Cryptology Design Fundamentals Grundlagen des kryptographischen Systementwurfs Module ID: ET-IDA-048 11.12.2018, v29-1 Prof. W. Adi Lecture-10 Public-Key Cryptography RSA Rivest-Shamir-Adelmann Public-Key System

Lecture Outlines Historical Overview ! RSA Public-Key Encryption System RSA Public-Key Signature System RSA Security considerations

The Target of Public Key Cryptography Ciphering Sender De-Ciphering Receiver Y = E (Z,X) X E ( Z,X ) D ( Z,Y ) X Message Channel Message Secret Key = Z Z Secret Key Channel Public-Key system drops out that secret key- agreement completely Secret key exchange is not a part of the secret-key system:

Public-Key Secrecy System RSA 1978 (Rivest Shamir Adelmann) MIT, USA !! K-close K-open Trap-door One Way Function ! RSA secrecy system: Was published 1978 based mainly on Euler theorem and on the claim that Euler function for any integer m is only computable if the factorization of m is known and that factorization is considered as computationally unsolved problem For m = p1 p2 p3 .... pt e1 e2 e3 et (m) = m ( 1 - ) ( 1 - ) …… P2 1 P1

Basic Public Key Secrecy System (RSA system1978) RSA: Rivest-Shamir-Adleman, MIT, USA (Mechanical simulation: user A sends a message to B) All operations in Zm User A User B Public register Close Kc open Ko= Kc-1 ( )Kc (mod m) Kc M MKc.Ko = M (MKc)Ko Ko MKc

Conventional Public-Key Crypto-system (using asymmetric keys) Sender Receiver Y = E (Zp,X) X X E ( Zp,X ) D ( Zs,Y ) Message Channel Message Secret-Key Zs Public-Key Zp Public Directory Z.. Zp Z... Zs

( ) RSA-Lock (Hiding Function) Uses Exponentiation in the Ring Zm Where m = p.q , p and q are two large secret primes Open key E M E (mod m) ENCRYPTION ( ) D M E (mod m) DECRYPTION Secret key ( M E )D mod (m) = M E. D mod (m) = M To get M, the following should hold: E . D = 1 or D = E-1 in the exponent That is E and D should be invertible modulo (m) ! Or gcd (E, (m) ) =1 Security Considerations: m is a large composite (m=p q), p and q are two large secret primes. To break the system (m) is required to compute D =E-1 modulo (m). However (m) can only be computed if p and q are known. Therefore, the system can only be broken if and only if m can be factored or (m) can be found somehow!

RSA Public Key Secrecy System 1978 Design Scheme of RSA Public Key Secrecy System 1978 Open directory USER A: Na = pa . qa open modulus of A pa . qa tow secret large primes (Na) = (pa-1).(qa -1) Ea = open Encryption key of A Da = Ea-1 [mod (Na) ] USER B: Nb = pb . qb open modulus of B pb . qb tow secret large primes (Nb) = (pb-1).(qb -1) Eb = open Encryption key of B Db = Eb-1 [mod (Nb) ] User A Na Ea User B Nb Eb Y= M mod Nb (Encrypt) Eb Condition: gcd [Ea , (Na) ] = 1 Condition: gcd [ Eb , (Nb) ] = 1 Number of possible keys = [(Na)] Number of possible keys = [(Nb)] A sends Message M to B: Db Eb Db = M mod Nb =M (Decrypt) Y

Public-Key Signature Scheme Signing Process Verification Process Message M to be signed Message M Signature Sa of user A Signed Message Public Directory Ea Verification Key for A Message Public-Key encryption Signature Sa Encrypted M by Da Encrypting by secret-key Da Reject Check if decryption by Ea gives M Accept

RSA Public Key Signature System 1978 A signs Document M for B: Design Scheme of RSA Public Key Signature System 1978 User B Nb Eb User A Na Ea USER A: Na = pa . qa open modulus of A pa . qa two secret large primes (Na) = (pa-1).(qa -1) Ea = open Encryption key of A Da = Ea-1 [mod (Na) ] USER B: Nb = pb . qb open modulus of B pb . qb twosecret large primes (Nb) = (pb-1).(qb -1) Eb = open Encryption key of B Db = Eb-1 [mod (Nb) ] Open directory gcd [ Eb , (Nb) ] = 1 gcd [Ea , (Na) ] = 1 Ea Da A signs Document M for B: (M,S) Signed Message Da Ea = M mod Na=M´ (Verify M´=M)? M = S mod Na S If M´= M then the signature is true

Security design considerations of RSA Public-Key Encryption and Signature System Security considerations and RSA system facts: Based on the assumption that Integer Factoring is not efficiently computable Every user should find two large primes p and q and multiply them to get N which the user publishes as his open modulus. Both primes p and q are kept secret by the user. As the user knows p and q, he can compute Euler function (N)= (p.q)= (p-1)(q-1). The then seeks a random integer E, which should be invertible modulo (N) and publishes E as his open encryption key. The inverse of E modulo (N) is D and this is to be kept secret. 4. Caution: There is no evidence that no efficient algorithms can be found to break the system. 5. p-1 and q-1 should have large prime factor to make attacks more infeasible (p and q are “strong primes”).

Security of RSA Public Key System Is Exponentiation y = a x in Zm a One-Way Function ? Theoretically not (no proof that (m) is not computable if we do not know p and q !!) Practically and still yes if : m is a product of two strong primes! RSA system can be broken by: 1. Factoring m = p . q 2. Computing (m) somehow without factoring. (m) = (p -1)(q -1) = m - p - q + 1  s = (p + q) = m - (m) + 1 m = p . q  p or q = ( s   s2 - 4 m ) / 2 But factoring is computationally equivalent to computing Euler function (m) Proof:

Example: Construct RSA secrecy system using the two prime pairs 11, 5 and 3,11. Encrypt the message M=2 sent to user B. Let B signs M and send his signature back to A. Solution: Open directory USER A: Na = 11 x 5 open modulus of A pa . qa two secret large primes (Na) = (pa-1).(qa -1)=40 7= open Encryption key of A Da = 7-1 [mod 40) ] =23 USER B: Nb = 3. 11 open modulus of B pb . qb two secret large primes (Nb) = (pb-1).(qb -1) =20 3 = open Encryption key of B Db = Eb-1 [mod (Nb) ] =7 User A 55 7 User B 33 3 gcd [Ea , (Na) ] = 1 gcd [ Eb , (Nb) ] = 1 A sends Message M=5 to B: 3 Y = 26 Y = 5 mod 33= 26 (A Encrypts M) 7 26 mod 33 = 5 = M (Decrypt) Security Gap: Notice that anybody can decrypt S to disclose M! Any other solution? M’=143 mod 33 = 5 = M (Verify) S = 14 S= 57 mod 33 = 14 (B signes M)