Cryptography Modern version

Modern Cryptography
New Directions in Cryptography
W.Diffie & M.E.Hellman
Probabilistic Encryption
S.Goldwasser & S.Micali
By 1976...
Practically –
Computers and “Private key security” exist (DES),
and are becoming more and more applicable.
Theoretically –
Perfect secrecy [Shannon]. NOT MUCH BESIDES…
The notion of a function that is easy to compute but hard to
“invert” arose... [Purdy]
Complexity: NP (completeness) vs. P [Cook, Karp].
By 1976... (hush hush!)
In fact, computers and cryptography go hand in
hand from the first computers. (WWII)
In fact, there were confidential papers in
cryptography (in CESG):
Non-secret encryption [J.H.Ellis ‘70] (with a
proof!)
≈RSA [C.C.Cocks ’73]
By 1976... (biographical details)
In 1972, Whitfield Diffie, an AI graduate student, develops more
than an interest in cryptography.
In 1974, at the age of 30, he phones Martin Hellman, assistant
professor in Stanford, to discuss issues in crypto. They begin
collaborating.
In 1975, Diffie thinks of quitting altogether.
"I was worried that I wasn't particularly remarkable as a programmer and
that my lot in life would get progressively worse if things continued going
as they were."
Also in 1975, he finds success.
"The thing I remember distinctly is that I was sitting in the living room when I
thought of it the first time and then I went downstairs to get a Coke and I
almost lost it," he says. "I mean, there was this moment when - I was thinking
about something. What was it? And then I got it back and didn't forget it."
New Directions in Cryptography
W.Diffie & M.E.Hellman
[Photos: Hellman, Diffie]
“We stand today on the brink of a
revolution in cryptography”
Emphasis
This is an invited paper, so:
1. NO definitions, notations, claims, proofs etc.
2. HOWEVER: clever ideas, clever insights!
3. Practicality. Historical survey.
So, what do we have in a “conventional
cryptographic system” (block or stream)?
S_k : {P} → {C}
“Conventional Cryptographic System”
Goal:
Enciphering and deciphering – “inexpensive”, but any
“cryptanalytic operation” is “too complex to be
economical”.
“We call a task computationally infeasible, if its cost... is
finite but impossibly large.”
Important desired property – Error propagation: “A small change in the input block
produces a major change in the resulting output”.
“Conventional Cryptographic System”
Threats: (the family {S_k} is known; only k is secret)
Eavesdropping – “Ciphertext only”, “Known plaintext”, “Chosen plaintext”.
Injecting – new messages, or combining/repeating.
Problems:
1. Where does the secure channel come from?
2. Authentication & Signature.
3. n users ⇒ Θ(n²) keys (one per pair).
Introducing:
THE PUBLIC KEY CRYPTOSYSTEM!
THE PUBLIC KEY CRYPTOSYSTEM!
Two families {E_k}_k, {D_k}_k of invertible transformations,
E_k, D_k : {M} → {M}, s.t. the following holds:
1. ∀k, E_k is the inverse of D_k.
2. ∀k, ∀m ∈ {M}, E_k(m), D_k(m) are “easy to compute”.
3. For almost every k, each easily computed
algorithm equivalent to D_k is computationally
infeasible to derive given E_k.
4. ∀k, it is easy to come
up with the pair ⟨D_k, E_k⟩.
RANDOMIZED!
Publicize Ek, but keep Dk to yourself!
Suggestions
1. (useless) An invertible matrix E, D = E^{-1}.
(n² vs. n³, at the time)
2. “One way compiler”.
Public Key Distribution System:
“Securely exchange a key over an insecure channel”.
3. Merkle.
4. The Diffie-Hellman key exchange.
The DH Key Exchange
Everybody knows:
q – a prime, g – a generator for Z*_q
A:
  Selects x_A ∈_R Z*_q.
  Sends m_A = g^{x_A} mod q.
  Computes K = m_B^{x_A} mod q.
B:
  Selects x_B ∈_R Z*_q.
  Sends m_B = g^{x_B} mod q.
  Computes K = m_A^{x_B} mod q.
Both obtain K = g^{x_A x_B} mod q.
Secure, if discrete log takes on the order of q^{1/2} operations.
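The exchange above, carried out end to end in Python as an added example (not code from the slides or the paper). It uses a toy prime so that the generator check can walk the whole group; a real deployment uses a large safe prime and a generator of a large prime-order subgroup.

```python
import secrets


def is_generator(g: int, q: int) -> bool:
    """Check that g generates all of Z*_q by walking its powers (toy q only:
    this is O(q) work, which is exactly what is infeasible for real sizes)."""
    seen, x = set(), 1
    for _ in range(q - 1):
        x = x * g % q
        seen.add(x)
    return len(seen) == q - 1


class Party:
    """One side of the exchange: keeps x secret, publishes m = g^x mod q."""

    def __init__(self, q: int, g: int):
        self.q, self.g = q, g
        self.x = 1 + secrets.randbelow(q - 2)   # secret exponent in {1, ..., q-2}
        self.m = pow(g, self.x, q)              # the only value sent over the channel

    def shared_key(self, m_other: int) -> int:
        # K = (g^{x_other})^{x_self} mod q
        return pow(m_other, self.x, self.q)


def dh_exchange(q: int, g: int):
    """Run one exchange; return (K_A, K_B, g^{x_A x_B} mod q) for comparison."""
    assert is_generator(g, q), "g must generate Z*_q"
    A, B = Party(q, g), Party(q, g)
    k_a = A.shared_key(B.m)      # A receives m_B
    k_b = B.shared_key(A.m)      # B receives m_A
    return k_a, k_b, pow(g, A.x * B.x, q)


if __name__ == "__main__":
    # Constructed toy parameters: q = 23 is prime and 5 generates Z*_23.
    print(dh_exchange(23, 5))
```

An eavesdropper sees only q, g, m_A and m_B; recovering K from them is the discrete-log problem the slide names as the security assumption.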
Signature
By public key cryptosystem!
Just send ⟨m, D_k(m)⟩.
One Way
A function f is a one-way function if it is easy to
compute f(x), but for almost every y it is
“computationally infeasible to solve the equation
y=f(x).”
(“Polynomials offer an elementary example of one-way
functions.” “One way functions are easy to devise.”)
One Way Authentication
Techniques:
1. Login: user picks PW, but sends f(PW).
2. Login revised: user picks PW, sends f^T(PW). At
time t, the user authenticates by sending f^{T−t}(PW)
(requires fast enumeration of f).
3. Select x_1^0, x_1^1, x_2^0, x_2^1, …, x_N^0, x_N^1.
Compute their images under f: y_1^0, y_1^1, y_2^0,
y_2^1, …, y_N^0, y_N^1. Publicize these 2N images.
Send the message m = m_1, m_2, …, m_N and
x_1^{m_1}, x_2^{m_2}, …, x_N^{m_N}.
Insights
“A cryptosystem which is secure against a known
plaintext attack can be used to produce a OWF”.
Choose P_0 arbitrarily.
Define: f(x) = S_x(P_0)
Insights (cont.)
Trap-door OWF: a simply computed inverse exists, but
given only f it is infeasible to find an inverse. Only possession
of the trap-door information allows computing an inverse easily.
(e.g. the random string used to produce E, D.)
(A quasi-OWF: same definition, without the trap-door information.)
Trap-door cipher: resists any cryptanalysis by anyone not
in possession of the trap-door information.
“A trap-door cryptosystem can be used to produce a
public key distribution system”.
A enciphers and publicizes m, E_k(m); B breaks the encryption.
Insights (cont.)
Public Key Cryptosystem ⇒ OW authentication.
“The converse does not appear to hold”.
Public Key Cryptosystem ⇒ Public Key Distribution
System.
“Not conversely”.
Public Key Cryptosystem ⇒ Trap-door OWF.
The converse – the function “must be invertible”.
Connection to Complexity
“The cryptanalytic difficulty of a system whose
encryption and decryption operations can be
done in P time cannot be greater than NP”.
Nondeterministically, choose the key (maybe also the
message). Verify by encryption / decryption in polytime.
“The general cryptanalytic problem is NP-complete.”
By constructing a OWF from the Knapsack Problem.
The Knapsack Problem
Given {a_1, a_2, …, a_n} and x ∈ {0,1}^n, computing
y = f(x) = Σ_i a_i x_i is easy, yet finding a subset of {a_i}_i
that sums up to a given y is NP-complete.
Problems:
1. f cannot be degenerate.
2. f cannot be super-increasing.
Is f hard on average?
…Probably not.
Knapsack based encryption – given ’77 [Merkle,
Hellman], broken ’82 [Shamir] and later others.
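The knapsack OWF and the two degenerate cases named above, as an added example (not from the slides): the easy direction is a sum, the generic inversion is exhaustive search, and a super-increasing weight vector is inverted greedily in linear time, which is why such an f cannot serve as a one-way function. Weights and messages below are constructed.

```python
from typing import List, Optional


def knapsack(a: List[int], x: List[int]) -> int:
    """Easy direction: y = f(x) = sum_i a_i x_i for x in {0,1}^n."""
    assert len(a) == len(x) and all(b in (0, 1) for b in x)
    return sum(ai * xi for ai, xi in zip(a, x))


def is_superincreasing(a: List[int]) -> bool:
    """Each weight exceeds the sum of all earlier weights (problem 2 on the slide)."""
    total = 0
    for ai in a:
        if ai <= total:
            return False
        total += ai
    return True


def invert_superincreasing(a: List[int], y: int) -> Optional[List[int]]:
    """Greedy inversion, largest weight first; unique and O(n) when a is
    super-increasing, so f leaks x to anyone who sees y."""
    x = [0] * len(a)
    for i in range(len(a) - 1, -1, -1):
        if a[i] <= y:
            x[i], y = 1, y - a[i]
    return x if y == 0 else None


def invert_bruteforce(a: List[int], y: int) -> Optional[List[int]]:
    """Generic subset-sum by exhaustive search: 2^n evaluations of f.
    This is the 'hard direction' for weights that are not degenerate."""
    n = len(a)
    for bits in range(1 << n):
        x = [(bits >> i) & 1 for i in range(n)]
        if knapsack(a, x) == y:
            return x
    return None
```
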
Historical Note
From Caesar cipher to WWII.
References – a book [~ 1200 pages]:
D. Kahn, The Codebreakers, The Story of Secret Writing.
Emphasize the following point:
“innovation has come primarily from the amateurs”.
“We hope this will inspire others to work in this fascinating
area in which participation has been discouraged in the
recent past by a nearly total government monopoly.”
And what happened to Diffie & Hellman?
Diffie didn't finish his degree; he left to work in
cryptography-oriented companies, and works to this day.
He was awarded a doctorate in 1992 (!) by the Swiss
Federal Institute of Technology.
Hellman became a professor in ’79 and is currently
retired.
Both – highly respected, highly awarded.
After DH:
Practical Public Keys
Several suggestions, including the knapsack, and
McEliece (an error-correcting code disguised by an invertible matrix and a
permutation, plus a small random error).
1978 – RSA!
1979 – Rabin (RSA with squaring)
Mathematical proofs of security:
1982-4 – Blum; Goldwasser & Micali.