Introduction to Computer Security: Asymmetric Cryptography
Pavel Laskov, Wilhelm Schickard Institute for Computer Science

How can Alice send a key to Bob over an insecure channel? Idea: Instead of sending a key from one party to another, both parties should work out a key in a series of secure transactions.

Key distribution problem

[Figure: Alice encrypts the plaintext "I love you" with a shared key ("any valid key") into the ciphertext "C ywoy cih"; Bob decrypts it with the same shared key.]

How can Alice send a key to Bob over an insecure channel?

Idea: Instead of sending a key from one party to another, both parties should work out a key in a series of secure transactions. Enter group theory...

Definition of a group

A group is a set G equipped with a binary operation ◦ such that the following properties hold:
1. Closure: ∀g, h ∈ G, g ◦ h ∈ G.
2. Existence of identity: there exists an identity element e ∈ G such that ∀g ∈ G, e ◦ g = g ◦ e = g.
3. Existence of inverses: ∀g ∈ G there exists an inverse element h ∈ G such that h ◦ g = g ◦ h = e.
4. Associativity: $(g_1 \circ g_2) \circ g_3 = g_1 \circ (g_2 \circ g_3)$.

Finite and abelian groups

A group is called finite if it has a finite number of elements. The number of elements in a group |G| is called the order of the group. A group is called abelian if, in addition to the four basic properties, the commutativity property holds: g ◦ h = h ◦ g.

Subgroups

If G is a group, a set H is a subgroup of G if H itself forms a group under the same operation ◦ associated with G.

Examples of groups

The set of integers $\mathbb{Z}$ is an abelian group under addition.
The set of integers $\mathbb{Z}$ is not a group under multiplication.
The set of real numbers $\mathbb{R}$ is not a group under multiplication (0 has no inverse).
The set of non-zero real numbers $\mathbb{R} \setminus \{0\}$ is an abelian group under multiplication.
For any $N \ge 2$, the set $\mathbb{Z}_N = \{0, 1, \ldots, N-1\}$ is an abelian group of order N under addition modulo N.


Group exponentiation

Group exponentiation is a repeated application of the group operation:

$$g^m \stackrel{\text{def}}{=} \underbrace{g \circ \ldots \circ g}_{m \text{ times}}$$

Some useful properties of exponentiation for finite groups G of order m:
For any element g ∈ G, $g^m = 1$.
For any element g ∈ G and any integer i, $g^i = g^{[i \bmod m]}$.

Example: How much is $152 \cdot 11 \bmod 15$? (In $\mathbb{Z}_{15}$ under addition the "exponentiation" $g^i$ is the repeated sum $i \cdot g$, so this is $11^{152}$ in that group.)

$$152 \cdot 11 = [152 \bmod 15] \cdot 11 = 2 \cdot 11 = 11 + 11 = 22 = 7 \bmod 15$$


Element order

We saw that, for a group of order m, applying the group operation m times always produces the identity element. But can this happen for some i < m? Consider, for some element g ∈ G, the sequence

$$\langle g \rangle = \{g^0, g^1, \ldots\}$$

Let k be the smallest i with $1 \le i \le m$ such that $g^i = 1$. Then
k is called the order of the element g, and
$\langle g \rangle = \{g^0, g^1, \ldots, g^{k-1}\}$ is a finite subgroup of G.


Group generator and cyclic groups

We saw that the element order k determines the "wrap-around period" of exponentiation. Does there exist an element g whose order is equal to m, the group order?

An element g of order m is called a generator for a group G of order m. A group which has a generator is called cyclic.

Examples of cyclic groups

$\mathbb{Z}_N$ is cyclic for any N > 1. $\mathbb{Z}_{15}$ is cyclic but has multiple generators, e.g.,

$$\langle 2 \rangle = \{0, 2, 4, \ldots, 14, 1, 3, 5, \ldots, 13\}$$

Some other elements of $\mathbb{Z}_{15}$ have orders less than 15, e.g.,

$$\langle 10 \rangle = \{0, 10, 5\}$$

$\mathbb{Z}_p^*$ is cyclic for any prime p.
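The subgroups ⟨2⟩ and ⟨10⟩ of $\mathbb{Z}_{15}$ above, computed by repeated application of the group operation, as an added example that is not part of the lecture; the element order and generator search also run on a constructed toy instance of $\mathbb{Z}_p^*$ (p = 11), and the function names are the example's own.

```python
# Added example, not from the lecture slides: enumerate the subgroup <g> generated
# by an element, its order, and the generators of two groups named on the slide,
# Z_15 under addition mod 15 and Z_p^* under multiplication mod p (toy p = 11).

def generated_subgroup(g, op, identity):
    """Return [g^0, g^1, ..., g^(k-1)], where k is the order of g.
    g^i is i applications of op to g, starting from the identity (g^0 = identity)."""
    elems = [identity]
    cur = op(identity, g)
    while cur != identity:
        elems.append(cur)
        cur = op(cur, g)
    return elems

def element_order(g, op, identity):
    """The smallest k >= 1 with g^k = identity."""
    return len(generated_subgroup(g, op, identity))

def generators(group, op, identity):
    """Elements whose order equals |group|; the list is empty iff the group is not cyclic."""
    return [g for g in group if element_order(g, op, identity) == len(group)]

# Z_15 under addition: identity 0, so "g^i" is the sum g + ... + g (i terms) mod 15.
Z15 = list(range(15))
def add15(a, b):
    return (a + b) % 15

# Z_p^* = {1, ..., p-1} under multiplication mod p: identity 1.
P = 11
Zp_star = list(range(1, P))
def mul_mod_p(a, b):
    return (a * b) % P

if __name__ == "__main__":
    print("<2> in Z_15 =", generated_subgroup(2, add15, 0))
    print("<10> in Z_15 =", generated_subgroup(10, add15, 0))
    print("generators of Z_15:", generators(Z15, add15, 0))
    print("generators of Z_11^*:", generators(Zp_star, mul_mod_p, 1))
```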


Discrete logarithm (DL)

If G is a cyclic group of order m with a generator g, then

$$\langle g \rangle = \{g^0, g^1, \ldots, g^{m-1}\} = G.$$

Equivalently, for every h ∈ G there is a unique $x \in \mathbb{Z}_m$ such that $g^x = h$, called the discrete logarithm of h.

Good news / bad news: While computing the exponentiation in most groups is easy (polylogarithmic in m, how?), there exist groups for which computing discrete logarithms is believed to be hard (no efficient solutions are known).


Brute force computation of DL

Let G be a group of order m. For each $x \in \{0, 1, \ldots, m-1\}$, compute $g^x$ and compare it with h. Output x if equality is found.

Complexity analysis. Each exponentiation takes $O(\log_2 m)$, hence the overall complexity is $O(m \log m)$.

The catch. Usually, m is so large that such numbers cannot be considered constant but rather an exponential function of the number of bits: $m = 2^k$. Then $O(m \log m)$ becomes $O(k \cdot 2^k)$.
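Both halves of the good news / bad news slide, as an added example that is not part of the lecture: the "polylogarithmic" exponentiation is square-and-multiply, counted in group operations, and the brute-force search above is run in a constructed toy $\mathbb{Z}_p^*$. Function names and parameters are the example's own.

```python
# Added example, not from the slides: the two sides of the "good news / bad news"
# slide, worked in Z_p^*. Exponentiation by square-and-multiply needs O(log m)
# group operations; the brute-force discrete logarithm of this slide needs up to
# m exponentiations, m = p - 1 = |Z_p^*|. Parameters below are constructed toys.

def square_and_multiply(g, x, p):
    """Compute g^x mod p by scanning the bits of x from least to most significant:
    one squaring per bit plus one multiplication per set bit.
    Returns (g^x mod p, number of group operations performed)."""
    result, base, ops = 1, g % p, 0
    while x > 0:
        if x & 1:
            result = (result * base) % p
            ops += 1
        base = (base * base) % p
        ops += 1
        x >>= 1
    return result, ops

def brute_force_dlog(g, h, p):
    """The slide's algorithm: for x = 0, 1, ..., m-1 compute g^x and compare with h.
    Returns (x, exponentiations performed), or (None, m) if h is not in <g>."""
    m = p - 1
    h %= p
    for x in range(m):
        if square_and_multiply(g, x, p)[0] == h:
            return x, x + 1
    return None, m

if __name__ == "__main__":
    p = 1_000_003                     # constructed toy prime, m = p - 1
    value, ops = square_and_multiply(3, 123_456_789, p)
    print("3^123456789 mod p =", value, "using", ops, "group operations")
    x, tried = brute_force_dlog(2, 9, 11)
    print("log_2(9) in Z_11^* =", x, "after", tried, "exponentiations")
```

The operation count stays below twice the bit length of the exponent, while the search below runs through up to m = p - 1 candidates, which is the exponential gap the catch describes.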


Diffie-Hellman key exchange

How can Alice and Bob compute a key K using group theory?
1. Agree on a cyclic group G with a generator g.
2. Choose random numbers x (Alice) and y (Bob) from G.
3. Compute $X = g^x$ (Alice) and $Y = g^y$ (Bob).
4. Transmit X and Y to each other.
5. Compute $Y^x = g^{yx}$ (Alice) and $X^y = g^{xy}$ (Bob). These are the same, hence they can use $g^{xy}$ as a key!

An attacker only sees $g^x$ and $g^y$, but can compute neither x nor y, and hence also not $g^{xy}$. For finite groups, $g^x \cdot g^y \neq g^{xy}$.
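The five steps above carried out in $\mathbb{Z}_p^*$, as an added example that is not part of the lecture: it checks that g really generates the group, that both sides arrive at the same key, and that the product of the transmitted values is $g^{x+y}$ rather than $g^{xy}$. The parameters p = 23, g = 5 are constructed toys and the function names are the example's own.

```python
import secrets

# Added example, not the lecture's own code: the five-step exchange in Z_p^* with
# constructed toy parameters p = 23 and g = 5 (|Z_23^*| = 22 = 2 * 11, and 5
# generates it). Real deployments use p of at least 2048 bits.
P, G = 23, 5
ORDER_FACTORS = (2, 11)     # prime factors of m = p - 1, used to check that g is a generator

def is_generator(g, p, order_factors):
    """g generates Z_p^* iff g^((p-1)/q) != 1 for every prime q dividing p - 1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in order_factors)

def dh_keypair(p=P, g=G):
    """Steps 2-3: secret exponent x and public value X = g^x.
    x is drawn from {1, ..., p-2}: the exponent set Z_m minus 0, since x = 0 gives X = 1."""
    x = 1 + secrets.randbelow(p - 2)
    return x, pow(g, x, p)

def dh_shared(secret, peer_public, p=P):
    """Step 5: Y^x on Alice's side, X^y on Bob's side."""
    return pow(peer_public, secret, p)

def run_exchange(p=P, g=G):
    """Run the exchange and return (X, Y, Alice's key, Bob's key)."""
    x, X = dh_keypair(p, g)       # Alice
    y, Y = dh_keypair(p, g)       # Bob
    return X, Y, dh_shared(x, Y, p), dh_shared(y, X, p)

def product_of_publics(X, Y, p=P):
    """What can be formed from the transmitted values alone:
    g^x * g^y = g^(x+y), which in a finite group differs from g^(xy)."""
    return (X * Y) % p

if __name__ == "__main__":
    assert is_generator(G, P, ORDER_FACTORS)
    X, Y, k_alice, k_bob = run_exchange()
    print("X =", X, "Y =", Y, "Alice:", k_alice, "Bob:", k_bob, "X*Y:", product_of_publics(X, Y))
```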


Scalability of key exchange

[Figure: four parties, Alice, Bob, Cathy and Dan, with a separate key exchanged between every pair.]

Quadratic growth of the number of keys: for n parties, n(n − 1) keys must be generated. Can the problem be solved with a linear number of keys?

Asymmetric cryptography

[Figure: Bob holds a specially generated keypair (Bob's public key, Bob's private key). Alice encrypts the plaintext "I love you" with Bob's public key into the ciphertext "C ywoy cih"; Bob decrypts it with his private key.]

Prime numbers

An integer p is a prime number if its only divisors are ±1 and ±p.

A positive integer c is said to be the greatest common divisor of a and b if (i) c is a divisor of a and of b, and (ii) any divisor of a and of b is a divisor of c.

Integers a and b are said to be relatively prime if

$$\gcd(a, b) = 1.$$

Euler's totient function

The totient φ(n) of an integer n is the number of positive integers less than n that are relatively prime to n. Example:

$$\varphi(9) = 6: \quad \{1, 2, 4, 5, 7, 8\}$$

Two integers a and b are congruent modulo n, written as $a \equiv b \bmod n$, if

$$(a \bmod n) = (b \bmod n)$$

Euler's Theorem: If a and n are relatively prime, then

$$a^{\varphi(n)} \equiv 1 \bmod n.$$

RSA overview

Alice sends her love message to Bob via RSA:
1. Bob generates a keypair Ku / Kr.
2. Bob sends Ku to Alice.
3. Alice encrypts the plaintext M with Ku.
4. Alice sends the ciphertext C to Bob.
5. Bob decrypts C with Kr.

RSA key generation

Step 1: Select p, q. Condition: p, q prime, p ≠ q.
Step 2: Compute n = p × q.
Step 3: Compute φ(n) = (p − 1)(q − 1).
Step 4: Select 1 < e < φ(n). Condition: gcd(φ(n), e) = 1.
Step 5: Compute d. Condition: (de) mod φ(n) = 1. (∗)
Public key: Ku = {e, n}
Private key: Kr = {d, n}
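The key-generation steps above, together with the totient and Euler's theorem from the earlier slide, as an added example that is not part of the lecture: φ(n) from the slide's formula is checked against the counting definition, and d for condition (∗) is obtained with the extended Euclidean algorithm. Encryption $C = M^e \bmod n$ and decryption $M = C^d \bmod n$ are the standard RSA operations; the primes 61 and 53 are constructed toys and the function names are the example's own.

```python
from math import gcd

# Added example, not the lecture's own code: RSA key generation following the table
# above, with phi(n) checked against the counting definition of the totient and
# d computed by the extended Euclidean algorithm (condition (*): (d*e) mod phi(n) = 1).
# Encryption C = M^e mod n and decryption M = C^d mod n use the keys Ku = {e, n},
# Kr = {d, n}. The primes below are constructed toys; real keys use ~1024-bit primes.

def phi_by_counting(n):
    """Euler's totient by definition: integers k with 1 <= k < n and gcd(k, n) = 1."""
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)

def modular_inverse(e, m):
    """Extended Euclid on (e, m): returns d with (d * e) mod m = 1.
    Raises ValueError if gcd(e, m) != 1, i.e. when no such d exists."""
    old_r, r = e, m
    old_s, s = 1, 0          # invariant: old_s * e == old_r (mod m)
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("e and phi(n) are not relatively prime")
    return old_s % m

def rsa_keygen(p, q, e):
    """Steps of the slide: n = p*q, phi(n) = (p-1)(q-1), check gcd(phi(n), e) = 1,
    d = e^-1 mod phi(n). Returns (Ku, Kr) as dicts."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi) or gcd(phi, e) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(phi(n), e) = 1")
    d = modular_inverse(e, phi)
    return {"e": e, "n": n}, {"d": d, "n": n}

def rsa_encrypt(m, ku):
    return pow(m, ku["e"], ku["n"])

def rsa_decrypt(c, kr):
    return pow(c, kr["d"], kr["n"])

if __name__ == "__main__":
    ku, kr = rsa_keygen(61, 53, 17)
    c = rsa_encrypt(65, ku)
    print("Ku =", ku, "Kr =", kr, "C =", c, "M =", rsa_decrypt(c, kr))
```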

RSA encryption and decryption

Encryption: Plaintext: Ciphertext:

M