
Fuw-Yi Yang 1

Public Key Cryptography 公開金鑰密碼

Department of Computer Science and Information Engineering, Chaoyang University of Technology朝陽科技大學資工系

Speaker: Fuw-Yi Yang 楊伏夷

"Fu-Yi" does not mean "subduing the barbarians": in the Tao Te Ching, the "Cha Zheng" chapter (Chapter 58) says that "fu" means hidden, and the "Dao Ji" chapter (Chapter 14) says that the Tao has no form, and that which one looks at but cannot see is called "yi".

Fuw-Yi Yang 2

Problem

How can two parties who are strangers and have never met communicate secretly over a public channel?

Fuw-Yi Yang 3

RSA Public Key Cryptosystem 1/3

RSA public key cryptosystem

Amy's (ㄚ蜜) public key: n = 77, e = 7 (her private key d = 43 is kept secret)

Anyone sending data m = 5 to Amy computes the ciphertext c = m^e mod 77 = 5^7 mod 77 = 5·5·5·5·5·5·5 mod 77 = 125·5·125 mod 77 = 48·5·48 mod 77 = 9·48 mod 77 = 47

The ciphertext c = 47 is sent to Amy over the public network.

Fuw-Yi Yang 4

RSA Public Key Cryptosystem 2/3

RSA public key cryptosystem

Amy's public key: n = 77, e = 7 (private key d = 43)

When Amy receives the ciphertext c = 47, she decrypts: m = c^d mod 77 = 47^43 mod 77 = 47·47·…·47 mod 77 = 23·53·47 mod 77 = 5. Note: 23 = 47^10 mod 77, 53 = 47^32 mod 77.

Fuw-Yi Yang 5

RSA Public Key Cryptosystem 3/3

RSA public key cryptosystem

An attacker who knows Amy's public key n = 77, e = 7 still cannot derive her private key d = 43, because factoring is one of the unsolved hard problems in mathematics. For example, if n is the product of two large primes and n is about 2^1024 (about 10^310), then with a 10 GHz CPU factoring takes about 10^300 seconds, or 1.157 × 10^295 days.

Fuw-Yi Yang 6

RSA Public Key Cryptosystem 1/2

RSA public key cryptosystem: signature

Amy's public key: n = 77, e = 7 (private key d = 43)

Amy signs the data m = 5: signature s = m^d mod 77 = 5^43 mod 77 = 5·…·5 mod 77 = 23·48 mod 77 = 26 mod 77 (5^3 = 48 mod 77, 5^40 = 23 mod 77)

Fuw-Yi Yang 7

RSA Public Key Cryptosystem 2/2

RSA public key cryptosystem: signature

Amy's public key: n = 77, e = 7 (private key d = 43)

Anyone who receives (s = 26 and m = 5) can verify it: compute v = s^e mod 77 = 26^7 mod 77 = 26·26·26·26·26·26·26 mod 77 = 20·20·26 mod 77 = 5 mod 77 (26^3 = 20 mod 77)

Check whether m and v are equal.
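The four slides above compute textbook RSA with n = 77, e = 7, d = 43 by hand. The following Python, added here as an illustration and not part of the original slides, does the same encryption, decryption, signing and verification with square-and-multiply exponentiation and derives d from the primes p = 7, q = 11 with the extended Euclidean algorithm (the function names are this example's own).

```python
from math import gcd

def mod_exp(base, exp, mod):
    """Square-and-multiply; replaces the long chain of products done by hand on the slides."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result

def mod_inverse(a, m):
    """Extended Euclid: returns d with a*d = 1 (mod m); raises if gcd(a, m) != 1."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return old_s % m

def rsa_keygen(p, q, e=7):
    """Returns ((n, e), (n, d)) for primes p, q; d is the inverse of e modulo phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, mod_inverse(e, phi))

def encrypt(pub, m):     # c = m^e mod n
    n, e = pub
    return mod_exp(m, e, n)

def decrypt(priv, c):    # m = c^d mod n
    n, d = priv
    return mod_exp(c, d, n)

def sign(priv, m):       # s = m^d mod n (same private-key operation as decryption)
    return decrypt(priv, m)

def verify(pub, m, s):   # accept iff v = s^e mod n equals m
    return encrypt(pub, s) == m
```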

William Stallings, Fuw-Yi Yang 8

The Finite Field – Groups 1/2

Groups: A group G, denoted by {G, ·}, is a set of elements with a binary operation · such that:
(A1) Closure: a, b ∈ G implies that a · b ∈ G
(A2) Associative: a, b, c ∈ G implies that a · (b · c) = (a · b) · c
(A3) Identity: For all a in G, there is an element e in G s.t. a = a · e = e · a
(A4) Inverse: For all a in G, there exists an element b (= a^-1) in G, s.t. e = a · b

Abelian group: (A5) Commutative law: a · b = b · a for all a, b in G

William Stallings, Fuw-Yi Yang 9

The Finite Field – Groups 2/2

Example: {G, ·}, G = {1, 2, 3, 4, 5, 6}, · is modular multiplication (mod 7). 5 · 3 mod 7 = 1 (5^-1 = 3, 3^-1 = 5); 2 · 6 mod 7 = 5, 6 · 2 mod 7 = 5 (Abelian group). This group is Z_7^*.

William Stallings, Fuw-Yi Yang 10

The Finite Field – Rings 1/5

Rings: A ring R, denoted by {R, +, ·}, is a set of elements with two binary operations, addition + and multiplication ·, such that:
(A1)~(A5): R is an abelian group with respect to addition
(M1) Closure under ·: a, b ∈ R implies that a · b ∈ R
(M2) Associative: a, b, c ∈ R implies that a · (b · c) = (a · b) · c
(M3) Distributive: a · (b + c) = a · b + a · c and (a + b) · c = a · c + b · c for all a, b, c in R
(M4) Commutative law: a · b = b · a for all a, b in R

William Stallings, Fuw-Yi Yang 11

The Finite Field – Rings (integral domain) 2/5

Integral Domain:

(M5) Multiplicative identity: there is an element 1 in R s.t. a = a · 1 = 1 · a
(M6) No zero divisors: If a, b in R and a · b = 0, then either a = 0 or b = 0

William Stallings, Fuw-Yi Yang 12

The Finite Field – Fields 3/5

Fields: A field F, denoted by {F, +, ·}, is a set of elements with two binary operations, addition + and multiplication ·, such that:
(A1)~(M6): F is an integral domain
(M7) Multiplicative inverse: For each a in F, except 0, there is an element a^-1 in F s.t. a · a^-1 = a^-1 · a = 1
Example: Finite field of order p^n: Galois field GF(p^n)

William Stallings, Fuw-Yi Yang 13

The Finite Field – GF(7)-addition 4/5

Addition modulo 7

 +  0 1 2 3 4 5 6
 0  0 1 2 3 4 5 6
 1  1 2 3 4 5 6 0
 2  2 3 4 5 6 0 1
 3  3 4 5 6 0 1 2
 4  4 5 6 0 1 2 3
 5  5 6 0 1 2 3 4
 6  6 0 1 2 3 4 5

William Stallings, Fuw-Yi Yang 14

The Finite Field – GF(7)-multiplication 5/5

Multiplication modulo 7

 ×  0 1 2 3 4 5 6
 0  0 0 0 0 0 0 0
 1  0 1 2 3 4 5 6
 2  0 2 4 6 1 3 5
 3  0 3 6 2 5 1 4
 4  0 4 1 5 2 6 3
 5  0 5 3 1 6 4 2
 6  0 6 5 4 3 2 1


Fuw-Yi Yang 16

Anonymous User Identification 1/15

1. T. S. Wu and C. L. Hsu, “Efficient user identification scheme with key distribution preserving anonymity for distributed computer networks,” Computers & Security, Vol. 23(2), pp. 120-125, 2004.

2. K. Mangipudi and R. Katti, “A secure identification and key agreement protocol with user anonymity (SIKA) ,” Computers & Security, Vol. 25, pp. 420-425, 2006.

3. W. B. Lee and C. C. Chang, “User identification and key distribution maintaining anonymity for distributed computer network,” Computer Systems Science and Engineering, Vol. 15, No. 4, July 2000, pp. 113-116.

4. Y. Yang, S. Wang, F. Bao, J. Wang and R. H. Deng, “New efficient user identification and key distribution scheme providing enhanced security,” Computers & Security, Vol. 23, pp. 697-704, 2004.

//5. C. C. Yang, Y. L. Tang, R. C. Wang and H. L. Yang, “A secure and efficient authentication protocol for anonymous channel in wireless communications,” Applied Mathematics and Computation, Vol. ??, pp. ??, 2005.

Fuw-Yi Yang 17

Anonymous User Identification 2/15

W. B. Lee and C. C. Chang

1. Key generation: The Smart Card Producing Center (SCPC) chooses large primes p and q, computes N = p · q, picks g ∈ Z_N^*, a hash function f, and e, d such that e · d = 1 mod φ(N). Public key: N, e, g, f; secret key: p, q, d.

φ(N) denotes the Euler totient function, i.e. the cardinality of Z_N^* = {a | a ∈ Z_N and gcd(a, N) = 1}. Ex. Z_15^* = {1, 2, 4, 7, 8, 11, 13, 14}.

H is a collision-resistant hash function, H: {0, 1}^* → {0, 1}^l. Ex. given the pre-image, it is easy to compute its image under H; given the image, it is difficult to find a pre-image.

Fuw-Yi Yang 18

Anonymous User Identification 3/15

W. B. Lee and C. C. Chang

1. Key generation: In a secure way, SCPC sends each user U_i or provider P_j (with identity ID_i or ID_j) a secret token S_i = (ID_i)^d mod N.

2. Anonymous user identification:

Fuw-Yi Yang 19

Anonymous User Identification 4/15

W. B. Lee and C. C. Chang

U_i → P_j: request

P_j → U_i: z = g^k mod N

U_i computes:
  x = S_i · z^(t_1) · g^(f(T) · t_2) mod N
  y_1 = g^(e · t_1) mod N
  y_2 = g^(e · t_2) mod N

U_i → P_j: x, y_1, y_2, T

P_j checks T, and whether an existing user's ID satisfies ID_i = x^e / (y_1^k · y_2^(f(T))) mod N

Fuw-Yi Yang 20

Anonymous User Identification 5/15

W. B. Lee and C. C. Chang

U_i side (z = g^k mod N received from P_j):
  x = S_i · z^(t_1) · g^(f(T) · t_2) = (ID_i)^d · g^(k · t_1) · g^(f(T) · t_2) mod N
  y_1 = g^(e · t_1) mod N
  y_2 = g^(e · t_2) mod N
  K_ij = z^(e · t_1) = g^(e · k · t_1) mod N

P_j side:
  ID_i = x^e / (y_1^k · y_2^(f(T)))
       = (ID_i)^(d·e) · g^(e·k·t_1) · g^(e·f(T)·t_2) / (g^(e·k·t_1) · g^(e·f(T)·t_2))
       = (ID_i)^(d·e)
       = ID_i mod N
  K_ij = y_1^k = g^(e · k · t_1) mod N

Fuw-Yi Yang 21

Anonymous User Identification 6/15

Weakness of W. B. Lee and C. C. Chang (see [1])

1. No authentication of P_j.

2. Assume that K_ij is compromised. Recall the messages from U_i to P_j:
  x = S_i · z^(t_1) · g^(f(T) · t_2) mod N
  y_1 = g^(e · t_1) mod N
  y_2 = g^(e · t_2) mod N
and that U_i derives K_ij = z^(e · t_1) = g^(e · k · t_1) mod N, while P_j derives K_ij = y_1^k = g^(e · k · t_1) mod N and identifies the user by ID_i = x^e / (y_1^k · y_2^(f(T))) mod N.

Since K_ij = y_1^k, anyone who knows K_ij can compute ID_i from the public transcript, so a compromised session key discloses the user's identity.

Fuw-Yi Yang 22

Anonymous User Identification 7/15

T. S. Wu and C. L. Hsu

1. Key generation: In a secure way, SCPC sends each user U_i or provider P_j (with identity ID_i or ID_j) a secret token S_i = (ID_i)^d mod N.

2. Anonymous user identification:

Fuw-Yi Yang 23

Anonymous User Identification 8/15

T. S. Wu and C. L. Hsu

U_i → P_j: request

P_j → U_i: z = S_j · g^k mod N

U_i computes:
  a = z^e / ID_j = g^(e · k) mod N
  x = S_i · f(a^t || T) mod N
  y = g^(e · t) mod N

U_i → P_j: x, y, T

P_j checks T, and whether an existing user's ID satisfies ID_i = (x / f(y^k || T))^e mod N

Fuw-Yi Yang 24

Anonymous User Identification 9/15

T. S. Wu and C. L. Hsu

U_i side (z = S_j · g^k mod N received from P_j):
  a = z^e / ID_j = g^(e · k) mod N
  x = S_i · f(a^t || T) mod N
  y = g^(e · t) mod N
  K_ij = a^(t · x) = g^(e · k · t · x) mod N

P_j side: check T, then
  ID_i = (x / f(y^k || T))^e
       = [(ID_i)^d · f(a^t || T) / f(y^k || T)]^e
       = [(ID_i)^d · f(g^(e·k·t) || T) / f(g^(e·k·t) || T)]^e
       = (ID_i)^(d·e)
       = ID_i mod N
  K_ij = y^(k · x) = g^(e · k · t · x) mod N

Fuw-Yi Yang 25

Anonymous User Identification 10/15

Weakness of T. S. Wu and C. L. Hsu (see [4]): disclosure of the user's token S_i

U_i computes a = z^e / ID_j = g^(e · k) mod N, x = S_i · f(a^t || T) mod N, y = g^(e · t) mod N and K_ij = a^(t · x) = g^(e · k · t · x) mod N.

P_j checks T and identifies the user by
  ID_i = (x / f(y^k || T))^e
       = [(ID_i)^d · f(a^t || T) / f(y^k || T)]^e
       = [(ID_i)^d · f(g^(e·k·t) || T) / f(g^(e·k·t) || T)]^e
       = ID_i mod N

But the same computation, without the final exponentiation, gives P_j the user's secret token:
  S_i = x / f(y^k || T) = [(ID_i)^d · f(a^t || T) / f(y^k || T)] mod N

Fuw-Yi Yang 26

Anonymous User Identification 11/15

Y. Yang et al.

1. Key generation: In a secure way, SCPC sends each user U_i or provider P_j (with identity ID_i or ID_j) a secret token S_i = (ID_i)^d mod N.

2. Anonymous user identification:

Fuw-Yi Yang 27

Anonymous User Identification 12/15

Y. Yang et al.

U_i → P_j: request

P_j → U_i: z = g^k / S_j mod N

U_i computes:
  a = z^e · ID_j = g^(e · k) mod N
  K_ij = a^t = g^(e · k · t) mod N
  x = g^(e · t) mod N
  s = g^t · (S_i)^(h(x, T)) mod N
  y = E_Kij(ID_i)

U_i → P_j: s, x, y, T

P_j computes K_ij = x^k = g^(e · k · t) mod N and ID_i = D_Kij(y), then checks that ID_i is in the user list and that x · (ID_i)^(h(x, T)) = s^e mod N
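Added example, not from the original slides or from the Yang et al. paper: one run of the scheme above in Python, using the slides' RSA numbers N = 77, e = 7, d = 43 with g = 2, where h, E_K and D_K are hash-based stand-ins of this example's own and k, t are fixed instead of random so the run is reproducible. The tamper parameter replays the substitution of z by a middle man from the following weakness slide and shows that P_j ends up rejecting.

```python
import hashlib

# Toy parameters, constructed for illustration only: the slides' RSA numbers and g = 2 in Z_77^*.
N, e, d, g = 77, 7, 43, 2

def h(x, T):
    """Hash h(x, T) reduced to a small positive exponent (toy stand-in for the scheme's hash)."""
    digest = hashlib.sha256(f"{x}|{T}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % 59 + 1

def keystream(K):
    return hashlib.sha256(f"key:{K}".encode()).digest()[:8]

def enc(K, ID):   # E_K(ID): XOR an 8-byte encoding of ID with a hash-derived keystream (toy cipher)
    return bytes(a ^ b for a, b in zip(ID.to_bytes(8, "big"), keystream(K)))

def dec(K, y):    # D_K(y)
    return int.from_bytes(bytes(a ^ b for a, b in zip(y, keystream(K))), "big")

def token(ID):    # SCPC issues the secret token S = ID^d mod N
    return pow(ID, d, N)

def run(ID_i, ID_j, users, k=3, t=5, T=1700000000, tamper=None):
    """One run; returns (P_j accepted, session keys agree, identity that P_j decrypted)."""
    S_i, S_j = token(ID_i), token(ID_j)
    z = pow(g, k, N) * pow(S_j, -1, N) % N          # P_j: z = g^k / S_j mod N
    if tamper is not None:
        z = tamper                                   # middle man substitutes z' for z
    # U_i: a = z^e * ID_j = g^(ek), K_ij = a^t, x = g^(et), s = g^t * S_i^h(x,T), y = E_K(ID_i)
    a = pow(z, e, N) * ID_j % N
    K_u = pow(a, t, N)
    x = pow(g, e * t, N)
    s = pow(g, t, N) * pow(S_i, h(x, T), N) % N
    y = enc(K_u, ID_i)
    # P_j: K_ij = x^k, ID_i = D_K(y), then check the user list and x * ID_i^h(x,T) = s^e mod N
    K_p = pow(x, k, N)
    ID = dec(K_p, y)
    accepted = ID in users and x * pow(ID, h(x, T), N) % N == pow(s, e, N)
    return accepted, K_u == K_p, ID
```

With a compromised K_ij the identity is simply dec(K_ij, y), which is the first comment on the weakness slide that follows.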

Fuw-Yi Yang 28

Anonymous User Identification 13/15

Weakness of Y. Yang et al. (see [2])

U_i ⇄ middle man ⇄ P_j

My comments: compromise of the session key K_ij will disclose the user's identity.

[2]'s comments: DoS attack, shown below.

Other attacks: homomorphic attack on the secret token.

P_j sends z = g^k / S_j mod N, but the middle man delivers z' to U_i.

U_i computes:
  a' = (z')^e · ID_j mod N
  K'_ij = (a')^t mod N
  x = g^(e · t) mod N
  s = g^t · (S_i)^(h(x, T)) mod N
  y' = E_K'ij(ID_i)
U_i believes that a valid session key is derived.

U_i → P_j: s, x, y', T

P_j computes K_ij = x^k = g^(e · k · t) mod N and ID_i = D_Kij(y'), then checks that ID_i is in the user list and that x · (ID_i)^(h(x, T)) = s^e mod N. It is easy to see that P_j aborts.

Yangfy: (ID_i)^(h(x, T)) = s^e / x mod N, so anyone holding the transcript can test whether a given ID_i participated.

Fuw-Yi Yang 29

Anonymous User Identification 14/15

K. Mangipudi and R. Katti

1. Key generation: In a secure way, SCPC sends each user U_i or provider P_j (with identity ID_i or ID_j) a secret token S_i = (ID_i)^d mod N. Server's public key: N_s = p_s · q_s, e_s, g_s ∈ Z_Ns; secret key: d_s.

2. Anonymous user identification:

Fuw-Yi Yang 30

Anonymous User Identification 15/15

Y. Yang et al.

U_i → P_j: req

P_j → U_i: z, T, w, where
  z = g^k / S_j mod N
  w = (g_s)^(H(z, T, ID_s) · d_s) mod N_s

U_i checks w^(e_s) = (g_s)^(H(z, T, ID_s)) mod N_s, then computes:
  a = z^e · ID_j = g^(e · k) mod N
  K_ij = a^t = g^(e · k · t) mod N
  x = g^(e · t) mod N
  s = g^t · (S_i)^(H(x, T)) mod N
  y = E_Kij(ID_i)

U_i → P_j: s, x, y, T

P_j computes K_ij = x^k = g^(e · k · t) mod N and ID_i = D_Kij(y), then checks that ID_i is in the user list and that x · (ID_i)^(H(x, T)) = s^e mod N

Fuw-Yi Yang 31

Anonymous User Identification

Weakness of K. Mangipudi and R. Katti, by yangfy

My comments: compromise of the session key K_ij will disclose the user's identity.

The server's public key is not required.

Other attacks: homomorphic attack on the secret token.

The check of ID_i against the user list is not required.

The protocol flow under discussion:

U_i → P_j: req

P_j → U_i: z, T, w, where
  z = g^k / S_j mod N
  w = (g_s)^(H(z, T, ID_s) · d_s) mod N_s

U_i computes:
  a = z^e · ID_j = g^(e · k) mod N
  K_ij = a^t = g^(e · k · t) mod N
  x = g^(e · t) mod N
  s = g^t · (S_i)^(H(x, T)) mod N
  y = E_Kij(ID_i)

U_i → P_j: s, x, y, T

P_j computes K_ij = x^k = g^(e · k · t) mod N and ID_i = D_Kij(y), then checks that ID_i is in the user list and that x · (ID_i)^(H(x, T)) = s^e mod N

Fuw-Yi Yang 32

Deniable Authentication protocol 1/15

1. L. Fan, C. X. Xu and J. H. Li, “Deniable authentication protocol based on Diffie-Hellman algorithm,” Electronics Letters, Vol. 38(4), pp. 705-706, 2002.

2. C. Dwork, M. Naor and A. Sahai, “Concurrent zero-knowledge,” Proceedings of the Thirtieth Annual ACM Symposium on the Theory of Computing STOC’98, pp. 409-418, 1998.

3. Y. Aumann and M. Rabin, “Efficient deniable authentication of long messages,” Int. Conf. on Theoretical Computer Science in Honor of Professor Manuel Blum’s 60th birthday, 1998. (http://www.cs.cityu.edu.hk/dept/video.html)

4. Y. Aumann and M. Rabin, “Authentication enhanced security and error correcting codes,” Advances in Cryptology-CRYPTO’98, LNCS 1462, pp. 299-303, 1998.

5. X. Deng, C. H. Lee and H. Zhu, “Deniable authentication protocols,” IEE Proceedings Computers and Digital Techniques, Vol. 148(2), pp. 101-104, 2001.

Fuw-Yi Yang 33

Deniable Authentication protocol 2/15

Aumann and Rabin 1/2

Features: 1. The receiver is able to authenticate the source of a message received. 2. The receiver cannot prove the source of the message to a third party.

PD: publicly known directory, containing a set of public data and encoding rules. N = pq (no one knows the values of p and q).
R: receiver. S: sender.
X: x_1 x_2 … x_n, the message sent to R by S.
C(X): y_1 y_2 … y_m, the encoding of message X. C is a public encoding rule.
I: i_1 i_2 … i_k, k different indices between 1 and m.

S selects a set of random numbers g_1^(0), g_1^(1), …, g_m^(0), g_m^(1).
S computes their squares: G_j^(e) = (g_j^(e))^2 mod N, j = 1, …, m, e = 0, 1.
S publishes G_j^(e), j = 1, …, m, e = 0, 1 at PD.

Fuw-Yi Yang 34

Deniable Authentication protocol 2/15

Aumann and Rabin 2/2

To deniably authenticate one bit of the encoded message C(X):

S → R: A = a^2 mod N

R → S: i, where i ∈_R I (the i-th bit)

S computes e = y_i and u_i = a · g_i^(e) mod N

S → R: u_i

R checks that (u_i)^2 = A · G_i^(e) mod N

R simulates S as follows:

1. Choose i

2. y_i is known

3. u_i ∈_R Z_N^*

4. A = (u_i)^2 / G_i^(e) mod N

Fuw-Yi Yang 35

Deniable Authentication protocol 2/15

Deng et al. 1/2

Like the scheme of Aumann and Rabin, except that C(·) is replaced by a collision-resistant hash function.

PD: publicly known directory, containing a set of public data and encoding rules. N = pq (no one knows the values of p and q).
R: receiver. S: sender.
X: x_1 x_2 … x_n, the message sent to R by S.
H(X): z_1 z_2 … z_m, the encoding of message X, |z_i| = s (block size). H is a public hash function.

S selects a set of random numbers g_1, g_2, …, g_m.
S computes their squares: G_j = (g_j)^2 mod N, j = 1, …, m.
S publishes G_j, j = 1, …, m, at PD.
E_PKR(·) denotes the public key encryption algorithm under R's public key, which is secure against CCA.

Fuw-Yi Yang 36

Deniable Authentication protocol 2/15

Deng et al. 2/2

To deniably authenticate one block of the encoded message H(X):

S → R: A = a^2 mod N

R → S: i, where i ∈_R {1, …, m} (the i-th block)

S computes u_i = a · g_i mod N and v_i = H(u_i)^(z_i) (apply the hash function z_i times with input u_i)

S → R: E_PKR(u_i), v_i

R decrypts the ciphertext to obtain the clear message u_i, and checks that v_i = H(u_i)^(z_i) and (u_i)^2 = A · G_i mod N

Fuw-Yi Yang 37

Deniable Authentication protocol 2/15

Deng et al. 1/2

Lemma 1: The protocol described in Section 3.1 is deniable.

Proof: Simulation can be performed by R as follows:
1. Choose i ∈_R {1, …, m}
2. u_i ∈_R Z_N^*
3. E_PKR(u_i)
4. A = (u_i)^2 / G_i mod N
5. v_i = H(u_i)^(z_i)

Thus (A, i, E_PKR(u_i), v_i) is a simulation of the message block z_i. Note that the simulation is indistinguishable from the actual message authenticator (E_PKR(u_i), v_i) computed by S.
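Added example, not from the original slides or from the Deng et al. paper: the factoring-based scheme and R's simulation from Lemma 1 in Python, with a constructed toy N = 103 · 107, H(X) taken as 32 blocks of s = 8 bits from SHA-256, and E_PKR modelled as sending u_i in the clear (a simplification of this example; the real scheme encrypts it under R's public key). Both the real transcript and R's simulated one pass the receiver's check.

```python
import hashlib, math
from random import SystemRandom

rng = SystemRandom()
N = 103 * 107   # constructed toy modulus N = p*q; the PD would hold a large N whose factors nobody knows

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def iterated_hash(u: int, times: int) -> bytes:
    """H(u)^z: apply H 'times' times, starting from the encoding of u."""
    out = u.to_bytes(4, "big")
    for _ in range(times):
        out = H(out)
    return out

def rand_unit() -> int:   # random element of Z_N^*
    while True:
        x = rng.randrange(2, N)
        if math.gcd(x, N) == 1:
            return x

def sender_publish(m):
    g = [rand_unit() for _ in range(m)]          # S's secret g_1..g_m
    return g, [pow(x, 2, N) for x in g]          # G_j = g_j^2 mod N, published at PD

def sender_authenticate(g, i, z):
    """S: A = a^2 mod N, u_i = a*g_i mod N, v_i = H(u_i)^{z_i}; u_i stands for E_PKR(u_i) here."""
    a = rand_unit()
    u = a * g[i] % N
    return pow(a, 2, N), u, iterated_hash(u, z[i])

def receiver_verify(G, i, z, A, u, v):
    """R: v_i = H(u_i)^{z_i} and u_i^2 = A*G_i mod N."""
    return v == iterated_hash(u, z[i]) and pow(u, 2, N) == A * G[i] % N

def receiver_simulate(G, i, z):
    """R's simulation (Lemma 1): pick u_i first, then A = u_i^2 / G_i mod N."""
    u = rand_unit()
    A = pow(u, 2, N) * pow(G[i], -1, N) % N
    return A, u, iterated_hash(u, z[i])

def demo(X=b"constructed message"):
    z = list(H(X))                     # H(X) as m = 32 blocks z_i of s = 8 bits
    g, G = sender_publish(len(z))
    i = rng.randrange(len(z))          # R's random block index
    real_ok = receiver_verify(G, i, z, *sender_authenticate(g, i, z))
    sim_ok = receiver_verify(G, i, z, *receiver_simulate(G, i, z))
    return real_ok, sim_ok             # both True: the simulation is indistinguishable
```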

Fuw-Yi Yang 38

Deniable Authentication protocol 2/15

Deng et al. 1/2

Lemma 2: The protocol described in Section 3.1 authenticates the source of the message.

Proof:
1. If a simulator is not the receiver R, then the simulation described in Lemma 1 does not work.
2. If someone sends the square root of A · G_i mod N to R, then they either know both square roots of A and G_i or the two factors of N.

Fuw-Yi Yang 39

Deniable Authentication protocol 2/15

Deng et al. Based on DLP 1/2

PD: publicly known directory, containing a set of public data and encoding rules. p = 2q + 1, g ∈ Z_p^* is of order q.
R: receiver. S: sender.
X: x_1 x_2 … x_n, the message sent to R by S.
H(X): z_1 z_2 … z_m, the encoding of message X, |z_i| = s (block size). H is a public hash function.

S selects a set of random numbers r_1, r_2, …, r_m ∈ Z_q^*.
S computes G_j = g^(r_j) mod p, j = 1, …, m.
S publishes G_j, j = 1, …, m at PD.
E_PKR(·) denotes the public key encryption algorithm under R's public key, which is secure against CCA.

Fuw-Yi Yang 40

Deniable Authentication protocol 2/15

Deng et al. Based on DLP 2/2

To deniably authenticate one block of the encoded message H(X):

S → R: A = g^a mod p

R → S: i, where i ∈_R {1, …, m} (the i-th block)

S computes u_i = a + r_i mod q and v_i = H(u_i)^(z_i) (apply the hash function z_i times with input u_i)

S → R: E_PKR(u_i), v_i

R decrypts the ciphertext to obtain the clear message u_i, and checks that v_i = H(u_i)^(z_i) and g^(u_i) = A · G_i mod p.

Fuw-Yi Yang 41

Deniable Authentication protocol 2/15

Fan et al.