Public-key encryption
Jan 23, 2016
Symmetric-key encryption
• Invertible function
• Security depends on the shared secret – a particular key.
• Fast, highly secure
• Fine for repeated communication
• Poor fit for one-shot communication, signatures
Asymmetric-key (public key) encryption
• The basic idea:
  – A user has two keys: a public key and a private key.
  – A message can be encrypted with the public key and decrypted with the private key to provide security.
  – A message can be encrypted with the private key and decrypted with the public key to provide signatures.
One-way functions
• Most common functions are invertible; for any F(x) = y, there is an F^{-1}(y) = x.
  – Multiplication and division
  – DES
• A function which is easy to compute in one direction, but hard to compute in the other, is known as a one-way function.
  – Hashing, modular arithmetic.
• A one-way function that can be easily inverted with an additional piece of knowledge is called a trapdoor one-way function.
One-way functions
• Public key encryption is based on the existence of trapdoor one-way functions.
  – Encryption with the public key is easy.
  – Decryption is computationally hard.
  – Knowledge of the private key opens the trapdoor, making inversion easy.
• Password systems also use one-way functions.
Overview of RSA
• RSA is the most common and well-known public key cryptosystem
• Basic notation: a key pair (e,d) contains two keys:
  – e is the public key (used to encrypt documents)
  – d is the private key (used to decrypt documents)
• M is the plaintext message.
• Let R be the encryption function.
• R(e,M) = C. R(d,C) = M. - encryption
• R(d,M) = C’. R(e,C’) = M. - signing
• R(e,R(d,M)) = M = R(d,R(e,M))
  – Same function is used for both operations.
Modular Arithmetic
• RSA’s security is based on modular arithmetic.
  – a = b (mod n) <-> there is a q such that a-b=qn
  – b is the remainder after dividing a by n
  – 23 = 3 (mod 5)
• A set {0,1,…,n-1} is closed under modular addition and multiplication.
• (a (mod n) + b (mod n)) (mod n) = (a+b) (mod n)
• (ab) (mod n) = (a (mod n) b (mod n)) (mod n)
Modular Arithmetic
• Two numbers p and q are said to be relatively prime if their greatest common divisor is 1.
  – 5 and 17, 8 and 9, 10 and 21
• To compute gcd:
  – gcd(a,b) = gcd(b, a mod b) (Euclid, 300BC)
Identities and Inverses
• An identity is a number that maps a number to itself under some operation.
  – 0 in normal addition, 1 in multiplication.
• An inverse is a number (within the input set) that maps a given number to the identity.
  – X * 1/X, X + -X in integer math
• We are particularly interested in multiplicative inverses for modular arithmetic.
  – (ab) = 1 (mod n)
Multiplicative Inverses
• 3 and 2 are multiplicative inverses mod 5.
• 7 and 6 are multiplicative inverses mod 41.
• 5 and 2 are multiplicative inverses mod 9.
• For n > 1, if a and n are relatively prime, there is a unique x such that
  – ax = 1 (mod n)
More preliminaries
• Fermat’s Little Theorem:
  – If p is prime, then for all a:
    • a^{p-1} = 1 (mod p)
• Chinese Remainder Thm (corollary)
  – If p and q are prime, then for all x and a:
  – x = a (mod p) and x = a (mod q) iff x = a (mod pq)
• These are needed to prove RSA’s correctness.
The RSA Algorithm
• Pick two large (100 digit) primes p and q.
• Let n = pq
• Select a relatively small integer d that is prime to (p-1)(q-1)
• Find e, the multiplicative inverse of d mod (p-1)(q-1)
• (d,n) is the public key. To encrypt M, compute
  – En(M) = M^e (mod n)
• (e,n) is the private key. To decrypt C, compute
  – De(C) = C^d (mod n)
RSA example
• Let p = 11, q = 13
• n = pq = 143
• (p-1)(q-1) = 120 = 3 x 2^3 x 5
• Possible d: 7, 11, 13, 17, … (let’s use 7)
• Find e: e*7 = 1 (mod 120), so e = 103
• Public key: (7, 143)
• Private key: (103, 143)
• En(42) = 42^7 (mod 143) = 81
• De(81) = 81^{103} (mod 143) = 42
Correctness of RSA
• To show RSA is correct, we must show that encryption and decryption are inverse functions:
  – En(De(M)) = De(En(M)) = M = M^{ed} (mod n)
  – Since d and e are multiplicative inverses, there is a k such that:
    • ed = 1 + kn = 1 + k(p-1)(q-1)
    • M^{ed} = M^{1+k(p-1)(q-1)} = M*(M^{p-1})^{k(q-1)}
• By Fermat: M^{p-1} = 1 (mod p)
• M^{ed} = M(1)^{k(q-1)} (mod p) = M (mod p)
Correctness of RSA
• M^{ed} = M(1)^{k(q-1)} (mod p) = M (mod p)
• M^{ed} = M(1)^{k(q-1)} (mod q) = M (mod q)
• By Chinese Remainder Thm, we get:
• M^{ed} = M (mod p) and M^{ed} = M (mod q), so M^{ed} = M (mod pq) = M (mod n)
• Therefore, RSA reproduces the original message and is correct.
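The key generation steps, the worked example and the correctness claim above, as an added Python example (not part of the original slides). The function names are this example's own; the numbers are the slides' p = 11, q = 13 and chosen exponent 7, and this is textbook RSA with no padding.

```python
# Added illustration: textbook RSA with the slides' toy numbers (not secure).

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)          # uses gcd(a, b) = gcd(b, a mod b)
    return g, y, x - (a // b) * y

def mod_inverse(a, m):
    """Return the x in [0, m) with a*x == 1 (mod m); requires gcd(a, m) == 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}: gcd is {g}")
    return x % m

def make_keypair(p, q, chosen):
    """n = pq; 'chosen' must be prime to (p-1)(q-1); its inverse is the other key."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (chosen, n), (mod_inverse(chosen, phi), n)   # (public, private)

def apply_key(key, value):
    """The single function R from the overview slide: value^exponent mod n."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("message must be in [0, n)")
    return pow(value, exponent, n)

def round_trips_everywhere(public, private):
    """Check M^(ed) == M (mod n) for every M in [0, n), as the proof claims."""
    n = public[1]
    return all(apply_key(private, apply_key(public, m)) == m for m in range(n))

if __name__ == "__main__":
    public, private = make_keypair(11, 13, 7)
    c = apply_key(public, 42)
    print(public, private, c, apply_key(private, c))
    print(round_trips_everywhere(public, private))
```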
Strengths of RSA
• No prior communication needed
• Highly secure (for large enough keys)
• Well-understood
• Allows both encryption and signing
Weaknesses of RSA
• Large keys needed (1024 bits is current standard)
• Relatively slow
  – Not suitable for very large messages
• Public keys must still be distributed safely.
Security of RSA
• The security of RSA is dependent on the assumption that it’s difficult to generate the private key d from the public key e and the modulus n.
• Equivalent to integer factorization problem.
  – This is how we got e and d in the first place.
• Factoring is thought to be computationally hard.
  – No proof, though!
Difficulty of Factoring
• The fastest known factoring algorithm is the generalized number field sieve.
  – Sub-exponential time
  – Greater than polynomial space.
• Some statistics:

  Number Length   Machines      Memory/Machine
  430             1             Trivial
  760             215,000       4Gb
  1020            342 million   170 Gb
  1620            1.6x10^15     120 Tb
Security and Problem Difficulty
• Another way to think about the problem is to ask how long a keylength will be secure, given Moore’s law:
(Figure: from the RSA Labs factoring FAQ)
Security and Problem Difficulty
• RSA-155 (512 bit asymmetric-key) broken in 1999.
• Estimate: capability grows by ~4.25 digits per year (approx. 13-14 bits per year).
• 1024-bit RSA should be “secure” until 2037.
• Using Moore’s Law – 1024-bit is 7 million times harder than 512-bit
  – So, we need a 7 millionX speedup to crack 1024-bit RSA with the same relative computational power.
  – Also about 34 years.
• Question: How long does your data need to be secure?
Digital Signatures
• Desirable properties of a digital signature:
  – A receiver must be able to validate the signature
  – The signature must not be forgeable
  – The signer must not be able to repudiate the signature.
• Encrypt with private key, validate with public key.
  – For security and authenticity, encrypt the signed message with the receiver’s public key.
Hash Functions
• A hash function is a one-way function that maps a message M into a (typically smaller) hashed message H.
• Sometimes this is called a fingerprint
• Also sometimes a message digest.
  – Goals:
    • Non-invertible
    • Fast
    • Low collision rate
Hash Functions
• To sign a document, I compute its hash, encrypt that with my private key, and send the encrypted hash along with the original document as plaintext.
• The receiver hashes the plaintext and then uses my public key to verify that I was the one who sent the document.
• Can also detect tampering.
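The hash-then-sign flow described above, as an added Python example (not from the original slides). The key is constructed from two Mersenne primes only so the demo needs no prime generation, SHA-256 is an assumed hash choice, and the function names are hypothetical; it is textbook RSA without the padding a deployed signature scheme uses.

```python
import hashlib

# Constructed demo key. Mersenne primes are used only for a deterministic
# example; a real key uses randomly generated primes.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q
PUBLIC_EXP = 65537
PRIVATE_EXP = pow(PUBLIC_EXP, -1, (P - 1) * (Q - 1))   # needs Python 3.8+

def digest_as_int(document: bytes) -> int:
    """Hash the document and read the 256-bit digest as an integer below N."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes) -> int:
    """Signer: apply the private key to the hash, not to the whole document."""
    return pow(digest_as_int(document), PRIVATE_EXP, N)

def verify(document: bytes, signature: int) -> bool:
    """Receiver: re-hash the plaintext and compare with the opened signature."""
    if not 0 <= signature < N:
        return False
    return pow(signature, PUBLIC_EXP, N) == digest_as_int(document)

def receive(message):
    """Model of the receiver: message is the pair (plaintext, signature)."""
    document, signature = message
    return "accepted" if verify(document, signature) else "rejected"

if __name__ == "__main__":
    doc = b"pay 10 to Bob"                      # constructed sample document
    sig = sign(doc)
    print(receive((doc, sig)))                  # untouched message
    print(receive((b"pay 1000 to Bob", sig)))   # document altered in transit
    print(receive((doc, sig + 1)))              # signature altered in transit
```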
Combining Public and Secret Keys
• Public-key encryption is often used to synchronize secret session keys.
  – SSL uses this.
• A generates a secret key and sends it to B, encrypted with B’s public key.
  – For handshaking, include a random number.
• B decrypts the message and has the secret key.
  – For handshaking, B encrypts the random number with A’s public key and returns it.
Authentication
• A sends “Please authenticate me” to B
• B creates a random message and signs it with A’s public key.
• A decrypts the message with its private key, encrypts it with B’s public key, and returns it.
  – Only someone with A’s private key can do this.
• Potential attack: B gets to pick a string that A will encrypt
  – This could yield information about A’s private key.
Zero-knowledge Protocols
• One application of public-key cryptography is zero-knowledge protocols.
• Often, one party might want to prove something to another without revealing any information
  – Nuclear treaties
  – Bank balances
  – Sensitive information
Zero-knowledge protocols
• Alice wants to prove to Bob that she is Alice.
  – If she sends identification, Bob (or an eavesdropper) can use it.
• Example: Authority chooses a number N=77, known by all.
• Alice’s public ID: (58, 67)
• Alice’s private ID: (9,10)
  – These are multiplicative inverses mod 77
Zero-knowledge protocols
• Alice chooses some random numbers and computes their square mod N.
  – {19, 24, 51} -> 19^2 (mod 77) = 53, 24^2 (mod 77) = 37, 51^2 (mod 77) = 60
  – Alice sends {53,37,60} to Bob.
  – Bob sends back a random 2x3 matrix of 1s and 0s.
  – 0 1
  – 1 0
  – 1 1
Zero-knowledge protocols
• Alice uses this grid, plus her original random numbers and her secret numbers, to compute:
• 19 * 9^0 * 10^1 (mod 77) = 36
• 24 * 9^1 * 10^0 (mod 77) = 62
• 51 * 9^1 * 10^1 (mod 77) = 47
• She sends {36,62,47} to Bob.
Zero-knowledge protocols
• Bob verifies Alice’s identity by computing:
  – {58,67} are Alice’s public numbers
    • 36^2 * 58^0 * 67^1 (mod 77) = 53
    • 62^2 * 58^1 * 67^0 (mod 77) = 37
    • 47^2 * 58^1 * 67^1 (mod 77) = 60
• Alice’s original numbers reappear!
  – (Actually, an attacker would have a 1 in 64 chance of guessing correctly …)
Zero-knowledge protocols
• In a real system, N would be very large
  – 160 digits.
• Many more numbers would be generated.
• This works because Alice’s secret numbers are multiplicative inverses of her public numbers mod N.
• Also, Bob learns nothing that he didn’t know before.
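The three-message exchange from the zero-knowledge slides, as an added Python example (not part of the original slides), with the prover and verifier sides as separate functions. The function names are this example's own; for the slides' numbers, the relation Bob's check relies on is s^2 * v = 1 (mod N) for each secret s and public v.

```python
import secrets

N = 77                    # modulus published by the authority (slide value)
PUBLIC_ID = (58, 67)      # Alice's public numbers (slide values)
PRIVATE_ID = (9, 10)      # Alice's secret numbers (slide values)

def ids_match(public, private, n=N):
    """Each secret s and public v on the slide satisfy s^2 * v == 1 (mod n)."""
    return all(s * s * v % n == 1 for s, v in zip(private, public))

def commit(randoms, n=N):
    """Alice, message 1: squares of her random numbers."""
    return [r * r % n for r in randoms]

def random_challenge(rounds, width=2):
    """Bob, message 2: one row of random bits per committed number."""
    return [[secrets.randbelow(2) for _ in range(width)] for _ in range(rounds)]

def respond(randoms, challenge, private, n=N):
    """Alice, message 3: r times the secrets selected by each row's bits."""
    responses = []
    for r, bits in zip(randoms, challenge):
        y = r
        for s, bit in zip(private, bits):
            y = y * pow(s, bit, n) % n
        responses.append(y)
    return responses

def check(commitments, challenge, responses, public, n=N):
    """Bob: y^2 times the selected public numbers must equal the commitment."""
    for x, bits, y in zip(commitments, challenge, responses):
        acc = y * y % n
        for v, bit in zip(public, bits):
            acc = acc * pow(v, bit, n) % n
        if acc != x:
            return False
    return True

if __name__ == "__main__":
    randoms, grid = [19, 24, 51], [[0, 1], [1, 0], [1, 1]]   # slide values
    answers = respond(randoms, grid, PRIVATE_ID)
    print(commit(randoms), answers, check(commit(randoms), grid, answers, PUBLIC_ID))
```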
Summary
• Public key encryption provides a flexible system for secure communication in open environments.
• Based on one-way functions
• Allows for both authentication and signing
• Secure public key distribution remains a problem.