1 Lecture 9 Public Key Cryptography Public Key Algorithms CIS CIS 5357 Network Security
2 Euler’s Totient function (n) - again ( n ) is the number of positive integers less than n and relatively prime to n. Let p be a prime. Then ( p ) = p – 1 Let n = pq for p and q prime. Then ( n ) = ( pq ) = ( p ) ( q ) Proof outline: look at numbers relatively prime to pq. Must take all the numbers less than pq but eliminate multiples of p and multiples of q. (pq – 1)–(q – 1)–(p – 1) = (p – 1)(q – 1) Example: let n = 15, Then (15) = (5) (3) = 8 Z 15 * = {1,2,4,7,8,11,13,14}
3 Euler’s Theorem - extension Euler’s theorem: for every a and n that are relatively prime, a (n) ≡ 1 mod n Corollary: for every a and n that are relatively prime, a k (n)+1 ≡ a mod n For n a product of two primes p and q, then for all a and k non-negative, a k (n)+1 ≡ a mod n Proof outline: consider case where a is a multiple of p, a = cp. Then gcd(a,q) = 1.
4 Discrete Logarithms Let y = g x mod p x is said to be the (discrete) logarithm of y, with base g. It is easy to compute y, given g,x, and p. It is hard to find x, given g,p, and y. It is believed to be as hard as factoring large primes.
xyxy Table for exponentiation mod 10
6 Looking at the mod 10 table Note that (10) = 4. Also, 10 is the product of distinct primes so Euler’s theorem applies (for any x ) –that is x 1 + k ( n ) = x mod n where n = 10, for all x –thus (10) = 4 means that every 4 th column will be the same (except starting at x 0 ) Note however that although exponentiating by 1, 3, and 4, are a permutation of the set 1-9, exponentiating by 2 does not result in a permutation. –this is because 2 is not a coprime of 4 = (10) –for all coprimes of 4, for example e = 3 we can find a d such that ed = 1 mod 4. –Thus, using mod 10 arithmetic, x ed = x 1+ (10) = x and thus x 3 has an exponentiative inverse in the sense that for all x, ( x 3 ) d = x, for some d.
7 RSA Rivest, Shamir, Adleman, 1978, MIT Variable key size, common to use 1024 bits Generating RSA keys is based on finding multiplicative inverses of large numbers (modulo), which is not hard Generating RSA ciphertext is based on modulo exponentiation, which is not hard RSA's strength is based on difficulty of factoring large numbers and computing discrete logarithms, which is believed to be hard. There may be other trap doors in RSA, but none have been found yet.
8 The RSA Algorithm Choosing public and private keys Let k be the key length then choose two large prime numbers p and q of bit lengths k /2, for example 512 bits each. Let n = pq. Choose e Find multiplicative inverse d of e mod ( n ). The private key is
9 RSA operations encryption / decryption Encryption – for a message m < n, c = m e mod n ( c is the ciphertext) Decryption – given the ciphertext c, compute c d mod n Note that c d mod n = m ed mod n = m since d was chosen so that ed = 1 + k (n) and we are simply using Euler’s (extension) theorem
10 RSA operations signature / verification Signature – for a message m < n, s = m d mod n ( s is the signature) Signature verification – given the signature s, compute s e mod n Note that s e mod n = m ed mod n = m. Also anyone can verify the signature using the public key.
11 RSA Example 1.Select two large primes, 2357 and Multiply them to get n = Select e = , relatively prime to ( n )= d = is the multiplicative inverse of e mod ( n ) 5.Encrypt m = < n as c = m e mod n = mod = Decrypt c as, m = c d mod n = mod =
12 Back to one way functions: an example of encryption / decryption Let n be a large number Let the plaintext be viewed as M < n To get the ciphertext, we do the following: C = M e mod n Example Let ( e,n ) be (7, 187) and M be 88 Then C = 88 7 mod 187 = 11 (d,n)=(23,187)and 187 = 17 11 Then M = mod 187 = 88
13 An Attack on RSA 1.An intruder, X intercepts a message (m) intended for Alice encrypted under Alice's public key (e): (m) e mod n 2.The intruder generates a value x, computes: x e m e mod n = (xm) e mod n and sends it to Alice 3.Alice decrypts the message to attain the value: xm mod n, which appears to be garbage 4.If Alice disposes of the "garbage" carelessly, the intruder can recover it and compute: (xmx -1 ) mod n = m
14 Some aspects of RSA 1.It's strength is based on the difficulty of factoring large numbers and the difficulty of computing discrete logarithms 2.It is much more computationally intensive than DES, IDEA, AES, etc. 3.It has avoidable weaknesses If there are a limited number of plaintext messages used in practice, can compute all the corresponding ciphertext messages and compare Encrypting small messages (say the value of e used is 3. Then can recover using cube root Smooth number threat – product of small primes Need to pad properly
15 Diffie Hellman Oldest public key system in use Allows Alice and Bob to agree on a shared key even though all messages are exchanged in the open Limited functionality – the shared secret can subsequently be used for encrypting / decrypting using other systems Weakness – no authentication as a basic element of DH
16 Diffie Hellman Key Exchange Choose a large prime p and g < p. These are publicly known to all. ( some restrictions on g and p for additional security) 1.Alice and Bob “randomly” choose a and b respectively - these are their individual private keys. 2.Alice computes T A = g a mod p, Bob computes T B = g b mod p 3.Alice and Bob exchange the values T A and T B 4.Alice computes T B a mod p and Bob computes T A b mod p 5.They have both computed the same number, the shared secret key
17 Intro to El Gamal 1.Alice and Bob agree on a large (512 bits) prime p and a generator g < p with some restrictions on g. (Operations are all mod p) 2.Alice chooses a random number a (her private key) and computes and publishes her public key T A = g a 3.To transmit a message M, Bob selects a random number r (private), and computes and sends to Alice: C =(g r,Mg ar ) 4.Alice computes g ar, then g -ar, and finally M = M(g ar )(g -ar )
18 El Gamal Example g a mod p = 3 g r mod p = 3 g ar mod p = 9 Mg ar mod p = 10 g -ar mod p = 5 g = 5 p = 11 a = 2 r = 7 M = 6 Mg ar * g -ar mod p = 6