Overview

Lecture 22: Cryptology

Turing machines. Newtonian mechanics. Computability. Heisenberg uncertainty principle. NP-completeness. Speed of light.

Enigma machine

"Cryptography used to be an obscure science, of little relevance to everyday life. Historically, it always had a special role in military and diplomatic communications. But in the Information Age, cryptography is about political power, and in particular, about the power relationship between a government and its people. It is about the right to privacy, freedom of speech, freedom of political association, freedom of the press, freedom from unreasonable search and seizure, freedom to be left alone." - Phil Zimmermann

This lecture. Exploit hard problems. Apply theory to cryptography. RSA cryptosystem.
! ! !

"It is insufficient to protect ourselves with laws. We need to protect ourselves with mathematics." -- Bruce Schneier

COS126: General Computer Sci ence

http://w w w .cs.Pri nceton.EDU/~cos126

Cryptology
Cryptology: science of secret communication. Cryptography: science of creating secret codes. Cryptanalysis: science of code breaking.

A Better Approach
Security by obscurity. Rely on proprietary, ad hoc cryptographic schemes. Eventually reverse-engineered and cracked. Ex: CSS for DVD encryption, RIAA digital watermarking, GSM cell phones, Windows XP product activation, Adobe eBooks, Diebold AccuVote-TS machines, . . . .
! ! !

Goal: information security in presence of malicious adversaries. Confidentiality: keep communication private. Integrity: detect unauthorized alteration to communication. Authentication: confirm identity of sender. Authorization: establish level of access for trusted parties. Non-repudiation: prove that communication was received.
! ! ! ! !

A better approach. Leverage theory of hard problems. Show that breaking security system is equivalent to solving some of the world's greatest unsolved problems!
! !

Kerckhoffs' principle.

"Il faut qui'l must n'exige pas secret, et qui'l "The system not require secrecy puisse sans inconvenient entre les and can be stolen by the tomber enemy without mains de l'ennemi." causing trouble."

Analog Cryptography

Digital Cryptography
Our goal. Implement all tasks digitally and securely. Implement additional tasks that can't be done with physics!
! !

Task
Protect information Identification Contract Money transfer Public auction Poker Public election Public lottery Anonymous communication

Description
Code book, lock + key Driver's license, fingerprint, DNA Handwritten signature, notary Coin, bill, check, credit card Sealed envelope Cards with concealed backs Anonymous ballot Dice, coins Pseudonym, ransom note

Fundamental questions. Is any of this possible? How?

! !

Today. Give flavor of modern (digital) cryptography. Implement one of these tasks. Sketch a few technical details.
! ! !

Digital Cryptography Axioms

Axiom 1. Players can toss coins. Crypto impossible without randomness.
!

Non-Encryption
Encryption. Most basic problem in cryptography. Alice wants to send Bob a private message m.
! !

Axiom 2. Players are computationally limited (poly-time). Axiom 3. Factoring is hard computationally. Not polynomial-time. "1-way trapdoor function."
! !

credit card number

Multiply = EASY 23, 67 1,541 Message m Factor = HARD

Fact. Primality testing is easy computationally.

Theorem. Digital cryptography exists. Corollary. Can do all tasks on previous slide digitally.

Alice

Bob

Eve the Eavesdropper

9 11

Encryption
Encryption. Most basic problem in cryptography. Alice sends Bob an encrypted message E(m). Easy for Bob to recover original message m. Hard for Eve to learn anything about m.
! ! ! !

Private Key Encryption

Alice sends Bob a message m. Assume message m encoded in binary. Alice and Bob share secret key k.
! !

credit card number

encrypted message E(m)

encrypted message E(m)

Alice

Bob

Alice

encrypt with secret key k

decrypt with same secret key k

Bob

Eve the Eavesdropper

12

Eve the Eavesdropper

13

Private Key Encryption: One Time Pad

Key distribution. Alice and Bob share n-bit secret key k.
!

Private Key Encryption

Advantages. Provably secure if key is random. Simple to implement.
! !

n=6

Alice wants to send n-bit message m to Bob. Alice computes and sends E(m) = m ^ k.
!

0 0

1 0

0 1

1 0

1 1

0 0

m E(m)

bitwise XOR

Bob receives ciphertext c = E(m). Bob computes D(c) = c ^ k.

!

0 0

0 1

1 0

0 1

1 1

0 0

c D(c)

Disadvantages. Not easy to generate uniformly random keys. Need new key for each message. Signature? Rosenbergs sent to electric chair because Russian spy reused a one-time pad Non-repudiation? deal-breaker for e-commerce since Alice and Bob Key distribution?
! ! ! ! !

Russian one-time pad

want to communicate even if they've never met

Why does it work? D(E(m)) = D(m ^ k) = (m ^ k) ^ k = m Why is it secure? If k is uniformly random, so is m ^ k.

Other private key encryption schemes. Data Encryption Standard (DES). Advanced Encryption Standard (AES, Rijndael algorithm). Blowfish.
! ! !

14

15

Public Key Encryption

Alice sends Bob a message m. Bob has public key e and private key d.
!

Public Key Encryption

Key distribution. Bob has public key = published in digital phonebook. Bob has private key = known only by Bob.
! !

VeriSign

locks

unlocks

Alice wants to transmit N-bit private message m to Bob. Alice encrypts message using Bob's public key: E(m).
!

encrypted message E(m)

Bob receives ciphertext c = E(m) from Alice. Bob decrypts message using his private key: D(c).
!

Under what situations does it work? D(E(m)) = m.

absolute and obvious requirement

Alice

encrypt with Bob's public key e Eve the Eavesdropper

decrypt with Bob's private key d

Bob

What are necessary conditions for security? Can encrypt message efficiently with public key. Can decrypt message efficiently with private key. Can not decrypt message efficiently with public key alone.
! ! !

16

17

RSA Public Key Cryptosystem: In the Real World

RSA cryptosystem (1978).
Rivest Shamir Adleman

RSA Public-Key Cryptosystem: Key Generation

RSA key generation. Select two large prime numbers p and q at random. Compute N = pq.
! !

p = 11, q = 29 N = 11 " 29 = 319

Operating systems. Sun, Microsoft, Apple, Novell. Hardware. Cell phones, ATM machines, wireless Ethernet cards, Mondex smart cards, Palm Pilots, Palladium. Secure Internet communication. Browsers, S/MIME, SSL, S/WAN, PGP, Microsoft Outlook, etc.
Alice browses to https://whiteboard.cs.princeton.edu Alice's browser gets Bob's public key. Alice sends programming assignment. Bob's web server decrypts assignment.
Alice submits programming assignment to Bob via secure website
18

Number theory fact. If p and q are prime, there exist efficiently computable integers e and d such that for d all messages m: (me) ! m (mod N).
a ! b (mod N) means (a % N) == (b % N)

(m3)

187

! m (mod 319)

Bob's public key: Bob private key:

(e, N) (d, N)

(3, 319) (187, 319)

19

RSA Public-Key Cryptosystem: Encryption and Decryption

Alice wants to transmit n-bit private message m to Bob. Alice obtains Bob's public key (e, N) from Internet. Alice computes E(m) = me (mod N).
! !

Modular Exponentiation: Brute Force

Modular exponentiation: c = a b (mod N).
200317 (mod 3713) ! 134454746427671370568340195448570911966902998629125654163 (mod 3713)

Bob receives ciphertext c from Alice. Bob uses his secret key (d, N). Bob computes D(c) = cd (mod N).
! !

E(m) =

1003

(mod 319) = 254

! 232

m = 100 D(c) = 254187 (mod 319) = 100

Brute force: multiply a by itself, b times. Analysis of brute force. Suppose a, b, and N are n-bit integers. Problem 1: number of multiplications proportional to 2n. Problem 2: number of digits of intermediate value can be 2n. Exponential time and memory!
! ! ! !

Why does it work? Need to check that D(E(m)) = m.

! !

D(E(m))

! D(me) ! (me)d ! m

(mod N) (mod N) (mod N)

128TB memory if N = 50

bad news since n must be big for RSA to be secure

previous fact

20

21

Modular Exponentiation: Repeated Squaring

Idea 1: can mod out by N after each multiplication. Intermediate numbers stay small.
!

RSA Details
How large should n = pq be? 2,048 bits for long term security. Too small # easy to break. Too large # time consuming to encrypt/decrypt.
! ! !

Idea 2: repeated squaring.

Term 200317 ! 20031 " 200316 ! 2003 " 3157 ! 6,323,471 ! 232 (mod 3713) (mod 3713) (mod 3713) (mod 3713) (mod 3713) 1710 = 100012 20031 20032 20034 20038 200316 Compute 2003 20032 19692 5892 16122 Repeated squaring mod 3713 2003 1969 589 1612 3157

Q. How do I choose a large "random" prime number? A. Guess-and-check. Prime Number Theorem. (Hadamard, Valle Poussin, 1896). Number of primes between 2 and N $ N / ln N. Primes are plentiful: 10151 with % 512 bits. Will never run out, and no two people will pick same ones.
! ! !

Analysis of modular exponentiation. At most 2n multiply and mod operations. Intermediate numbers at most 2n digits long.
! !

Theorem. (Agarwal-Kayal-Saxena, 2002) PRIME: Given n-bit integer N, is N prime? PRIME is in P.

! !

22

23

RSA in Java
Key generation using:
java.math.BigInteger, java.security.SecureRandom.

Cryptanalysis: RSA Attacks

Factoring. Factor N = pq. Use p, q, and e to compute d. Other means? Long-standing open research question. No guarantee that RSA is secure even if factoring is hard.

SecureRandom random = new SecureRandom(); BigInteger BigInteger BigInteger BigInteger ONE p q phi = = = =
random n/2-bit prime new BigInteger("1"); BigInteger.probablePrime(n/2, random); BigInteger.probablePrime(n/2, random); (p.subtract(ONE)).multiply(q.subtract(ONE)); modulus public key private key

BigInteger N = p.multiply(q); BigInteger e = new BigInteger("65537"); BigInteger d = e.modInverse(phi);

(ed ! 1 mod &)

Semantic security. If you know Alice will send ATTACK or RETREAT you can encrypt ATTACK and RETREAT using Bob's public key, and check which one Alice sent. Timing attack. Alice gleans information about Bob's private key by measuring time it takes Bob to exponentiate. Modulus sharing. Bob: (d1, e1, N), Ben: (d2, e2, N). Bob can compute d2 given e2 ; Ben can compute d1 given e1.
! !

RSA function.
BigInteger rsa(BigInteger a, BigInteger b, BigInteger N) { return a.modPow(b, N); } built-in modular exponentiation (repeated squaring)
24

25

RSA Tradeoffs
Advantages. Solves key distribution problem. Extends to digital signatures, etc.
! !

Consequences of Cryptography
Crypto liberates (you = Alice or Bob). Freedom of privacy, speech, press, political association. Benefits both ordinary citizens and terrorists.
! !

Disadvantages. Security relies on decryption being "computationally inefficient." Not semantically secure. Decryption more expensive than private key schemes.
! ! !

no such reliance with one-time pads

Crypto enables e-commerce. confidentiality, integrity, authentication.

Encrypting transactions on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench. -- Eugene Spafford

Practical middle-ground hybrid system. Use AES, a private key encryption system. Use RSA to distribute AES keys.
! !

Theoretical high-ground. (Blum-Goldwasser, 1985) Provably as hard a factoring. Semantically secure.

! !

Crypto restricts (you = Eve, your computer = Alice or Bob). Ex: Trustworthy Computing, DRM. Establishes a secure identity and enable secure transactions. Restricts what user can do: play MP3 files, copy DVDs, run software, print documents, forward email.
! ! !

26

27

Announcements
Your Very Last Exam Wed April 27, 7:30 PM, right here Closed book, but You can bring one cheatsheet both sides of one (8.5 by 11) sheet, handwritten by you No calculators, laptops, Palm Pilots, cellphones, etc.
! ! ! !

Helpful review session Tuesday April 26, 7:30 PM, COS 105 Not a canned presentation Driven by your questions (so be sure to bring some)
! ! !

Covers almost entire course Lectures, precepts, assignments, readings But not: TOY or hardware topics
! !

28