Chapter 9 – Public Key Cryptography and RSA

Private-Key Cryptography
traditional private/secret/single key cryptography uses one key shared by both sender and receiver
if this key is disclosed communications are compromised
also is symmetric, parties are equal
hence does not protect sender from receiver forging a message & claiming it was sent by sender
Public-Key Cryptography
probably most significant advance in the 3000 year history of cryptography
uses two keys – a public & a private key
asymmetric since parties are not equal
uses clever application of number theoretic concepts to function
complements rather than replaces private key crypto
Why Public-Key Cryptography?
developed to address two key issues:
key distribution – how to have secure communications in general without having to trust a KDC with your key
digital signatures – how to verify a message comes intact from the claimed sender
public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
known earlier in classified community
Public-Key Cryptography
public-key/two-key/asymmetric cryptography involves the use of two keys:
a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures
is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures
Public-Key Cryptography

Public-Key Characteristics
Public-Key algorithms rely on two keys where:
it is computationally infeasible to find decryption key knowing only algorithm & encryption key
it is computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
either of the two related keys can be used for encryption, with the other used for decryption (for some algorithms)
Public-Key Cryptosystems

Public-Key Applications
can classify uses into 3 categories:
encryption/decryption (provide secrecy)
digital signatures (provide authentication)
key exchange (of session keys)
some algorithms are suitable for all uses, others are specific to one
Security of Public Key Schemes
like private key schemes brute force exhaustive search attack is always theoretically possible
but keys used are too large (>512bits)
security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems
more generally the hard problem is known, but is made hard enough to be impractical to break
requires the use of very large numbers
hence is slow compared to private key schemes
Exponentiation Ciphers
We will consider two kinds of exponentiation ciphers developed by the following people:
Rivest, Shamir, and Adleman (RSA)
Pohlig and Hellman
Both schemes encipher a message block M ∈ [0, n – 1] by computing the exponential
C = M^e mod n,
where e and n are the key to the enciphering transformation.
M is restored by the same operation, but using a different exponent d for the key:
M = C^d mod n.
Enciphering and deciphering can be implemented using the fast exponentiation algorithm:
C = fast_exp(M, e, n)
M = fast_exp(C, d, n)
Why the Algorithms Work
Thm: Given e, d, M such that ed mod φ(n) = 1, M ∈ [0, n – 1], gcd(M, n) = 1, then (M^e mod n)^d mod n = M.
Proof:
(M^e mod n)^d mod n = M^(ed) mod n
Since ed mod φ(n) = 1, there is some t such that ed = tφ(n) + 1. Hence
M^(ed) mod n = M^(tφ(n)+1) mod n = M · M^(tφ(n)) mod n = M · (M^(tφ(n)) mod n) mod n = M
where
M^(tφ(n)) mod n
= (M^(φ(n)) mod n)^t mod n
= 1^t mod n = 1
by Euler's theorem, since gcd(M, n) = 1.
A Few Words About the Theorem
Note that by symmetry, enciphering and deciphering are commutative and mutual inverses; thus,
(M^d mod n)^e mod n = M^(de) mod n = M
Given φ(n), it is easy to generate a pair (e, d) such that ed mod φ(n) = 1. This is done by first choosing d relatively prime to φ(n), and then computing e as
e = inv(d, φ(n))
Because e and d are symmetric, we could also pick e and compute d = inv(e, φ(n)).
Given e, it is easy to compute d (or vice versa) if φ(n) is known. But if e and n can be released without giving away φ(n) or d, then the deciphering transformation can be kept secret, while the enciphering transformation is made public.
It is the ability to hide φ(n) that distinguishes the two schemes.
Pohlig-Hellman Scheme
The modulus is chosen to be a large prime p.
To encipher:
C = M^e mod p
To decipher:
M = C^d mod p
Because p is prime, φ(p) = p – 1. Thus the scheme can only be used for conventional encryption, where e and d are both kept secret.
Ex. Let p = 11, φ(p) = 10. Choose d = 7 and compute e = inv(7, 10) = 3. Suppose M = 5. Then M is enciphered as:
C = M^e mod p = 5^3 mod 11 = 4.
Similarly, C is deciphered as:
C^d mod p = 4^7 mod 11 = 5 = M.
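The fast exponentiation and inv functions named above, and the Pohlig-Hellman worked example, as an added Python example that is not part of the slides: fast_exp is square-and-multiply, inv is the extended Euclidean algorithm (raising an error when no inverse exists), and the final section reproduces the p = 11, d = 7, M = 5 computation. Function names other than fast_exp and inv are my own.

```python
# Added example (not from the slides): square-and-multiply fast exponentiation,
# the modular inverse "inv" via the extended Euclidean algorithm, and the
# Pohlig-Hellman example with p = 11, d = 7, e = 3, M = 5 from the slides.


def fast_exp(base, exp, mod):
    """Compute base^exp mod mod by repeated squaring (right-to-left binary method)."""
    if mod <= 0 or exp < 0:
        raise ValueError("modulus must be positive and exponent non-negative")
    result = 1 % mod
    base %= mod
    while exp > 0:
        if exp & 1:                 # current bit is set: multiply this power in
            result = (result * base) % mod
        base = (base * base) % mod  # square for the next bit
        exp >>= 1
    return result


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def inv(a, m):
    """Return a^-1 mod m; raises if gcd(a, m) != 1, i.e. no inverse exists."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m


def pohlig_hellman_keypair(p, d):
    """Given prime p and d coprime to p - 1, return (e, d) with e*d = 1 mod (p - 1)."""
    phi = p - 1                       # phi(p) = p - 1 for prime p
    return inv(d, phi), d


def encipher(m, e, p):
    return fast_exp(m, e, p)


def decipher(c, d, p):
    return fast_exp(c, d, p)


if __name__ == "__main__":
    p, d = 11, 7                       # slide values
    e, d = pohlig_hellman_keypair(p, d)
    c = encipher(5, e, p)
    print(e, c, decipher(c, d, p))     # 3 4 5
```

Both e and d must stay secret here: since φ(p) = p − 1 is public knowledge for a public p, anyone holding e could compute d with the same inv call.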
Security Concern
The security of the scheme rests on the complexity of computing discrete logarithms.
A cryptanalyst may deduce p by observing the sizes of plaintext and ciphertext blocks.
Under a known-plaintext attack, a cryptanalyst can compute e (and thereby d) given a pair (M, C):
e = log_M C (mod p)
Pohlig and Hellman show that if (p – 1) has only small prime factors, it is possible to compute the logarithm in O(log^2 p) time, which is unsatisfactory even for large values of p.
They recommend picking p = 2p' + 1, where p' is also a large prime.
Discrete Logarithm
The fastest known algorithm for computing the discrete logarithm takes about
e^((ln p)^(1/3) (ln ln p)^(2/3))
steps. If p is a few hundred decimal digits long, it will take several billion years to compute.
RSA Scheme
The modulus is the product of two large primes p and q, i.e., n = pq.
Thus φ(n) = (p – 1)(q – 1)
To encipher:
C = M^e mod n
To decipher:
M = C^d mod n
They recommend picking d relatively prime to φ(n) in the interval [max(p, q) + 1, n – 1] (any prime in this interval will do).
Once d is chosen, e can be computed using the inv function. If the computed e is less than log2 n, then a new value of d should be picked.
Example
Ex. Let p = 5 and q = 7, so n = 5 × 7 = 35 and φ(n) = 4 × 6 = 24. Choose d = 11 and compute e = 11. Suppose M = 2. Then
C = M^e mod n = 2^11 mod 35 = 18 and
C^d mod n = 18^11 mod 35 = 2 = M.
Ex. Let p = 53 and q = 61, so n = 53 × 61 = 3233 and φ(n) = 52 × 60 = 3120. Choose d = 791 and compute e = 71. To encipher the message RENAISSANCE, we break it into blocks of 4 digits each, where A = 00, B = 01, ..., Z = 25, and blank = 26 (in practice, characters would be represented by their 8-bit ASCII codes). Thus we have
M = RE   NA   IS   SA   NC   E_
  = 1704 1300 0818 1800 1302 0426
The first block is enciphered as 1704^71 mod 3233 = 3106. The entire message is enciphered as
C = 3106 0100 0931 2691 1984 2927.
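The RSA key-generation recipe of the previous slide (a prime d in [max(p, q) + 1, n − 1], e = inv(d, φ(n)), reject e below log2 n) together with the RENAISSANCE block encoding, as an added Python example that is not from the slides. It uses Python's built-in pow for fast exponentiation and pow(d, -1, m) (Python 3.8+) as the inv function; the helper names, the padding rule (pad the last block with blanks) and the trial-division primality test are my own choices.

```python
# Added example (not from the slides): RSA key generation following the slides'
# recipe, plus the two-digit-per-letter block encoding used for RENAISSANCE.
from math import gcd, log2

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ "   # A = 00 ... Z = 25, blank = 26


def is_prime(x):
    """Trial division; adequate for the toy sizes on the slides."""
    if x < 2:
        return False
    i = 2
    while i * i <= x:
        if x % i == 0:
            return False
        i += 1
    return True


def rsa_keygen(p, q, d_candidates=None):
    """Return (n, e, d). d is the first candidate (default: primes in
    [max(p, q) + 1, n - 1]) coprime to phi(n) whose e = inv(d, phi(n)) is >= log2 n."""
    assert is_prime(p) and is_prime(q) and p != q
    n, phi = p * q, (p - 1) * (q - 1)
    if d_candidates is None:
        d_candidates = (x for x in range(max(p, q) + 1, n) if is_prime(x))
    for d in d_candidates:
        if gcd(d, phi) != 1:
            continue
        e = pow(d, -1, phi)            # e = inv(d, phi(n))
        if e < log2(n):                # slide rule: too-small e, pick another d
            continue
        return n, e, d
    raise ValueError("no suitable d found")


def encode_blocks(text, width=4):
    """Letters -> two-digit codes, padded with blanks, cut into width-digit blocks."""
    digits = "".join(f"{ALPHABET.index(ch):02d}" for ch in text.upper())
    if len(digits) % width:
        digits += "26" * ((width - len(digits) % width) // 2)
    return [int(digits[i:i + width]) for i in range(0, len(digits), width)]


def decode_blocks(blocks, width=4):
    digits = "".join(f"{b:0{width}d}" for b in blocks)
    return "".join(ALPHABET[int(digits[i:i + 2])] for i in range(0, len(digits), 2))


def encipher(blocks, e, n):
    assert all(0 <= m < n for m in blocks), "each block must lie in [0, n - 1]"
    return [pow(m, e, n) for m in blocks]


def decipher(blocks, d, n):
    return [pow(c, d, n) for c in blocks]


if __name__ == "__main__":
    n, e, d = rsa_keygen(53, 61, d_candidates=[791])   # slide values, gives e = 71
    m = encode_blocks("RENAISSANCE")
    c = encipher(m, e, n)
    print(n, e, d, m, c, decode_blocks(decipher(c, d, n)))
```

The block width must be chosen so that every block is below n (4 digits gives at most 9999, which is why 2-letter blocks are used with n = 3233, but note 4-digit blocks would not fit n = 35); the assertion in encipher makes that precondition explicit instead of silently reducing modulo n.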
Security Concern
Because φ(n) cannot be determined without knowing the prime factors p and q, it is possible to keep d secret even if e and n are made public.
Thus the RSA scheme can be used for public-key encryption, where the enciphering transformation is made public and the deciphering transformation is kept secret.
The security of the system depends on the difficulty of factoring n into p and q. The fastest known factoring algorithm takes about the same number of steps required for solving the discrete logarithm problem.
More About Euler's Theorem
Recall that for the Pohlig-Hellman and RSA schemes to work, we must have M < n and gcd(M, n) = 1.
For the Pohlig-Hellman scheme, this is for sure since n is prime. But how about RSA? Since n equals pq, it is possible that M is a multiple of p or a multiple of q (but not both, of course, since M < pq).
We want to show that even if M is a multiple of p or q, the RSA scheme still works.

What Happens When gcd(M, n) ≠ 1
Suppose M is a multiple of p, so that M = cp for some c and gcd(M, q) = 1. By Euler's theorem modulo q,
M^(φ(q)) mod q = 1
(M^(φ(q)))^(φ(p)) mod q = 1
M^(φ(n)) mod q = 1
Therefore, there is some k such that
M^(φ(n)) = kq + 1
Multiply each side by M = cp,
M^(φ(n)+1) = M + kqcp = M + ckn
Thus
M^(φ(n)+1) mod n = M.
The case when M is a multiple of q is similar.
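The chain of identities above checked numerically, as an added Python example that is not from the slides: euler_chain evaluates each step for an M that is a multiple of p, and multiples_still_decrypt confirms that every block sharing a factor with n still round-trips under the slide's toy key n = 35, e = d = 11. The function names are my own.

```python
# Added example (not from the slides): verify the gcd(M, n) != 1 argument for RSA.
from math import gcd


def euler_chain(M, p, q):
    """For M = c*p with gcd(M, q) = 1, return the truth of the slide's four steps:
    M^phi(q) = 1 (mod q), (M^phi(q))^phi(p) = 1 (mod q), M^phi(n) = 1 (mod q),
    and finally M^(phi(n)+1) = M (mod n)."""
    n, phi_p, phi_q = p * q, p - 1, q - 1
    phi_n = phi_p * phi_q
    assert M % p == 0 and gcd(M, q) == 1 and M < n
    step1 = pow(M, phi_q, q) == 1                  # Euler's theorem modulo q
    step2 = pow(pow(M, phi_q, q), phi_p, q) == 1   # raise both sides to phi(p)
    step3 = pow(M, phi_n, q) == 1                  # i.e. M^phi(n) = kq + 1
    step4 = pow(M, phi_n + 1, n) == M              # multiply by M = cp: M + ckn
    return step1, step2, step3, step4


def rsa_roundtrip(M, e, d, n):
    """RSA encipher then decipher, with no gcd(M, n) = 1 precondition."""
    return pow(pow(M, e, n), d, n)


def multiples_still_decrypt(p, q, e, d):
    """(all_ok, count): do all M in [0, n-1] with gcd(M, n) != 1 round-trip?"""
    n = p * q
    shared = [M for M in range(n) if gcd(M, n) != 1]
    return all(rsa_roundtrip(M, e, d, n) == M for M in shared), len(shared)


if __name__ == "__main__":
    print(euler_chain(10, 5, 7))                 # M = 2*5 -> (True, True, True, True)
    print(multiples_still_decrypt(5, 7, 11, 11)) # (True, 11): 35 - phi(35) such blocks
```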
Summarization (RSA Scheme)
Key Generation
Select p, q              p and q are both prime
Calculate n = p × q
Calculate φ(n) = (p – 1)(q – 1)
Select integer e         gcd(φ(n), e) = 1
Calculate d              d = inv(e, φ(n))
Public key               e and n
Private key              d and n
Encryption
Plaintext : M            Ciphertext : C = M^e mod n
Decryption
Ciphertext : C           Plaintext : M = C^d mod n
Summarization (RSA Scheme)
Each user A obtains a modulus n_A and enciphering and deciphering exponents e_A and d_A. A registers e_A and n_A with a public directory, thus making A's enciphering transformation E_A public.
A keeps d_A and, therefore, the deciphering transformation D_A secret.
Public-Key Systems
In a public-key system, each user has both a public and private key, and two users can communicate knowing only each other's public keys.
User A has a public enciphering transformation E_A, which may be registered with a public directory, and a private deciphering transformation D_A, which is known only to user A.
The private transformation D_A is described by a private key, and the public transformation E_A by a public key derived from the private key by a one-way transformation.
It must be computationally infeasible to determine D_A from E_A.
Secrecy And Authenticity
In a public-key system, secrecy and authenticity are both provided.
[Figure: Secrecy – M is transformed by E_K into C and recovered from C by D_K; M is protected, recovery without D_K is disallowed.]
[Figure: Authenticity – M is transformed by D_K into C and recovered from C by E_K; M is protected, creation of C without D_K is disallowed.]
Secrecy
Suppose user A wishes to send a message M to another user B. If A knows B's public transformation E_B, A can transmit M to B in secrecy by sending the ciphertext C = E_B(M).
On receipt, B deciphers C using B's private transformation D_B, getting
D_B(C) = D_B(E_B(M)) = M.
The scheme does not provide authenticity because any user with access to B's public transformation could substitute another message M' for M by replacing C with C' = E_B(M').
[Figure: A applies the public E_B to M; B applies the private D_B to recover M.]
Authenticity
For authenticity, M must be transformed by A's own private transformation D_A. A sends C = D_A(M) to B.
On receipt, B uses A's public transformation E_A to compute
E_A(C) = E_A(D_A(M)) = M.
[Figure: A applies the private D_A to M; B applies the public E_A to recover M.]
Authenticity is provided because only A can apply the transformation D_A.
Secrecy is not provided because any user with access to A's public transformation can recover M.
Both Secrecy And Authenticity
To use a public-key system for both secrecy and authenticity:
the ciphertext space must be equivalent to the plaintext space so that E_A and D_A can operate on both plaintext and ciphertext messages.
Both E_A and D_A must be mutual inverses so that E_A(D_A(M)) = D_A(E_A(M)) = M.
Suppose A wishes to send a message M to B. A sends to B the ciphertext
C = E_B(D_A(M)).
On receipt, B deciphers C by
E_A(D_B(C))
= E_A(D_B(E_B(D_A(M))))
= E_A(D_A(M))
= M.

Both Secrecy And Authenticity
RSA scheme can be used for both secrecy and authenticity.
[Figure: A applies the private D_A (authenticity) and then the public E_B (secrecy) to M; B applies the private D_B and then the public E_A to recover M.]
Secrecy And Authenticity (RSA)
User B can send a secret message M to A using
C = E_A(M) = M^(e_A) mod n_A
which A deciphers using
D_A(E_A(M)) = (M^(e_A))^(d_A) mod n_A = M
Only A can decipher C to get M.
Alternatively, A can send a signed message M to B using
C = D_A(M) = M^(d_A) mod n_A
which B authenticates using
E_A(D_A(M)) = (M^(d_A))^(e_A) mod n_A = M
Because only A can apply D_A, it cannot be forged, and a judge can settle any dispute arising between A and B.
Both Secrecy And Authenticity
A slight difficulty arises when both secrecy and authenticity are desired. For A to send a message to B:
C = E_B(D_A(M))
If n_A > n_B, the blocks comprising D_A(M) might not be in the range [0, n_B – 1].
Reducing them modulo n_B does not solve the problem, because it would then be impossible to recover the original message.
Possible Solutions
One solution is to reblock D_A(M).
Reblocking can be avoided using a threshold value h (e.g., h = 10^99). Each user has two sets of transformations:
(E_A1, D_A1) for signatures
(E_A2, D_A2) for secrecy
where n_A1 < h < n_A2.
A sends a signed message to B: C = E_B2(D_A1(M))
B recovers M and checks A's signature: E_A1(D_B2(C))
= E_A1(D_B2(E_B2(D_A1(M))))
= E_A1(D_A1(M))
= M.
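The threshold solution carried out with two key pairs per user, as an added Python example that is not from the slides. The four (n, e, d) triples are constructed toy RSA keys: A2 is the slide's (3233, 71, 791); the other three were built from the primes given in the comments and their e·d ≡ 1 (mod φ(n)) relation was checked by hand. The threshold h = 3000 and all function names are my own choices.

```python
# Added example (not from the slides): signature pair n_X1 < h < n_X2 secrecy pair,
# so that D_X1(M) < n_X1 < h < n_Y2 always fits under the receiver's secrecy modulus.
H = 3000                                  # threshold h (constructed value)

# (n, e, d) per user; suffix 1 = signature pair (n < h), suffix 2 = secrecy pair (n > h)
KEYS = {
    "A1": (2773, 17, 157),     # p = 47, q = 59, phi = 2668  (constructed)
    "A2": (3233, 71, 791),     # p = 53, q = 61, phi = 3120  (slide values)
    "B1": (2537, 5, 1949),     # p = 43, q = 59, phi = 2436  (constructed)
    "B2": (4087, 7, 2263),     # p = 61, q = 67, phi = 3960  (constructed)
}
PHI = {"A1": 2668, "A2": 3120, "B1": 2436, "B2": 3960}


def E(key, x):
    """Public transformation of the named key pair: x^e mod n."""
    n, e, _ = KEYS[key]
    return pow(x, e, n)


def D(key, x):
    """Private transformation of the named key pair: x^d mod n."""
    n, _, d = KEYS[key]
    return pow(x, d, n)


def keys_are_consistent():
    """Every pair satisfies e*d = 1 mod phi(n) and the n_X1 < h < n_X2 ordering."""
    inverses = all((e * d) % PHI[k] == 1 for k, (_, e, d) in KEYS.items())
    ordering = all(KEYS[u + "1"][0] < H < KEYS[u + "2"][0] for u in "AB")
    return inverses and ordering


def sign_then_encrypt(sender, receiver, M):
    """C = E_R2(D_S1(M)); the signed block is < n_S1 < h < n_R2, so no reblocking."""
    signed = D(sender + "1", M)
    assert signed < KEYS[receiver + "2"][0]
    return E(receiver + "2", signed)


def decrypt_then_verify(receiver, sender, C):
    """M = E_S1(D_R2(C))."""
    return E(sender + "1", D(receiver + "2", C))


def all_blocks_roundtrip(sender, receiver):
    """Check every block M in [0, n_S1 - 1] survives sign -> encrypt -> decrypt -> verify."""
    n_sig = KEYS[sender + "1"][0]
    return all(decrypt_then_verify(receiver, sender, sign_then_encrypt(sender, receiver, M)) == M
               for M in range(n_sig))


if __name__ == "__main__":
    print(keys_are_consistent(), all_blocks_roundtrip("A", "B"), all_blocks_roundtrip("B", "A"))
```

Because the signature modulus of every user lies below h and every secrecy modulus lies above it, the ordering holds for any sender/receiver pair without the two parties comparing moduli first.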
Another Solution
If C = E_B(D_A(M)) is not computable because n_A > n_B, then C' = D_A(E_B(M)) is computable.
User B, knowing both n_A and n_B (both are public), can recover M by computing either of the following:
Case 1: n_A < n_B
E_A(D_B(C)) = E_A(D_B(E_B(D_A(M))))
= E_A(D_A(M))
= M.
Case 2: n_A > n_B
D_B(E_A(C')) = D_B(E_A(D_A(E_B(M))))
= D_B(E_B(M))
= M.
Dispute Resolution
If a dispute arises between A and B on the authenticity of A's signature, a judge must be able to ascertain that M originated with A.
If n_A < n_B, B applies B's private transformation to C and presents the judge with X = D_B(C) and M. The judge computes M' = E_A(X) using A's public transformation, and verifies that M' = M.
If n_A > n_B, another approach is needed because D_B must be applied after E_A, and B may not want to give D_B to the judge.
The solution is for B to present the judge with C' and M. The judge computes
X = E_B(M)
X' = E_A(C') = E_A(D_A(E_B(M)))
and verifies that X = X'.
Summarization
                    n_A < n_B                    n_A > n_B
A transmits         C = E_B(D_A(M))              C' = D_A(E_B(M))
B computes          M = E_A(D_B(C))              M = D_B(E_A(C'))
B gives judge       M, X = D_B(C)                M, C'
Judge computes      M' = E_A(X)                  X = E_B(M)
                                                 X' = E_A(C')
Judge tests         M' = M                       X = X'
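The whole table, including the combined secrecy-and-authenticity exchange C = E_B(D_A(M)) of the earlier slides, as an added Python example that is not from the slides. A's key is the slide pair (3233, 71, 791); B's (2773, 17, 157) is a constructed toy key from p = 47, q = 59 (e·d = 2669 = 2668 + 1). Since n_A > n_B, A→B is case 2 and B→A is case 1; the function names are my own.

```python
# Added example (not from the slides): choose the transformation order from the two
# public moduli, recover M on the receiving side, and run the judge's checks.
KEYS = {"A": (3233, 71, 791), "B": (2773, 17, 157)}   # (n, e, d); B's is constructed


def E(user, x):
    n, e, _ = KEYS[user]
    return pow(x, e, n)


def D(user, x):
    n, _, d = KEYS[user]
    return pow(x, d, n)


def n_of(user):
    return KEYS[user][0]


def transmit(sender, receiver, M):
    """("C", E_R(D_S(M))) when n_S < n_R, else ("C'", D_S(E_R(M)))."""
    assert 0 <= M < min(n_of(sender), n_of(receiver)), "block must fit both moduli"
    if n_of(sender) < n_of(receiver):
        return "C", E(receiver, D(sender, M))
    return "C'", D(sender, E(receiver, M))


def recover(receiver, sender, kind, value):
    """Case 1: M = E_A(D_B(C)). Case 2: M = D_B(E_A(C'))."""
    if kind == "C":
        return E(sender, D(receiver, value))
    return D(receiver, E(sender, value))


def evidence_for_judge(receiver, sender, kind, value, M):
    """Case 1: hand over M and X = D_B(C). Case 2: hand over M and C' (D_B stays private)."""
    if kind == "C":
        return {"M": M, "X": D(receiver, value)}
    return {"M": M, "C'": value}


def judge_accepts(sender, receiver, evidence):
    """The judge uses only the public transformations E_A and E_B."""
    if "X" in evidence:                          # case 1: M' = E_A(X) must equal M
        return E(sender, evidence["X"]) == evidence["M"]
    X = E(receiver, evidence["M"])               # case 2: X = E_B(M)
    X_prime = E(sender, evidence["C'"])          #         X' = E_A(C')
    return X == X_prime


def blocks_exceeding_receiver_modulus(sender, receiver):
    """How many signed blocks D_S(M) fall outside [0, n_R - 1]: the reason for case 2."""
    n_s, n_r = n_of(sender), n_of(receiver)
    return sum(1 for M in range(min(n_s, n_r)) if D(sender, M) >= n_r)


def run(sender, receiver, M):
    kind, value = transmit(sender, receiver, M)
    got = recover(receiver, sender, kind, value)
    ok = judge_accepts(sender, receiver, evidence_for_judge(receiver, sender, kind, value, M))
    return kind, got, ok


if __name__ == "__main__":
    print(run("A", "B", 1704))   # ("C'", 1704, True): n_A > n_B, case 2
    print(run("B", "A", 1704))   # ("C", 1704, True): n_B < n_A, case 1
    print(blocks_exceeding_receiver_modulus("A", "B"))
```

In case 2 the judge never needs D_B: comparing E_B(M) against E_A(C') uses only directory keys, so B's private transformation is not disclosed to settle the dispute.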