Presentation is loading. Please wait.

Presentation is loading. Please wait.

Private Keys of Public Key Pairs and Zero-Knowledge Protocols Peter Landrock.

Similar presentations


Presentation on theme: "Private Keys of Public Key Pairs and Zero-Knowledge Protocols Peter Landrock."— Presentation transcript:

1 Private Keys of Public Key Pairs and Zero-Knowledge Protocols Peter Landrock

2 Public Key Infrastructures requires  Generation of user public keys  Registration of users and keys (LRA)  Certification (CA) –certificates bind a person to his key  Directories (DIR)  Blacklists/revocation  Key administration plus -

3 Format/syntax  ASN.1 based certificates (X.509)?  Special purpose certificates?  Integration into browsers?  Integration into applications (java?)  Security in transport layer (e.g. SSL)?  Format: S/MIME, PGP,….?  Use of smartcards?

4 PKI - Roles LRA Users CA DA

5 The world seen with the user’s eyes Business Transactions

6 Registration at Local Registration Authority

7 Communication with Directory under session

8 Revocation of key

9 Foundation  But the foundation is cryptographic algorithms, which is – mathematics!  So let’s focus on that for a while

10 Cryptographic Algorithms  Conventionel (symmetric) crypto systems –Quantum cryptography - unbreakable  Hash functions –perhaps the weakest point - art, not math.  Public key (asymmetric) systems –Today RSA, tomorrow elliptic curves?

11 Crypto systems  Symmetric systems –same key for encryption and decryption  Asymmetric systems –One key may be given to everybody  the public key, P –while the other is kept secret  the private key, S

12 Public Key encryption - RSA  Choose two large primes p,q and let n = pq  Choose a public exponent e –mutually prime to (n) = (p -1)(q -1)  Based on classical (Greek) math we find integers d, x < 0, with de + x(n) = 1  Fact (Euler, Fermat): –For m < n we have m  m ed mod n  Finding the private key means factoring n

13 Alternative: One way functions –Choose a large prime number p –Choose a “generator”, g –Choose a random number v as private key –Calculate the public key w = g v modp –Finding v from w is known as the discrete log problem

14 The new technique: Elliptic Curves  The set of points P = (x,y) satisfying y 2 = x 3 + ax + b in Z/pZ. can be added using a particular formula. It allows construction of a public key pair. Example: a = 6890847943309044493598067961180259058846730261 b = 45938986288872696329065378640786839725897820174 will correspond to an RSA security level of 768 bits for some prime p of length 200 bits!

15 Why Elliptic Curves?  More security per bit –Smaller key size –Smaller signature size –Faster computations –Less resources required (smart cards)  Well developed mathematical theory (complex)

16 RSA/DSA/EC - comparing performance (RSA: small public exp.)

17 RSA/DSA/EC - Comparing key sizes

18 Elliptic Curves An EC is the set of solutions (x,y) to equations of the form y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x +a 6 over a (finite) field together with an additional point (called the point at infinity O)

19 Finite fields  (F, +, ): set of elements with addition, subtraction, multiplication and division.  GF(p): Integers modulo p (prime)  GF(2 n ) –polynomials with binary coefficients modulo and irreducible polynomial of degree n –(a+b) 2 = a 2 + b 2  Unique up to isomorphism

20 Implementation Issues  Choice of field –GF(2 n ) faster than GF(p) (at least in hardware)  Representation of elements for GF(2 n ) –Standard basis –Optimal normal basis –Polynomials over subfield

21 Elliptic Curves Example: GF(23) Curve defined by y 2 = x 3 + x + 1 {(0,1), (0,-1), (1,7), (1,-7), (3, 10), (3,-10), (4,0), (5,4), (5, -4), (6,4), (6,-4), (7,11), (7,-11), (9,7), (9,-7), (11,3), (11, -3), (12,4), (12,-4), (13,7), (13,-7), (17,3), (17,-3), (18,3),(18,-3), (19,5), (19,-5)}

22 Elliptic Curves Sum ( x s,y s ) of ( x 1,y 1 ) = (9,7) and ( x 2, y 2 ) = (18,3)=(-5,3), x 1 ≠y 1 is defined as follows: :=(y 2 -y 1 )/(x 2 -x 1 ) = -4/9 = 20 mod 23 x s = 2 -x 1 -x 2 =9-9+5=5 y s = (x 1 -x s )-y 1 = -3(9-5) - 7 = 4 Thus (9,7)+(18,3) = (5,4)

23 Elliptic Curves Double of (5,4) :=(3x 1 2 +1)/(2y 1 ) = 76/8 = 7/8 = 21 = -2 x d = 2 -2x 1 =4-5-5=17 y d = (x 1 -x s )-y 1 = -2(5+6) - 4 = -3 Thus (5,4)+(5,4) = (17,-3)

24 GF(2 n ) GF(2): p(u) irreducible polynomial of degree n EC over GF(2 n ) defined by y 2 +xy = x 3 + ax 2 + b

25 EC over GF(2 n ) Sum :=(y 1 +y 2 )/(x 1 +x 2 ) x s = 2 + + x 1 +x 2 + a y s = (x 1 +x s )+ x s + y 1 Double := x 1 + y 1 /x 1 x d = 2 + + a y d = ( + 1)x D + x 1 2

26 Key Generation  Choose field and equation  Determine the group order g –If large prime divisor q, choose curve randomly  Find a generator of subgroup of order q  Let g = qr  Choose random point P  Calculate rP  If rP  O, set generator := rP  Try our lab on www.cryptomathic.com!

27 How to blackmail a bank using RSA with public exponent 3

28 1. step  The well-known bank AMO announces a nation-wide PKI scheme based on RSA (1024 bits, public exponent 3)  Message received week 1 at AMO: –I know your private key! I am going to publish the 1st upper byte of the key, unless you send me 2 $!  Bank ignores

29 2. step  Message received week 2 by AMO: –Here is the 1st byte: 11011010 –I am going to publish the 2nd upper byte of your private key, unless you send me 4 $!  Bank is puzzled. The blackmailer is right about the first byte! Could he be guessing, or maybe the first byte is not so difficult?

30 3. step  Message received week 3 by AMO: –Here is the 2nd byte: 00011001 –I am going to publish the 3rd upper byte of your secret key, unless you send me 8 $!  The Bank hires a security specialist –the problem is that it will cost 100.000 $ to switch to a different key

31 About 1 year later  Message received week 52 by AMO: –Here is the 51st byte: 01111101 –I am going to publish the 52nd upper byte of your secret key, unless you send me 2 52 $! –Conclusion of the specialist:  offer him 25.000 $ now

32 Conclusion  If they had hired an expert rather than a specialist, they could have saved the money (less his fee of course!)  Expert opinion:  1024 bits is 128 bytes. He can only do what he does up to the first 64 bytes. –Here is how he does it:

33 Solution  1. Subtract 1 from the modulus n  2. Divide by 3 and multiply by 2  3. The upper half of this number is the upper half of your private exponent  AMO: What about the lower half?  Only the banks knows! The system is secure

34 Proof  ”Based on classical (Greek) math we find integers d, x < 0, with (*)de + x(n) = 1” –where d is chosen minimal of course  Now let e = 3. As d < (n), x is -1 or -2!  But as 3 is mutually prime to (n) = (p -1)(q -1),  p and q are both 2 mod 3,  and (*) above shows x = -2 as (n) = 1 mod3

35 Proof  Hence d = (1 + 2(n))/3  But (n) = (p -1)(q -1) = n –(p + q) + 1,  Thus we know the upper half of (n): It is equal to the upper half of n.  This suggest to consider very carefully what to store as the private key, e.g. if storage is a problem

36 Card trick  End up with two piles: A private key and the corresponding public key

37 Demo: Key Generation - the most vulnerable part -- using two suits in a deck of cards. Say spade (black) and hearts (red) 1Chose a very large prime number (13) 2Calculate ”modulo” 13: divide by 13 and take the remainder: 29 = 213 + 3 = 3 mod 13 5 3 = 125 = 10·13 - 5 = 8 mod 13 (= 9·13 + 8) 3Remove the king = 13 = 0 mod 13

38 My private key!!!  12, 11, 9, 5, 10, 7, 1, 2, 4, 8, 3, 6  Do you recognise a pattern?  We have illustrated Fermat’s little Theorem: 2 13 mod 13 = 2 (a p mod p = a)  2 is a generator: 2, 2 2, 2 3, 2 4, 2 5,…. up to 2 12 = 1 are all different mod 13!  Which power of 2 is e.g. 10 mod 13?

39 Mechanisms and (Interactive) Protocols  Mechanisms –To generate a digital signature is a mechanism  Comprising of cryptographic primitives, e.g. –Hash calculation (e.g. SHA-1) –Signature generation (e.g. RSA PKCS #1)  Interactive protocols –Can be used for  Key exchange (e.g. Diffie-Hellman)  User Identification

40 User Identification  Let’s assume Alice has a public key pair (P,S). –Alice wants to get access to a database DB –DB knows her public key (e.g. through a valid certificate) –We need to agree on an identification protocol?  How?

41 Many possibilities  How about? –Alice connects –BD sends a ransom challence r –Alice calculates S(r) and sends this to DB –DB verifies that P(S(r)) = r and lets her in  Is this safe?

42 Problem  DB can use Alice as an oracle –R might be the hash of a message which commits Alice unknowingly –The problem is that Alice calculates what may be a digital signature  How can this be prevented? –The problem is that we cannot be sure that Alice applies her private key to something completely random

43 Solution  1. step –DB chooses any r, calculates s = P(r), and sends s to Alice  2. step –Alice calculates S(s) = r and returns r to DB  What did DB learn, except that Alice was able to recover r – not known to her – from s? –Nothing at all  But....

44 Solution  Alice has no means of verifying that DB follows the protocol –Something else is needed:  Let E be some symmetric encryption which Alice and DB agrees is strong –We can now define a socalled zero-knowledge identification protocol:

45 Solution  1. step –DB chooses any r, calculates s = P(r), and sends s to Alice  2. step –Alice calculates S(s) = r, chooses a random key k and returns E k (r) to DB  3. step –DB sends r to Alice  4. step –Alice sends k to DB who verifies D k (E k (r)) = r

46 Succes!  This protocol –is secure  Alice will not be succesful without knowing S –is sound  DB will know that only a person able to compute r from randomly chosen P(r) can respond –is zero-knowledge  DB learns nothing from the protocol that he could not calculate by himself: P(r) = s S(s) = r – except that Alice can calculate r from s  In fact -

47 Zero-knowledge protocol can be simulated  1. step –DB chooses any r, calculates s = P(r), and sends s to DB  2. step –DB chooses a random key k and returns E k (r) to DB  3. step –DB sends r to DB  4. step –DB sends k to DB who verifies D k (E k (r)) = r

48 Zero-knowledge protocol can be simulated  A third party (an arbiter) cannot differentiate the traces of –a simulated zero-knowledge protocol from that of –a 2-party zero-knowledge protocol: –Only DB will know if he simulated it or he indeed did identity Alice in the protocol!

49 Useful definitions (Fiat-Shamir)  Authentication –A can prove to B that she is A  Identification –A can prove to B that she is A, but B cannot prove to C that he is A  Non-repudiation –A can prove to B that she is A, but B cannot even prove to himself that he is A

50 Conclusion  Cryptography is applied mathematics  Mathematics was ”invented” to be helpful –and it is!  T.H. Hardy wrote in ”A mathemathian’s Apology ”: –I have never done anything useful!  Not true: We use the Hardy-Littlewood conjecture in our products

51 How to store private keys  When signing, the time of calculation is reduced by a factor 2-4 by using the Chinese Remainder Theorem  If this is not an issue, we either store –n and d –n and e and calculate d  So assume in the following we want to use the CRT

52 Storing private keys using CRT The CRT states that if you know x = z mod p and y = z mod q, you can calculate z from x and y. All you need is an a < n which is 1 mod p and 0 mod q. Then z = xa + y(1-a) mod n

53 Storing private keys using CRT  We need to calculate z  m d mod n  Obviously, z mod p  m d mod(p-1) mod p z mod q  m d mod(q-1) mod q as m (p-1) mod p = 1 for a prime p So we need p,q, d(p)=d mod(p-1) and d(q)=d mod(q-1) What about a?

54  How about  a = (q p-2 modp)q?  This is obviously 0 modq, and 1 modp (by Fermat’s Little Theorem)  So we are home and dry: m d = (m d(p) modp)a + (m d(q) modq)(1-a) modn This may be refined slightly to ensure that equality holds

55 Appendix: Card trick  End up with two piles: A private key and the corresponding public key

56 Card trick 1Arrange both suits in order, ace to queen, face down, ace on top 2Deal the (entire) black suit (holding it face down) in two piles (left and right), face up: left (ace), right (2), left (3), right (4), …

57 Card trick 3Remove the top card of the right pile (queen = 12), place it face up in a new pile, and place the top red card (ace) face up where the black queen was. 4Place the left pile (6 black cards) on top of the right pile (1 red on top of 5 blacks), and turn over to have a new stack of 12 cards face down

58 Card trick 5Repeat step 2, 3 and 4 altogether 11 times  The two piles have now been interchanged - but in which order do the cards occur?  The black pile is my private key  The red pile is my public key  Identify me!

59 Card trick –Now run an identification protocol between A and B:  Keep both piles face down  black is the private key of A, red the public  the person (B) with the red pile names any black card, say no. 9.  B then turns over the red cards, one by one, and stops with the 9th: This is no. 3  A turns over the black cards. The 3. black is no. 9! Identification completed. The keys match!


Download ppt "Private Keys of Public Key Pairs and Zero-Knowledge Protocols Peter Landrock."

Similar presentations


Ads by Google