15-349 Introduction to Computer and Network Security Iliano Cervesato 2 September 2008 – Public-key Encryption.

1 15-349 Introduction to Computer and Network Security Iliano Cervesato 2 September 2008 – Public-key Encryption

2 Where we are
- Course intro
- Cryptography
  - Intro to crypto
  - Modern crypto
  - Symmetric encryption
  - Asymmetric encryption
  - Beyond encryption
- Cryptographic protocols
- Attacking protocols
- Program/OS security & trust
- Network security
- Beyond technology

3 Outline
- Public-key cryptography – motivations
- The Merkle-Hellman encryption algorithm
  - The knapsack problem
  - How Merkle-Hellman works
  - Cryptanalysis
- Basic number theory
  - Modular arithmetic
  - Primality and inverses
- The El Gamal encryption scheme
  - The discrete logarithm problem
- RSA
  - The factorization problem
  - RSA cryptographic challenges

4 Asymmetric Encryption – Review
D_{k^{-1}}(E_k(m)) = m
[figure: cleartext M enters the encryption box under the public key k and comes out as ciphertext X; X enters the decryption box under the private key k^{-1} and comes out as M; k is public data]

5 Motivations
- Can 2 keys be better than 1?
- How do we make data public?
- Why bother?
  - Key management problem
  - Added flexibility
    - E.g., digital signatures

6 Naïve Key Management
Principals A_1, …, A_n want to talk
- Each pair needs a key
  - n(n-1)/2 keys
- Keys must be established
  - Physical exchange
  - Secure channel
[figure: principals A_1 … A_5, every pair connected by its own key]

7 Improved Solution
Centralized key-distribution center (KDC)
- n key pairs needed
- However
  - KDC must be trusted
  - KDC is a single point of failure
  - Still n direct exchanges
[figure: the KDC shares key k_1 … k_5 with A_1 … A_5]
If A_i wants to talk to A_j:
- A_i → KDC: "connect me to A_j"
- KDC generates a new key k_ij
- KDC → A_i: E_{k_i}(k_ij)
- KDC → A_j: E_{k_j}(k_ij, "A_i wants to talk")
Still naïve
- KDC online all the time

8 Public-Key Solution
- Pair (k_i, k_i^{-1}) for each A_i
  - The k_i's are published
  - Phonebook
- Simple setup
  - A_i generates (k_i, k_i^{-1})
  - A_i publishes k_i
  - … details later
- Secure web sites would be impossible without it
  - https
[figure: each A_i keeps the private key k_i^{-1}; the public data lists A_1 → k_1 … A_i → k_i …]

9 The Knapsack problem
- Given objects of size s_1, s_2, …, s_n, is it possible to completely fill a knapsack of size s?
  - Is there a binary vector v such that Σ_i v_i s_i = s?
- NP-complete
- What if s_{i+1} > Σ_{j≤i} s_j?
  - Easy: O(n)
  - Super-increasing knapsack
  - Hmm, this feels like encryption material …
  for (i = n; i > 0; i--) { if (s >= s_i) s = s - s_i }   // largest item first; take it whenever it still fits
  return (s == 0)

10 Merkle-Hellman Encryption
- Pick
  - a super-increasing sequence S = (s_1, s_2, …, s_n)
  - a prime p > s_n, 100-200 digits long
  - a multiplier w
  - (S, w) is the private key
- Compute
  - h_i = w s_i mod p
  - H = (h_1, h_2, …, h_n) is the public key
- Encryption of binary m
  - x = Σ_i h_i m_i
  - Attacker has to solve a general knapsack in H: hard
- Decryption of x
  - Multiply x by w^{-1} (mod p)
  - Solve the super-increasing knapsack problem in S: easy
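The greedy super-increasing solver of slide 9 and the Merkle-Hellman key generation, encryption and decryption of slide 10, as an added example in Python (not code from the course). The parameters S_TOY, P_TOY and W_TOY are constructed toy values; the check that p exceeds the sum of S (stricter than the slide's p > s_n) is my assumption, needed so that x·w^{-1} mod p really equals Σ s_i m_i.

```python
def solve_superincreasing(S, s):
    """Greedy O(n) solver for a super-increasing S (slide 9), largest item first.
    Returns the 0/1 vector v with sum(v_i * s_i) == s, or None if s cannot be filled."""
    v = [0] * len(S)
    for i in range(len(S) - 1, -1, -1):
        if s >= S[i]:            # the largest remaining item must be taken if it fits
            s -= S[i]
            v[i] = 1
    return v if s == 0 else None

def mh_keygen(S, p, w):
    """Private key (S, p, w); public key H with h_i = w * s_i mod p (slide 10)."""
    assert all(S[i] > sum(S[:i]) for i in range(len(S))), "S must be super-increasing"
    assert p > sum(S), "assumption: p > sum(S), so the knapsack survives reduction mod p"
    H = [w * s % p for s in S]
    return H, (S, p, w)

def mh_encrypt(H, bits):
    """x = sum_i h_i m_i: a general-looking knapsack instance over the public H."""
    return sum(h * b for h, b in zip(H, bits))

def mh_decrypt(priv, x):
    """Multiply by w^-1 mod p (w^(p-2), Fermat, since p is prime) and solve the easy knapsack in S."""
    S, p, w = priv
    w_inv = pow(w, p - 2, p)
    return solve_superincreasing(S, x * w_inv % p)

# Constructed toy parameters; the slides want a 100-200 digit prime p.
S_TOY = (2, 3, 7, 14, 30, 57, 120, 251)
P_TOY, W_TOY = 491, 41
```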

11 Cryptanalysis of Merkle-Hellman
- Scheme based on a special instance of the knapsack problem
  - modular knapsack generated from a super-increasing sequence
  - Not as hard as the general knapsack
- If p is known
  - If s_1 can be found, all s_i can be found
- Can deduce w and p from H
  - Try successive values of w and observe where w h_i rolls over
  - The right w is where they all roll over at the same time

12 Number Theory – Divisors
- Z = {…, -1, 0, 1, …}
  - + is commutative, associative and invertible w.r.t. 0
  - * is commutative, associative, with identity 1
  - Z is a ring
- a|b if ∃c. ac = b
  - E.g., 3|6
  - E.g., 3 ∤ 10
- gcd(a, b) = largest d ∈ Z s.t. d|a and d|b
  - E.g., gcd(18, 15) = 3
- Modular arithmetic
  - a = b mod n if ∃c. a + cn = b
  - Z_n = {0, …, n-1}
  - All operations modulo n
  - Also a ring
Euclid's algorithm (given a > b):
- r_0 = b, r_1 = a
- r_{i-2} = q_i r_{i-1} + r_i
- When r_{n+1} = 0, set gcd(a, b) = r_n
- ∃u, v. gcd(a, b) = ua + vb

13 Number Theory – Prime numbers
- p > 1 is prime if 1 and p are its only divisors
  - E.g. 3, 5, 7, …
- p and q are relatively prime if gcd(p, q) = 1
  - E.g. 4 and 5 are relatively prime
- There are infinitely many primes

14 Arithmetic Modulo a Prime
- p prime number
  - For us, at least 1024 bits (~300 digits)
- Z_p = {0, 1, …, p-1}
  - Addition and multiplication are modulo p
  - Exponentiation is iterated multiplication
- x is the inverse of y ≠ 0 if xy = 1 mod p
  - All non-null elements of Z_p are invertible
  - x^{-1} = x^{p-2} mod p
- We can solve linear equations in Z*_p
  - If ax = b mod p, then x = b a^{p-2} mod p
- Z*_p = {1, …, p-1}
  - Contains all invertible elements of Z_p
  - Z_p = Z*_p ∪ {0}
Fermat's little theorem: if a ≠ 0, then a^{p-1} = 1 mod p
Z_p is a Galois field

15 Computing in Z_p
- Let n be the length of p
  - Usually around 1024 bits
- Addition in Z_p is done in O(n)
- Multiplication is O(n^2)
  - Clever (and practical) algorithms achieve O(n^1.7)
  - Same for inverse
- x^r mod p is computed in O((log r) n^2)
  - Repeated squares
    - E.g.: g^23 = g^10111 = g · g^2 · g^4 · g^16 (7 multiplications)
  - Addition chains
    - Saves 20% on average (but finding the shortest chain is NP-complete)
    - g, g^2, g^3, g^5, g^10, g^20, g^23 (6 multiplications)

16 Complexity in Z_p
- Easy problems
  - Generating p
  - Addition, multiplication, exponentiation
  - Inversion, solving linear equations
- Problems believed to be hard
  - DL: Discrete logarithm
    - Given g and x ∈ Z_p, find r s.t. x = g^r mod p
  - DH: Diffie-Hellman
    - Given g, g^r, g^s ∈ Z_p, find g^{rs} mod p
- Note
  - DL implies DH
  - Unknown if DH implies DL
  - Best known attack on DL needs space as well as O(2^{√n}) time

17 Diffie-Hellman Key Exchange
Public data: p, g
A:
- Choose random a, 1 ≤ a ≤ p-1
- Send g^a mod p
- Receive g^b mod p
- (g^b)^a = g^{ab} mod p
- k = f(g^{ab})
B:
- Receive g^a mod p
- Choose random b, 1 ≤ b ≤ p-1
- Send g^b mod p
- (g^a)^b = g^{ab} mod p
- k = f(g^{ab})

18 Diffie-Hellman Key Exchange [2]
- Allows 2 principals to produce a shared secret
  - Without a secure channel or physical exchange
  - Without a key distribution center
- f is typically a hash function
  - Agreed upon in advance
- However, no authentication
  - Can be fixed with some infrastructure
- Security relies on the hardness of DH

19 El Gamal Encryption Scheme
- Security rests on the hardness of DL
- Criticisms
  - Transmitted message is double the size of m
  - Public data has to be managed
  - Very slow (~10Kb/sec vs. 250Kb/s of DES)
Public data: A_1 → p_1, g_1, g_1^{α_1} … A_i → p_i, g_i, g_i^{α_i} …
A (private α_A) wants to send secret m ∈ Z_{p_B} to B (private α_B)
- A: choose random a; send g_B^a, g_B^{α_B a} m mod p_B
- B: receive g_B^a, g_B^{α_B a} m mod p_B
  - (g_B^a)^{α_B} = g_B^{α_B a} mod p_B
  - Compute g_B^{-α_B a} mod p_B
  - g_B^{-α_B a} · g_B^{α_B a} m mod p_B = m
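Repeated squaring from slide 15, both sides of the Diffie-Hellman exchange of slide 17, and the El Gamal encryption and decryption of slide 19, as an added Python example (not code from the course). P and G are constructed toy parameters: P is a Mersenne prime far below the 1024 bits the slides call for, and nothing checks that G generates a large subgroup, so the block demonstrates correctness only, not security.

```python
import secrets

def modexp(g, r, p):
    """Right-to-left repeated squaring (slide 15): g^r mod p in O(log r) multiplications."""
    result, base = 1, g % p
    while r > 0:
        if r & 1:                       # bit k of r set: multiply in g^(2^k)
            result = result * base % p
        base = base * base % p          # next square, g^(2^(k+1))
        r >>= 1
    return result

def dh_keypair(p, g):
    """One party's half of the exchange: random a in [1, p-1] and g^a mod p."""
    a = 1 + secrets.randbelow(p - 1)
    return a, modexp(g, a, p)

def dh_shared(p, own_priv, peer_pub):
    """(g^b)^a = g^ab mod p; k = f(g^ab) would be derived from this value."""
    return modexp(peer_pub, own_priv, p)

def dh_agree(p, g):
    """Run both A and B and return (A's g^ab, B's g^ab); they must coincide."""
    a, A = dh_keypair(p, g)
    b, B = dh_keypair(p, g)
    return dh_shared(p, a, B), dh_shared(p, b, A)

def elgamal_keygen(p, g):
    """Private alpha, public g^alpha mod p (B's entry in the public data)."""
    alpha = 1 + secrets.randbelow(p - 1)
    return alpha, modexp(g, alpha, p)

def elgamal_encrypt(p, g, pub, m):
    """A: fresh random a; send (g^a, g^(alpha a) * m) mod p."""
    a = 1 + secrets.randbelow(p - 1)
    return modexp(g, a, p), modexp(pub, a, p) * m % p

def elgamal_decrypt(p, alpha, c1, c2):
    """B: (g^a)^alpha = g^(alpha a); invert it by Fermat (slide 14) and strip it off."""
    mask = modexp(c1, alpha, p)
    mask_inv = modexp(mask, p - 2, p)   # mask^(p-2) = mask^(-1) mod p
    return c2 * mask_inv % p

def elgamal_roundtrip(p, g, m):
    """Key generation, encryption and decryption end to end; returns the recovered m."""
    alpha, pub = elgamal_keygen(p, g)
    c1, c2 = elgamal_encrypt(p, g, pub, m)
    return elgamal_decrypt(p, alpha, c1, c2)

P = 2**127 - 1   # constructed toy modulus (Mersenne prime M127)
G = 3            # constructed toy base
```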

20 Arithmetic Modulo a Composite
- n natural number
  - For us, typically 1024 bits or ~300 digits
  - Typically n = pq, with p and q primes
- Z_n = {0, 1, …, n-1}
- x is the inverse of y ≠ 0 if xy = 1 mod n
  - x has an inverse iff gcd(x, n) = 1
  - ux + vn = 1 by Euclid's algorithm, so x^{-1} = u
  - Works also in Z_p, where it is more efficient than x^{-1} = x^{p-2}
- We can solve linear equations in Z_n
- Z*_n = {x : gcd(x, n) = 1}
  - Contains all invertible elements of Z_n

21 Euler's Totient Function
- φ(n) is the number of positive integers relatively prime to n
  - φ(n) is the size of Z*_n
- If n = Π_i p_i^{e_i}, then φ(n) = Π_i p_i^{e_i - 1}(p_i - 1)
- If n = pq, then φ(n) = (p-1)(q-1) = n – p – q + 1
- a is invertible with inverse a^{φ(n)-1}
Euler's theorem: if a ∈ Z*_n, then a^{φ(n)} = 1 mod n

22 Cyclic Groups
- φ(n) is the size of Z*_n (Euler's totient function)
  - If n = Π_i p_i^{e_i}, then φ(n) = Π_i p_i^{e_i - 1}(p_i - 1)
  - If n = p, then φ(n) = n-1
- Z*_n is cyclic if ∃g ∈ Z*_n s.t. Z*_n = {g^0, g^1, g^2, …, g^{φ(n)-1}}
  - g is a generator of Z*_n (Z*_n = <g>)
- Z*_n is cyclic iff n = 2, 4, p^a, 2p^a for an odd prime p
  - Every Z*_p is cyclic
- The order of a ∈ Z*_n is the smallest non-null d s.t. a^d = 1 mod n
  - If the factorization of p-1 is known
    - ord_p(g) can be computed efficiently
    - A generator of Z*_p can be found efficiently
Lagrange's theorem: if a ∈ Z*_p, then ord_p(a) | p-1

23 Computing in Z_n
- Easy problems
  - Generating p
  - Addition, multiplication, exponentiation
  - Inversion, solving linear equations
- Hard problems
  - Factoring
    - Given n, find p, q s.t. n = pq

24 The set-up of RSA
- n = pq
  - n is the product of 2 (large) primes
  - By Euler's theorem, φ(n) = (p-1)(q-1)
- Select e and d such that (m^e)^d = m
  - How?
  - Pick e relatively prime to φ(n)
    - E.g., a prime greater than φ(n)
  - By Fermat's theorem, compute d = e^{φ(n)-1}
    - ed = 1 mod φ(n)
    - ed = kφ(n) + 1 = k(p-1)(q-1) + 1 = k'(p-1) + 1
  - Now:
    - m^{p-1} = 1 mod p
    - m^{k'(p-1)} = 1 mod p
    - m^{k'(p-1)+1} = m mod p
    - m^{ed} = m mod p

25 RSA [Rivest, Shamir, Adleman '76]
- Security of RSA rests on
  - Hard to factorize n = pq
  - Hard to compute φ(n) from n
- Factoring implies RSA
  - Unknown if RSA implies factoring
Public data: A_1 → n_1, e_1 … A_i → n_i, e_i …  (n_i = p_i q_i, e_i d_i = 1 mod φ(n_i))
A (private p_A, q_A, d_A) wants to send secret m ∈ Z_{n_B} to B (private p_B, q_B, d_B)
- A: send m^{e_B} mod n_B
- B: receive m^{e_B} mod n_B
  - (m^{e_B})^{d_B} mod n_B = m^{e_B d_B} mod n_B = m^{kφ(n_B)+1} mod n_B = (m^{φ(n_B)})^k m mod n_B = (1)^k m mod n_B = m mod n_B

26 Attacks on RSA
- Small d for fast decryption
  - But easy to crack if d < n^{1/4}/3 [Wiener]
  - d should be at least 10^80
- Small e for fast encryption
  - If m is sent to more than e recipients, then m is easily extracted
  - Popular e = 2^16 + 1
  - The same message should not be sent more than 2^16 + 1 times
  - Modify the message (still dangerous)
- Timing attacks
  - The time to compute m^d mod n for many m can reveal d
- Homomorphic properties of RSA
  - If c_i = m_i^e mod n (i = 1, 2), then c_1 c_2 = (m_1 m_2)^e mod n
  - Easy chosen plaintext attack
  - Eliminated in standards based on RSA
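The extended Euclidean algorithm of slides 12 and 20 (ux + vn = 1, so x^{-1} = u), the RSA set-up and decryption correctness of slides 24 and 25, and the homomorphic property c_1 c_2 = (m_1 m_2)^e mod n of slide 26, as an added Python example (not code from the course). The primes P and Q are constructed toy values; the public exponent defaults to 2^16 + 1 as on slide 26.

```python
def egcd(a, b):
    """Extended Euclid (slide 12): returns (d, u, v) with d = gcd(a, b) = u*a + v*b."""
    if b == 0:
        return a, 1, 0
    d, u, v = egcd(b, a % b)
    return d, v, u - (a // b) * v

def modinv(x, n):
    """x^-1 mod n from ux + vn = 1 (slide 20); fails exactly when gcd(x, n) != 1."""
    d, u, _ = egcd(x, n)
    if d != 1:
        raise ValueError("no inverse: gcd(x, n) != 1")
    return u % n

def rsa_keygen(p, q, e=2**16 + 1):
    """n = pq, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n); returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = modinv(e, phi)            # raises if e is not relatively prime to phi(n)
    return (n, e), (n, d)

def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)           # m^e mod n

def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)           # (m^e)^d = m^(k phi(n) + 1) = m mod n (slide 25)

def homomorphic_product(pub, c1, c2):
    """c1 * c2 mod n decrypts to m1 * m2 mod n: a valid ciphertext nobody chose to encrypt."""
    n, _ = pub
    return c1 * c2 % n

# Constructed toy primes, far below the ~1024-bit p and q of the slides.
P, Q = 999983, 1000003
```

The roundtrip works for any m < n, and the homomorphic product shows why textbook RSA needs the padding that the RSA standards add.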

27 RSA Cryptographic Challenges
- Factoring given primes set as a challenge by RSA Labs
  - http://www.rsa.com/rsalabs/
  - RSA-ddd: challenge in digits
  - RSA-bbb: challenge in bits
- RSA-140: 1999, in 1 month
- RSA-155: 1999, in 4 months
- RSA-160: 2003, in 20 days
- RSA-200: 2005, in 18 months
- Challenges no longer active

28 Key length
- Public-key crypto has very long keys
  - 1024, 2048, 4096 are common
- Is it more secure than symmetric crypto?
  - 56, 128, 192, 256
- Key lengths don't compare!
  - 1024 ≈ 80 bit
  - 2048 ≈ 112 bit
  - 3072 ≈ 128 bit
  - 7680 ≈ 192 bit
  - 15,360 ≈ 256 bit
