Chapter 9 – Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both.

Chapter 9 – Chapter 9 – Public Key Public Key Cryptography and RSACryptography and RSA Private-Key CryptographyPrivate-Key Cryptography

traditional traditional private/secret/single keyprivate/secret/single key cryptography uses cryptography uses oneone key key

shared by both sender and receiver shared by both sender and receiver if this key is disclosed communications are if this key is disclosed communications are

compromised compromised also is also is symmetricsymmetric, parties are equal , parties are equal hence does not protect sender from hence does not protect sender from

receiver forging a message & claiming is receiver forging a message & claiming is sent by sender sent by sender

Public-Key CryptographyPublic-Key Cryptography

probably most significant advance in the probably most significant advance in the 3000 year history of cryptography 3000 year history of cryptography

uses uses twotwo keys – a public & a private key keys – a public & a private key asymmetricasymmetric since parties are since parties are notnot equal equal uses clever application of number uses clever application of number

theoretic concepts to functiontheoretic concepts to function complements complements rather thanrather than replaces private replaces private

key cryptokey crypto

Why Public-Key Why Public-Key Cryptography?Cryptography?

developed to address two key issues:developed to address two key issues: key distributionkey distribution – how to have secure – how to have secure

communications in general without having to communications in general without having to trust a KDC with your keytrust a KDC with your key

digital signaturesdigital signatures – how to verify a message – how to verify a message comes intact from the claimed sendercomes intact from the claimed sender

public invention due to Whitfield Diffie & public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976Martin Hellman at Stanford Uni in 1976 known earlier in classified communityknown earlier in classified community

Public-Key CryptographyPublic-Key Cryptography

public-key/two-key/asymmetricpublic-key/two-key/asymmetric cryptography cryptography involves the use of involves the use of twotwo keys: keys: a a public-keypublic-key, which may be known by anybody, and , which may be known by anybody, and

can be used to can be used to encrypt messagesencrypt messages, and , and verify verify signaturessignatures

a a private-keyprivate-key, known only to the recipient, used to , known only to the recipient, used to decrypt messagesdecrypt messages, and , and signsign (create) (create) signatures signatures

is is asymmetricasymmetric because because those who encrypt messages or verify signatures those who encrypt messages or verify signatures

cannotcannot decrypt messages or create signatures decrypt messages or create signatures

Public-Key CryptographyPublic-Key Cryptography

Public-Key CharacteristicsPublic-Key Characteristics

Public-Key algorithms rely on two keys where:Public-Key algorithms rely on two keys where: it is computationally infeasible to find decryption key it is computationally infeasible to find decryption key

knowing only algorithm & encryption keyknowing only algorithm & encryption key it is computationally easy to en/decrypt messages it is computationally easy to en/decrypt messages

when the relevant (en/decrypt) key is knownwhen the relevant (en/decrypt) key is known either of the two related keys can be used for either of the two related keys can be used for

encryption, with the other used for decryption (for encryption, with the other used for decryption (for some algorithms)some algorithms)

Public-Key CryptosystemsPublic-Key Cryptosystems

Public-Key ApplicationsPublic-Key Applications

can classify uses into 3 categories:can classify uses into 3 categories: encryption/decryptionencryption/decryption (provide secrecy) (provide secrecy) digital signaturesdigital signatures (provide authentication) (provide authentication) key exchangekey exchange (of session keys) (of session keys)

some algorithms are suitable for all uses, some algorithms are suitable for all uses, others are specific to oneothers are specific to one

Security of Public Key SchemesSecurity of Public Key Schemes like private key schemes brute force like private key schemes brute force exhaustive exhaustive

searchsearch attack is always theoretically possible attack is always theoretically possible but keys used are too large (>512bits) but keys used are too large (>512bits) security relies on a security relies on a large enoughlarge enough difference in difference in

difficulty between difficulty between easyeasy (en/decrypt) and (en/decrypt) and hardhard (cryptanalyse) problems(cryptanalyse) problems

more generally the more generally the hardhard problem is known, but problem is known, but is made hard enough to be impractical to break is made hard enough to be impractical to break

requires the use of requires the use of very large numbersvery large numbers hence is hence is slowslow compared to private key schemes compared to private key schemes

Exponentiation CiphersExponentiation Ciphers

We will consider two kinds of exponentiation We will consider two kinds of exponentiation ciphers developed by the following people:ciphers developed by the following people:

Both schemes encipher a message block Both schemes encipher a message block MM [0, [0, nn – 1] by computing the exponential – 1] by computing the exponential

CC = = M M ee mod mod nn, ,

(RSA)Adleman and Shamir, Rivest,

Hellman and Pohlig

where where ee and and nn are the key to the enciphering are the key to the enciphering transformation.transformation.

MM is restored by the same operation, but using a is restored by the same operation, but using a different exponent different exponent dd for the key: for the key:

MM = = C C dd mod mod nn. . Enciphering and deciphering can be Enciphering and deciphering can be

implemented using the fast exponentiation implemented using the fast exponentiation algorithm: algorithm:

CC = = fastfast__expexp((MM, , ee, , nn))

MM = = fastfast__expexp((CC, , dd, , nn) )

Why the Algorithms WorkWhy the Algorithms Work

ThmThm: Given : Given ee, , dd, , MM such that such that ed ed mod mod ((nn) ) = 1,= 1,MM [0, [0, n n -1] ,-1] ,gcdgcd((MM, , nn) = 1,) = 1, Then (Then (M M ee mod mod nn) ) dd mod mod nn = = MM.. ProofProof::

((M M ee mod mod nn) ) dd mod mod nn = = M M eded mod mod nneded mod mod ((nn)) = = 1 1 ed ed = = t t (n(n)) + + 11

M M eded mod mod nn= M = M tt((nn))+1+1 mod mod nn= = M M M M tt((nn)) mod mod nn= = M M ((M M tt((nn)) mod mod nn) mod ) mod nn = = MM

wherewhere

= M = M tt((nn)) mod mod nn

= (= (M M ((nn)) mod mod nn) ) tt mod mod nn

= 1= 1tt mod mod nn = 1 .= 1 .

A Few Words About the Theorem A Few Words About the Theorem

Note that by symmetry, enciphering and Note that by symmetry, enciphering and deciphering are commutative and mutual deciphering are commutative and mutual inverses; thus,inverses; thus,((M M dd mod mod nn) ) ee mod mod nn = = M M dede mod mod nn = = MM

Given Given ((nn), it is easy to generate a pair (), it is easy to generate a pair (ee, , dd) such that ) such that eded mod mod ((nn) = 1. This is done ) = 1. This is done by first choosing by first choosing dd relatively prime to relatively prime to ((nn), ), and then computing and then computing ee as as

ee = = invinv((dd, , ((nn))))

Because Because ee and and dd are symmetric, we could are symmetric, we could also pick also pick ee and compute and compute dd = = invinv((ee, , ((nn)).)).

Given Given ee, it is easy to compute , it is easy to compute dd (or vice (or vice versa) if versa) if ((nn) is known. But if ) is known. But if ee and and nn can can be released without giving away be released without giving away ((nn) or ) or dd, , then the deciphering transformation can then the deciphering transformation can be kept secret, while the enciphering be kept secret, while the enciphering transformation is made public.transformation is made public.

It is the ability to hide It is the ability to hide ((nn) that distinguishes ) that distinguishes the two schemes. the two schemes.

Pohlig-Hellman Scheme Pohlig-Hellman Scheme

The modulus is chosen to be a large prime The modulus is chosen to be a large prime pp..

To encipher:To encipher:

CC = = M M ee mod mod pp

To decipher:To decipher:

MM = = C C dd mod mod pp Because Because pp is prime, is prime, ((pp) = ) = pp – 1. – 1. Thus the scheme can only be used for Thus the scheme can only be used for

conventional encryption, where conventional encryption, where ee and and dd are both are both kept secret.kept secret.

ExEx. Let . Let pp = 11, = 11, ((pp) = 10. Choose ) = 10. Choose dd = 7 = 7 and compute and compute ee = = invinv(7, 10) = 3. Suppose (7, 10) = 3. Suppose MM = 5. Then = 5. Then MM is enciphered as: is enciphered as:

CC = = M M ee mod mod pp = 5 = 533 mod 11 = 4. mod 11 = 4.

Similarly, Similarly, CC is deciphered as: is deciphered as:

C C dd mod mod pp = 4 = 477 mod 11 = 5 = mod 11 = 5 = MM . .

Security Concern Security Concern

The security of the scheme rests on the The security of the scheme rests on the complexity of computing complexity of computing discrete discrete logarithmslogarithms..

A cryptanalyst may deduce A cryptanalyst may deduce pp by observing by observing the sizes of plaintext and ciphertext blocks.the sizes of plaintext and ciphertext blocks.

Under a known-plaintext attack, a Under a known-plaintext attack, a cryptanalyst can compute cryptanalyst can compute ee (and thereby (and thereby dd) given a pair () given a pair (MM, , CC):):

ee = log = log M M CC

Pohlig and Hellman show that if (Pohlig and Hellman show that if (pp – 1) – 1) has only small prime factors, it is possible has only small prime factors, it is possible to compute the logarithm in to compute the logarithm in OO(log2(log2pp) time, ) time, which is unsatisfactory even for large which is unsatisfactory even for large values of values of pp..

They recommend picking They recommend picking pp = 2 = 2pp + 1, + 1, where where pp is also a large prime. is also a large prime.

Discrete Logarithm Discrete Logarithm

The fastest known algorithm for computing The fastest known algorithm for computing the discrete logarithm takes aboutthe discrete logarithm takes about

steps.steps. If If pp is a few hundred decimal digits long, it is a few hundred decimal digits long, it

will take several billion years to compute.will take several billion years to compute.

3/23/1 ))ln(ln)((ln ppe

RSA Scheme RSA Scheme

The modulus is the product of two large The modulus is the product of two large primes primes pp and and qq, i.e., , i.e., nn = = pqpq..

Thus Thus ((nn) = () = (pp – 1) ( – 1) (qq – 1) – 1)

To encipher:To encipher:

CC = = M M ee mod mod nn

To decipher:To decipher:

MM = = C C dd mod mod nn

They recommend picking They recommend picking dd relatively relatively prime to prime to ((nn) in the interval [max() in the interval [max(pp, , qq) + 1, ) + 1, nn – 1] (any prime in this interval will do). – 1] (any prime in this interval will do).

Once Once dd is chosen, is chosen, ee can be computed can be computed using the using the invinv function. If the computed function. If the computed ee is is less than logless than log22nn, then a new value of , then a new value of dd

should be picked.should be picked.

Example Example

ExEx. Let . Let pp = 5 and = 5 and qq = 7, so = 7, so nn = 5 = 57 = 35 7 = 35 and and ((nn) = 4) = 46 = 24. Choose 6 = 24. Choose dd = 11 and = 11 and compute compute ee = 11. Suppose = 11. Suppose MM = 2. Then = 2. Then

CC = = M M ee mod mod nn = 2 = 21111 mod 35 = 18 and mod 35 = 18 and

C C dd mod mod nn = 18 = 181111 mod 35 = 2 = mod 35 = 2 = MM. .

Ex. Let Ex. Let pp = 53 and = 53 and qq = 61, so = 61, so nn = 53 = 53 61 61 = 3233 and = 3233 and ((nn) = 52) = 5260 = 3120. Choose 60 = 3120. Choose dd = 791 and compute = 791 and compute ee = 71. To encipher = 71. To encipher the message RENAISSANCE, we break it the message RENAISSANCE, we break it into blocks of 4 digits each, where A = 00, into blocks of 4 digits each, where A = 00, B = 01, ..., Z = 25, and blank = 26 (in B = 01, ..., Z = 25, and blank = 26 (in practice, characters would be represented practice, characters would be represented by their 8-bit ASCII codes). Thus we have by their 8-bit ASCII codes). Thus we have

The first block is enciphered as 170471 = The first block is enciphered as 170471 = 3106. The entire message is enciphered as3106. The entire message is enciphered as

MM == R ER E N AN A I SI S S AS A N CN C EE

== 17041704 13001300 08180818 18001800 13021302 04260426

CC == 31063106 01000100 09310931 26912691 19841984 2927.2927.

Security ConcernSecurity Concern

Because Because ((nn) cannot be determined ) cannot be determined without knowing the prime factors without knowing the prime factors pp and and qq, , it is possible to keep it is possible to keep dd secret even if secret even if ee and and nn are made public. are made public.

Thus the RSA scheme can be used for Thus the RSA scheme can be used for public-key encryption, where the public-key encryption, where the enciphering transformation is made enciphering transformation is made public and the deciphering public and the deciphering transformation is kept secret.transformation is kept secret.

The security of the system depends on The security of the system depends on the difficulty of factoring the difficulty of factoring nn into into pp and and qq. . The fastest known factoring algorithm The fastest known factoring algorithm takes about the same number of steps takes about the same number of steps required for solving the discrete required for solving the discrete logarithm problem.logarithm problem.

More About Euler's Theorem More About Euler's Theorem

Recall that for Pohlig-Hellman and RSA Recall that for Pohlig-Hellman and RSA schemes to work, we must have schemes to work, we must have MM < < nn and and gcdgcd((MM, , nn) = 1.) = 1.

For Pohlig-Hallman scheme, this is for sure For Pohlig-Hallman scheme, this is for sure since since nn is prime. But how about RSA? Since is prime. But how about RSA? Since nn equals equals ppqq, it is possible that , it is possible that MM is a multiple of is a multiple of pp or a multiple of or a multiple of qq (but not both, of course). (but not both, of course).

We want to show that even if We want to show that even if MM is a multiple of is a multiple of pp or or qq, the RSA scheme still works., the RSA scheme still works.

What Happens When What Happens When gcdgcd((MM, , nn) ) 1 1

Suppose Suppose MM is a multiple of is a multiple of pp, so that , so that MM = = cpcp for some for some cc and and gcdgcd((MM, , qq) = 1.) = 1.

MM((qq)) mod mod qq = 1 = 1

((MM((qq))) ) ((pp)) mod q = 1 mod q = 1

MM((nn)) mod mod qq = 1 = 1 Therefore, there is some Therefore, there is some kk such that such that

MM((nn) = ) = kqkq + 1 + 1

Multiply each side by Multiply each side by MM = = cpcp,,

MM((nn)+1)+1 = = MM + + kqcpkqcp = = MM + + cknckn

ThusThus

MM((nn)+1)+1 mod mod nn = = MM . .

The case when The case when MM is a multiple of is a multiple of qq is is similar. similar.

Summarization (RSA Scheme) Summarization (RSA Scheme) Key GenerationKey Generation

Select Select pp, , qq pp and and qq are both prime are both prime

Calculate Calculate nn = = pp qq

Calculate Calculate ((nn)=()=(pp–1)(–1)(qq– 1)– 1)

Select integer Select integer ee gcdgcd((((nn), ), ee) = 1) = 1

Calculate Calculate dd dd = = invinv((ee, , ((nn))))

Public keyPublic key ee and and nn

Private keyPrivate key dd and and nn

EncryptionEncryption

DecryptionDecryption

Plaintext : Plaintext : MM Ciphertext : Ciphertext : C=C= MMee mod mod nn

Ciphertext : Ciphertext : CC Plaintext : Plaintext : MM == CCdd mod mod nn

Summarization (RSA Scheme) Summarization (RSA Scheme)

Each user Each user AA obtains a modulus obtains a modulus nnAA and and

enciphering and deciphering exponents enciphering and deciphering exponents eeAA

and and ddAA. . AA registers registers eeAA and and nnAA with a public with a public

directory, thus making directory, thus making AA's enciphering 's enciphering transformation transformation EEAA public. public.

AA keeps keeps ddAA and, therefore, the deciphering and, therefore, the deciphering

transformation transformation DDAA secret. secret.

Public-Key Systems Public-Key Systems

In a In a public-key systempublic-key system, each user has , each user has both a public and private key, and two both a public and private key, and two users can communicate knowing only users can communicate knowing only each other's public keys.each other's public keys.

User User AA has a has a public enciphering public enciphering transformationtransformation EEAA, which may be , which may be registered with a public directory, and a registered with a public directory, and a private deciphering transformationprivate deciphering transformation DDAA, , which is known only to user which is known only to user AA..

The private transformation The private transformation DDAA is described is described

by a by a private keyprivate key, and the public , and the public transformation transformation EEAA by a by a public keypublic key derived derived

from the private key by a one-way from the private key by a one-way transformation.transformation.

It must be computationally infeasible to It must be computationally infeasible to determine determine DDAA from from EEAA..

Secrecy And Authenticity Secrecy And Authenticity

In a public-key system, secrecy and In a public-key system, secrecy and authenticity are both provided.authenticity are both provided.

SecrecySecrecy

M C

Mdisallowed

protected

EK MDK

AuthenticityAuthenticity

disallowed

M C

M

C

EK MDK

protected

Secrecy Secrecy

Suppose user Suppose user AA wishes to send a wishes to send a message message MM to another user to another user BB. If . If AA knows knows BB's public transformation 's public transformation EEBB, , AA can can

transmit transmit MM to to BB in secrecy by sending the in secrecy by sending the ciphertext ciphertext CC = = EEBB((MM).).

On receipt, On receipt, BB deciphers deciphers CC using using BB's 's private transformation private transformation DDBB, getting, getting

DDBB((CC) = ) = DDBB((EEBB((MM)) = )) = MM . .

The scheme does not provide The scheme does not provide authenticity because any user with authenticity because any user with access to access to BB's public transformation 's public transformation could substitute another message could substitute another message M'M' for for MM by replacing by replacing CC with with C'C' = = EBEB((M' M' ).).

BE

public

M

A

BD

private

M

B

Authenticity Authenticity

For authenticity, For authenticity, MM must be transformed must be transformed by by AA's own private transformation 's own private transformation DDAA. . AA

sends sends CC = = DDAA((MM) to ) to BB..

On receipt, On receipt, BB uses uses AA's public 's public transformation transformation EAEA to compute to compute

EEAA((CC) = ) = EEAA((DDAA((MM)) = )) = MM . .private

M

A

public

M

B

AD AE

Authenticity is provided because only Authenticity is provided because only AA can apply the transformation can apply the transformation DDAA..

Secrecy is not provided because any user Secrecy is not provided because any user with access to with access to AA's public transformation 's public transformation can recover can recover MM..

Both Secrecy And Both Secrecy And Authenticity Authenticity

To use a public-key system for both To use a public-key system for both secrecy and authenticity:secrecy and authenticity: the ciphertext space must be equivalent to the the ciphertext space must be equivalent to the

plaintext space so that plaintext space so that EEAA and and DDAA can operate can operate

on both plaintext and ciphertext messages.on both plaintext and ciphertext messages. Both Both EEAA and and DDAA must be mutual inverses so must be mutual inverses so

that that EEAA((DDAA((MM)) = )) = DDAA((EEAA((MM)) = )) = MM..

Suppose Suppose AA wishes to send a message wishes to send a message MM to to BB. . AA sends to sends to BB the ciphertext the ciphertext

CC = = EEBB((DDAA((MM)) .)) . On receipt, On receipt, BB deciphers deciphers CC by by

EEAA((DDBB((CC))))

= = EEAA((DDBB((EEBB((DDAA((MM))))))))

= = EEAA((DDAA((MM))))

= = MM . .

Both Secrecy And Both Secrecy And Authenticity Authenticity

RSA scheme can be used for both secrecy RSA scheme can be used for both secrecy and authenticity.and authenticity.

M

A

M

B

private

AD

private

BDB

public

E A

public

E

secrecy

authenticity

Secrecy And Authenticity Secrecy And Authenticity (RSA) (RSA)

User User BB can send a secret message can send a secret message MM to to AA usingusing

which which AA deciphers using deciphers using

Only Only AA can decipher can decipher CC to get to get MM..

Ae

A nMMEC A mod)(

MnMMED Ade

AAAA mod))((

Alternatively, Alternatively, AA can send a signed can send a signed message message MM to to BB using using

which which BB authenticates using authenticates using

Because only Because only AA can apply can apply DDAA , it cannot be , it cannot be

forged, and a judge can settle any dispute forged, and a judge can settle any dispute arising between arising between AA and and BB. .

Ad

A nMMD A mod)(

MnMMDE Aed

AAAA mod))((

Both Secrecy And Both Secrecy And Authenticity Authenticity

A slight difficulty arises when both security A slight difficulty arises when both security and authenticity are desired.and authenticity are desired.For For AA to send a message to to send a message to BB::

CC = = EEBB ((DDAA ((MM))))

If If nnAA > > nnBB , the blocks comprising , the blocks comprising DDAA((MM) might ) might not be in the range [0, not be in the range [0, nnBB – 1]. – 1].

Reducing them modulo Reducing them modulo nnBB does not solve the does not solve the problem, because it would then be problem, because it would then be impossible to recover the original message.impossible to recover the original message.

Possible Solutions Possible Solutions

One solution is to reblock One solution is to reblock DDAA((MM).).

Reblocking can be avoided using a Reblocking can be avoided using a thresholdthreshold value value hh (e.g., (e.g., h h = 10= 109999). Each ). Each user has two sets of transformations:user has two sets of transformations:

( ( EEA1A1 , , DDA1A1 ) for signatures) for signatures

( ( EEA2A2 , , DDA2A2 ) for secrecy) for secrecy

where where nnA1A1 < < hh < < nnA2A2 . .

AA sends a signed message to sends a signed message to BB:: CC = = EEB2B2 ((DDA1A1 ((MM))))

BB recovers recovers MM and checks and checks AA’s signature:’s signature: EEA1A1 ((DDB2B2 ((CC))))

= = EEA1A1 ((DDB2B2 ((EEB2B2 ((DDA1A1 ((MM))))

= = EEA1A1 ((DDA1A1 ((MM))))

= = MM . .

Another SolutionAnother Solution

If If CC = = EB EB ((DA DA ((MM)) is not computable because )) is not computable because nnAA

> > nnBB, then , then C'C' = = DDAA ((EEBB ((M M )) is computable.)) is computable.

User User BB, knowing both , knowing both nnAA and and nnBB (both are public), (both are public),

can recover can recover MM by computing either of the by computing either of the following:following:

Case 1: Case 1: nnAA < < nnBB

EEAA ((DDBB ((CC))= ))= EEAA ((DDBB ((EEBB ((DDAA ((MM))))))))

= = EEAA ((DDAA ((MM))))

= = MM . .

Case 2: Case 2: nnAA > > nnBB

DDBB ((EEAA ((C' C' ))= ))= DDBB ((EEAA ((DDAA ((EEBB ((MM))))))))

= = DDBB ((EEBB ((MM))))

= = MM . .

Dispute Resolution Dispute Resolution

If a dispute arises between If a dispute arises between AA and and BB on the on the authenticity of authenticity of AA's signature, a judge must 's signature, a judge must be able to ascertain that be able to ascertain that MM originated with originated with MM..

If If nnAA < < nnBB, , BB applies applies BB's private 's private transformation to transformation to CC and presents the judge and presents the judge with with XX = = DDBB((CC) and ) and MM. The judge compute . The judge compute M'M' = = EEAA((XX) using ) using AA's public transformation, 's public transformation, and verifies that and verifies that M'M' = = MM. .

If If nnAA > > nnBB, another approach is needed , another approach is needed

because because DDBB must be applied after must be applied after EEAA, and , and BB

may not want to give may not want to give DDBB to the judge. to the judge.

The solution is for The solution is for BB to present the judge to present the judge with with C'C' and and MM. The judge computes. The judge computes

XX = = EEBB((MM))

X'X' = = EEAA((C'C' ) = ) = EEAA((DDAA((EEBB((MM))))))

and verifies that and verifies that XX = = X'X'..

Summarization Summarization

nnAA < < nnBB nnAA > > nnBB

A transmitsA transmits CC = = EEB B ((DDA A ((MM)))) C'C' = = DDA A ((EEB B ((M M ))))

B computesB computes M M = = EEA A ((DDB B ((CC)))) MM = = DDB B ((EEA A ((C' C' ))))

B gives judgeB gives judge MM, , XX = = DDBB((CC)) MM, , C'C'

Judge computesJudge computes M'M' = = EEAA((XX)) XX = = EEBB((MM))

X'X' = = EEAA((C'C' ) )

Judge testsJudge tests M'M' = = MM XX = = X'X'