modulo” 13: divide by 13 and take the remainder: 29 = 2 = 3 mod = 125 = 10· = 8 mod 13 (= 9·13 + 8) 3Remove the king = 13 = 0 mod 13
My private key!!! 12, 11, 9, 5, 10, 7, 1, 2, 4, 8, 3, 6 Do you recognise a pattern? We have illustrated Fermat’s little Theorem: 2 13 mod 13 = 2 (a p mod p = a) 2 is a generator: 2, 2 2, 2 3, 2 4, 2 5,…. up to 2 12 = 1 are all different mod 13! Which power of 2 is e.g. 10 mod 13?
Mechanisms and (Interactive) Protocols Mechanisms –To generate a digital signature is a mechanism Comprising of cryptographic primitives, e.g. –Hash calculation (e.g. SHA-1) –Signature generation (e.g. RSA PKCS #1) Interactive protocols –Can be used for Key exchange (e.g. Diffie-Hellman) User Identification
User Identification Let’s assume Alice has a public key pair (P,S). –Alice wants to get access to a database DB –DB knows her public key (e.g. through a valid certificate) –We need to agree on an identification protocol? How?
Many possibilities How about? –Alice connects –BD sends a ransom challence r –Alice calculates S(r) and sends this to DB –DB verifies that P(S(r)) = r and lets her in Is this safe?
Problem DB can use Alice as an oracle –R might be the hash of a message which commits Alice unknowingly –The problem is that Alice calculates what may be a digital signature How can this be prevented? –The problem is that we cannot be sure that Alice applies her private key to something completely random
Solution 1. step –DB chooses any r, calculates s = P(r), and sends s to Alice 2. step –Alice calculates S(s) = r and returns r to DB What did DB learn, except that Alice was able to recover r – not known to her – from s? –Nothing at all But....
Solution Alice has no means of verifying that DB follows the protocol –Something else is needed: Let E be some symmetric encryption which Alice and DB agrees is strong –We can now define a socalled zero-knowledge identification protocol:
Solution 1. step –DB chooses any r, calculates s = P(r), and sends s to Alice 2. step –Alice calculates S(s) = r, chooses a random key k and returns E k (r) to DB 3. step –DB sends r to Alice 4. step –Alice sends k to DB who verifies D k (E k (r)) = r
Succes! This protocol –is secure Alice will not be succesful without knowing S –is sound DB will know that only a person able to compute r from randomly chosen P(r) can respond –is zero-knowledge DB learns nothing from the protocol that he could not calculate by himself: P(r) = s S(s) = r – except that Alice can calculate r from s In fact -
Zero-knowledge protocol can be simulated 1. step –DB chooses any r, calculates s = P(r), and sends s to DB 2. step –DB chooses a random key k and returns E k (r) to DB 3. step –DB sends r to DB 4. step –DB sends k to DB who verifies D k (E k (r)) = r
Zero-knowledge protocol can be simulated A third party (an arbiter) cannot differentiate the traces of –a simulated zero-knowledge protocol from that of –a 2-party zero-knowledge protocol: –Only DB will know if he simulated it or he indeed did identity Alice in the protocol!
Useful definitions (Fiat-Shamir) Authentication –A can prove to B that she is A Identification –A can prove to B that she is A, but B cannot prove to C that he is A Non-repudiation –A can prove to B that she is A, but B cannot even prove to himself that he is A
Conclusion Cryptography is applied mathematics Mathematics was ”invented” to be helpful –and it is! T.H. Hardy wrote in ”A mathemathian’s Apology ”: –I have never done anything useful! Not true: We use the Hardy-Littlewood conjecture in our products
How to store private keys When signing, the time of calculation is reduced by a factor 2-4 by using the Chinese Remainder Theorem If this is not an issue, we either store –n and d –n and e and calculate d So assume in the following we want to use the CRT
Storing private keys using CRT The CRT states that if you know x = z mod p and y = z mod q, you can calculate z from x and y. All you need is an a < n which is 1 mod p and 0 mod q. Then z = xa + y(1-a) mod n
Storing private keys using CRT We need to calculate z m d mod n Obviously, z mod p m d mod(p-1) mod p z mod q m d mod(q-1) mod q as m (p-1) mod p = 1 for a prime p So we need p,q, d(p)=d mod(p-1) and d(q)=d mod(q-1) What about a?
How about a = (q p-2 modp)q? This is obviously 0 modq, and 1 modp (by Fermat’s Little Theorem) So we are home and dry: m d = (m d(p) modp)a + (m d(q) modq)(1-a) modn This may be refined slightly to ensure that equality holds
Appendix: Card trick End up with two piles: A private key and the corresponding public key
Card trick 1Arrange both suits in order, ace to queen, face down, ace on top 2Deal the (entire) black suit (holding it face down) in two piles (left and right), face up: left (ace), right (2), left (3), right (4), …
Card trick 3Remove the top card of the right pile (queen = 12), place it face up in a new pile, and place the top red card (ace) face up where the black queen was. 4Place the left pile (6 black cards) on top of the right pile (1 red on top of 5 blacks), and turn over to have a new stack of 12 cards face down
Card trick 5Repeat step 2, 3 and 4 altogether 11 times The two piles have now been interchanged - but in which order do the cards occur? The black pile is my private key The red pile is my public key Identify me!
Card trick –Now run an identification protocol between A and B: Keep both piles face down black is the private key of A, red the public the person (B) with the red pile names any black card, say no. 9. B then turns over the red cards, one by one, and stops with the 9th: This is no. 3 A turns over the black cards. The 3. black is no. 9! Identification completed. The keys match!