The contents of this chapter include all of the following: Diffie-Hellman key exchange, ElGamal cryptography, Elliptic curve cryptography, Pseudorandom Number Generation (PRNG) based on Asymmetric Ciphers.
(CSE348)
Lecture # 17
• have considered:
– RSA algorithm, implementation, security
Chapter 10 – Other Public Key Cryptosystems
Amongst the tribes of Central Australia every man, woman, and child has a secret or sacred name which is bestowed by the older men upon him or her soon after birth, and which is known to none but the fully initiated members of the group. This secret name is never mentioned except upon the most solemn occasions; to utter it in the hearing of men of another group would be a most serious breach of tribal custom. When mentioned at all, the name is spoken only in a whisper, and not until the most elaborate precautions have been taken that it shall be heard by no one but members of the group. The native thinks that a stranger knowing his secret name would have special power to work him ill by means of magic.
Diffie-Hellman Key Exchange
This chapter continues our overview of
public-key cryptography systems (PKCSs)
Begins with a description of one of the earliest and simplest PKCS
Diffie-Hellman key exchange
This first published public-key algorithm
appeared in the seminal paper by Diffie and
Diffie-Hellman Key Exchange
That defined public-key cryptography [DIFF76b]
And is generally referred to as Diffie-Hellman
Diffie-Hellman Key Exchange
The purpose of the algorithm is to enable two
users to securely exchange a key
That can then be used for subsequent
Diffie-Hellman Key Exchange
First public-key type scheme proposed
By Diffie & Hellman in 1976 along with the
exposition of public key concepts
now know that Williamson (UK CESG)
secretly proposed the concept in 1970
Practical method for public exchange of a secret key
Diffie-Hellman Key Exchange
Diffie-Hellman algorithm uses exponentiation in
a finite (Galois) field (modulo a prime or a
polynomial)
And depends for its effectiveness on the
difficulty of computing discrete logarithms
Diffie-Hellman Key Exchange
A public-key distribution scheme
cannot be used to exchange an arbitrary
message
rather it can establish a common key
known only to the two participants
Value of key depends on the participants
and their private and public key information
Diffie-Hellman Key Exchange
Based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy
Security relies on the difficulty of computing
discrete logarithms (similar to factoring) – hard
Diffie-Hellman Setup
In the Diffie-Hellman key exchange algorithm,
there are two publicly known numbers
A prime number q and an integer a that is a
primitive root of q
The prime q and primitive root a can be common
to all using some instance of the D-H scheme
The primitive root a is a number whose powers successively generate all the elements mod q
Diffie-Hellman Setup
Users Alice and Bob choose random secrets x's
And then "protect" them using exponentiation to create their public y's
For an attacker monitoring the exchange of the y's
To recover either of the x's, they'd need to solve the discrete logarithm problem, which is hard
Diffie-Hellman Setup
All users agree on global parameters:
large prime integer or polynomial q
a being a primitive root mod q
Each user (eg A) generates their key
chooses a secret key (number): $x_A < q$
compute their public key: $y_A = a^{x_A} \bmod q$
Each user makes public that key $y_A$
Diffie-Hellman Key Exchange
The actual key exchange for either party
consists of raising the other's "public key" to the
power of their private key
The resulting number (or as much of as is
necessary) is used as the key for a block cipher
or other private key scheme
For an attacker to obtain the same value they
need at least one of the secret numbers
Diffie-Hellman Key Exchange
Which means solving a discrete log, which is
computationally infeasible given large enough numbers
If Alice and Bob subsequently communicate
They will have the same key as before, unless they choose new public-keys
Diffie-Hellman Key Exchange
Shared session key for users A & B is $K_{AB}$:
$K_{AB} = a^{x_A \cdot x_B} \bmod q$
= $y_A^{x_B} \bmod q$ (which B can compute)
= $y_B^{x_A} \bmod q$ (which A can compute)
$K_{AB}$ is used as session key in private-key
encryption scheme between Alice and Bob
If Alice and Bob subsequently communicate,
they will have the same key as before, unless
they choose new public-keys
Diffie-Hellman Example
Here is an example of Diffie-Hellman from the text using prime q=353
Showing how each computes its public key
And then how after they exchange public keys
Each can compute the common secret key
In this simple example, it would be possible by brute force to determine the secret key 160
Diffie-Hellman Example
In particular, an attacker E can determine the
common key
By discovering a solution to the equation $3^a \bmod 353 = 40$
or the equation $3^b \bmod 353 = 248$
The brute-force approach is to calculate powers
of 3 modulo 353
Diffie-Hellman Example
The desired answer is reached with the
exponent value of 97, which provides
$3^{97} \bmod 353 = 40$
With larger numbers, the problem becomes
impractical
Diffie-Hellman Example
Users Alice & Bob who wish to swap keys:
Agree on prime q=353 and a=3
Select random secret keys:
Compute respective public keys:
Compute shared session key as:
$K_{AB} = y_A^{x_B} \bmod 353 = 40^{233} = 160$ (Bob)
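The exchange and the brute-force search described in these slides, as an added Python example that is not part of the lecture. It uses only values that appear above (q = 353, a = 3, exponents 97 and 233); the function names are chosen here for illustration.

```python
# Added example (not from the lecture): toy Diffie-Hellman with q = 353, a = 3.
Q, A = 353, 3                  # public prime and primitive root from the slides
X_ALICE, X_BOB = 97, 233       # private exponents that appear in the slides' formulas


def public_key(x, a=A, q=Q):
    """y = a^x mod q: the value a user publishes."""
    return pow(a, x, q)


def shared_key(y_other, x_own, q=Q):
    """K = (other side's public y)^(own private x) mod q."""
    return pow(y_other, x_own, q)


def is_primitive_root(a, q):
    """True if the successive powers of a generate every element 1..q-1 (q prime)."""
    seen, v = set(), 1
    for _ in range(q - 1):
        v = (v * a) % q
        seen.add(v)
    return len(seen) == q - 1


def brute_force_dlog(y, a=A, q=Q):
    """Smallest x >= 1 with a^x mod q == y, found by computing successive powers.
    The cost grows linearly with q, which is why q must be large in practice."""
    v = 1
    for x in range(1, q):
        v = (v * a) % q
        if v == y:
            return x
    return None


def demo():
    y_a, y_b = public_key(X_ALICE), public_key(X_BOB)
    k_a = shared_key(y_b, X_ALICE)          # Alice's view
    k_b = shared_key(y_a, X_BOB)            # Bob's view
    recovered = brute_force_dlog(y_a)       # an observer sees only y_a and y_b
    k_observer = shared_key(y_b, recovered)
    return y_a, y_b, k_a, k_b, recovered, k_observer


if __name__ == "__main__":
    print(demo())
```

With a 353-element field the search finishes in at most 352 multiplications; the same loop over a 2048-bit prime is out of reach.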
Key Exchange Protocols
Now consider a simple protocol that makes use
of the Diffie-Hellman calculation
Suppose that user A wishes to set up a
connection with user B and use a secret key to encrypt messages on that connection
User A can generate a one-time private key $X_A$, calculate $Y_A$, and send that to user B
User B responds by generating a private value
$X_B$, calculating $Y_B$, and sending $Y_B$ to user A
Key Exchange Protocols
Both users can now calculate the key
The necessary public values q and a would need
to be known ahead of time
Alternatively, user A could pick values for q and
a and include those in the first message
Key Exchange Protocols
Users could create random private/public D-H keys each time they communicate
Users could create a known private/public D-H key and publish in a directory, then consulted
and used to securely communicate with them
Both of these are vulnerable to a
Man-in-the-Middle Attack
Authentication of the keys is needed
Man-in-the-Middle Attack
Darth prepares by creating two private / public
keys
Alice transmits her public key to Bob
Darth intercepts this and transmits his first public key to Bob
Darth also calculates a shared key with Alice
Bob receives the public key and calculates the
Man-in-the-Middle Attack
Bob transmits his public key to Alice
Darth intercepts this and transmits his second
public key to Alice
Darth calculates a shared key with Bob
Alice receives the key and calculates the shared key (with Darth instead of Bob)
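Why authentication of the keys is needed, as an added Python simulation that is not part of the lecture. It reuses the toy parameters q = 353, a = 3; Darth's exponents (5 and 7) and the `fingerprint` comparison over a separate trusted channel are assumptions made for illustration.

```python
import hashlib

Q, A = 353, 3   # toy public parameters from the slides; far too small for real use


def fingerprint(y):
    """Short digest of a public value, to be compared over a channel the
    interceptor cannot alter (assumed here, not modelled)."""
    return hashlib.sha256(str(y).encode()).hexdigest()[:16]


def exchange(xa, xb, darth=None):
    """Run one D-H exchange between Alice (xa) and Bob (xb).
    darth=(xd1, xd2) places Darth on the path with his two private keys."""
    ya, yb = pow(A, xa, Q), pow(A, xb, Q)
    to_bob, to_alice = ya, yb
    k_darth = None
    if darth is not None:
        xd1, xd2 = darth
        to_bob = pow(A, xd1, Q)      # Darth's first public key replaces Alice's
        to_alice = pow(A, xd2, Q)    # Darth's second public key replaces Bob's
        k_darth = {"with_alice": pow(ya, xd2, Q), "with_bob": pow(yb, xd1, Q)}
    k_alice = pow(to_alice, xa, Q)   # Alice believes this key is shared with Bob
    k_bob = pow(to_bob, xb, Q)       # Bob believes this key is shared with Alice
    # Authentication step: each side checks the value it received against the
    # fingerprint its peer vouches for over the trusted channel.
    authentic = (fingerprint(to_bob) == fingerprint(ya)
                 and fingerprint(to_alice) == fingerprint(yb))
    return {"k_alice": k_alice, "k_bob": k_bob,
            "k_darth": k_darth, "authentic": authentic}


if __name__ == "__main__":
    print(exchange(97, 233))                  # untouched exchange
    print(exchange(97, 233, darth=(5, 7)))    # substituted public keys
```

In the second run Alice and Bob hold different keys, each shared with Darth, and nothing in the D-H arithmetic reveals it; only the fingerprint comparison does.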
ElGamal Cryptography
In 1984, T. Elgamal announced a public-key
scheme based on discrete logarithms
Closely related to the Diffie-Hellman technique
ElGamal Cryptography
As with Diffie-Hellman, the global elements of
ElGamal are a prime number q and a
Which is a primitive root of q
ElGamal Cryptography
User A generates a private/public key pair as
shown
The security of ElGamal is based on the difficulty
of computing discrete logarithms
To recover either x given y, or k given K
ElGamal Cryptography
Public-key cryptosystem related to D-H
Uses exponentiation in a finite field
With security based on the difficulty of computing discrete logarithms, as in D-H
Each user (eg A) generates their key
chooses a secret key (number): $1 < x_A < q-1$
compute their public key: $y_A = a^{x_A} \bmod q$
ElGamal Message Exchange
Any user B that has access to A's public key can encrypt a message as shown
These steps correspond to Figure 9.1a in that
Alice generates a public/private key pair
Bob encrypts using Alice's public key; and Alice decrypts using her private key
See text for details of why these steps result in
M being recovered
ElGamal Message Exchange
K functions as a one-time key, used to encrypt and decrypt the message
If a message must be broken up into blocks and sent as a sequence of encrypted blocks, a
unique value of k should be used for each block
If k is used for more than one block, knowledge
of one block m of the message enables the user
to compute other blocks
ElGamal Message Exchange
The basic idea with El Gamal encryption is to
choose a random key, protect it
Then use it to scramble the message by
multiplying the message with it
Two bits of info have to be sent: the first to
recover this temporary key
The second the actual scrambled message
ElGamal Message Exchange
See that El Gamal encryption involves 1 modulo exponentiation
And a multiplication (vs 1 exponentiation for
RSA)
ElGamal Example
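An added worked example in Python, not taken from the lecture: ElGamal key generation, encryption and decryption using the standard formulas, followed by the reuse-of-k weakness described under ElGamal Message Exchange. The parameters (q = 19, a = 10) and all function names are constructed for illustration.

```python
# Added example (not from the lecture). Constructed toy parameters:
Q, A = 19, 10          # prime q and a primitive root a of q


def keygen(x):
    """Private x with 1 < x < q-1; returns the public key y = a^x mod q."""
    return pow(A, x, Q)


def encrypt(m, y, k):
    """Encrypt block m (1 <= m < q) under public key y with one-time secret k.
    C1 = a^k mod q lets the key owner rebuild the temporary key K = y^k mod q;
    C2 = K*m mod q is the scrambled message."""
    K = pow(y, k, Q)
    return pow(A, k, Q), (K * m) % Q


def decrypt(c1, c2, x):
    """Recompute K = C1^x mod q from the private key, then undo the multiply."""
    K = pow(c1, x, Q)
    return (c2 * pow(K, -1, Q)) % Q      # modular inverse needs Python 3.8+


def recover_with_reused_k(m1, c2_block1, c2_block2):
    """If two blocks were encrypted with the same k they share K, so
    C2_2 / C2_1 = m2 / m1 (mod q). Knowing m1 yields m2 with no private key."""
    return (c2_block2 * pow(c2_block1, -1, Q) * m1) % Q


if __name__ == "__main__":
    x_a = 5
    y_a = keygen(x_a)
    c1, c2 = encrypt(17, y_a, k=6)
    print("ciphertext:", (c1, c2), "decrypts to", decrypt(c1, c2, x_a))
    # Second block under the SAME k: a known first block exposes it.
    _, c2_same = encrypt(9, y_a, k=6)
    print("reused k  :", recover_with_reused_k(17, c2, c2_same))
    # Second block under a fresh k: the same calculation gives a wrong value.
    _, c2_fresh = encrypt(9, y_a, k=7)
    print("fresh k   :", recover_with_reused_k(17, c2, c2_fresh))
```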
Elliptic Curve Cryptography
Majority of public-key crypto (RSA, D-H) use
either integer or polynomial arithmetic with very large numbers/polynomials
Imposes a significant load in storing and
processing keys and messages
An alternative is to use elliptic curves
Offers same security with smaller bit sizes
Real Elliptic Curves
An elliptic curve is defined by an equation in
two variables x & y, with coefficients
Consider a cubic elliptic curve of form
$y^2 = x^3 + ax + b$
Where x,y,a,b are all real numbers
Also define zero point O
Consider set of points E(a,b) that satisfy
Have addition operation for elliptic curve
Geometrically sum of P+Q is reflection of the
intersection R
Finite Elliptic Curves
Elliptic curve cryptography uses curves whose variables & coefficients are finite
Have two families commonly used
Prime curves $E_p(a,b)$ defined over $Z_p$
Use integers modulo a prime
Best in software
Binary curves $E_{2^m}(a,b)$ defined over $GF(2^n)$
Use polynomials with binary coefficients
Best in hardware
Elliptic Curve Cryptography
ECC addition is analog of modulo multiply
ECC repeated addition is analog of modulo
exponentiation
need “hard” problem equiv to discrete log
Q=kP, where Q,P belong to a prime curve
is “easy” to compute Q given k,P
but “hard” to find k given Q,P
known as the elliptic curve logarithm problem
Certicom example: $E_{23}(9,17)$
ECC Diffie-Hellman
Can do key exchange analogous to D-H
Users select a suitable curve $E_q(a,b)$
Select base point $G=(x_1,y_1)$
with large order n s.t. $nG=O$
A & B select private keys $n_A<n$, $n_B<n$
Compute public keys: $P_A=n_A G$, $P_B=n_B G$
Compute shared key: $K=n_A P_B$, $K=n_B P_A$
same since $K=n_A n_B G$
Attacker would need to find k, hard
ECC Encryption/Decryption
Several alternatives, will consider simplest
Must first encode any message M as a point on the elliptic curve $P_m$
select suitable curve & point G as in D-H
Each user chooses private key $n_A<n$
And computes public key $P_A=n_A G$
To encrypt $P_m$: $C_m=\{kG, P_m+kP_b\}$, k random
Decrypt $C_m$ compute:
$P_m+kP_b-n_B(kG) = P_m+k(n_B G)-n_B(kG) = P_m$
ECC Security
Relies on elliptic curve logarithm problem
Fastest method is “Pollard rho method”
Compared to factoring, can use much smaller
key sizes than with RSA etc
For equivalent key lengths computations are
roughly equivalent
Hence for similar security ECC offers significant computational advantages
Comparable Key Sizes for
RSA/DSA (modulus size in
Pseudorandom Number Generation (PRNG) based on Asymmetric Ciphers
Asymmetric encryption algorithms produce
apparently random output
Hence can be used to build a pseudorandom
number generator (PRNG)
Much slower than symmetric algorithms
Hence only use to generate a short
pseudorandom bit sequence (eg key)
have considered:
Diffie-Hellman key exchange
ElGamal cryptography
Elliptic Curve cryptography
Pseudorandom Number Generation (PRNG) based on Asymmetric Ciphers