Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Digital SignaturesCampbell R. Harvey
Duke University and NBER
February 11, 2018
Innovation and Cryptoventures
Campbell R. Harvey 2018 2
DefinitionCryptography is the science of communication in the presence of an adversary. Part of the field of cryptology.
3Campbell R. Harvey 2018
Goals of Adversary• Alice sends message to Bob• Eve is the adversary
4Campbell R. Harvey 2018
Goals of Adversary
Eve’s goals could be:1. Eavesdrop2. Steal secret key so that all future messages can be intercepted3. Change Alice’s message to Bob4. Masquerade as Alice in communicating to Bob
5Campbell R. Harvey 2018
Symmetric Keys
Early algorithms were based on symmetric keys.• This meant a common key encrypted and decrypted the message• You needed to share the common key and this proved difficult
6Campbell R. Harvey 2018
Symmetric Keys
• Early methods relied on a shared key or code• A message would be encrypted and sent but the receiver needed to decode with a key or a special machine
• Example: The “Lektor” in James Bond, From Russia with Love.
7Campbell R. Harvey 2018
Symmetric Keys• However, you needed to securely share the key or decoder.
8Campbell R. Harvey 2018
Symmetric Keys• However, you needed to securely share the key or decoder.
9The “adversary”
Campbell R. Harvey 2018
Symmetric Keys• Nazi Enigma Machine is an earlier version of the “Lektor”
10
https://www.youtube.com/watch?v=G2_Q9FoD‐oQhttps://www.youtube.com/watch?v=V4V2bpZlqx8
Recommended videos!Campbell R. Harvey 2018
Secret Keys
Symmetric key• DES (Data Encryption Standard) was a popular symmetric key method, initially used in SET (first on‐line credit card protocol)
• DES has been replaced by AES (Advanced Encryption Standard)
11Campbell R. Harvey 2018
Diffie‐Hellman Key Exchange
• Breakthrough in 1976 with Diffie‐Hellman‐Merkle key exchange• There is public information that everyone can see. Each person, say Alice and Bob, have secret information.
• The public and secret information is combined in a way to reveal a single secret key that only they know
12https://www.youtube.com/watch?v=YEBfamv‐_do
Campbell R. Harvey 2018
Diffie‐Hellman Key Exchange
• Will use prime numbers and modulo arithmetic• We already encountered one example of modular arithmetic simple ciphers (also the SHA‐256 which uses mod=232 or 4,294,967,296)
13https://www.youtube.com/watch?v=YEBfamv‐_do
Campbell R. Harvey 2018
Key Exchange
Numerical example• “5 mod 2” = 1• Divide 5 by 2 the maximum number of times (2) • 2 is the modulus• The remainder is 1• Remainders never larger than (mod‐1) so for mod 12 (clock) you would never see remainders greater than 11.
• EXCEL function = mod(number, divisor) e.g., mod(329, 17) = 6
14
“mod”
Campbell R. Harvey 2018
Key Exchange
Alice and Bob decide on two public pieces for information• A modulus (say 17)• A generator (or the base for an exponent) (say 3)
• Alice has a private key (15)• Bob has a private key (13)
• Is it possible for them to share a common secret that is unlikely to be intercepted?
15https://www.khanacademy.org/computing/computer‐science/cryptography/modern‐crypt/v/diffie‐hellman‐key‐exchange‐part‐2
Campbell R. Harvey 2018
Key Exchange
Alice: Calculates 315 mod 17 = 6 (i.e., =mod(3^(15), 17))
• Alice send the message “6” to Bob
16Campbell R. Harvey 2018
Key Exchange
Alice: Calculates 315 mod 17 = 6 (i.e., =mod(3^(15), 17))
• Alice send the message “6” to Bob• Eve intercepts the message!
17Campbell R. Harvey 2018
Key Exchange
Bob: Calculates 313 mod 17 = 12 (i.e., =mod(3^(13), 17))
• Bob send the message “12” to Alice
18Campbell R. Harvey 2018
Key Exchange
Bob: Calculates 313 mod 17 = 12 (i.e., =mod(3^(13), 17))
• Bob send the message “12” to Alice• Eve intercepts the message! Now Eve has the 6 and the 12.
19Campbell R. Harvey 2018
Key Exchange
Alice: She takes Bob’s message of 12 and raises it to the power of her private key. Calculates 1215 mod 17 = 10 (i.e., =mod(12^(15), 17))*
• This is their common secret
20*EXCEL only does 15 digits so this will not work Campbell R. Harvey 2018
Key Exchange
Bob: He takes Alice’s message of 6 and raises it to the power of his private key. Calculates 613 mod 17 = 10 (i.e., =mod(6^(13), 17))
• This is their common secret
21Campbell R. Harvey 2018
Key Exchange
Eve She has intercepted their message. However, without the common secret key, there is little chance she can recover the shared secret.
22Campbell R. Harvey 2018
Key Exchange
Common secret• Alice can now encrypt a message with the common secret and Bob can decrypt it with the common secret.
• Notice this is a common secret. • Next we will talk private/public keys. That is, both and Alice have separate public keys and separate private keys.
23Campbell R. Harvey 2018
Key Exchange (Optional slide)Why does this workThey are solving the same problem.
• Alice sent Bob 315 mod 17 = 6. • Bob raises the to power of 13.
This is the same as613 mod 17 = [315]^(13) mod 17 =10
24
Alice’s original calculation
Campbell R. Harvey 2018
Key Exchange (Optional slide)Why does this workThey are solving the same problem.
• Bob sent Alice 313 mod 17 = 12. • Alice raises the to power of 15.
This is the same as1215 mod 17 = [313]^(15) mod 17 =10
25
Bob’s original calculation
Campbell R. Harvey 2018
Key Exchange (Optional slide)
Why does this workThey are solving the same problem. The modular arithmetic is crucial.
• See![313]^(15) = [315]^(13)
26Campbell R. Harvey 2018
Asymmetric keys
Public and private keys• A message needs to go from Sender to Receiver• Receiver gives the Sender a lock• Sender locks the message (ciphertext) and transmits to Receiver• Only the Receiver can decrypt because they have the key
The lock is the public keyThe key to open the lock is the private key
27Campbell R. Harvey 2018
Asymmetric keys
RSA • RSA stands for Rivest, Shamir and Adleman. Note discovered earlier by UK Communications‐Electronics Security Group (CESG) – but kept secret.
• Receiver generates two public pieces of information and a private key• One piece of public information is just the product of two prime numbers, N=p*q (called “max”)
• The other is the public key, e, is just another prime that is greater than 2 and less than the product, N
• The prime numbers, p and q, that are used are huge. The private key is mathematically linked to public keys.
• Sender encrypts with the two public keys• Receiver can easily decrypt
28Campbell R. Harvey 2018
RSA: High Level Overview
See my Cryptography 101 (linked) deck for much more detail.• Two prime numbers are chosen and they are secret (say 7 and 13, p, q).• Multiply them together. The product (N=91) is public but people don’t know the prime numbers used to get it.
• A public key, e, is chosen (say 5).• Given the two prime numbers, 7 and 13, and the public key, we can derive the private key, which is 29.
29Campbell R. Harvey 2018
RSA Issues with RSA• RSA relies on factoring• N is public (our example was 91) as is e• If you can guess the factors, p, q, then you can discover the private key
30Campbell R. Harvey 2018
RSA Issues with RSA• Factoring algorithms have become very efficient• To make things worse, the algorithms become more efficient as the size of the N increases
• Hence, larger and larger numbers are needed for N (moving to 2,048 bits)• This creates issues for mobile and low power devices that lack the computational power
31http://www.slate.com/articles/health_and_science/science/2016/01/the_world_s_largest_prime_number_has_22_338_618_digits_here_s_why_you_should.html
Campbell R. Harvey 2018
Elliptic Curve Cryptography
Mathematics of elliptic curves• Does not rely on factoring• Curve takes the form of
y2 = x3 + ax + b
32
Note: 4a3 + 27b2 ≠ 0
Campbell R. Harvey 2018
Bitcoin uses a=0 and b=7
Note that diagram is “continuous” but wewill be using discrete versions of this arithmetic
Elliptic Curve Cryptography
Properties• Symmetric in x‐axis• Any non‐vertical line intersects in three points• Algebraic representation
33Campbell R. Harvey 2018
Elliptic Curve Cryptography
Properties: Addition
34
P Q
R
P+Q
Define a system of “addition”. To add “P” and“Q” pass a line through and intersect at third point“R”. Drop a vertical line down to symmetric part.This defines P+Q (usually denoted ⊕ )
Denote Elliptic Curveas E Campbell R. Harvey 2018
Elliptic Curve Cryptography Properties: Doubling
35
P
2P
Define a system of “addition”. To add “P” and“P” use a tangent line and intersect at third point.Drop a vertical line down to symmetric part. This definite 2P (usually denoted ⊕ )
Denote Elliptic Curveas E Campbell R. Harvey 2018
Elliptic Curve Cryptography (Optional slide)
Properties: Other
36
(a) P + O = O + P = P for all P ∈ E.(existence of identity)
(b) P + (−P) = O for all P ∈ E.(existence of inverse)
(c) P + (Q + R) = (P + Q) + R for all P, Q, R ∈ E.(associative)
(d) P + Q = Q + P for all P, Q ∈ E(communativity)
Denote Elliptic Curveas E Campbell R. Harvey 2018
Elliptic Curve Cryptography
Why use in cryptography?• Suggested by Koblitz and Miller in 1985• Implemented in 2005• Key insight:
• Adding and doubling on the elliptic curve is easy but undoing the adding is very difficult• 256 bit ECC public key provides about the same security as 3,072 bit RSA public key
• Bitcoin uses a particular type of ECC known as secp256k1
37Campbell R. Harvey 2018http://www.nicolascourtois.com/bitcoin/groups_ECC_7B.pdf
Elliptic Curve Cryptography
Do not confuse ECC in bitcoin with Dual_EC_DRBG (cryptotrojan)• August 2007 paper presented that suggested the possibility of a backdoor in government approved encryption standard
• 2013 New York Times reveals information from Edward Snowden confirming the backdoor via project Bullrun
• NSA paid $10 million to make it the standard
38Campbell R. Harvey 2018https://www.wired.com/images_blogs/threatlevel/2013/09/15‐shumow.pdfhttps://www.wired.com/2013/09/nsa‐backdoor/
Elliptic Curve Cryptography
Modulo arithmetic on EC• Example of modulo 67 (means only points are between 0 and 66
• Notice the symmetry
39Campbell R. Harvey 2018
http://www.coindesk.com/math‐behind‐bitcoin/#
Elliptic Curve Cryptography
Modulo arithmetic on EC• Notice the symmetry (reflection in the red line)
40Campbell R. Harvey 2018
http://www.coindesk.com/math‐behind‐bitcoin/#
Elliptic Curve Cryptography
Modulo arithmetic on EC• Example of modulo 67• Addition of (2,22) and (6,25)• Note (2,22) called the “base point”• The dashed blue line wraps around and intersects at (47,39) and the reflection is (47,28)*
41Campbell R. Harvey 2018http://www.coindesk.com/math‐behind‐bitcoin/#
Note: (2,22)+(6,25) ≠ (8,47) because we are adding on elliptic curve. See for review https://www.voltage.com/math‐2/adding‐points‐on‐an‐elliptic‐curve/
Elliptic Curve Cryptography (Optional slide)
Four choices:• Form of elliptic curve• Prime modulo• Base point• Order
42Campbell R. Harvey 2018
http://www.coindesk.com/math‐behind‐bitcoin/#
Elliptic Curve Cryptography (Optional slide)
Four choices:• Form of elliptic curve: y2 = x3 + 7• Prime modulo: 2256 – 232 – 29 – 28 – 27 – 26 – 24 ‐ 1 = FFFFFFFF FFFFFFFFFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F
• Base point: 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8
• Order: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141
43Campbell R. Harvey 2018
http://www.coindesk.com/math‐behind‐bitcoin/#
Elliptic Curve Cryptography (Optional slide)
How it works:• Private key is a random number chosen between 1 and the order• Public key = private key*base point• Maximum number of private keys (and bitcoin addresses) is equal to the order.
• It is straightforward to go from private key to a public key – but brutally difficult to go from public key to private key.
44Campbell R. Harvey 2018
http://www.coindesk.com/math‐behind‐bitcoin/#
Elliptic Curve Cryptography (Optional slide)
How it works:1. Choose private key and derive public key• Let prime modulus = m• Let base point (x,y) = G• Let order = n• Let private key = d (which is just a number)
Public key Q(x,y) = d*G [operations on the elliptic curve with prime modulus m]
45Campbell R. Harvey 2018
http://www.coindesk.com/math‐behind‐bitcoin/#
Elliptic Curve Cryptography (Optional slide)
How it works:2. Sign• Let data = z (which could be a SHA‐256 of the data you are signing)• Generate a random number k• Calculate k*G which leads to particular coordinates (x,y)*• Calculate r = x mod n [Note n=order]• Calculate s = (z + r*d)/k mod n
Digital Signature (DS) = (r, s) is just a set of coordinates46Campbell R. Harvey 2018
http://www.coindesk.com/math‐behind‐bitcoin/# *I am not sure what modulus is used for this EC operation.
Private key
Elliptic Curve Cryptography (Optional slide)
How it works:3. Verify• Calculate w = s‐1 mod n• Calculate u = z*w mod n• Calculate v = r*w mod n• Calculate the point (x’, y’) = uG + vQ• Verify that r = x’mod n If yes, verified.
Remember DS = (r, s)47Campbell R. Harvey 2018
http://www.coindesk.com/math‐behind‐bitcoin/#
Public key
Base point
Elliptic Curve Cryptography (Optional slide)
How it works:4. Intuition• Anyone can encrypt something with a public key• The digital signature algorithm uses the data, a random number, and both the private and public keys
• Verification shows that only the owner of both the private and public key could have signed. Verification is a “yes” or a “no”.
48Campbell R. Harvey 2018
http://www.coindesk.com/math‐behind‐bitcoin/#
ECDSA
• Private key is a number called “signing key” (SK). It is secret.• Public key is the “verification key” and is mathematically linked to the private key
49Campbell R. Harvey 2018
SK EC VK
Private key:(number)
Elliptic curve operations: Need base point, modulus, order
Public key:coordinate (x, y)
Note: Easy to generate a public key with a private key. Not easy to go the other way.
ECDSA• Digital signature
50Campbell R. Harvey 2018
SK
EC DS
Private key:(number)
Elliptic curve operations: Need base point, modulus, order (n)
Digital signature:coordinate (r, s)
Message
Nonce
Nonce:(random number)
ECDSA• Verification
51Campbell R. Harvey 2018
VK
EC (x’, y’)
Public key:(x, y)
Elliptic curve operations: Need base point, order (n)
Derive new pointon elliptic curve
Message
r
DScoordinates
sr = x’ mod n ?
Yes (verified)
No(rejected)
Check x coordinateof new point and DS
Note r not used until verification step
How DSAs Work
Notice• Proves that the person with the private key (that generated the public key) signed the message.
• Interestingly, digital signature is different from a usual signature in that it depends on the message, i.e., the signature is different for each different message.
• In practice, we do not sign the message, we sign a cryptographic hash of the message. This means that the size of the input is the same no matter how long the message is.
52Campbell R. Harvey 2018
ECDSA in Action
53Campbell R. Harvey 2018https://kjur.github.io/jsrsasign/sample/sample‐ecdsa.html
ECDSA in Action
54Campbell R. Harvey 2018
OP_CHECKSIG uses Public Key + Digital Signature + Hash of Transaction
Verifies whether this transaction has been signed by the owner of the Private Key
https://www.youtube.com/watch?v=ir4dDCJhdB4 (advanced by Matt Thomas)
Application: PGP EmailMy public key for secure email• You can encrypt an email to me with my public key and only I can decrypt with my private key.
55Campbell R. Harvey 2018
Application: PGP Email
Steps1. Message compressed2. Random session key (based on mouse
movements and keystrokes) is generated.3. Message encrypted with session key4. Session key is encrypted with receiver’s public key5. Encrypted message + encrypted session key sent via email6. Recipient uses their private key to decrypt the session key7. Session key is used to decrypt the message8. Message decompressed
56Campbell R. Harvey 2018http://www.pgpi.org/doc/pgpintro/
References
• The Math Behind Bitcoin [recommended]
• Elliptic Curve Digital Signature Algorithm (Bitcoin)
• What does the curve used in Bitcoin, secp256k1, look like?
• Elliptic Curve Digital Signature Algorithm (Wikipedia)
• Elliptic Curve Cryptography (UCSB)
• Elliptic Curve Cryptography and Digital Rights Management (Purdue)
• Zero to ECC in 30 minutes (Entrust)
• The Elliptic Curve Cryptosystem
• Goldwasser, Shaffi and Mihir Bellare, 2008, Lecture Notes on Cryptography
• Dan Boneh, Stanford University, Introduction to Cryptography
• Dan Boneh, Stanford University, Cryptography II
• https://arstechnica.com/security/2013/10/a‐relatively‐easy‐to‐understand‐primer‐on‐elliptic‐curve‐cryptography/
57Campbell R. Harvey 2018