# CS计算机代考程序代写 algorithm scheme Public-Key Crypto

Public-Key Crypto

Review: Integrity
Problem: Sending a message over an
untrusted channel without being changed
Provably-secure solution: Random function
Practical solution:
m, v := fk(m) Mallory m’, v’ =? fk(m’) e.g. “Attack at dawn”, 628369867…
Pseudorandom function (PRF) Input: arbitrary-length k
Output: fixed-length value
Secure if practically indistinguishable from
a random function, unless know k Real-world use:
Message authentication codes (MACs) built on cryptographic hash functions
Popular example: HMAC-SHA256k(m) [Cautions?!]
k
Alice
k
Bob
2

Review: Confidentiality
Problem: Sending message in the presence
of an eavesdropper without revealing it Provably-secure solution: One-time pad
Practical solution:
Pseudorandom generator (PRG)
c
Bobk
p := D (c) k
Input: fixed-length k
Output: arbitrary-length stream
Secure if practically indistinguishable from a random stream, unless know k
Real-world use:
Stream ciphers (can’t reuse k)
Popular example: AES-128 + CTR mode
Popular example: AES-128 + CBC mode
[Cautions?!]
k
Alice
c := E (p) k
Eve

Review: Diffie-Hellman Key Exchange Lets Alice and Bob agree on a shared secret
value by having a public conversation
Alice
Generates random secret a (0 < a < p) Bob Generates random secret b (0 < b < p) gb mod p Computes x′ a g modp Eve Computes x ba ab =(g modp) modp =(g modp) modp a Alice b Bob ba =g modp ab =g modp x == x′ Problem: Man-in-the-middle attacks ga modp gv modp gu modp gb modp Caution: D-H gives you a shared secret, but don’t know who’s on the other end! a Alice uv Mallory b Bob Suppose Alice publishes data to lots of people, and they all want to verify integrity... Can’t share an integrity key with everybody, or else anybody could forge messages Suppose Bob wants to receive data from lots of people, confidentially... Schemes we’ve discussed would require a separate key shared with each person [What to do?] Solution: Public-key Crypto So far, encryption key == decryption key “symmetric key crypto” New idea: Keys are distinct, and you can’t find one from the other Almost always used by splitting key-pair Alice keeps one key private (“private key”) Publishes the other key (“public key”) Many applications Invented in 1976 by Diffie and Hellman (earlier by Clifford Cocks of British intelligence, in secret) Best known, most common public-key algorithm: RSA Rivest, Shamir, and Adleman 1978 Requirements for a public key crypto system to be secure 1. Computationally easy for B to generate a key pair: PUb, PRb 2. Computationallyeasyforsender A to generate the ciphertext for message M: C=E(PUb, M) 3. Computationally easy for receiver B to decrypt the ciphertext: M=D(PRb, C) 4. Computational infeasible to guess PRb knowing PUb. 5. Computational infeasible to recover M from PUb and C. How RSA works Key generation: 1. Pick large (say, 1024 bits) random primes p and q 2. Compute N := pq (RSA uses multiplication mod N) 3. Pick e to be relatively prime to (p-1)(q-1) 4. Find d so that ed mod (p-1)(q-1) = 1 5. Finally: To encrypt: To decrypt: Public key is (e,N) Private key is (d,N) e E(x) = x mod N D(x) = xd mod N Why RSA works “It works” theorem: For all 0 < x < N, can show that D(E(x)) = x Proof: ed D(E(x)) = (x mod pq) mod pq ed =x modpq = xa(p-1)(q-1)+1 mod pq for some a (because ed mod (p-1)(q-1) = 1) = (x(p-1)(q-1))ax mod pq = (x(p-1)(q-1) mod pq)ax mod pq = 1ax mod pq (because of the fact that if p,q are prime, then for all 0 < x < N, x(p-1)(q-1) mod pq = 1) =x Is RSA secure? Best known way to compute d from e is factoring N into p and q. Best known factoring algorithm: General number field sieve Takes more than polynomial time but less than exponential time to factor n-bit number. (Still takes way too long if p,q are large enough and random.) Fingers crossed... but can’t rule out a breakthrough! Signing with the public key for confidentiality or secrecy: Does this provide integrity? Signing with private key for integrity/authentication. Does this provide confidentiality? Subtle fact: RSA can be used for either confidentiality or integrity RSA for confidentiality: Encrypt with public key Decrypt with private key “your eyes only” message RSA for integrity: Encrypt (“sign”) with private key Decrypt (“verify”) with public key called a digital signature [What if we want both confidentiality and integrity on the same message?] How to have both confidentiality and integrity (using RSA)? Alice (A) wants to send a secret message M to Bob (B) so that Bob can verify that it comes from Alice. Which one(s) is/are secure? 1. E(E(M,PRA),PUB) 2. E(E(M, PUB), PRA) 3. C=E(M, PRA) t=E(H(C), PUB) • Send C||t 4. C=E(M, PUB) t=E(H(C), PRA) • Send C||t Review: Public-key Crypto So far, encryption key == decryption key “symmetric key crypto” New idea: Keys are distinct. RSA: N := pq Public key is (e,N) Private key is (d,N) To encrypt: E(x) = x mod N e To decrypt: D(x) = xd mod N RSA for confidentiality: Encrypt with public key Decrypt with private key RSA for integrity (digital signatures): Encrypt (“sign”) with private key Decrypt (“verify”) with public key [Cautions?!] RSA drawback: Performance Factor of 1000 or more slower than AES. Dominated by exponentiation – cost goes up (roughly) as cube of key size. Message must be shorter than N. [How big should the RSA keys be?] Use in practice: Encryption: Use RSA to encrypt a random x < N, compute k := PRF(x), encrypt message using a symmetric cipher and key k Signing: Compute v := PRF(m), use RSA to sign a carefully padded version of v (many gotchas!) Almost always should use crypto libraries to get the details right True or false: Public-key encryption is a general- purpose technique that has made symmetric encryption obsolete True or false: Key distribution is trivial when using public-key encryption, compared to the cumbersome handshaking involved with key distribution centers for symmetric encryption. Attacks against RSA 1. Bruteforce:tryingallpossible private keys 2. Mathematicalattacks:factoring 3. Timingattacks:usingtherunning time of decryption 4. Hardware-based fault attack: induce faults in hardware to generate digital signatures 5. Chosenplaintextattackon unpadded RSA Exercise Suppose Bob uses RSA crypto with a very large modulus n for which the factorization cannot be found in a reasonable amount of time. Suppose Alice sends a message to Bob by representing each alphabet letter as an integer between 0 and 25 (A->0, …, Z->25) and then encrypting each number separately using RSA with large e and large n.
Is this method secure?
If yes, why?
If not, how to efficiently attack this encryption method?

Solution:
For a set of message block values SM = {0, 1, 2, …, 25}. The set of corresponding ciphertext block values SC = {0e mod N, 1e mod N, …, 25e mod N}, and can be computed by everybody with the knowledge of the public key of Bob.
The most efficient attack is to compute Me mod N for all possible values of M, then create a look-up table with a ciphertext as an index, and the corresponding plaintext as a value of the appropriate location in the table.

Two subtle “textbook” RSA problems:
1. For small e and m: m^e mod N == m^e Trivial to decrypt!
2. If m is chosen from a small set, easy to confirm a ciphertext is a given message (anyone can encrypt!)
Chosen plaintext attack