
Public-key encryption

Symmetric-key encryption
Invertible function
Security depends on the shared secret – a particular key.
Fast, highly secure
Fine for repeated communication
Poor fit for one-shot communication, signatures

Asymmetric-key (public key) encryption The basic idea: A user has two keys: a public key and a private key. A message can be encrypted with the public key and decrypted with the private key to provide security. A message can be encrypted with the private key and decrypted with the public key to provide signatures.

One-way functions
Most common functions are invertible; for any F(x) = y, there is an F^{-1}(y) = x.
–Multiplication and division
–DES
A function which is easy to compute in one direction, but hard to compute in the other, is known as a one-way function.
–Hashing, modular arithmetic.
A one-way function that can be easily inverted with an additional piece of knowledge is called a trapdoor one-way function.

One-way functions Public key encryption is based on the existence of trapdoor one-way functions. –Encryption with the public key is easy. –Decryption is computationally hard. –Knowledge of the private key opens the trapdoor, making inversion easy. Password systems also use one-way functions.

Overview of RSA
RSA is the most common and well-known public key cryptosystem
Basic notation: a key pair (e,d) contains two keys:
–e is the public key (used to encrypt documents)
–d is the private key (used to decrypt documents)
M is the plaintext message.
Let R be the encryption function.
R(e,M) = C. R(d,C) = M. - encryption
R(d,M) = C’ R(e,C’) = M - signing
R(e,R(d,M)) = M = R(d,R(e,M))
–Same function is used for both operations.

Modular Arithmetic
RSA’s security is based on modular arithmetic.
–a = b (mod n): there is a q such that a - b = qn
–b is the remainder after dividing a by n
–23 = 3 (mod 5)
A set {0,1,…,n-1} is closed under modular addition and multiplication.
(a (mod n) + b (mod n)) (mod n) = (a+b) (mod n)
(ab) (mod n) = (a (mod n) b (mod n)) (mod n)

Modular Arithmetic Two numbers p and q are said to be relatively prime if their greatest common divisor is 1. –5 and 17, 8 and 9, 10 and 21 To compute gcd: –gcd(a,b) = gcd(b, a mod b) (Euclid, 300BC)

Identities and Inverses
An identity is a number that maps a number to itself under some operation.
–0 in normal addition, 1 in multiplication.
An inverse is a number (within the input set) that maps a given number to the identity
–X * 1/X, X + -X in integer math
We are particularly interested in multiplicative inverses for modular arithmetic.
–(ab) = 1 (mod n)

Multiplicative Inverses
3 and 2 are multiplicative inverses mod 5.
7 and 6 are multiplicative inverses mod 41.
5 and 2 are multiplicative inverses mod 9.
For n > 1, if a and n are relatively prime, there is a unique x such that
–ax = 1 (mod n)

More preliminaries
Fermat’s Little Theorem:
–If p is prime, then for all a: a^{p-1} = 1 (mod p)
Chinese Remainder Thm (corollary)
–If p and q are prime, then for all x and a:
–x = a (mod p) and x = a (mod q) iff x = a (mod pq)
These are needed to prove RSA’s correctness.

The RSA Algorithm
Pick two large (100 digit) primes p and q.
Let n = pq
Select a relatively small integer d that is prime to (p-1)(q-1)
Find e, the multiplicative inverse of d mod (p-1)(q-1)
(d,n) is the public key. To encrypt M, compute
–En(M) = M^e (mod n)
(e,n) is the private key. To decrypt C, compute
–De(C) = C^d (mod n)

RSA example
Let p = 11, q = 13
n = pq = 143
(p-1)(q-1) = 120 = 3 x 2^3 x 5
Possible d: 7, 11, 13, 17, … (let’s use 7)
Find e: e*7 = 1 (mod 120), e = 103
Public key: (7, 143)
Private key: (103, 143)
En(42) = 42^7 (mod 143) = 81
De(81) = 81^103 (mod 143) = 42

Correctness of RSA
To show RSA is correct, we must show that encryption and decryption are inverse functions:
–En(De(M)) = De(En(M)) = M = M^{ed} (mod n)
–Since d and e are multiplicative inverses, there is a k such that:
ed = 1 + kn = 1 + k(p-1)(q-1)
M^{ed} = M^{1+k(p-1)(q-1)} = M*(M^{p-1})^{k(q-1)}
By Fermat: M^{p-1} = 1 (mod p)
M^{ed} = M(1)^{k(q-1)} (mod p) = M (mod p)

Correctness of RSA
M^{ed} = M(1)^{k(q-1)} (mod p) = M (mod p)
M^{ed} = M(1)^{k(q-1)} (mod q) = M (mod q)
By Chinese Remainder Thm, we get:
M^{ed} = M (mod p) and M^{ed} = M (mod q), so M^{ed} = M (mod pq) = M (mod n)
Therefore, RSA reproduces the original message and is correct.
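
The key generation, example and correctness slides above, carried through in code. This is an added example, not part of the original slides; the function names are its own, and it uses the worked example's numbers (p = 11, q = 13, public key (7, 143), private key (103, 143)) with no padding, so it is textbook RSA only.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)            # gcd(a, b) = gcd(b, a mod b)
    return g, y, x - (a // b) * y

def mod_inverse(a, n):
    """The x in [0, n) with a*x = 1 (mod n); exists only if gcd(a, n) == 1."""
    g, x, _ = egcd(a, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}")
    return x % n

def make_keys(p, q, public_exp):
    """Return (public_key, private_key), each an (exponent, modulus) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    private_exp = mod_inverse(public_exp, phi)
    return (public_exp, n), (private_exp, n)

def rsa(key, value):
    """The single function R of the overview slide: value^exponent mod n."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must lie in [0, n)")
    return pow(value, exponent, n)

def round_trips(p, q, public_exp):
    """Check R(priv, R(pub, M)) == M == R(pub, R(priv, M)) for every M in [0, n)."""
    pub, priv = make_keys(p, q, public_exp)
    return all(rsa(priv, rsa(pub, m)) == m == rsa(pub, rsa(priv, m))
               for m in range(p * q))

if __name__ == "__main__":
    pub, priv = make_keys(11, 13, 7)
    c = rsa(pub, 42)
    print(pub, priv, c, rsa(priv, c))
    print(round_trips(11, 13, 7))
```

The exhaustive check in round_trips covers messages that share a factor with n as well, which the Fermat step of the proof does not address directly.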

Strengths of RSA
No prior communication needed
Highly secure (for large enough keys)
Well-understood
Allows both encryption and signing

Weaknesses of RSA
Large keys needed (1024 bits is current standard)
Relatively slow
–Not suitable for very large messages
Public keys must still be distributed safely.

Security of RSA The security of RSA is dependent on the assumption that it’s difficult to generate the private key d from the public key e and the modulus n. Equivalent to integer factorization problem. –This is how we got e and d in the first place. Factoring is thought to be computationally hard. –No proof, though!

Difficulty of Factoring
The fastest known factoring algorithm is the generalized number field sieve.
–Sub-exponential time
–Greater than polynomial space.
Some statistics:
Number Length | Machines | Memory/Machine
430 | 1 | Trivial
… | …,000 | 4Gb
… | … million | 170 Gb
… | … x10^15 | 120 Tb

Security and Problem Difficulty Another way to think about the problem is to ask how long a keylength will be secure, given Moore’s law: From the RSA labs factoring FAQ

Security and Problem Difficulty RSA-155 (512 bit asymmetric-key) broken in Estimate: capability grows by ~4.25 digits per year. (approx bits per year) 1024-bit RSA should be “secure” until Using Moore’s Law – 1024-bit is 7 million times harder than 512-bit –So, we need a 7 millionX speedup to crack 1024-bit RSA with the same relative computational power. –Also about 34 years. Question: How long does your data need to be secure?

Digital Signatures Desirable properties of a digital signature: –A receiver must be able to validate the signature –The signature must not be forgeable –The signer must not be able to repudiate the signature. Encrypt with private key, validate with public key. –For security and authenticity, encrypt the signed message with the receiver’s public key.

Hash Functions
A hash function is a one-way function that maps a message M into a (typically smaller) hashed message H.
Sometimes this is called a fingerprint
Also sometimes a message digest.
–Goals: Non-invertible, fast, low collision rate

Hash Functions To sign a document, I compute its hash, encrypt that with my private key, and send the encrypted hash along with the original document as plaintext. The receiver hashes the plaintext and then uses my public key to verify that I was the one who sent the document. Can also detect tampering.
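
The hash-then-sign flow described above, as an added example that is not part of the original slides. The key is a constructed toy built from two Mersenne primes, the function names are this example's own, and reducing the SHA-256 digest mod N stands in for the padding a real signature scheme would use.

```python
import hashlib

# Constructed toy key pair: far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
PUBLIC_EXP = 65537
PRIVATE_EXP = pow(PUBLIC_EXP, -1, (P - 1) * (Q - 1))   # needs Python 3.8+

def digest_as_int(document: bytes) -> int:
    """Hash the document and map the digest into [0, N)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N

def sign(document: bytes) -> int:
    """Signer: 'encrypt' the hash with the private key."""
    return pow(digest_as_int(document), PRIVATE_EXP, N)

def verify(document: bytes, signature: int) -> bool:
    """Receiver: re-hash the plaintext and compare with the opened signature."""
    if not 0 <= signature < N:
        return False
    return pow(signature, PUBLIC_EXP, N) == digest_as_int(document)

if __name__ == "__main__":
    doc = b"Transfer 10 units to account 42"      # constructed sample document
    sig = sign(doc)
    print("original verifies:", verify(doc, sig))
    print("tampered verifies:", verify(doc.replace(b"10", b"9910"), sig))
    print("altered signature verifies:", verify(doc, (sig + 1) % N))
```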

Combining Public and Secret Keys Public-key encryption is often used to synchronize secret session keys. –SSL uses this. A generates a secret key and sends it to B, encrypted with B’s public key. –For handshaking, include a random number. B decrypts the message and has the secret key. –For handshaking, B encrypts the random number with A’s public key and returns it.

Authentication A sends “Please authenticate me” to B B creates a random message and signs it with A’s public key. A decrypts the message with its private key, encrypts it with B’s public key, and returns it. –Only someone with A’s private key can do this. Potential attack: B gets to pick a string that A will encrypt –This could yield information about A’s private key.

Zero-knowledge Protocols One application of public-key cryptography is zero-knowledge protocols. Often, one party might want to prove something to another without revealing any information –Nuclear treaties –Bank balances –Sensitive information

Zero-knowledge protocols Alice wants to prove to Bob that she is Alice. –If she sends identification, Bob (or an eavesdropper) can use it. Example: Authority chooses a number N=77, known by all. Alice’s public ID: (58, 67) Alice’s private ID: (9,10) –These are multiplicative inverses mod 77

Zero-knowledge protocols
Alice chooses some random numbers and computes their square mod N.
–{19, 24, 51} -> 19^2 (mod 77) = 53, 24^2 (mod 77) = 37, 51^2 (mod 77) = 60
–Alice sends {53,37,60} to Bob.
–Bob sends back a random 2x3 matrix of 1s and 0s.
–0 1
–1 0
–1 1

Zero-knowledge protocols
Alice uses this grid, plus her original random numbers and her secret numbers, to compute:
19 * 9^0 * 10^1 (mod 77) = 36
24 * 9^1 * 10^0 (mod 77) = 62
51 * 9^1 * 10^1 (mod 77) = 47
She sends {36,62,47} to Bob.

Zero-knowledge protocols
Bob verifies Alice’s identity by computing:
–{58,67} are Alice’s public numbers
36^2 * 58^0 * 67^1 (mod 77) = 53
62^2 * 58^1 * 67^0 (mod 77) = 37
47^2 * 58^1 * 67^1 (mod 77) = 60
Alice’s original numbers reappear!
–(Actually, an attacker would have a 1 in 64 chance of guessing correctly …)

Zero-knowledge protocols In a real system, N would be very large –160 digits. Many more numbers would be generated. This works because Alice’s secret numbers are multiplicative inverses of her public numbers mod N. Also, Bob learns nothing that he didn’t know before.
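
The identification exchange from the preceding slides, with both sides' messages, as an added example that is not part of the original slides. The function names are this example's own; keys_match makes explicit the relation the arithmetic relies on, namely that each secret number squared times its public number is 1 mod N.

```python
import secrets

N = 77                  # modulus chosen by the authority (slide value)
PUBLIC_ID = (58, 67)    # Alice's public numbers (slide values)
PRIVATE_ID = (9, 10)    # Alice's secret numbers (slide values)

def keys_match(n, public, private):
    """The relation that makes verification work: s^2 * v = 1 (mod n)."""
    return all(s * s * v % n == 1 for s, v in zip(private, public))

def commit(n, randoms):
    """Alice's first message: the square of each random number mod n."""
    return [r * r % n for r in randoms]

def respond(n, private, randoms, challenge):
    """Row i of the challenge selects which secrets multiply random r_i."""
    responses = []
    for r, bits in zip(randoms, challenge):
        y = r
        for s, bit in zip(private, bits):
            y = y * pow(s, bit, n) % n
        responses.append(y)
    return responses

def verify(n, public, commitments, challenge, responses):
    """Bob accepts iff y^2 times the selected public numbers gives each commitment."""
    for x, bits, y in zip(commitments, challenge, responses):
        check = y * y % n
        for v, bit in zip(public, bits):
            check = check * pow(v, bit, n) % n
        if check != x:
            return False
    return True

def run_round(n, public, private, rows=3):
    """One full exchange with fresh randomness on both sides."""
    randoms = [secrets.randbelow(n - 1) + 1 for _ in range(rows)]
    challenge = [[secrets.randbelow(2) for _ in public] for _ in range(rows)]
    responses = respond(n, private, randoms, challenge)
    return verify(n, public, commit(n, randoms), challenge, responses)

if __name__ == "__main__":
    grid = [[0, 1], [1, 0], [1, 1]]     # Bob's challenge from the slides
    sent = respond(N, PRIVATE_ID, [19, 24, 51], grid)
    print(commit(N, [19, 24, 51]), sent)
    print(verify(N, PUBLIC_ID, [53, 37, 60], grid, sent))
```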

Summary
Public key encryption provides a flexible system for secure communication in open environments.
Based on one-way functions
Allows for both authentication and signing
Secure public key distribution remains a problem.