
Chapter 9 Public-Key Cryptography and RSA


DESCRIPTION

Presenter: 呂恩佑. Chapter 9 Public-Key Cryptography and RSA. Key Points. Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using different keys, one a public key and one a private key. It is also known as public-key encryption. - PowerPoint PPT Presentation


Page 1: Chapter 9 Public-Key Cryptography and RSA

Presenter: 呂恩佑

Page 2: Chapter 9 Public-Key Cryptography and RSA

Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using different keys, one a public key and one a private key. It is also known as public-key encryption.

Asymmetric encryption transforms plaintext into ciphertext using one of two keys and an encryption algorithm. Using the paired key and a decryption algorithm, the plaintext is recovered from the ciphertext.

Page 3: Chapter 9 Public-Key Cryptography and RSA

Asymmetric encryption can be used for confidentiality, authentication, or both.

The most widely used public-key cryptosystem is RSA. The difficulty of attacking RSA is based on the difficulty of finding the prime factors of a composite number.


Page 4: Chapter 9 Public-Key Cryptography and RSA

Common misconceptions concerning public-key encryption:

That public-key encryption is more secure from cryptanalysis than is symmetric encryption.

That public-key encryption is a general-purpose technique that has made symmetric encryption obsolete.

That key distribution is trivial when using public-key encryption, compared to the rather cumbersome handshaking involved with key distribution centers for symmetric encryption.

Page 5: Chapter 9 Public-Key Cryptography and RSA

How can the security of the key be ensured?

Page 6: Chapter 9 Public-Key Cryptography and RSA

[Figure: diagram of public keys and private keys]

Page 7: Chapter 9 Public-Key Cryptography and RSA

[Figure: the message "Tonight at 8, Oval Office. From Xiao Wen" shown with the Public Key and the Private Key]

Page 8: Chapter 9 Public-Key Cryptography and RSA

$Y = E(PU_b, X)$

$X = D(PR_b, Y)$

Page 9: Chapter 9 Public-Key Cryptography and RSA

[Figure: the messages "Tonight at 8, Oval Office. From Xiao Wen" and "I think we should break up. From Xiao Wen" shown with the Public Key and the Private Key]

Page 10: Chapter 9 Public-Key Cryptography and RSA

[Figure: the message "Tonight at 8, Oval Office. From Xiao Wen" shown with the Private Key and the Public Key]

Page 11: Chapter 9 Public-Key Cryptography and RSA

[Figure: the messages "Tonight at 8, Oval Office. From Xiao Wen" and "I think we should break up. From Xiao Wen" shown with the Private Key and the Public Key]

Page 12: Chapter 9 Public-Key Cryptography and RSA

$Y = E(PR_a, X)$

$X = D(PU_a, Y)$

Page 13: Chapter 9 Public-Key Cryptography and RSA

$Z = E(PU_b, E(PR_a, X))$

$X = D(PU_a, D(PR_b, Z))$

Page 14: Chapter 9 Public-Key Cryptography and RSA

Algorithm        Encryption/Decryption   Digital Signature   Key Exchange
RSA              Yes                     Yes                 Yes
Elliptic Curve   Yes                     Yes                 Yes
Diffie-Hellman   No                      No                  Yes
DSS              No                      Yes                 No

Page 15: Chapter 9 Public-Key Cryptography and RSA

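1. Keys are easy to generate.

2. Given the plaintext and the Public Key, the ciphertext is easy to compute.

3. Given the ciphertext and the Private Key, the plaintext is easy to compute.

4. The Private Key cannot be computed from the Public Key.

5. The plaintext cannot be computed from the ciphertext and the Public Key alone.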

Page 16: Chapter 9 Public-Key Cryptography and RSA

One-Way Function

$Y = f(X)$ easy

$X = f^{-1}(Y)$ infeasible

Trap-Door One-Way Function

$Y = f_k(X)$ easy, if k and X are known

$X = f_k^{-1}(Y)$ easy, if k and Y are known

$X = f_k^{-1}(Y)$ infeasible, if Y is known but k is not known

Page 17: Chapter 9 Public-Key Cryptography and RSA

Brute-force attack

Find some way to compute the private key given the public key

Probable-message attack

Page 18: Chapter 9 Public-Key Cryptography and RSA

Conventional Encryption

Needed to Work:

1. The same algorithm with the same key is used for encryption and decryption.

2. The sender and receiver must share the algorithm and the key.

Needed for Security:

1. The key must be kept secret.

2. It must be impossible or at least impractical to decipher a message if no other information is available.

3. Knowledge of the algorithm plus samples of ciphertext must be insufficient to determine the key.

Public-Key Encryption

Needed to Work:

1. One algorithm is used for encryption and decryption with a pair of keys, one for encryption and one for decryption.

2. The sender and receiver must each have one of the matched pair of keys (not the same one).

Needed for Security:

1. One of the two keys must be kept secret.

2. It must be impossible or at least impractical to decipher a message if no other information is available.

3. Knowledge of the algorithm plus one of the keys plus samples of ciphertext must be insufficient to determine the other key.

Page 19: Chapter 9 Public-Key Cryptography and RSA

It was developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at MIT and first published in 1978.

The RSA scheme is a block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n.

Page 20: Chapter 9 Public-Key Cryptography and RSA

The scheme makes use of an expression with exponentials.

Plaintext is encrypted in blocks, with each block having a binary value less than some number n.

Page 21: Chapter 9 Public-Key Cryptography and RSA

Keys

PU = {e, n}, PR = {d, n}

Encryption

$C = M^e \bmod n$

Decryption

$M = C^d \bmod n = (M^e)^d \bmod n = M^{ed} \bmod n$

Page 22: Chapter 9 Public-Key Cryptography and RSA

It is possible to find values of e, d, n such that $M^{ed} \bmod n = M$ for all M < n.

It is relatively easy to calculate $M^e \bmod n$ and $C^d \bmod n$ for all values of M < n.

It is infeasible to determine d given e and n.

Page 23: Chapter 9 Public-Key Cryptography and RSA

The preceding relationship holds if e and d are multiplicative inverses modulo φ(n), where φ(n) is the Euler totient function.

Page 24: Chapter 9 Public-Key Cryptography and RSA

Key Generation

Select p, q                           p and q are both prime, p ≠ q
Calculate n = p × q
Calculate φ(n) = (p - 1) × (q - 1)
Select integer e                      gcd(φ(n), e) = 1; 1 < e < φ(n)
Calculate d                           ed ≡ 1 (mod φ(n))
Public key                            PU = {e, n}
Private key                           PR = {d, n}

Encryption

Plaintext                             M < n
Ciphertext                            $C = M^e \bmod n$

Decryption

Ciphertext                            C
Plaintext                             $M = C^d \bmod n$

Page 25: Chapter 9 Public-Key Cryptography and RSA

Select two prime numbers, p = 17 and q = 11.

Calculate n = pq = 17 × 11 = 187.

Calculate φ(n) = (p - 1)(q - 1) = 16 × 10 = 160.

Select e such that e is relatively prime to φ(n) = 160 and less than φ(n); we choose e = 7.

Determine d such that ed ≡ 1 (mod φ(n)) and d < 160. The correct value is d = 23, because 23 × 7 = 161 = 1 × 160 + 1.

Page 26: Chapter 9 Public-Key Cryptography and RSA

Public Key: {7, 187}; Private key: {23, 187}

Plaintext: M = 88

Ciphertext: $C = M^e \bmod n = 88^7 \bmod 187$

$88^7 \bmod 187 = [(88^4 \bmod 187) \times (88^2 \bmod 187) \times (88^1 \bmod 187)] \bmod 187$

$88^1 \bmod 187 = 88$

$88^2 \bmod 187 = 7744 \bmod 187 = 77$

$88^4 \bmod 187 = 77^2 \bmod 187 = 5929 \bmod 187 = 132$

$88^7 \bmod 187 = (88 \times 77 \times 132) \bmod 187 = 894{,}432 \bmod 187 = 11$

Ciphertext = 11

Page 27: Chapter 9 Public-Key Cryptography and RSA

Public Key: {7, 187}; Private key: {23, 187}

Ciphertext: C = 11

Plaintext: $M = C^d \bmod n = 11^{23} \bmod 187$

$11^{23} \bmod 187 = 11^{(1+2+4+16)} \bmod 187$

Plaintext: M = 88
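The key generation, encryption and decryption steps above, run on the slides' own numbers (p = 17, q = 11, e = 7, M = 88), as an added Python example that is not part of the original presentation. The function names are illustrative; d is computed with the extended Euclidean algorithm, which the slides do not show, and the trial-division primality check is an assumption that only suits toy-sized primes.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def is_prime(n):
    """Trial division; adequate only for toy-sized numbers."""
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))

def generate_keys(p, q, e):
    """Follow the Key Generation slide; return (PU, PR) = ((e, n), (d, n))."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(phi, e) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(phi(n), e) = 1")
    _, x, _ = egcd(e, phi)          # e*x + phi*y == 1, so e*x ≡ 1 (mod phi)
    return (e, n), (x % phi, n)     # reduce x into the range 0 < d < phi(n)

def encrypt(pu, m):
    e, n = pu
    if not 0 <= m < n:
        raise ValueError("plaintext block must satisfy M < n")
    return pow(m, e, n)             # C = M^e mod n

def decrypt(pr, c):
    d, n = pr
    return pow(c, d, n)             # M = C^d mod n

if __name__ == "__main__":
    pu, pr = generate_keys(17, 11, 7)
    c = encrypt(pu, 88)
    print("PU =", pu, "PR =", pr, "C =", c, "M =", decrypt(pr, c))
```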

Page 28: Chapter 9 Public-Key Cryptography and RSA

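Suppose we wish to find the value $a^b$ with a and b positive integers. If we express b as a binary number $b_k b_{k-1} \ldots b_0$ then we have

$$a^b = a^{\left(\sum_{b_i \neq 0} 2^i\right)} = \prod_{b_i \neq 0} a^{(2^i)}$$

$$a^b \bmod n = \Big[\prod_{b_i \neq 0} a^{(2^i)}\Big] \bmod n = \Big(\prod_{b_i \neq 0} \big[a^{(2^i)} \bmod n\big]\Big) \bmod n$$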

Page 29: Chapter 9 Public-Key Cryptography and RSA

f ← 1
for i ← k downto 0
    do f ← (f × f) mod n
       if b_i = 1
           do f ← (f × a) mod n
return f

Result of the Fast Modular Exponentiation Algorithm for $a^b \bmod n$, where a = 7, b = 560 = 1000110000 (binary), n = 561

i     9    8    7    6    5    4    3    2    1    0
b_i   1    0    0    0    1    1    0    0    0    0
f     7    49   157  526  160  241  298  166  67   1
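The square-and-multiply loop above as an added Python example (not part of the original presentation) that also records f after each bit, so the table can be reproduced. The function name `mod_exp_trace` and the trace format are illustrative.

```python
def mod_exp_trace(a, b, n):
    """Compute a**b mod n by left-to-right square-and-multiply.

    Returns (result, trace), where trace holds one (i, b_i, f) tuple per
    bit of b, with f taken after that bit has been processed.
    """
    if b < 0 or n < 1:
        raise ValueError("need b >= 0 and n >= 1")
    bits = bin(b)[2:]                  # b_k ... b_0, most significant first
    k = len(bits) - 1
    f, trace = 1, []
    for offset, bit in enumerate(bits):
        f = (f * f) % n                # always square
        if bit == "1":
            f = (f * a) % n            # multiply only when b_i = 1
        trace.append((k - offset, int(bit), f))
    return f, trace

if __name__ == "__main__":
    result, trace = mod_exp_trace(7, 560, 561)
    for i, b_i, f in trace:
        print(f"i={i}  b_i={b_i}  f={f}")
    print("7^560 mod 561 =", result)
```

The multiply step runs only for 1 bits, so the running time of this loop depends on the exponent; with the private exponent d that dependence is what the timing-attack slides later in the deck are about.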

Page 30: Chapter 9 Public-Key Cryptography and RSA

To speed up the operation of the RSA algorithm using the public key, a specific choice of e is usually made.

The most common choice is 65537 ($2^{16} + 1$); two other popular choices are 3 and 17.

Page 31: Chapter 9 Public-Key Cryptography and RSA

RSA becomes vulnerable to a simple attack if we use a very small public key.

Page 32: Chapter 9 Public-Key Cryptography and RSA

Determining two prime numbers, p and q.

Selecting either e or d and calculating the other.

Page 33: Chapter 9 Public-Key Cryptography and RSA

At present, there are no useful techniques that yield arbitrarily large primes.

States that the primes near N are spaced on the average one every ln(N/2) integers

Page 34: Chapter 9 Public-Key Cryptography and RSA

We need to select an e such that gcd(φ(n), e) = 1 and then calculate ed ≡ 1 (mod φ(n)).

The probability that two random numbers are relatively prime is about 0.6

Page 35: Chapter 9 Public-Key Cryptography and RSA

Brute force

Mathematical attacks

Timing attacks

Chosen ciphertext attacks


Page 36: Chapter 9 Public-Key Cryptography and RSA

Factor n into its two prime factors. This enables calculation of φ(n) = (p - 1) × (q - 1), which, in turn, enables determination of d from ed ≡ 1 (mod φ(n)).

Determine φ(n) directly, without first determining p and q. Again, this enables determination of d from ed ≡ 1 (mod φ(n)).

Determine d directly, without first determining φ(n).

Page 37: Chapter 9 Public-Key Cryptography and RSA

Number of Decimal Digits   Approximate Number of Bits   Date Achieved    MIPS-years   Algorithm
100                        332                          April 1991       7            Quadratic sieve
110                        365                          April 1992       75           Quadratic sieve
120                        398                          June 1993        830          Quadratic sieve
129                        428                          April 1994       5000         Quadratic sieve
130                        431                          April 1996       1000         Generalized number field sieve
140                        465                          February 1999    2000         Generalized number field sieve
155                        512                          August 1999      8000         Generalized number field sieve
160                        530                          April 2003       -            Lattice sieve
174                        576                          December 2003    -            Lattice sieve
200                        663                          May 2005         -            Lattice sieve

Page 38: Chapter 9 Public-Key Cryptography and RSA

MIPS-years: a million-instructions-per-second processor running for one year

Page 39: Chapter 9 Public-Key Cryptography and RSA

p and q should differ in length by only a few digits. Thus, for a 1024-bit key (309 decimal digits), both p and q should be on the order of magnitude of $10^{75}$ to $10^{100}$.

Both (p - 1) and (q - 1) should contain a large prime factor.

gcd(p - 1, q - 1) should be small.

Page 40: Chapter 9 Public-Key Cryptography and RSA

Paul Kocher, a cryptographic consultant, demonstrated that a snooper can determine a private key by keeping track of how long a computer takes to decipher messages.

Page 41: Chapter 9 Public-Key Cryptography and RSA

Constant exponentiation time.

Random delay

Blinding


Page 42: Chapter 9 Public-Key Cryptography and RSA

The basic RSA algorithm is vulnerable to a chosen ciphertext attack.

The adversary could select a plaintext, encrypt it with the target's public key and then be able to get the plaintext back by having it decrypted with the private key.

Page 43: Chapter 9 Public-Key Cryptography and RSA

$E(PU, M_1) \times E(PU, M_2) = E(PU, [M_1 \times M_2])$

$C = M^e \bmod n$

$X = (C \times 2^e) \bmod n$

Submit X as a chosen ciphertext and receive back $Y = X^d \bmod n$.

Page 44: Chapter 9 Public-Key Cryptography and RSA

$X = (C \bmod n) \times (2^e \bmod n)$

$= (M^e \bmod n) \times (2^e \bmod n)$

$= (2M)^e \bmod n$

Therefore, $Y = (2M) \bmod n$
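The multiplicative property from the last two slides and the "Blinding" countermeasure from the timing-attack slide rest on the same identity, so one added Python example (not part of the original presentation) covers both, using the toy key {7, 187} / {23, 187} from the worked example. The function names are illustrative, and the blinding shown is the standard form (exponentiate C × r^e, then divide out r), which is an assumption because the slide names the technique without describing it.

```python
import secrets
from math import gcd

N, E, D = 187, 7, 23     # toy key from the slides: PU = {7, 187}, PR = {23, 187}

def encrypt(m):
    return pow(m, E, N)                      # C = M^e mod n

def raw_decrypt(c):
    """Unpadded private-key operation, exactly as the basic algorithm defines it."""
    return pow(c, D, N)                      # M = C^d mod n

def doubled_ciphertext(c):
    """X = (C x 2^e) mod n, computed from public values only."""
    return (c * pow(2, E, N)) % N

def blinded_decrypt(c, r=None):
    """Decrypt C without ever exponentiating C itself.

    The private exponentiation runs on C * r^e for a fresh random r, so its
    input (and therefore its timing) is unrelated to the ciphertext supplied.
    """
    while r is None or gcd(r, N) != 1:       # r must be invertible mod n
        r = secrets.randbelow(N - 2) + 2     # random r in [2, n-1]
    blinded = (c * pow(r, E, N)) % N         # equals (M * r)^e mod n
    m_times_r = pow(blinded, D, N)           # equals (M * r) mod n
    return (m_times_r * pow(r, -1, N)) % N   # strip r to recover M

if __name__ == "__main__":
    m = 88
    c = encrypt(m)
    y = raw_decrypt(doubled_ciphertext(c))
    print("C =", c, " Y =", y, " 2M mod n =", (2 * m) % N)
    print("blinded decryption of C:", blinded_decrypt(c))
```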