Public Key Cryptography

What kind of security? Relies on computational security. It means that the cryptanalyst must deploy more computational effort to recover the plaintext than its life expectancy. This gives challenges for breaking RSA keys:

• of 140 digits (463 bits, in 1999): 2000 MIPS-years
• of 155 digits (512 bits, in 1999): 8000 MIPS-years
• of 232 digits (768 bits, in 2010)

http://infoscience.epfl.ch/record/173017/files/hetero.pdf

https://en.wikipedia.org/wiki/RSA_numbers

Public Keys

Invented recently by Diffie and Hellman [3]: "We stand today on the brink of a revolution in cryptography." Bright idea: asymmetric; enciphering ≠ deciphering. Encipher by means of a public key. Decipher by means of a private key. Useful to solve the key distribution problem!

Kerckhoffs' principle (1883) is still useful: the security of an algorithm must not depend upon the secrecy of the algorithm but only upon the secrecy of the key.
http://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

One-way function

Let M and C be two sets, f : M → C, and f(M) the image of M by f. f is one-way if
1. ∀x ∈ M, the computation of f(x) is easy (f is poly-time computable), and
2. it is hard to find, for most y ∈ f(M), an x ∈ M such that f(x) = y (this problem must be difficult [5, 7, 2]).

With only point 2, the deciphering problem is as hard as the cryptanalysis problem. We need to add another notion to allow decipherment and render the cryptanalyst's life as hard as possible.

→ Trapdoor.

Trapdoor one-way function

f : M → C is a trapdoor function if it is one-way and computing in the reverse direction is easy provided we have a private piece of information, the trapdoor, which allows constructing g such that g ∘ f = Id. It is easy to compute the image by f but computationally hard to invert f without knowing g. Constructing pairs (f, g) must be easy. The publication of f should not reveal anything about g. Idea: use two different algorithms, f to encipher and g to decipher.

1st PKC, 1978: RSA. Rivest, Shamir and Adleman were
• seeking a contradiction in the idea of public key
• successful in finding the contrary, and obtained the Turing Award in 2002!

http://amturing.acm.org/lectures.cfm

Almost at the same time, Hellman and one of his students, Merkle, proposed another PKC.

Merkle-Hellman

A problem is computationally hard if there is no deterministic algorithm to find a solution. NP-complete problems [4] are good candidates. Merkle and Hellman chose SSP (the subset sum problem):
Data: an n-tuple of distinct integers A = (a1, ..., an) and an integer k.
Question: is there a subset of A whose elements sum up to k?
Example: for A = (43, 129, 215, 473, 903, 302, 561, 1165, 697, 1523) and k = 3231, 3231 = 129 + 473 + 903 + 561 + 1165 is a solution.

Finding a solution: test the sum of each possible subset and find which ones sum up to k. In the example, this means testing 2^10 subsets. Merkle-Hellman's argument: if this bound is not enough, take an n-tuple with hundreds of integers. For instance, for n = 300 and with a 1 Mflops machine, it would require 6.4·10^76 years of computation!

One-way function

∀x ∈ ℕ, 0 ≤ x ≤ 2^n − 1, let B_x be its n-bit binary representation. f(x) is the inner product between A (of dimension n) and B_x (of dimension n): f(x) = ⟨A, B_x⟩. Thus
f(1) = f(0...01) = a_n
f(2) = f(0...10) = a_{n−1}
f(3) = f(0...11) = a_n + a_{n−1}
...
For instance, f(364) = f(0101101100) = 129 + 473 + 903 + 561 + 1165 = 3231.

Transformation into a trapdoor OWF

But... Bob must solve SSP for deciphering! Consider easy knapsack problems for which the elements of A form a super-increasing sequence, i.e. ∀j, 1 < j ≤ n, Σ_{i=1}^{j−1} a_i < a_j.

Traverse A from the greatest element to the smallest: given k, we test whether k ≥ a_n. If k < a_n, a_n is not in the sum and we consider the next element a_{n−1}. If k ≥ a_n, a_n is in the sum, and we next test whether k_1 = k − a_n ≥ a_{n−1}, ... We stop when a_1 is reached, which also provides uniqueness of the solution. But, when publishing A, deciphering becomes as easy as enciphering!

Operation mode

f is applied on blocks of n bits, a sequence of bits in the plaintext. For example, if we encode a by 1 = 00001, ..., z by 26 = 11010, we would have on the plaintext "sauna and health":

sa un a an d he al th → (2942 3584 903 3326 215 2817 2629 819)

Finding x when only f(x) is given is as hard as solving SSP, a computationally hard problem. f is a good candidate for being one-way provided n is sufficiently large.

Perturbation

Choose a modulus m ≫ Σ_{i=1}^{n} a_i. Choose a multiplier t with gcd(t, m) = 1 (invertible). Compute b_i ≡ a_i × t mod m, ∀i, 1 ≤ i ≤ n → new n-tuple B: the public key.

Example
A = (1, 3, 5, 11, 21, 44, 87, 175, 349, 701), m = 1590, t = 43. We get t^{-1} = 37 mod m.
B = (43, 129, 215, 473, 903, 302, 561, 1165, 697, 1523).
t, t^{-1} and m are the trapdoor information. Encipher p: ⟨B, p⟩ = c'.

Decipher

Bob knows t, t^{-1}, m and can recover A from B. Having received c' ∈ ℕ, compute t^{-1} c' ≡ c mod m and solve SSP on A and c. The solution defines a unique sequence p of n bits; it's a plaintext block.

Every solution p' of SSP on B and c' is identical with p:
c ≡ t^{-1} c' ≡ t^{-1} ⟨B, p'⟩ ≡ t^{-1} t ⟨A, p'⟩ ≡ ⟨A, p'⟩ mod m.
Observe that ⟨A, p'⟩ < m since m > Σ_{i=1}^{n} a_i, thus implying that the above congruence relation simplifies to c = ⟨A, p'⟩. Since the problem defined by A and c cannot have several solutions, we have p = p'.

Example
Decipher (2942, 3584, 903, 3326, 215, 2817, 2629, 819). Multiplying by t^{-1} = 37 mod m = 1590 leads to (734, 638, 21, 632, 4, 879, 283, 93).
Decipher 734 with A = (1, 3, 5, 11, 21, 44, 87, 175, 349, 701):
734 > 701, the bit number 10 of p is 1; recurse with 734 − 701 = 33
33 > 21, the bit number 6 is 1 and we recurse with 33 − 21 = 12
12 > 11, bit 7 is 1 and we recurse with 12 − 11 = 1
1 = 1, bit 10 is 1 and we're done.
Then p = 10011 00001, which decodes to the block of two letters "sa".
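The whole Merkle-Hellman round trip above (super-increasing A, perturbation by t and m, greedy SSP decipherment) on the slides' toy parameters, as an added example that is not part of the original slides; the helper names are my own, the 5-bit letter encoding and the two-letter blocks are the slides' (Python 3.8+ for the modular inverse).

```python
from math import gcd

# Toy parameters from the slides (constructed example; helper names are my own)
A = (1, 3, 5, 11, 21, 44, 87, 175, 349, 701)   # private super-increasing knapsack
M, T = 1590, 43                                  # modulus m and multiplier t

def is_super_increasing(seq):
    return all(sum(seq[:j]) < seq[j] for j in range(1, len(seq)))

def public_key(a, m, t):
    """B = t*A mod m; the checks are the conditions the slides put on A, m and t."""
    assert is_super_increasing(a) and m > sum(a) and gcd(t, m) == 1
    return tuple(x * t % m for x in a)

def encode_block(letters):
    """Two letters -> 10 bits, a=1 ... z=26 on 5 bits; a missing letter is 00000."""
    bits = []
    for ch in letters.ljust(2):
        code = 0 if ch == " " else ord(ch) - ord("a") + 1
        bits += [int(b) for b in format(code, "05b")]
    return bits

def decode_block(bits):
    out = ""
    for i in (0, 5):
        code = int("".join(map(str, bits[i:i + 5])), 2)
        out += chr(ord("a") + code - 1) if code else ""
    return out

def encipher(b, bits):
    return sum(bi * pi for bi, pi in zip(b, bits))   # c' = <B, p>

def solve_super_increasing(a, k):
    """Greedy SSP, largest element first; None if k is not a reachable sum."""
    bits = [0] * len(a)
    for i in range(len(a) - 1, -1, -1):
        if k >= a[i]:
            bits[i], k = 1, k - a[i]
    return bits if k == 0 else None

def decipher(a, m, t, c_prime):
    c = pow(t, -1, m) * c_prime % m     # c = t^{-1} c' mod m (Python 3.8+ inverse)
    return solve_super_increasing(a, c)

B = public_key(A, M, T)                 # (43, 129, 215, ..., 1523) as on the slides
```

Note that the greedy step returns None for a value that is not the image of any block, so a corrupted ciphertext is detected rather than silently decoded.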

Fruitful attacks

• 1978, Herlestam, "Critical remarks on some public-key cryptosystems": a single bit of the ciphertext can be revealed.
• 1979, Shamir, STOC: cryptanalysis in certain circumstances [7].
• Shamir and Zippel find flaws in the transformation, which reconstructs the super-increasing sequence from the PK.
• 1982, Adleman shows a successful attack against the knapsack with the help of an Apple II [1].
• Finally, a nice attack was proposed in 1990 by [6] using the LLL algorithm.

Rivest, Shamir, Adleman (1978)

Relies on the hardness of factoring an integer and on the hardness of deciding whether an integer is prime. For instance, is 1829 prime? No: given 31 and 59, their product equals 1829, but finding the factors is hard since we do not even know how many factors we need.

Or, is 7919 composite? No, but the primality certificate is hard to exhibit.

Some maths

Euler totient function of n ∈ ℕ, φ(n): counts how many integers from [[1, n]] are coprime with n. φ(1) = 1 and if p is prime, φ(p) = p − 1.
φ(n) = card{j ∈ {1, ..., n} : gcd(j, n) = 1}
Computation: factor n as n = Π_{p|n, p prime} p^{α_p}; then
φ(n) = Π_{p|n, p prime} (p^{α_p} − p^{α_p − 1}) = n Π_{p|n} (1 − 1/p).
Example: φ(12) = (4 − 2)(3 − 1) = 12(1 − 1/2)(1 − 1/3) = 4.

Theorem (Fermat-Euler)
m^{φ(n)} ≡ 1 mod n if gcd(m, n) = 1.

By hand
17^73 mod 100, with 73 = ⟨1001001⟩ in binary:

i   b_i   17^(2^i)          value mod 100
0   1     17                17
1   0     17^2 = 289        89
2   0     89^2 = 7921       21
3   1     21^2 = 441        41
4   0     41^2 = 1681       81
5   0     81^2 = 6561       61
6   1     61^2 = 3721       21

and 17^73 mod 100 = 17 · 17^8 · 17^64 = 17 · 41 · 21 mod 100 = 37.

Compute a^b mod n

Binary representation of b: b = Σ_{i=0}^{k} b_i 2^i, written ⟨b_k, b_{k−1}, ..., b_0⟩. The slides' pseudocode (c, d ← 0, 1; for i from k down to 0: c ← 2c, d ← d·d mod n; if b_i = 1 then c ← c + 1, d ← d·a mod n; return d), made runnable:

```python
def modular_exponentiation(a, b, n):
    """Square-and-multiply, scanning the bits of b from the most significant one.
    Invariant after each step: d == a**c % n, where c is the prefix of b read so far
    (c is only kept to make that invariant visible; d is the result)."""
    c, d = 0, 1
    for bit in bin(b)[2:]:          # <b_k, b_{k-1}, ..., b_0>, i = k down to 0
        c, d = 2 * c, (d * d) % n   # shift the prefix, square
        if bit == "1":
            c, d = c + 1, (d * a) % n   # append the 1 bit, multiply
    return d
```

RSA cipher

1. choose p, q primes, relatively large (approx. 10^100)
2. compute n = pq and publish n
3. compute φ(n) = (p − 1)(q − 1)
4. publish e such that gcd(e, φ(n)) = 1 (public key, encipher)
5. compute d such that d·e ≡ 1 mod φ(n) (private key, decipher)

Encipher: E : M ↦ M^e mod n. Decipher: D : C ↦ C^d mod n (d is the trapdoor). Implementations: software, hardware or mixed. On dedicated hardware, RSA is 1000 times slower than DES.

Attack on the parameters

Sieve of Eratosthenes
Divide n by all odd numbers between 3 and ⌊√n⌋. Efficient for n < 10^12 and known since ancient times. The sieve of Eratosthenes runs in time O(√n). It's not polynomial! The time complexity is not polynomial in the length of the input: it is pseudo-polynomial. In addition, in the case of RSA, the modulus n has no small prime factors.

Cycles
Eve observes c = m^e mod n; she tries to find ν such that c^{e^ν} ≡ c mod n ⇔ e^ν ≡ 1 mod φ(n), allowing her to find m ≡ c^{e^{ν−1}} mod n. Since c^{e^ν} ≡ c mod n, c^{e^ν − 1} ≡ 1 mod n and, by Euler-Fermat, one gets e^ν − 1 ≡ 0 mod φ(n) ⇔ e^ν ≡ 1 mod φ(n). Since c = m^e mod n and de ≡ 1 mod φ(n), we can take the value d = e^{ν−1} to decipher.

Example: Alice publishes her public parameters e and n, 17 and 143. Eve sniffs c = 19, a message to Alice, and computes:

i          2    3    4
c^(e^i)    84   28   19

Eve just has to read m for i = 3, thus 28.

Attack when φ(n) is known

Given (n, φ(n)) allows finding the factorization of n [5]. Let n = pq and q = n/p. We have φ(n) = (p − 1)(q − 1), hence
φ(n) − (p − 1)(n/p − 1) = 0 ⇔ p^2 + p(φ(n) − n − 1) + n = 0,
an equation of degree two with solutions p and q. Thus, computing φ(n) is as hard as factoring n.

Example: n = p·q = 133 and φ(n) = 108.
φ(n) − (p − 1)(n/p − 1) = 0 ⇔ p^2 + p(φ(n) − n − 1) + n = p^2 + p(108 − 133 − 1) + 133 = 0 ⇔ p^2 − 26p + 133 = 0,
with Δ = (−26)^2 − 4·133 = 144 = 12^2 and solutions p = (26 ± 12)/2 = {19, 7}.

Security
RSA is as secure as factoring n is hard. Time complexity of some good factoring algorithms:
• quadratic sieve: O(e^{(1+o(1))√(log n log log n)})
• elliptic curves: O(e^{(1+o(1))√(2 log p log log p)}) (p: smallest prime factor of n)
• algebraic sieve: O(e^{(1.92+o(1))(log n)^{1/3}(log log n)^{2/3}})
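The two parameter attacks above, the cycling attack (e = 17, n = 143, c = 19) and factoring from a known φ(n) (n = 133, φ(n) = 108), as an added example that is not part of the original slides; function names are my own, and the cycle closes after four steps only because the toy modulus has a tiny φ(n) (Python 3.8+ for the modular inverse).

```python
from math import isqrt

# Added example; toy values are the slides' (n = 143, e = 17, c = 19 and n = 133, phi = 108).
def rsa_keygen(p, q, e):
    """Steps 2-5 of the slides: n, public e and private d = e^{-1} mod phi(n)."""
    phi = (p - 1) * (q - 1)
    return p * q, e, pow(e, -1, phi)            # Python 3.8+ modular inverse

def cycle_attack(c, e, n, max_iter=100_000):
    """Re-encipher c until it comes back: c^(e^nu) == c.  The value seen one step
    earlier is c^(e^(nu-1)) == m, so Eve recovers m without knowing phi(n).
    Returns (nu, m), or None if no cycle shows up within max_iter steps."""
    prev, cur = c, pow(c, e, n)
    for nu in range(1, max_iter + 1):
        if cur == c:
            return nu, prev
        prev, cur = cur, pow(cur, e, n)
    return None

def factor_from_phi(n, phi):
    """The roots of p^2 + p(phi - n - 1) + n = 0 are p and q when n = pq."""
    b = phi - n - 1
    disc = b * b - 4 * n
    r = isqrt(disc) if disc >= 0 else -1
    if r < 0 or r * r != disc or (r - b) % 2:
        return None                              # phi is not phi(pq) for this n
    p, q = (-b - r) // 2, (-b + r) // 2
    return (p, q) if p * q == n else None
```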

Man in the middle

In the transmission of the public keys:
• Bob (client) asks Alice (server) for her public parameters
• Alice sends e_S, n_S to Bob
• Melchior intercepts e_S, n_S and replaces them by his own values e_M, n_M
• Bob enciphers by using e_M, n_M and sends c
• Melchior intercepts c and deciphers it into secret
• Melchior enciphers secret with Alice's parameters e_S, n_S and transmits it to Alice...

[Figure: Client (Bob) – Melchior (e_M, n_M) – Serveur (Alice, e_S, n_S). Bob receives e_M, n_M in place of e_S, n_S and sends secret^{e_M} mod n_M; Melchior forwards secret^{e_S} mod n_S.]

Bob should have checked that the data were coming from Alice (lack of authentication).

Another hard problem

The discrete log problem. Find the discrete log of y in basis g.
Instance: g, y elements of a finite group G.
Question: find x such that g^x ≡ y in G or, for a big prime p and g a generator of G = Z*_p, g^x ≡ y mod p and x = log_g(y) mod (p − 1).

Let G = Z*_7, a cyclic group. For the discrete logarithm in basis 2, only 1, 2 and 4 have a discrete log. In basis g = 3, we have:

number y     1  2  3  4  5  6
logarithm    6  2  1  4  5  3

For instance, for number 1 and log 6: this means that log_3 1 = 6, which can be checked with 3^6 mod 7 = 1.

Computing the discrete log

Becomes hard when the cardinal of G grows. Algorithm for computing the discrete log: Shanks' algorithm applies to every finite group G. Its time complexity is O(√|G| log |G|) and its space complexity is O(√|G|). Idea: construct two lists of powers of g, with n = |G|:
• baby steps: {g^i : i = 0..⌈√n⌉ − 1}
• giant steps: {y · g^{−j⌈√n⌉} : j = 0..⌈√n⌉}.
Then find a common term in the two lists: g^{i0} = y · g^{−j0⌈√n⌉} and m = i0 + j0⌈√n⌉.

Example
In Z*_113 = ⟨3⟩ of order n = 112, r = ⌈√n⌉ = 11. We search the discrete log of y = 57 in basis g = 3.
Unordered list of baby steps by (exponent, value): B = {(0, 1), (1, 3), (2, 9), (3, 27), (4, 81), (5, 17), (6, 51), (7, 40), (8, 7), (9, 21), (10, 63)}
Unordered list of giant steps by (exponent, value): L = {(0, 57), (1, 29), (2, 100), (3, 37), (4, 112), (5, 55), (6, 26), (7, 39), (8, 2), (9, 3), (10, 61), (11, 35)}
3 is common to both lists. It has been generated for i0 = 1 in the list B and for j0 = 9 in the list L. The value of the discrete log is x = i0 + r·j0 = 100. Verification: we compute g^x mod 113 = 57.
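Shanks' baby-step giant-step as described above, run on the slides' instance (Z*_113 = ⟨3⟩, y = 57) and on the Z*_7 table, as an added example that is not part of the original slides; function names are my own. It also covers the case the slides mention for basis 2 in Z*_7, where y has no logarithm and the search must report failure (Python 3.8+ for the modular inverse).

```python
from math import isqrt

# Added example (not from the slides); names are mine.  Instance from the slides:
# G = Z*_113 = <3> of order 112, y = 57.

def baby_steps(g, p, r):
    """(i, g^i mod p) for i = 0 .. r-1."""
    return [(i, pow(g, i, p)) for i in range(r)]

def giant_steps(g, y, p, r):
    """(j, y * g^{-jr} mod p) for j = 0 .. r."""
    inv = pow(g, -r, p)                       # g^{-r}, Python 3.8+ modular inverse
    return [(j, y * pow(inv, j, p) % p) for j in range(r + 1)]

def shanks(g, y, p, order):
    """x = log_g(y) in Z*_p, reduced mod the group order (so log_3 1 = 6 = 0 in Z*_7),
    or None if y is not a power of g (e.g. y = 3 in basis 2 in Z*_7)."""
    r = isqrt(order - 1) + 1                  # r = ceil(sqrt(order))
    table = {}
    for i, v in baby_steps(g, p, r):
        table.setdefault(v, i)                # keep the smallest exponent per value
    for j, v in giant_steps(g, y, p, r):
        if v in table:                        # g^i == y g^{-jr}  =>  y == g^{i + jr}
            return (table[v] + j * r) % order
    return None
```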

Signatures

Notion introduced in the Diffie and Hellman seminal paper [3]. Goal of the signatures: prove the sender's identity and provide integrity of the message. The signature depends upon the sender's identity and on the message contents. Must counter two kinds of fraud:
• change the origin of the message (sender's identity)
• message modification

Other objectives of PKC
• secrecy
• authentication: proof of origin, authenticity
• identification: electronic proof of one's own identity
• integrity: guarantee that there was no modification
• non-repudiation: a service that provides proof of the integrity and origin of data.

Other cryptographic techniques are required
• signature: the way to associate the sender to a message
• certificate: guarantees the relation (identity, PK)
• trusted third party: authority who delivers certificates
• timestamps: append timestamps to grant uniqueness of the message.

Requirements for sig(M)
• easy to compute by the sender for every message M
• the recipient must be able to check the signature
• a third party must be able to check the signature
• the signature must be hard to forge
• the sender should not be able to say that his signature was forged

General mechanism for signatures
• a private algorithm for signing, denoted sig, which, given a fixed key SK, returns a signature S for the plaintext M: sig_SK(M) = S;
• a verification algorithm ver which, given a fixed key PK and for every pair plaintext/signature (M, S), checks if the signature corresponds to the plaintext:
  ver_PK(M, S) = true if S = sig_SK(M), false if S ≠ sig_SK(M).

RSA allows ensuring secrecy and authentication
How can Bob send an authenticated secret message to Alice?

            Alice                          Bob
Private     D_A(C) = C^{d_A} mod n_A       D_B(C) = C^{d_B} mod n_B
Public      E_A(M) = M^{e_A} mod n_A       E_B(M) = M^{e_B} mod n_B

Bob sends C = E_A(D_B(M)), which is deciphered by Alice as E_B(D_A(C)), provided that M < n_B < n_A.

Signing with RSA
Bob wants to send a signed message M to Alice. They have their respective RSA parameters:

            Alice         Bob
Private     d_A           d_B
Public      n_A, e_A      n_B, e_B

Signing algorithm: sig_SK(M) = M^{d_B} mod n_B = S
Verification algorithm: ver_PK(M, S) = true ⇔ S^{e_B} mod n_B ≡ M

El Gamal Signature

Let p be a prime for which the discrete log problem is hard in Z*_p and let α be a generator of Z*_p. The message M ∈ Z*_p and its signature is made of the pair (M, S) ∈ Z*_p × (Z*_p × Z_{p−1}). The set of keys is K = {(p, α, a, β) : β = α^a mod p}.
Private: a
Public: p, α, β

Signing algorithm: randomly choose k ∈ Z*_p and keep it secret; k is such that gcd(k, p − 1) = 1.
sig_K(M, k) = (γ, δ) for γ = α^k mod p and δ such that aγ + kδ ≡ M mod (p − 1).

Example
Let p = 467 and a = 127. We check that gcd(a, p − 1) = 1. Let α = 2 be a generator of Z*_p. We compute β = α^a mod p = 2^127 mod 467 = 132.
If Bob wants to sign the message M = 100 for the random value k = 213, which verifies gcd(k, p − 1) = 1, he computes the multiplicative inverse k^{-1} mod (p − 1) by the extended Euclidean algorithm, which gives k^{-1} = 431. Then
γ = α^k mod p = 2^213 mod 467 = 29
and δ = (M − aγ)·k^{-1} mod (p − 1) = (100 − 127·29)·431 mod 466 = 51.

Verification
Given M, γ ∈ Z*_p and δ ∈ Z_{p−1}, we define
ver_K(M, γ, δ) = true ⇔ β^γ γ^δ ≡ α^M mod p.
If the signature is correct, the verification algorithm validates the signature since
β^γ γ^δ ≡ α^{aγ} α^{kδ} mod p ≡ α^M mod p, because aγ + kδ ≡ M mod (p − 1).

Example: we verify the signature (100, 29, 51):
ver_K(M, γ, δ) = true ⇔ β^γ γ^δ ≡ α^M (mod p) ⇔ 132^29 · 29^51 ≡ 2^100 (mod 467) ≡ 189, which is correct.

References

[1] L.M. Adleman. On breaking the iterated Merkle-Hellman public-key cryptosystem. In CRYPTO'82, LNCS, pages 303–304. Springer Verlag, 1982.
[2] G. Brassard. Cryptologie contemporaine. Logique, mathématiques, informatique. Masson, 1993.
[3] W. Diffie and M.E. Hellman. New directions in cryptography. IEEE Trans. on Inform. Theory, 22(6):644–654, 1976.
[4] M.R. Garey and D.S. Johnson. Computers and Intractability. Freeman, 1979.
[5] N. Koblitz. A Course in Number Theory and Cryptography. Graduate Texts in Mathematics. Springer Verlag, 1987.
[6] A.M. Odlyzko. The rise and fall of knapsack cryptosystems. In C. Pomerance, editor, Cryptology and Computational Number Theory, volume 42 of Proc. Symp. Appl. Math., pages 75–88, 1990.
[7] A. Salomaa. Public Key Cryptography. EATCS Monographs. Springer Verlag, 1990.
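The El Gamal signing and verification algorithms of the signature section above, run on its parameters (p = 467, α = 2, a = 127, M = 100, k = 213), as an added example that is not part of the original slides; function names are my own. The verifier also rejects a γ outside Z*_p and a δ outside Z_{p−1}, which the definition of ver_K presupposes (Python 3.8+ for the modular inverse).

```python
from math import gcd

# Added example (not from the slides); parameters p = 467, alpha = 2, a = 127 are the slides'.
def elgamal_keygen(p, alpha, a):
    """Public key (p, alpha, beta) with beta = alpha^a mod p; a stays private."""
    return (p, alpha, pow(alpha, a, p))

def elgamal_sign(p, alpha, a, M, k):
    """sig_K(M, k) = (gamma, delta) with a*gamma + k*delta == M (mod p-1)."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be invertible mod p-1")
    gamma = pow(alpha, k, p)
    delta = (M - a * gamma) * pow(k, -1, p - 1) % (p - 1)   # Python 3.8+ inverse
    return gamma, delta

def elgamal_verify(p, alpha, beta, M, gamma, delta):
    """ver_K(M, gamma, delta): true iff beta^gamma * gamma^delta == alpha^M (mod p)."""
    if not (1 <= gamma < p and 0 <= delta < p - 1):
        return False                    # components outside Z*_p x Z_{p-1}
    lhs = pow(beta, gamma, p) * pow(gamma, delta, p) % p
    return lhs == pow(alpha, M, p)
```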
