Cryptography - PowerPoint PPT Presentation

Cryptography Lecture 7 Stefan Dziembowski www.dziembowski.net stefan_at_dziembowski.net Plan Introduction to public-key cryptography Diffie-Hellman key exchange Trapdoor ... – PowerPoint PPT presentation

1
Cryptography
  • Lecture 7, Stefan Dziembowski, www.dziembowski.net
  • stefan_at_dziembowski.net

2
Plan
  1. Introduction to public-key cryptography
  2. Diffie-Hellman key exchange
  3. Trapdoor one-way permutations

3
How to distribute the cryptographic keys?
  • If the users can meet in person beforehand, it's
    simple.
  • But what to do if they cannot meet? (a typical
    example: on-line shopping)

4
A naive solution
give to every user Pi a separate key Kij to
communicate with every Pj
[Figure: P1 shares keys K12, K13, K14, K15 with P2, P3, P4, P5]
5
In general a quadratic number of keys is needed
[Figure: users P1, P2, P3, P4, P5]
6
Problems
  • Someone (a Key Distribution Center, KDC) needs to
    give the keys
  • feasible if the users are e.g. working in one
    company
  • infeasible on the internet
  • relies on the honesty of KDC
  • KDC needs to be permanently available
  • ...
  • The users need to store large numbers of keys in
    a secure way

7
The solution
  • Public-Key Cryptography

Whitfield Diffie and Martin Hellman (1976)
Ralph Merkle (1974)
8
A little bit of history
  • Diffie and Hellman were the first to publish a
    paper containing the idea of public-key
    cryptography: W. Diffie and M. E. Hellman, "New
    directions in cryptography", IEEE Trans. Inform.
    Theory, IT-22, 6, 1976, pp. 644-654.
  • A similar idea was described by Ralph Merkle:
  • in 1974 he described it in a project proposal for
    a Computer Security course at UC Berkeley (it
    was rejected)
  • in 1975 he submitted it to the CACM journal (it
    was rejected)
  • (see http://www.merkle.com/1974/ )
  • In 1997 the GCHQ (the British equivalent of the
    NSA) revealed that they knew it already in 1973.

9
The idea
  • Instead of using one key K,
  • use 2 keys (e,d), where
  • e is used for encryption,
  • d is used for decryption, or
  • d is used for computing a tag,
  • e is used for verifying correctness of the tag
    (this will be called signatures; Sign: the
    signing algorithm).
  • Moreover, e can be public, and only d has to be
    kept secret!
  • That's why it's called public-key cryptography.
10
Anyone can send encrypted messages to anyone else
[Figure: users P1, P2, P3, P4, P5 and a public register holding e1, e2, e3, e4, e5; P3 holds d3]
  1. P1 wants to send m to P3
  2. reads e3
  3. sends E(e3,m)
  4. P3 computes D(d3,m)
11
Anyone can verify the signatures
[Figure: users P1, P2, P3, P4, P5 and a public register holding e1, e2, e3, e4, e5; P3 holds d3 and produces Sign(d3,m)]
  1. Sign(d3,m)
  2. reads e3
  3. computes Vrfy(e3,m)
12
Things that need to be discussed
  • Who maintains the register?
  • How to contact it securely?
  • How to revoke the key (if it is lost)?
  • ...

We will discuss these things later (when we will
be talking about the Public-Key Infrastructure)
13
But is it possible?
  • In the physical world: yes!
  • Examples:
  • normal signatures
  • padlocks (anyone can lock it, the key is needed
    to unlock)
14
Diffie and Hellman (1976)
  • Diffie and Hellman proposed the public key
    cryptography in 1976.
  • They just proposed the concept, not the
    implementation.
  • But they have shown a protocol for key-exchange.

15
Key exchange
initially they share no secret
[Figure: Alice and Bob exchange messages while Eve listens; Alice and Bob each output key k]
Eve should have no information about k
We will formalize it later. Let's first show the
protocol.
16
The Diffie-Hellman Key exchange
  • $G$: a group, where discrete log is hard
  • $q = |G|$
  • $g$: a generator of $G$

Alice: $x \leftarrow \mathbb{Z}_q$; output $k_A = (h_2)^x$, equal to $g^{yx}$
Bob: $y \leftarrow \mathbb{Z}_q$; output $k_B = (h_1)^y$, equal to $g^{xy}$
equal!
17
Security of the Diffie-Hellman exchange
Eve knows: $G, g$, $h_1 = g^x$, $h_2 = g^y$
$g^{yx}$ = ?
Eve should have no information about $g^{yx}$
18
Is it secure?
  • If the discrete log in G is easy then the DH key
    exchange is not secure.
  • (because the adversary can compute x and y from
    $g^x$ and $g^y$)
  • If the discrete log in G is hard, then...
  • it may also not be completely secure

19
Example: $G = \mathbb{Z}_p^*$
Alice: $x \leftarrow \mathbb{Z}_q$, $h_1 = g^x$; x is even iff $h_1$ is a QR
Bob: $y \leftarrow \mathbb{Z}_q$, $h_2 = g^y$; y is even iff $h_2$ is a QR
Therefore $g^{yx}$ is a QR iff ($h_1$ is a QR)
or ($h_2$ is a QR). So, Eve can compute some
information about $g^{yx}$ (namely if it is a QR, or
not).
Eve: $g^{yx}$ = ?
20
Is it a problem, or not?
  • We need to
  • formalize what we mean by secure key exchange,
  • identify the assumptions needed to prove the
    security.

21
[Figure: Alice runs an interactive randomized Turing machine A, Bob runs an interactive randomized Turing machine B; transcript T = the sequence of exchanged messages; each of them outputs key k]
A protocol is a pair (A,B) of randomized Turing
machines.
Informal definition: (A,B) is secure if no
efficient adversary can distinguish k from
random, given T, with a non-negligible
advantage.
[Figure: given T, is it the key k or a random string of the same length?]
22
How to formalize it?
security parameter $1^n$
[Figure: A and B exchange the transcript T; each outputs key $k \in \{0,1\}^n$]
  • We say (A,B) is a secure key-exchange
    protocol if
  • the output of A and B is always the same, and
  • for every polynomial-time M that outputs 0 or 1:
    $|\mathrm{Prob}[M(1^n,T,k) = 1] - \mathrm{Prob}[M(1^n,T,r) = 1]|$ is
    negligible in n, where r is random and $|r| = n$.
How does the protocol look now?
  • It needs to be defined for any parameter $1^n$.
  • Therefore we need an algorithm H that
  • on input $1^n$
  • outputs
  • a description of G of order q, such that $|q| = n$,
  • a generator g of G.

24
How does the protocol look now?
security parameter $1^n$
Alice: $(G,g) \leftarrow H(1^n)$, $x \leftarrow \mathbb{Z}_q$; sends $(G,g), q, h_1 = g^x$ to Bob
Bob: $y \leftarrow \mathbb{Z}_q$; sends $h_2 = g^y$ to Alice
Alice: output $k_A = (h_2)^x$
Bob: output $k_B = (h_1)^y$
(Note that we cheat a bit because k is a
pseudorandom group element, not a string of
bits.)
If such a key exchange protocol is secure, we say
that the Decisional Diffie-Hellman (DDH) problem
is hard with respect to H.
25
An example of H where DDH is believed to be hard
  • QR(p)
  • $H(1^n)$:
  • generate a random strong prime p of length n+1,
  • set $q = (p-1)/2$,
  • choose any $x \in \mathbb{Z}_p^*$ such that $x \not\equiv 1 \pmod p$,
  • set $g = x^2 \bmod p$,
  • output (p,g).
  • Other groups are also used (e.g. groups based on
    the elliptic curves).
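The quadratic-residue leak in $\mathbb{Z}_p^*$ and the QR(p) construction above, measured with a distinguisher M in the sense of the formal definition. This is an added example, not part of the lecture; the toy safe prime 2039 and all function names are constructed for illustration.

```python
import secrets

def is_qr(a, p):
    # Euler's criterion for an odd prime p: a is a square mod p iff a^((p-1)/2) = 1.
    return pow(a, (p - 1) // 2, p) == 1

def generator_of_zp_star(p, q):
    # For p = 2q + 1 every element order divides 2q, so g generates Z_p^*
    # iff g^2 != 1 and g^q != 1.
    return next(g for g in range(2, p) if pow(g, 2, p) != 1 and pow(g, q, p) != 1)

def generator_of_qr(p):
    # g = x^2 mod p with x = 2. x = -1 must be avoided as well: its square is 1.
    return pow(2, 2, p)

def run_dh(p, g, order):
    # One honest run; returns Eve's view (h1, h2) and the agreed key.
    x, y = secrets.randbelow(order), secrets.randbelow(order)
    h1, h2 = pow(g, x, p), pow(g, y, p)
    k_a, k_b = pow(h2, x, p), pow(h1, y, p)
    assert k_a == k_b
    return (h1, h2), k_a

def M(p, transcript, candidate):
    # Predict from the transcript whether the key is a QR; output 1 iff the
    # candidate agrees with that prediction.
    h1, h2 = transcript
    return int(is_qr(candidate, p) == (is_qr(h1, p) or is_qr(h2, p)))

def advantage(p, g, order, runs=2000):
    # Estimates |Prob[M(T,k)=1] - Prob[M(T,r)=1]|, r uniform in the group <g>.
    real = rand = 0
    for _ in range(runs):
        transcript, k = run_dh(p, g, order)
        r = pow(g, secrets.randbelow(order), p)
        real += M(p, transcript, k)
        rand += M(p, transcript, r)
    return abs(real - rand) / runs

P, Q = 2039, 1019  # constructed toy safe prime p = 2q + 1, far too small for real use

def advantage_in_zp_star():
    return advantage(P, generator_of_zp_star(P, Q), P - 1)

def advantage_in_qr_subgroup():
    return advantage(P, generator_of_qr(P), Q)
```

In $\mathbb{Z}_p^*$ the estimate comes out near 1/2, which is not negligible; in QR(p) every element is a square, so this particular test gains nothing.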

26
Practical considerations
  • It is common to choose any $\mathbb{Z}_p^*$ (for prime p),
    instead of QR(p).
  • In some standards p is fixed; for example, the
    RFC 3526 document specifies primes of the
    following lengths: 1536, 2048, 3072, 4096, 6144,
    8192. This is the 1536-bit prime:
  • (hexadecimal value omitted) The generator is 2.

27
A problem
  • The protocols that we discussed are secure only
    against a passive adversary (that only
    eavesdrops).
  • What if the adversary is active?
  • She can launch a man-in-the-middle attack.

28
Man in the middle attack
[Figure: the adversary sits between Alice and Bob, saying "I am Bob" to Alice and "I am Alice" to Bob; a key k is established on each side]
A very realistic attack!
So, is this thing totally useless? No! (it is
useful as a building block)
29
Two questions remain
  • How to construct the public-key encryption?
  • How to construct the signature schemes?

turns out these questions are related
30
The observation of Diffie and Hellman
(e,d): the key pair
public-key encryption
  • plaintexts to ciphertexts: E(e,x)
  • ciphertexts to plaintexts: D(d,y), easy only if one knows d
signature schemes
  • messages to tags (signatures): Tag(d,y), easy only if one knows d
  • checking a tag: Vrfy(e,x)
Looks similar...
31
Trapdoor permutations
A family of permutations indexed by pairs (e,d):
$\{E_e : X \to X\}_{(e,d) \in \text{keys}}$
such that
  • easy: one can compute $E_e$,
  • easy: one can compute $E_e^{-1}$ if one knows a
    trapdoor d (this is denoted $D_d$),
  • hard (otherwise).

32
How to encrypt a message m
encryption: $c = E_e(m)$
decryption: $m = D_d(c)$ (one can compute it only if one knows d)
(figure labels: messages, plaintexts)
Warning: in general it's not that simple. We
will explain it later.
33
How to sign a message m
signing: $D_d(m)$ (one can compute it only if one knows d)
verifying: $E_e(m)$
(figure labels: messages, signatures)
Warning: in general it's not that simple. We
will explain it later.
34
Do such functions exist?
yes!
  • Ron Rivest, Adi Shamir, and Leonard Adleman (1977)

RSA function is a trapdoor permutation!
35
The RSA function
  • $N = pq$, such that p and q are large primes
  • e is such that $\gcd(e,d) = 1$
  • d is such that $ed = 1 \pmod{\varphi(N)}$
  • $E_e : \mathbb{Z}_N \to \mathbb{Z}_N$ is defined as
  • $E(m) = m^e \bmod N$.
  • $D_d : \mathbb{Z}_N \to \mathbb{Z}_N$ is defined as
  • $D(c) = c^d \bmod N$.
  • Does it work?
  • D(E(m)) md mod N.
  • we get
  • $D_d(E_e(m)) = (m^e)^d = m^{ed} = m^{1 \bmod \varphi(N)}$

$\varphi(N) = (p-1)(q-1)$.
public key: (N,e); private key: (N,d)
36
Is it a trapdoor permutation?
  • If one can factor large integers ⇒ no!
  • (because one can compute $\varphi(N)$)
  • Is there an implication in the opposite
    direction?
  • nobody knows...

37
What can be shown
  1. Computing $\varphi(N)$ is as hard as factoring (we have
    shown it a week ago).
  2. Computing d from (e,N) is as hard as factoring.
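
The RSA function as a trapdoor permutation, with the sign/verify use of the same pair and the step behind point 1: anyone who learns $\varphi(N)$ can factor N. This is an added example, not part of the lecture; the primes 61 and 53 are constructed toy values, the helper names other than E and D are hypothetical, and e is chosen with $\gcd(e,\varphi(N)) = 1$, the condition under which the inverse d exists.

```python
from math import gcd, isqrt

def rsa_keygen(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse modulo phi(N)")
    d = pow(e, -1, phi)  # ed = 1 (mod phi(N)); needs Python 3.8+
    return (n, e), (n, d)

def E(pub, m):
    n, e = pub
    return pow(m, e, n)

def D(priv, c):
    n, d = priv
    return pow(c, d, n)

def is_permutation(pub):
    # Exhaustive check, feasible only for a toy modulus: E hits every
    # element of Z_N exactly once.
    n, _ = pub
    return sorted(E(pub, m) for m in range(n)) == list(range(n))

def sign(priv, m):
    # Textbook signing: apply the trapdoor direction D_d to the message.
    return D(priv, m)

def verify(pub, m, sig):
    # Anyone can run the easy direction E_e and compare.
    return E(pub, sig) == m

def factor_from_phi(n, phi):
    # p + q = N - phi(N) + 1 and pq = N, so p and q are the roots of
    # z^2 - (p + q) z + N = 0.
    s = n - phi + 1
    disc = s * s - 4 * n
    root = isqrt(disc) if disc >= 0 else -1
    if root < 0 or root * root != disc:
        raise ValueError("phi is not phi(N) for N = pq")
    return (s - root) // 2, (s + root) // 2

def demo():
    pub, priv = rsa_keygen(61, 53, 17)  # constructed toy primes
    c = E(pub, 65)
    return priv, c, D(priv, c), factor_from_phi(3233, 3120)
```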