Presenter: 呂恩佑
1
Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using different keys: one a public key and one a private key. It is also known as public-key encryption.
Asymmetric encryption transforms plaintext into ciphertext using one of two keys and an encryption algorithm. Using the paired key and a decryption algorithm, the plaintext is recovered from the ciphertext.
2
Asymmetric encryption can be used for confidentiality, authentication, or both.
The most widely used public-key cryptosystem is RSA. The difficulty of attacking RSA is based on the difficulty of finding the prime factors of a composite number.
3
Common misconceptions about public-key encryption:
That public-key encryption is more secure from cryptanalysis than is symmetric encryption.
That public-key encryption is a general-purpose technique that has made symmetric encryption obsolete.
That key distribution is trivial when using public-key encryption, compared to the rather cumbersome handshaking involved with key distribution centers for symmetric encryption.
4
How can the security of the key be ensured?
5
[Figure: public key and private key pairs]
6
[Figure: the message "Tonight at 8, Oval Office. From Xiao Wen"; labels: Public Key, Private Key]
7
Y = E(PU_b, X)
X = D(PR_b, Y)
8
[Figure: the messages "Tonight at 8, Oval Office. From Xiao Wen" and "I think we should break up. From Xiao Wen"; labels: Public Key, Private Key]
9
[Figure: the message "Tonight at 8, Oval Office. From Xiao Wen"; labels: Private Key, Public Key]
10
[Figure: the messages "Tonight at 8, Oval Office. From Xiao Wen" and "I think we should break up. From Xiao Wen"; labels: Private Key, Public Key]
11
Y = E(PR_a, X)
X = D(PU_a, Y)
12
Z = E(PU_b, E(PR_a, X))
X = D(PU_a, D(PR_b, Z))
13
Algorithm        Encryption/Decryption   Digital Signature   Key Exchange
RSA              Yes                     Yes                 Yes
Elliptic Curve   Yes                     Yes                 Yes
Diffie-Hellman   No                      No                  Yes
DSS              No                      Yes                 No
14
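1. Keys are easy to generate
2. Given the plaintext and the Public Key, the ciphertext is easy to compute
3. Given the ciphertext and the Private Key, the plaintext is easy to compute
4. The Private Key cannot be computed from the Public Key
5. The plaintext cannot be computed from the ciphertext and the Public Key alone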
15
One-Way Function
Y = f(X) easy
X = f^-1(Y) infeasible
Trap-Door One-Way Function
Y = f_k(X) easy, if k and X are known
X = f_k^-1(Y) easy, if k and Y are known
X = f_k^-1(Y) infeasible, if Y is known but k is not known
16
Brute-force attack
Find some way to compute the private
key given the public key
Probable-message attack
17
Conventional Encryption
Needed to Work:
1. The same algorithm with the same key is used for encryption and decryption.
2. The sender and receiver must share the algorithm and the key.
Needed for Security:
1. The key must be kept secret.
2. It must be impossible or at least impractical to decipher a message if no other information is available.
3. Knowledge of the algorithm plus samples of ciphertext must be insufficient to determine the key.
Public-Key Encryption
Needed to Work:
1. One algorithm is used for encryption and decryption with a pair of keys, one for encryption and one for decryption.
2. The sender and receiver must each have one of the matched pair of keys (not the same one).
Needed for Security:
1. One of the two keys must be kept secret.
2. It must be impossible or at least impractical to decipher a message if no other information is available.
3. Knowledge of the algorithm plus one of the keys plus samples of ciphertext must be insufficient to determine the other key.
18
It was developed in 1977 by Ron Rivest,
Adi Shamir, and Len Adleman at MIT
and first published in 1978
The RSA scheme is a block cipher in
which the plaintext and ciphertext are
integers between 0 and n-1 for some n
19
The scheme makes use of an
expression with exponentials.
Plaintext is encrypted in blocks, with
each block having a binary value less
than some number n.
20
Keys
PU = { e , n } , PR = { d , n }
Encryption
C = M^e mod n
Decryption
M = C^d mod n = (M^e)^d mod n = M^(ed) mod n
21
It is possible to find values of e, d, n such
that
M^(ed) mod n = M for all M < n.
It is relatively easy to calculate M^e mod n and
C^d mod n for all values of M < n.
It is infeasible to determine d given e and n.
22
The preceding relationship holds if e
and d are multiplicative inverses
modulo φ(n), where φ(n) is the Euler
totient function.
23
Key Generation
Select p, q          p and q are both prime, p ≠ q
Calculate n = p × q
Calculate φ(n) = (p – 1) × (q – 1)
Select integer e     gcd(φ(n), e) = 1; 1 < e < φ(n)
Calculate d          ed ≡ 1 (mod φ(n))
Public key           PU = {e, n}
Private key          PR = {d, n}
24
Encryption
Plaintext:   M < n
Ciphertext:  C = M^e mod n
Decryption
Ciphertext:  C
Plaintext:   M = C^d mod n
Select two prime numbers, p = 17 and q = 11.
Calculate n = pq = 17 x 11 = 187.
Calculate φ(n) = (p - 1)(q - 1) = 16 x 10 =
160.
Select e such that e is relatively prime to φ(n)
= 160 and less than φ(n); we choose e = 7.
Determine d such that ed ≡ 1 ( mod φ(n) ) and
d < 160. The correct value is d = 23.
25
Public Key : { 7 , 187 } ; Private key : { 23 , 187 }
Plaintext : M = 88
Ciphertext : C = M^e mod n = 88^7 mod 187
88^7 mod 187 = [(88^4 mod 187) x (88^2 mod 187) x (88^1 mod 187)] mod 187
88^1 mod 187 = 88
88^2 mod 187 = 7744 mod 187 = 77
88^4 mod 187 = 77^2 mod 187 = 5929 mod 187 = 132
88^7 mod 187 = (88 x 77 x 132) mod 187 = 894,432 mod 187 = 11
Ciphertext = 11
26
Public Key : { 7 , 187 } ; Private key : { 23 , 187 }
Ciphertext : C = 11
Plaintext : M = C^d mod n = 11^23 mod 187
11^23 mod 187 = 11^(1+2+4+16) mod 187
Plaintext : M = 88
27
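The key-generation, encryption and decryption steps above, carried through for p = 17, q = 11, e = 7 as an added example (not code from the original slides). The function names are assumptions chosen for illustration, and the trial-division primality check is suitable only for toy-sized numbers.

```python
from math import gcd

def is_prime(x):
    """Trial division; adequate only for toy inputs such as 17 and 11."""
    if x < 2:
        return False
    i = 2
    while i * i <= x:
        if x % i == 0:
            return False
        i += 1
    return True

def modinv(a, m):
    """Inverse of a modulo m via the extended Euclidean algorithm."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("a has no inverse modulo m")
    return old_s % m

def generate_keys(p, q, e):
    """Compute n and phi(n), check the conditions on e, then derive d."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi) or gcd(phi, e) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(phi(n), e) = 1")
    d = modinv(e, phi)              # ed = 1 (mod phi(n))
    return (e, n), (d, n)           # PU = {e, n}, PR = {d, n}

def encrypt(m, public):
    e, n = public
    if not 0 <= m < n:
        raise ValueError("plaintext block must be less than n")
    return pow(m, e, n)             # C = M^e mod n

def decrypt(c, private):
    d, n = private
    return pow(c, d, n)             # M = C^d mod n

if __name__ == "__main__":
    pu, pr = generate_keys(17, 11, 7)
    c = encrypt(88, pu)
    print(pu, pr, c, decrypt(c, pr))
```
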
Suppose we wish to find the value a^b with a and b positive integers. If we express b as a binary number b_k b_(k-1) ... b_0, then we have
a^b = a^(Σ_{b_i≠0} 2^i) = Π_{b_i≠0} a^(2^i)
a^b mod n = [Π_{b_i≠0} a^(2^i)] mod n
          = (Π_{b_i≠0} [a^(2^i) mod n]) mod n
28
f ← 1
for i ← k downto 0
    do f ← ( f x f ) mod n
       if b_i = 1
           do f ← ( f x a ) mod n
return f
29
Result of the Fast Modular Exponentiation Algorithm for a^b mod n, where a = 7, b = 560 = 1000110000 (binary), n = 561
i     9    8    7    6    5    4    3    2    1    0
b_i   1    0    0    0    1    1    0    0    0    0
f     7   49  157  526  160  241  298  166   67    1
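The square-and-multiply algorithm above, written out so that it reproduces the f row of the table for a = 7, b = 560, n = 561. This is an added example, not code from the original slides, and the function name `mod_exp_trace` is an assumption.

```python
def mod_exp_trace(a, b, n):
    """Compute a^b mod n by scanning the bits of b from b_k down to b_0.

    Returns (result, trace, multiplies): trace holds f after each bit,
    multiplies counts the conditional "f x a" steps.
    """
    if b < 0 or n < 1:
        raise ValueError("need b >= 0 and n >= 1")
    f = 1
    trace = []
    multiplies = 0
    for bit in bin(b)[2:]:          # binary digits b_k ... b_0
        f = (f * f) % n             # always square
        if bit == "1":              # multiply only when b_i = 1, so the
            f = (f * a) % n         # amount of work depends on the exponent
            multiplies += 1
        trace.append(f)
    return f % n, trace, multiplies

if __name__ == "__main__":
    result, trace, multiplies = mod_exp_trace(7, 560, 561)
    print("f after each bit:", trace)
    print("result:", result, "squarings:", len(trace), "multiplies:", multiplies)
    # The same routine handles the toy RSA example with n = 187.
    print(mod_exp_trace(88, 7, 187)[0], mod_exp_trace(11, 23, 187)[0])
```
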
To speed up the operation of the RSA
algorithm using the public key, a
specific choice of e is usually made.
The most common choice is 65537 (2^16
+ 1); two other popular choices are 3
and 17.
30
RSA becomes vulnerable to a simple
attack if we use a very small public key.
31
Determining two prime numbers, p and
q.
Selecting either e or d and calculating
the other.
32
At present, there are no useful
techniques that yield arbitrarily large
primes.
States that the primes near N are
spaced on the average one every
ln(N/2) integers
33
We need to select an e such that
gcd(φ(n), e) = 1 and then calculate d
such that ed ≡ 1 (mod φ(n)).
The probability that two random
numbers are relatively prime is about
0.6
34
Brute force
Mathematical attacks
Timing attacks
Chosen ciphertext attacks
35
Factor n into its two prime factors. This enables calculation of φ(n) = (p - 1) x (q - 1), which, in turn, enables determination of d from ed ≡ 1 (mod φ(n)).
Determine φ(n) directly, without first determining p and q. Again, this enables determination of d from ed ≡ 1 (mod φ(n)).
Determine d directly, without first determining φ(n).
36
Number of Decimal Digits   Approximate Number of Bits   Date Achieved    MIPS-years   Algorithm
100                        332                          April 1991       7            Quadratic sieve
110                        365                          April 1992       75           Quadratic sieve
120                        398                          June 1993        830          Quadratic sieve
129                        428                          April 1994       5000         Quadratic sieve
130                        431                          April 1996       1000         Generalized number field sieve
140                        465                          February 1999    2000         Generalized number field sieve
155                        512                          August 1999      8000         Generalized number field sieve
160                        530                          April 2003       -            Lattice sieve
174                        576                          December 2003    -            Lattice sieve
200                        663                          May 2005         -            Lattice sieve
37
38
MIPS-years: a million-instructions-per-second processor running for one year
p and q should differ in length by only a
few digits. Thus, for a 1024-bit key (309
decimal digits), both p and q should be on
the order of magnitude of 10^75 to 10^100.
Both (p - 1) and (q - 1) should contain a
large prime factor.
gcd(p - 1, q - 1) should be small.
39
Paul Kocher, a cryptographic
consultant, demonstrated that a
snooper can determine a private key by
keeping track of how long a computer
takes to decipher messages.
40
Constant exponentiation time.
Random delay
Blinding
41
The basic RSA algorithm is vulnerable to
a chosen ciphertext attack.
The adversary could select a plaintext,
encrypt it with the target's public key and
then be able to get the plaintext back by
having it decrypted with the private key.
42
E(PU, M1) x E(PU, M2) = E(PU, [M1 x M2])
C = M^e mod n
X = ( C x 2^e ) mod n
Submit X as a chosen ciphertext and
receive back Y = X^d mod n.
43
X = (C mod n) x (2^e mod n)
  = (M^e mod n) x (2^e mod n)
  = (2M)^e mod n
Therefore, Y = (2M) mod n
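The multiplicative property and the relation Y = (2M) mod n above, checked numerically on the toy key pair {7, 187} / {23, 187} from the worked example. This is an added example, not code from the original slides; the function names are assumptions, and it covers only unpadded ("basic") RSA as described on these slides.

```python
PU = (7, 187)    # toy public key {e, n} from the worked example
PR = (23, 187)   # toy private key {d, n}

def encrypt(m, public=PU):
    e, n = public
    return pow(m, e, n)                     # C = M^e mod n

def decrypt(c, private=PR):
    d, n = private
    return pow(c, d, n)                     # Y = X^d mod n

def multiplicative_property_holds(public=PU):
    """Check E(PU, M1) x E(PU, M2) = E(PU, [M1 x M2]) for every M1, M2 < n."""
    e, n = public
    return all(
        (pow(m1, e, n) * pow(m2, e, n)) % n == pow((m1 * m2) % n, e, n)
        for m1 in range(n)
        for m2 in range(n)
    )

def chosen_ciphertext_relation(m, public=PU, private=PR):
    """Return (C, X, Y) with X = (C x 2^e) mod n and Y = X^d mod n."""
    e, n = public
    c = encrypt(m, public)
    x = (c * pow(2, e, n)) % n              # differs from C, yet related to it
    y = decrypt(x, private)                 # what basic RSA decryption returns
    return c, x, y

if __name__ == "__main__":
    print("property holds for all M1, M2 < n:", multiplicative_property_holds())
    c, x, y = chosen_ciphertext_relation(88)
    print("C =", c, "X =", x, "Y =", y, "(2M) mod n =", (2 * 88) % 187)
```
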
44