PAGES: 65 POSTED ON: 8/8/2012 Public Domain
CS4288 Cryptographic Algorithms and Protocols
Text Book: William Stallings. Lecture Notes: adapted from those of Lawrie Brown.
Lecturers: Professor Frances Yao & Professor Xiaotie Deng, Department of Computer Science, City University of Hong Kong, 2012/8/7
(Adopted from lecture slides by Lawrie Brown.)

Chapter 9 – Public Key Cryptography and RSA

"Every Egyptian received two names, which were known respectively as the true name and the good name, or the great name and the little name; and while the good or little name was made public, the true or great name appears to have been carefully concealed."
—The Golden Bough, Sir James George Frazer

Outline
- Introduction to public-key cryptosystems
- RSA as a trapdoor one-way function
- RSA digital signature

1. Public-key cryptosystem

Introduction
- First proposed in public by Diffie and Hellman at Stanford University in 1976.
- Known earlier in the classified community: http://www.research.att.com/~smb/nsam-160/
- Enables secure message exchange between a sender and a receiver who never have to meet in advance to agree on a common secret key.
Private-Key Cryptography
- Traditional private/secret/single-key cryptography uses one key shared by sender and receiver.
- If this key is disclosed, communications are compromised.
- The key is symmetric and the parties are equal: it does not protect the sender from the receiver forging a message and claiming it was sent by the sender.

Public-Key Cryptography
- Probably the most significant advance in the 3000-year history of cryptography.
- Uses two keys: a public key and a private key.
- Asymmetric: the parties are not equal.
- Uses clever applications of number-theoretic concepts to function.
- Complements rather than replaces private-key cryptography.

(Figure: public-key encryption.)

Public-key/two-key/asymmetric cryptography gives each agent u an associated pair of keys <Pu, Su>:
- the public key Pu, published under the user's name in a "public directory" that everyone can read; it is used to encrypt messages and to verify signatures;
- the private key Su, known only to the agent u; it is used to decrypt messages and to sign (create) signatures.
It is asymmetric because those who can encrypt messages or verify signatures may not be able to decrypt messages or create signatures.

Encoding: to send a secret message M to u, anyone looks up Pu, computes C = E(Pu, M), where E is the public encryption algorithm, and sends the resulting ciphertext C to u.
Decoding: on receiving the ciphertext C, u uses the private key Su to compute D(Su, C), where D is the corresponding decryption algorithm. Clearly, for this to work we need D(Su, E(Pu, M)) = M.

Why Public-Key Cryptography?
Initially to address two key issues:
- key distribution: how to communicate securely in general without having to trust a KDC with your key;
- digital signatures: how to verify that a message comes intact from the claimed sender.
Ripple effect: it made e-commerce possible.

Computational Characteristics
Public-key algorithms rely on two keys with the following characteristics:
- computationally infeasible to find the decryption key knowing only the algorithm and the encryption key;
- computationally easy to encrypt/decrypt a message when the relevant key is known;
- either of the two related keys can be used for encryption, with the other used for decryption (in some schemes, RSA among them).
(Figure: uses of public-key cryptosystems.)

Public-Key Applications
Three major categories:
- encryption/decryption (provides secrecy)
- digital signatures (provide authentication)
- key exchange (of session keys)
Some algorithms are suitable for all three uses, others are specific to one.

Security of Public-Key Schemes
- Security relies on a large enough difference in difficulty between the easy problem (encrypt/decrypt) and the hard problem (cryptanalysis).
- As with private-key schemes, a brute-force exhaustive key search is always theoretically possible, but the keys are far too large (>512 bits) to be broken that way. The threat to the modulus sizes discussed here is factoring, not key search.
- The scheme requires arithmetic on very large numbers, so it is slow compared to private-key schemes.

2. RSA trapdoor one-way function

One-Way Function and the Factorization Assumption
The most basic primitive for a cryptosystem is a one-way function (OWF). Informally, this is a function that is EASY to compute but HARD to invert. The Factorization assumption gives a well-known candidate:
- Randomly select two primes p and q and set N = pq (easy).
- Given only N, it is HARD to compute p or q (by the Factorization assumption).

Trapdoor One-Way Function
A trapdoor function f is a one-way function with an extra property: there also exists secret inverse information (the trapdoor) that allows its possessor to EFFICIENTLY invert f at any point in the domain of his choosing. It should be easy to compute f at any point, infeasible to invert f at any point without knowledge of the trapdoor, and easy to invert f with knowledge of the trapdoor.

Using a Trapdoor Function for PKC
Given a pair (f, t_f) where f is a trapdoor function and t_f is its associated trapdoor information, Diffie and Hellman suggested in 1976 using the supposed existence of trapdoor functions to implement a public-key cryptosystem as follows:
(1) For every message m in M, E(f, m) = f(m).
(2) Given c = E(f, m) = f(m) and t_f, D(t_f, c) = f^(-1)(c) = f^(-1)(f(m)) = m.

RSA
- In 1977 Rivest, Shamir and Adleman proposed the first candidate trapdoor function, now called RSA. The story of modern cryptography followed.
- The best known and most widely used public-key scheme.
- Based on exponentiation in a finite (Galois) field over the integers modulo a number; a modular exponentiation takes O((log n)^3) bit operations (easy).
- Uses large integers (e.g. 1024 bits).
- Security relies on the difficulty of factoring large numbers; the general-purpose factoring algorithms discussed below run in time of the order e^(√(ln n · ln ln n)), which is sub-exponential but still far beyond exponentiation (hard).

Use of a Trapdoor One-Way Function in PKC
Each user u in the network has a pair of keys <Pu, Su> associated with him:
- the public key Pu, published under the user's name in a "public directory" accessible for everyone to read, and
- the private key Su, which is the trapdoor information, known only to u.

RSA Key Setup
Each user generates a public/private key pair by:
- selecting two large primes at random: p, q;
- computing the system modulus N = p·q; note φ(N) = (p−1)(q−1);
- selecting at random the encryption exponent e with 1 < e < φ(N) and gcd(e, φ(N)) = 1;
- solving e·d ≡ 1 (mod φ(N)) with 0 < d < φ(N) for the decryption exponent d; this is fast using the extended Euclidean algorithm;
- publishing the public encryption key Pu = {e, N};
- keeping secret the private decryption key Su = {d, p, q}.

RSA Encryption/Decryption
- To encrypt a message M, the sender obtains the recipient's public key Pu = {e, N} and computes C = M^e mod N, where 0 ≤ M < N.
- To decrypt the ciphertext C, the owner u uses the private key Su = {d, p, q} and computes M = C^d mod N.
- Note that the message M must be smaller than the modulus N (split it into blocks if needed).

Number Theory Background for RSA

Definition of the Euler Totient Function
Euler's totient function is defined by φ(n) = |{x : 1 ≤ x ≤ n and gcd(x, n) = 1}|.
φ(2) = |{1}| = 1, φ(3) = |{1, 2}| = 2, φ(4) = |{1, 3}| = 2, φ(5) = |{1, 2, 3, 4}| = 4, φ(6) = |{1, 5}| = 2.

Calculation of the Euler Totient Function
(1) For p prime and α ≥ 1, φ(p^α) = p^(α−1)·(p−1).
(2) For integers m, n with gcd(m, n) = 1, φ(m·n) = φ(m)·φ(n).
Corollary: φ(p·q) = (p−1)(q−1) for distinct primes p, q.

The Group Z*_n
Z*_n = {k : 1 ≤ k < n, gcd(k, n) = 1}. For any positive integer n, Z*_n forms a group under multiplication modulo n: if gcd(a, n) = gcd(b, n) = 1 then gcd(a·b, n) = 1, so the product stays in the set. |Z*_n| = φ(n), and for any a in Z*_n it is the case that a^φ(n) ≡ 1 (mod n) (Euler's theorem).
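The key setup and encryption/decryption procedure above, carried through in code. This is an added example, not code from the slides or from the textbook: it reproduces the slides' procedure with the textbook parameters p = 17, q = 11, e = 7 (defined below), derives d with the extended Euclidean algorithm, and adds the practitioner's check the slides only mention later, a Miller-Rabin primality test on p and q before they are used.

```python
"""Textbook RSA: key setup, encryption, decryption (added example)."""
import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, m):
    """The d with a*d == 1 (mod m); raises if gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m


def is_probable_prime(n, rounds=20):
    """Miller-Rabin. With the 12 smallest primes as witnesses the test is
    deterministic for n < 3,317,044,064,679,887,385,961,981; above that it
    uses random witnesses and errs with probability at most 4**-rounds."""
    if n < 2:
        return False
    if n in _SMALL_PRIMES:
        return True
    if any(n % p == 0 for p in _SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 = 2**r * d with d odd
        d //= 2
        r += 1
    if n < 3_317_044_064_679_887_385_961_981:
        witnesses = _SMALL_PRIMES
    else:
        witnesses = [random.randrange(2, n - 1) for _ in range(rounds)]
    for a in witnesses:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True


def rsa_keygen(p, q, e):
    """The slides' key setup. Returns ((e, N), (d, p, q))."""
    if p == q or not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi:
        raise ValueError("need 1 < e < phi(N)")
    d = modinv(e, phi)         # raises if gcd(e, phi(N)) != 1
    return (e, n), (d, p, q)


def rsa_encrypt(public, m):
    """C = M^e mod N; the block must satisfy 0 <= M < N."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message block must satisfy 0 <= M < N")
    return pow(m, e, n)


def rsa_decrypt(private, c):
    """M = C^d mod N."""
    d, p, q = private
    return pow(c, d, p * q)


if __name__ == "__main__":
    # Textbook parameters: p=17, q=11, e=7 -> d=23, N=187.
    pub, priv = rsa_keygen(17, 11, 7)
    c = rsa_encrypt(pub, 88)
    print(pub, priv, c, rsa_decrypt(priv, c))   # (7, 187) (23, 17, 11) 11 88
```

Two things the toy hides: `pow(c, d, n)` runs in time that depends on the bits of d, which is the basis of the timing attacks listed later in this chapter, and raw RSA as shown here is deterministic and multiplicatively malleable (E(M1)·E(M2) = E(M1·M2) mod N). Deployed systems always wrap the message in a padding scheme such as OAEP before exponentiation.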
Why RSA Works
By Euler's theorem, a^φ(N) mod N = 1 whenever gcd(a, N) = 1. In RSA we have N = p·q, φ(N) = (p−1)(q−1), and e and d carefully chosen as inverses mod φ(N), hence e·d = 1 + k·φ(N) for some k. Therefore (if M is relatively prime to N):
C^d = (M^e)^d = M^(1 + k·φ(N)) = M · (M^φ(N))^k ≡ M · 1^k = M (mod N).
The corollary below removes the restriction gcd(M, N) = 1.

Corollary of Euler's Theorem
Given two primes p and q, n = pq and an integer m with 0 < m < n, the following relationship holds: m^(φ(n)+1) ≡ m (mod n) (Eq. 8.5).
Proof: If gcd(m, n) = 1 this is Euler's theorem. Otherwise gcd(m, n) ≠ 1 and, say, m is a multiple of p, m = cp. Since m < pq, gcd(m, q) = 1, so m^φ(q) ≡ 1 (mod q). Raising both sides to the power φ(p): [m^φ(q)]^φ(p) = m^φ(n) ≡ 1 (mod q), i.e. m^φ(n) = 1 + kq for some integer k. Multiplying both sides by m = cp: m^(φ(n)+1) = m + kcpq = m + kcn, hence m^(φ(n)+1) ≡ m (mod n). The case where m is a multiple of q is symmetric.

Exponentiation
A useful operation for PKC: given a, n, m, where a is in Z_n and m is an integer, compute a^m mod n. By repeated squaring, a^m mod n can be computed with O(log m) multiplications mod n, hence in O(log^3 n) bit operations if m < n.

RSA Example
1. Select primes: p = 17 and q = 11.
2. Compute n = pq = 17 × 11 = 187.
3. Compute φ(n) = (p−1)(q−1) = 16 × 10 = 160.
4. Select e with gcd(e, 160) = 1: choose e = 7.
5. Determine d with d·e ≡ 1 (mod 160) and d < 160: d = 23, since 23 × 7 = 161 = 1 × 160 + 1.
6. Publish the public key P = {7, 187}.
7. Keep secret the private key S = {23, 17, 11}.

RSA Example (cont.)
A sample RSA encryption/decryption: given message M = 88,
Encryption (using the public key): C = 88^7 mod 187 = 11.
Decryption (using the private key): M = 11^23 mod 187 = 88.

Exponentiation: Square and Multiply
- A fast, efficient algorithm for exponentiation.
- The idea is to repeatedly square the base and multiply in the powers that are needed to compute the result, reading the binary representation of the exponent.
- Takes only O(log_2 n) multiplications for an exponent n.
- e.g. 7^5 = 7^4 · 7^1 ≡ 3 · 7 = 21 ≡ 10 (mod 11).
- e.g. 3^129 = 3^128 · 3^1 ≡ 5 · 3 = 15 ≡ 4 (mod 11).

(Figure: the square-and-multiply algorithm.)

Equivalently, the algorithm looks at the binary expansion of m: collect the powers a^(2^i) that correspond to the 1-bits and multiply them. For example, compute 2^21 mod 22. 21 = 10101 in binary:

bit position:  4     3     2     1     0
power:         a^16  a^8   a^4   a^2   a^1
bit of 21:     1     0     1     0     1

2^1 ≡ 2 (mod 22)
2^2 ≡ 4 (mod 22)
2^4 ≡ 16 (mod 22)
2^8 = 16 · 16 = 256 = 11 · 22 + 14 ≡ 14 (mod 22)
2^16 ≡ 14 · 14 = 196 = 8 · 22 + 20 ≡ 20 (mod 22)
Therefore 2^21 = 2^16 · 2^4 · 2^1 ≡ 20 · 16 · 2 = 20 · 32 ≡ 20 · 10 = 200 = 9 · 22 + 2 ≡ 2 (mod 22).
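The square-and-multiply method above in code, as an added example that is not part of the slides. `modexp_rtl` is the right-to-left form the 2^21 mod 22 table illustrates (build a, a^2, a^4, ... and multiply in the ones whose bit is set); `modexp_ltr` is the usual left-to-right form; `modexp_ladder` is a Montgomery ladder, included because the "multiply only on a 1-bit" branch of the first two is exactly the exponent-dependent behaviour that the timing attacks named later in this chapter measure. The three functions are assumed names chosen here.

```python
"""Square-and-multiply modular exponentiation (added example)."""


def modexp_ltr(a, m, n, trace=None):
    """Left-to-right binary method: scan the bits of m from the top.
    Every bit costs one squaring; every 1-bit costs one extra multiply.
    If `trace` is a list, (bit, accumulator) is appended per step."""
    if n == 1:
        return 0
    acc, a = 1, a % n
    for bit in bin(m)[2:]:
        acc = acc * acc % n
        if bit == "1":
            acc = acc * a % n
        if trace is not None:
            trace.append((int(bit), acc))
    return acc


def modexp_rtl(a, m, n, trace=None):
    """Right-to-left method, as in the slides' table: compute a, a^2, a^4, ...
    (mod n) and multiply together those whose bit of m is 1.
    If `trace` is a list, (2**i, a**(2**i) mod n) is appended for each 1-bit."""
    if n == 1:
        return 0
    acc, power, i = 1, a % n, 0
    while m:
        if m & 1:
            acc = acc * power % n
            if trace is not None:
                trace.append((1 << i, power))
        power = power * power % n
        m >>= 1
        i += 1
    return acc


def modexp_ladder(a, m, n):
    """Montgomery ladder: one squaring and one multiply are executed for every
    bit whatever its value, so the operation sequence does not leak m.
    Invariant: r1 == r0 * a (mod n). Python's big-integer arithmetic is
    still not constant-time; this shows the structure, not a hardened routine."""
    if n == 1:
        return 0
    r0, r1 = 1, a % n
    for bit in bin(m)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r1, r0 = r0 * r1 % n, r0 * r0 % n
    return r0


def operation_count(m):
    """(squarings, multiplies) the left-to-right method spends on exponent m:
    one squaring per bit, one multiply per 1-bit."""
    bits = bin(m)[2:]
    return len(bits), bits.count("1")


if __name__ == "__main__":
    table = []
    print(modexp_rtl(2, 21, 22, table), table)   # 2 [(1, 2), (4, 16), (16, 20)]
    print(modexp_ltr(7, 5, 11), modexp_ltr(3, 129, 11))  # 10 4
    print(operation_count(21))                   # (5, 3)
```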
Some Remarks on RSA

The Hardness of Inverting RSA
- Thus far, the best known way to invert RSA is to first factor n.
- The best running time for a fully proved algorithm is Dixon's random squares algorithm, which runs in time O(e^(√(ln n · ln ln n))).
- In practice, however, other algorithms are used:
  - Let p be the smallest prime divisor of n. The Elliptic Curve Method takes expected time O(e^(√(2 · ln p · ln ln p))), so its cost depends on the size of the smallest factor, not on the size of n.
  - The Quadratic Sieve runs in expected time O(e^(√(ln n · ln ln n))).
- The recommended size for n at the time of these slides was 1024 bits; 2048 bits is now the usual minimum.

Knowledge of φ(n) is equivalent to knowledge of the factorization
- To compute φ(n) from p and q: φ(n) = (p−1)(q−1) = n + 1 − (p + q).
- To compute p and q from φ(n): pq = n and p + q = n + 1 − φ(n). Define 2b = n + 1 − φ(n) (the right-hand side is even since φ(n) is even). Then p and q are the roots of x^2 − 2bx + n = 0, i.e. p, q = b ± √(b^2 − n).

RSA Key Generation
Users of RSA must:
- determine two primes p, q at random; they must be large enough that they cannot be easily derived from the modulus N = p·q; typically one guesses a candidate and applies a probabilistic primality test;
- select either e or d and compute the other; since e and d are inverses mod φ(N), the extended Euclidean (inverse) algorithm computes the other.

RSA Security
Three approaches to attacking RSA:
- brute-force key search (infeasible given the size of the numbers);
- mathematical attacks (based on the difficulty of computing φ(N), i.e. of factoring the modulus N);
- timing attacks (on the running time of decryption).

Factoring Problem
- The mathematical approach takes three forms: factor N = p·q, hence find φ(N) and then d; determine φ(N) directly and find d; find d directly. All three are currently believed to be equivalent to factoring.
- There have been slow improvements over the years: as of August 1999 the best result was a 155-decimal-digit (512-bit) modulus, RSA-155, factored with the GNFS.
- The biggest improvement comes from improved algorithms, cf. the Quadratic Sieve versus the Generalized Number Field Sieve.
- Barring a dramatic breakthrough, 1024+ bit RSA was considered secure when these slides were written; in any case ensure p, q are of similar size and satisfy the other constraints below.

How to Choose p and q
(1) The two primes should not be too close to each other (e.g. one should be a few decimal digits longer than the other). Also, neither p nor q should be too small, because of the Elliptic Curve Method. Reason: n = pq = ((p+q)/2)^2 − ((p−q)/2)^2 = t^2 − s^2. If p and q are close together, s is small and t is an integer only slightly larger than √n. Testing the successive integers t > √n, one soon finds a t such that t^2 − n is a perfect square s^2, at which point p = t + s and q = t − s (Fermat's factoring method).
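The two shortcuts described above, as an added example that is not part of the slides: recovering p and q from n and φ(n) via the quadratic x^2 − 2bx + n = 0, and Fermat's method against a modulus whose primes are too close. The constructed inputs are the textbook modulus 187 = 17 · 11 and two small moduli built here (10007 · 10009, whose primes differ by 2, and 101 · 10007, whose primes are far apart) to show how the step count of Fermat's method changes with the gap.

```python
"""Two cheap attacks on badly chosen RSA parameters (added example):
(1) recover p, q from n and phi(n): knowing phi(n) is as good as factoring;
(2) Fermat's method: factor n = pq quickly when p and q are close together.
"""
from math import isqrt


def phi_from_primes(p, q):
    """phi(n) = (p-1)(q-1) = n + 1 - (p + q) for n = pq."""
    return (p - 1) * (q - 1)


def recover_primes_from_phi(n, phi):
    """Solve x^2 - 2bx + n = 0 with 2b = n + 1 - phi; the roots are p and q."""
    s = n + 1 - phi                      # s = p + q
    if s % 2:
        raise ValueError("p + q must be even for odd primes")
    b = s // 2
    disc = b * b - n                     # ((p - q) / 2)^2
    r = isqrt(disc) if disc >= 0 else -1
    if r < 0 or r * r != disc:
        raise ValueError("phi is not the totient of an n = pq")
    p, q = b + r, b - r
    if p * q != n:
        raise ValueError("inconsistent inputs")
    return p, q


def fermat_factor(n, max_steps=None):
    """Try t = ceil(sqrt(n)), ceil(sqrt(n)) + 1, ... until t^2 - n is a perfect
    square s^2; then n = (t + s)(t - s). Returns (t + s, t - s, steps), or None
    if max_steps is exhausted. steps is about (p + q)/2 - sqrt(n), which is
    tiny when p and q are close and huge when they are not (for a prime n the
    search only ends at the trivial split n * 1)."""
    if n % 2 == 0:
        raise ValueError("Fermat's method needs odd n")
    t = isqrt(n)
    if t * t < n:
        t += 1
    steps = 0
    while max_steps is None or steps < max_steps:
        d = t * t - n
        s = isqrt(d)
        if s * s == d:
            return t + s, t - s, steps
        t += 1
        steps += 1
    return None


if __name__ == "__main__":
    print(recover_primes_from_phi(187, phi_from_primes(17, 11)))  # (17, 11)
    print(fermat_factor(187))                  # (17, 11, 0)
    print(fermat_factor(10007 * 10009))        # (10009, 10007, 0): adjacent primes fall at once
    print(fermat_factor(101 * 10007, 1000))    # None: a wide gap needs thousands of steps
```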
(2) p−1 and q−1 should have a fairly small gcd, and each should have at least one large prime factor.
(3) Of course, if someone discovers a factorization method that works quickly under certain other conditions on p and q, then users of RSA would have to take care to avoid those conditions as well.

Summary
We covered: the principles of public-key cryptography; the RSA algorithm, its implementation and its security.

Chapter 10 – Key Management; Other Public Key Cryptosystems

"No Singhalese, whether man or woman, would venture out of the house without a bunch of keys in his hand, for without such a talisman he would fear that some devil might take advantage of his weak state to slip into his body."
—The Golden Bough, Sir James George Frazer

Key Management
Public-key encryption helps address the key distribution problem in two aspects:
- distribution of public keys;
- use of public-key encryption to distribute secret keys.

Distribution of Public Keys
Four approaches can be used: public announcement; publicly available directory; public-key authority; public-key certificates.

Public Announcement
- Users distribute public keys to recipients or broadcast them to the community at large, e.g. append PGP keys to email messages or post them to newsgroups or mailing lists.
- The major weakness is forgery: anyone can create a key claiming to be someone else and broadcast it, and can masquerade as the claimed user until the forgery is discovered.

Publicly Available Directory
- Greater security is achieved by registering keys with a public directory. The directory must be trusted and has these properties: it contains {name, public-key} entries; participants register securely with it; participants can replace a key at any time; it is periodically published; it can be accessed electronically.
- It is still vulnerable to tampering or forgery, of the directory itself or of the channel to it.

Public-Key Authority
- Further improves security by tightening control over the distribution of keys from the directory; keeps all the properties of the directory.
- Requires users to know the public key of the authority.
- Users interact with the authority to obtain any desired public key securely.
- Does require real-time access to the authority whenever keys are needed.

(Figure: public-key authority protocol.)

Public-Key Certificates
- Certificates allow key exchange without real-time access to the public-key authority.
- A certificate binds an identity to a public key, usually with other information such as period of validity and rights of use, with all contents signed by a trusted public-key or certificate authority (CA).
- It can be verified by anyone who knows the authority's public key.

(Figure: certificate exchange.)

Distribution of Secret Keys using Public-Key Cryptography
- Public-key cryptography can be used for secrecy or authentication, but public-key algorithms are slow, so usually we want to use private-key encryption under a session key to protect message contents.
- There are several alternatives for negotiating a suitable session key.

Simple Secret Key Distribution
- Proposed by Merkle in 1979.
- A generates a new temporary public-key pair and sends B the public key together with A's identity.
- B generates a session key K and sends it to A encrypted under the supplied public key.
- A decrypts the session key and both use it.
- The problem is that an opponent who can intercept the messages can impersonate both halves of the protocol (a man in the middle), since nothing authenticates the temporary public key.
Public-Key Distribution of Secret Keys
If A and B have securely exchanged public keys: (figure: protocol in which A and B use each other's authentic public keys to agree on a session key).

Diffie-Hellman Key Exchange
- The first public-key type scheme, proposed by Diffie & Hellman in 1976 along with their exposition of public-key concepts.
- Note: it is now known that James Ellis (UK CESG) secretly proposed the concept in 1970: http://www.gchq.gov.uk/press_office/ellis.html and http://www.gchq.gov.uk/about/heroes.html
- Practical for public exchange of a secret key; used in a number of commercial products.

Diffie-Hellman Key Exchange
- A public-key distribution scheme: NOT used to exchange an arbitrary message, BUT to establish a common key known only to the two participants.
- The value of the key depends on the participants (their private and public key information).
- Based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial): easy.
- Security relies on the difficulty of computing discrete logarithms (similar to factoring): hard.

Diffie-Hellman Setup
- All users agree on global parameters: a large prime integer (or polynomial) q, and α, a primitive root mod q.
- Each user (e.g. A) generates a key: chooses a secret key (number) x_A < q and computes the public key y_A = α^x_A mod q.
- Each user makes the public key y_A known.

Diffie-Hellman Key Exchange
The shared session key for users A and B is
K_AB = α^(x_A · x_B) mod q = y_A^x_B mod q (which B can compute) = y_B^x_A mod q (which A can compute).
- K_AB is used as the session key in a private-key encryption scheme between Alice and Bob.
- If Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public keys.
- An attacker needs one of the x values, and so must solve a discrete logarithm.

Diffie-Hellman Example
Users Alice and Bob wish to agree on a key:
- Agree on prime q = 353 and α = 3.
- Select random secret keys: A chooses x_A = 97, B chooses x_B = 233.
- Compute public keys: y_A = 3^97 mod 353 = 40 (Alice); y_B = 3^233 mod 353 = 248 (Bob).
- Compute the shared session key: K_AB = y_B^x_A mod 353 = 248^97 mod 353 = 160 (Alice); K_AB = y_A^x_B mod 353 = 40^233 mod 353 = 160 (Bob).

Summary
We have considered: distribution of public keys; public-key distribution of secret keys; Diffie-Hellman key exchange.
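The exchange above run in code with the slides' parameters (q = 353, α = 3, x_A = 97, x_B = 233), as an added example that is not part of the slides. It adds two checks a practitioner wants and the slides leave implicit: that α really is a primitive root mod q, and that a received public value is not one of the degenerate values 0, 1 or q−1. It also runs the man-in-the-middle that both this exchange and Merkle's simple key distribution above are open to when the public values are not authenticated; the attacker's secret x_M = 50 is a constructed value, and all function names are assumptions of this example.

```python
"""Diffie-Hellman key agreement with the slides' parameters, plus the
man-in-the-middle that unauthenticated key exchange cannot detect (added example)."""


def prime_factors(n):
    """Distinct prime factors by trial division (adequate for the toy sizes used here)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(alpha, q):
    """alpha generates Z*_q iff alpha^((q-1)/r) != 1 (mod q) for every prime r dividing q-1."""
    if not 1 < alpha < q:
        return False
    return all(pow(alpha, (q - 1) // r, q) != 1 for r in prime_factors(q - 1))


def dh_public(alpha, q, x):
    """y = alpha^x mod q."""
    return pow(alpha, x, q)


def dh_shared(q, their_public, x):
    """K = y^x mod q. Reject 0, 1 and q-1: they force K into {0, 1, q-1}
    whatever x is, so an attacker who injects them knows the key."""
    if not 1 < their_public < q - 1:
        raise ValueError("degenerate public value")
    return pow(their_public, x, q)


def honest_exchange(alpha, q, x_a, x_b):
    """Returns (y_A, y_B, K computed by Alice, K computed by Bob)."""
    y_a, y_b = dh_public(alpha, q, x_a), dh_public(alpha, q, x_b)
    k_a = dh_shared(q, y_b, x_a)          # Alice: y_B^x_A
    k_b = dh_shared(q, y_a, x_b)          # Bob:   y_A^x_B
    return y_a, y_b, k_a, k_b


def mitm_exchange(alpha, q, x_a, x_b, x_m):
    """Mallory replaces both public values with her own y_M. Neither party can
    tell: Alice ends with K(A, M), Bob with K(B, M), and Mallory holds both,
    decrypting and re-encrypting traffic between them."""
    y_a, y_b = dh_public(alpha, q, x_a), dh_public(alpha, q, x_b)
    y_m = dh_public(alpha, q, x_m)
    k_a = dh_shared(q, y_m, x_a)          # Alice believes y_m came from Bob
    k_b = dh_shared(q, y_m, x_b)          # Bob believes y_m came from Alice
    k_ma = dh_shared(q, y_a, x_m)         # Mallory's key towards Alice
    k_mb = dh_shared(q, y_b, x_m)         # Mallory's key towards Bob
    return k_a, k_b, k_ma, k_mb


if __name__ == "__main__":
    q, alpha = 353, 3
    print(is_primitive_root(alpha, q))            # True
    print(honest_exchange(alpha, q, 97, 233))     # (40, 248, 160, 160)
    print(mitm_exchange(alpha, q, 97, 233, 50))   # k_a == k_ma, k_b == k_mb, k_a != k_b
```

The attack works because nothing binds y_A or y_B to Alice or Bob; this is why deployed protocols sign the exchanged values (as in TLS) or combine the exchange with the certificates described above.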