1. David Evans http://www.cs.virginia.edu/~evans
Lecture 7:
Non-secret Key Cryptosystems
Real mathematics has no effects on war. No one has yet discovered any warlike purpose to be served by the theory of numbers.
G. H. Hardy, The Mathematician’s Apology, 1940.
Background
just got here last week
finished degree at MIT week before
Philosophy of advising students
don’t come to grad school to implement someone else’s idea
can get paid more to do that in industry
learn to be a researcher
important part of that is deciding what problems and ideas are worth spending time on
grad students should have their own project
looking for students who can come up with their own ideas for research
will take good students interested in things I’m interested in – systems, programming languages & compilers, security
rest of talk – give you a flavor of the kinds of things I am interested in
meant to give you ideas (hopefully even inspiration!) but not meant to suggest what you should work on
CS551: Security and Privacy
University of Virginia
Computer Science
David Evans

2. Diffie-Hellman Key Agreement
Choose public numbers: q (large prime number),  (generator mod q)
A generates random XA and sends B:
YA = XA mod q.
B generates random XB and sends A:
YB =  XB mod q.
A calculates secret key: K = (YB) XA mod q.
B calculates secret key: K = (YA) XB mod q.
2 January 2019
University of Virginia CS 551

3. Public-Key Cryptography
Same paper introduced concept of Public-Key Cryptography
Private procedure: E
Public procedure: D
Identity: E (D (m)) = D (E (m)) = m
Secure: cannot determine E from D
But didn’t know how to find suitable E and D
2 January 2019
University of Virginia CS 551

4. University of Virginia CS 551
One-way Functions
Like mixing paint – easy to mix, hard to unmix
Simple example:
Middle 100 digits of n2, n random 100 digit number
Given n, easy to calculate.
Given 100 digits, hard to find n.
Application:
Trusted spies, untrustworthy border guards
2 January 2019
University of Virginia CS 551

5. University of Virginia CS 551
Properties of E and D
Trap-door one way function:
D (E (M)) = M
E and D are easy to compute.
Revealing E doesn’t reveal an easy way to compute D
Trap-door one way permutation: also
E (D (M)) = M
2 January 2019
University of Virginia CS 551

6. University of Virginia CS 551
RSA
E(M) = Me mod n
D(C) = Cd mod n (red = secret)
n = p * q p, q are prime
d is relatively prime to (p – 1)(q – 1)
e * d  1 (mod (p – 1)(q – 1))
2 January 2019
University of Virginia CS 551

7. Until 1997 – Illegal to show this slide to non-US citizens!
RSA in Perl
print pack"C*", split/\D+/, `echo [(pop,pop,unpack"H*",<>)]} \EsMsKsN0[lN*1lK[d2%Sa2/d0 <X+d*lMLa^*lN%0]dsXx++lMlN /dsM0<J]dsJxp"|dc`
Until 1997 – Illegal to show this slide to non-US citizens!
Today: can export RSA, but only with 512 bit keys.
(by Adam Back)
2 January 2019
University of Virginia CS 551

8. University of Virginia CS 551
First Amendment
Because computer source code is an expressive means for the exchange of information and ideas about computer programming, we hold that it is protected by the First Amendment.
Sixth Circuit Court of Appeals, April 4, 2000
Ruling that Peter Junger could post RSA source code on his web site
2 January 2019
University of Virginia CS 551

9. University of Virginia CS 551
Properties of E and D
Trap-door one way function:
D (E (M)) = M.
E and D are easy to compute.
Revealing E doesn’t reveal an easy way to compute D
Trap-door one way permutation: also
E (D (M)) = M
2 January 2019
University of Virginia CS 551

10. University of Virginia CS 551
Property 1: D (E (M)) = M
E(M) = Me mod n
D(E(M)) = (Me mod n)d mod n
= Med mod n (as in D-H proof)
Hmm...can we choose e, d and n so: M  Med mod n
2 January 2019
University of Virginia CS 551

11. University of Virginia CS 551
M  Med mod n
M  Med mod n
1  Med-1 mod n
Euler and Fermat say:
M(n)  1 mod n
where (n) is the Euler totient function.
Proof by higher authority.
(Stallings, p. 219)
2 January 2019
University of Virginia CS 551

12. Euler’s totient function
(n) = number of positive integers < n which are relatively prime to n.
If n is prime, (n) = n – 1.
Proof by contradiction.
2 January 2019
University of Virginia CS 551

13. University of Virginia CS 551
Totient Properties
(p * q) = (p) * (q)
(Idiotic proof from original lecture removed.)
We are trying to find:
1  Med-1 mod n
know: 1  M(n) mod n
ed – 1 =  (n)
2 January 2019
University of Virginia CS 551

14. University of Virginia CS 551
Priming the Pump
Choose n = p * q where p and q are prime.
(n) = (p) * (q)
Since p and q are prime:
(p) = p – 1
(q) = q – 1
(n) = (p - 1) * (q - 1)
= p*q – p – q + 1= n – (p + q) + 1.
2 January 2019
University of Virginia CS 551

15. University of Virginia CS 551
Where’s ED?
So, we need to choose e and d:
ed =  (n) + 1 = n – (p + q)
Pick random d, relatively prime to  (n)
gcd (d,  (n)) = 1
Since d is relatively prime to  (n) it has a multiplicative inverse e:
d * e  1 mod  (n)
2 January 2019
University of Virginia CS 551

16. University of Virginia CS 551
Identity
d * e  1 mod  (n)
So, d * e = (k *  (n)) + 1 for some k.
Hence,
Med-1 mod n = Mk *  (n) mod n
2 January 2019
University of Virginia CS 551

17. University of Virginia CS 551
D (E (M)) = M
Med-1 mod n = Mk *  (n) mod n
Euler says 1  M (n) mod n.
So  Mk *  (n) mod n
1  Med-1 mod n
M  Med mod n
QED.
2 January 2019
University of Virginia CS 551

18. University of Virginia CS 551
Properties of E and D
Trap-door one way function:
D (E (M)) = M
E and D are easy to compute.
Revealing E doesn’t reveal an easy way to compute D
Trap-door one way permutation: also
E (D (M)) = M
2 January 2019
University of Virginia CS 551

19. Property 2: Easy to Compute
E(M) = Me mod n
Easy – every 4th grader can to exponents, every kindergartner can do mod n.
How big are M, e, and n?
M: 2n where n is the number of bits in M
M and n must be big (~10100) for security
2 January 2019
University of Virginia CS 551

20. University of Virginia CS 551
Fast Exponentiation
am + n = am * an
ab = ab/2 * ab/2 (if 2 divides b)
So, can compute Me in about log2e multiplies.
e around 21024, 1024 multiplies is doable (by a computer, not a kindergartner)
Faster bitwise algorithms known
2 January 2019
University of Virginia CS 551

21. Anything else hard to compute?
We need to find large prime numbers p and q
Obvious way:
Pick big number x
for i = 2 to x - 1
if i divides x its not prime,
start over with x + 1
done – x is prime
sqrt (x)
2 January 2019
University of Virginia CS 551

22. University of Virginia CS 551
How many prime numbers?
Infinite (proved by Euclid, 300BC)
Proof by contradiction:
Suppose that there exist only finitely many primes p1 < p2 < ... < pr.
Let N = (p1)(p2)...(pr) > 2.
The integer N-1, being a product of primes, has a prime divisor pi in common with N;
So, pi divides N - (N-1) =1.
2 January 2019
University of Virginia CS 551

23. Density of Primes (x) is the number of primes  x
From
2 January 2019
University of Virginia CS 551

24. University of Virginia CS 551
Approximating (x)
The Prime Number Theorem:
(x) ~ x/ln x
So, to find a prime bigger than x, we need to make about ln x/2 guesses
Each guess requires sqrt(x) work
For 200 digits (worst imaginable case):
230 guesses * 10100
More work than breaking 3DES!
2 January 2019
University of Virginia CS 551

25. Need a faster prime test
There are several fast probabilistic prime tests
Can quickly test a prime with high probability, with a small amount of work
If we pick a non-prime, its not a disaster (exercise for reader, PS3)
2 January 2019
University of Virginia CS 551

26. University of Virginia CS 551
Largest Known Prime
by Chris K. Caldwell
2 January 2019
University of Virginia CS 551

27. University of Virginia CS 551
Properties of E and D
Trap-door one way function:
D (E (M)) = M
E and D are easy to compute.
Revealing E doesn’t reveal an easy way to compute D (next time)
Trap-door one way permutation: also
E (D (M)) = M
2 January 2019
University of Virginia CS 551

28. University of Virginia CS 551
Property 4: E (D (M)) = M
D(M) = Md mod n
E(D(M)) = (Md mod n)e mod n
= Mde mod n
= Med mod n
= M
(from the property 1 proof)
2 January 2019
University of Virginia CS 551

29. University of Virginia CS 551
Applications of RSA
Privacy:
Bob encrypts message to Alice using EA
Only Alice knows DA
Signatures:
Alice encrypts a message to Alice using DA
Bob decrypts using EA
Knows it was from Alice, since only Alice knows DA
2 January 2019
University of Virginia CS 551

30. Two “Questionable” Statements in RSA Paper
“The need for a courier between every pair of users has thus been replaced by the requirement for a single secure meeting between each user and the public file manager when the user joins the system.”
(p. 6)
2 January 2019
University of Virginia CS 551

31. Two “Questionable” Statements in RSA Paper
“(The NBS scheme (DES) is probably somewhat faster if special-purposed hardware encryption devices are used; our scheme may be faster on a general-purpose computer since multiprecision arithmetic operations are simpler to implement than complicated bit manipulations.)”
(p. 4)
2 January 2019
University of Virginia CS 551

32. Who really invented RSA?
General Communications Headquarters, Cheltenham (formed from Bletchley Park after WWII)
1969 – James Ellis asked to work on key distribution problem
Secure telephone conversations by adding “noise” to line
Late 1969 – idea for PK, but function
2 January 2019
University of Virginia CS 551

33. University of Virginia CS 551
RSA & Diffie-Hellman
Asks Clifford Cocks, Cambridge mathematics graduate, for help
He discovers RSA (four years early)
Then (with Malcolm Williamson) discovered Diffie-Hellman
Kept secret until 1997!
NSA claims they had it even earlier
2 January 2019
University of Virginia CS 551

34. University of Virginia CS 551
Charge
Reread the parts of RSA paper you didn’t understand the first time
PS2 Due next Weds
Next time: security of RSA (third property)
2 January 2019
University of Virginia CS 551