Public-Key (Asymmetric) Ciphers, Part 2

Slides Original Source: M. Stamp, “Information Security: Principles and Practice,” John Wiley; C. Paar and J. Pelzl, “Understanding Cryptography – A Textbook for Students and Practitioners,” Springer; B. Forouzan, “Cryptography and Network Security,” McGraw-Hill
Outline
Public-key Crypto Examples: Knapsack, RSA, Diffie-Hellman (DH), ElGamal
Uses of Public-key Crypto
Public Key Infrastructure (PKI)
Knapsack
Knapsack Problem
Given a set of n weights W_0, W_1, ..., W_{n−1} and a sum S, is it possible to find a_i ∈ {0,1} so that S = a_0 W_0 + a_1 W_1 + … + a_{n−1} W_{n−1}? (technically, this is the “subset sum” problem)
Example: Weights (62,93,26,52,166,48,91,141)
Problem: Find subset that sums to S = 302
Answer: … = 302
The general knapsack (GK) is NP-complete
Knapsack Problem
General knapsack (GK) is hard to solve
But superincreasing knapsack (SIK) is easy
SIK: each weight is greater than the sum of all previous weights
Example: Weights (2,3,7,14,30,57,120,251)
Problem: Find subset that sums to S = 186
Work from largest to smallest weight
Answer: … = 186
Knapsack Cryptosystem
Generate superincreasing knapsack (SIK)
Convert SIK into “general” knapsack (GK)
Public Key: GK
Private Key: SIK plus conversion factor
Ideally…
Easy to encrypt with GK
With private key, easy to decrypt (convert ciphertext to SIK problem)
Without private key, must solve GK
Knapsack Keys
Start with (2,3,7,14,30,57,120,251) as the SIK
Choose m = 41 and n = 491 (m, n relatively prime; n exceeds the sum of the elements in the SIK)
Compute “general” knapsack:
2·41 mod 491 = 82
3·41 mod 491 = 123
7·41 mod 491 = 287
14·41 mod 491 = 83
30·41 mod 491 = 248
57·41 mod 491 = 373
120·41 mod 491 = 10
251·41 mod 491 = 471
“General” knapsack: (82,123,287,83,248,373,10,471)
Knapsack Cryptosystem
Private key: (2,3,7,14,30,57,120,251) and m^{-1} mod n = 41^{-1} mod 491 = 12
Public key: (82,123,287,83,248,373,10,471)
Example: Encrypt 10010110: 82 + 83 + 373 + 10 = 548
To decrypt, 548 · 12 = 193 mod 491
Solve (easy) SIK with S = 193: 2 + 14 + 57 + 120 = 193
Obtain plaintext 10010110
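The SIK greedy solver, the SIK-to-GK conversion and the encrypt/decrypt round trip from the knapsack slides, as an added Python example (not code from the slides or the cited textbooks). The weights, m = 41, n = 491 and the 8-bit plaintext 10010110 are the slides' values; the brute-force solver for the general knapsack is included only to show the 2^n search that the SIK trapdoor avoids.

```python
import math

# Values taken from the slides.
SIK = (2, 3, 7, 14, 30, 57, 120, 251)         # superincreasing private knapsack
M_FACTOR, N_MOD = 41, 491                       # conversion factor and modulus
GENERAL = (62, 93, 26, 52, 166, 48, 91, 141)    # general knapsack from the first slide


def is_superincreasing(weights):
    """Each weight must exceed the sum of all weights before it."""
    total = 0
    for w in weights:
        if w <= total:
            return False
        total += w
    return True


def solve_superincreasing(weights, target):
    """Greedy solve, largest weight first; returns the 0/1 vector or None."""
    bits = [0] * len(weights)
    remaining = target
    for i in range(len(weights) - 1, -1, -1):
        if weights[i] <= remaining:
            bits[i] = 1
            remaining -= weights[i]
    return bits if remaining == 0 else None


def solve_general(weights, target):
    """Exhaustive subset-sum search over all 2^n selections (only viable for tiny n)."""
    n = len(weights)
    for mask in range(1 << n):
        bits = [(mask >> i) & 1 for i in range(n)]
        if sum(b * w for b, w in zip(bits, weights)) == target:
            return bits
    return None


def make_public_knapsack(sik, m, n):
    """Trapdoor conversion: t_i = m * s_i mod n gives the 'general' knapsack."""
    if not (is_superincreasing(sik) and math.gcd(m, n) == 1 and n > sum(sik)):
        raise ValueError("need a superincreasing SIK, gcd(m, n) = 1 and n > sum(SIK)")
    return tuple(m * s % n for s in sik)


def encrypt(public, bits):
    """Ciphertext is the subset sum of the public weights selected by the bits."""
    return sum(b * t for b, t in zip(bits, public))


def decrypt(sik, m, n, ciphertext):
    """Multiply by m^-1 mod n to map the hard instance back to the easy SIK one."""
    m_inv = pow(m, -1, n)            # modular inverse, Python 3.8+
    return solve_superincreasing(sik, ciphertext * m_inv % n)


def weights_of(weights, bits):
    """The weights selected by a 0/1 vector, for reading a solution."""
    return [w for w, b in zip(weights, bits) if b]
```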
Knapsack Weakness
Trapdoor: Convert SIK into “general” knapsack using modular arithmetic
One-way: General knapsack easy to encrypt, hard to solve; SIK easy to solve
This knapsack cryptosystem is insecure
Broken in 1983 with an Apple II computer
The attack uses lattice reduction (see backup slides)
“General knapsack” is not general enough! This special knapsack is easy to solve!
RSA
RSA
By Clifford Cocks (GCHQ) and, independently, Rivest, Shamir, and Adleman (MIT)
RSA is the gold standard in public key crypto
Let p and q be two large prime numbers
Let N = pq be the modulus
Choose e relatively prime to (p−1)(q−1) (why?)
Find d such that ed ≡ 1 mod (p−1)(q−1), i.e., d = e^{-1} mod (p−1)(q−1)
Public key is (N, e)
Private key is d
In practice, N and d should be large (≥ 1024 bits)
RSA
Message M (i.e., plaintext) is treated as a number
To encrypt plaintext M: C = M^e mod N
To decrypt ciphertext C: M = C^d mod N
Recall that e and N are public
If Trudy can factor N = pq, she can use e to easily find d, since ed ≡ 1 mod (p−1)(q−1)
Factoring the modulus breaks RSA
Is factoring the only way to break RSA?
Does RSA Really Work?
Given C ≡ M^e mod N, we must show M ≡ C^d ≡ M^{ed} mod N
Facts: φ(N) = (p−1)(q−1); ed ≡ 1 mod (p−1)(q−1), i.e., ed ≡ 1 mod φ(N)
By definition of “mod”: ed = t·φ(N) + 1, where t is an integer
Must show M ≡ C^d ≡ M^{ed} ≡ M^{tφ(N)+1} ≡ M^{tφ(N)} · M ≡ (M^{φ(N)})^t · M mod N
Does RSA Really Work?
Must show (M^{φ(N)})^t · M ≡ M mod N
Case 1: gcd(M, N) = 1
Use Euler’s Theorem: if gcd(M, N) = 1, then M^{φ(N)} ≡ 1 mod N
C^d ≡ M^{ed} ≡ (M^{φ(N)})^t · M ≡ 1^t · M ≡ M mod N
Case 2: gcd(M, N) = gcd(M, pq) ≠ 1
Can’t use Euler’s Theorem directly
p and q are primes, so M = r·p or M = s·q, where r < q and s < p
Note that M ≠ x·p·q (i.e., M is not a multiple of both p and q), otherwise C ≡ M^e ≡ 0 mod N
Assume M = r·p (the argument also works if M = s·q); then gcd(M, q) = 1
Using Euler’s Theorem: 1 ≡ 1^t ≡ (M^{φ(q)})^t mod q
Consider again (M^{φ(N)})^t = (M^{(p−1)(q−1)})^t = ((M^{φ(q)})^t)^{(p−1)} ≡ 1^{(p−1)} ≡ 1 mod q
But by definition of “mod”: (M^{φ(N)})^t = u·q + 1, where u is an integer
M · (M^{φ(N)})^t = M(u·q + 1) = M·u·q + M = (r·p)·u·q + M = (r·u)·N + M ≡ M mod N
So C^d ≡ M^{ed} ≡ (M^{φ(N)})^t · M ≡ M mod N
Simple RSA Example
Select “large” primes p = 11, q = 3
Then N = pq = 33 and (p − 1)(q − 1) = 20
Choose e = 3 (relatively prime to 20)
Find d such that ed ≡ 1 mod 20; we find that d = 7 works
Public key: (N, e) = (33, 3)
Private key: d = 7
Simple RSA Example
Public key: (N, e) = (33, 3); Private key: d = 7
Suppose message M = 8
Ciphertext C is computed as C = M^e mod N = 8^3 = 512 ≡ 17 mod 33
Decrypt C to recover the message M by M ≡ C^d mod N = 17^7 = 410,338,673 = 12,434,505 · 33 + 8 ≡ 8 mod 33
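The toy key pair above (p = 11, q = 3, e = 3) run through textbook RSA in Python, as an added example that is not part of the slides: d is found with the extended Euclidean algorithm, roundtrip_all checks the “Does RSA Really Work?” claim for every M in [0, N) including the Case-2 messages that share a factor with N, and recover_private_exponent shows the slides' point that knowing a factor of N gives d immediately.

```python
import math


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def mod_inverse(a, m):
    """a^-1 mod m, or ValueError when gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m


def rsa_keygen(p, q, e):
    """Textbook RSA set-up: N = pq, d = e^-1 mod (p-1)(q-1). Returns ((N, e), d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1), else d does not exist")
    return (n, e), mod_inverse(e, phi)


def rsa_encrypt(public_key, m):
    """C = M^e mod N (raw RSA, no padding: deterministic, as the later slides warn)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer in [0, N)")
    return pow(m, e, n)


def rsa_decrypt(d, n, c):
    """M = C^d mod N."""
    return pow(c, d, n)


def recover_private_exponent(n, e, p):
    """Once N is factored (p is one factor), d follows from e exactly as in key generation."""
    q, rem = divmod(n, p)
    if rem != 0:
        raise ValueError("p does not divide N")
    return mod_inverse(e, (p - 1) * (q - 1))


def roundtrip_all(p, q, e):
    """True if decrypt(encrypt(M)) == M for every M in [0, N), which covers both
    proof cases: gcd(M, N) = 1 and M a multiple of p or q."""
    public, d = rsa_keygen(p, q, e)
    n = public[0]
    return all(rsa_decrypt(d, n, rsa_encrypt(public, m)) == m for m in range(n))
```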
Understanding Cryptography by Christof Paar and Jan Pelzl
Key Generation
Like all asymmetric schemes, RSA has a set-up phase during which the private and public keys are computed
Key generation: choose two large, distinct primes p and q –– not trivial!
So, how to find p and q?
Finding Large Primes 1/2
Generating keys for RSA requires finding two large primes p and q such that n = p · q is sufficiently large
The size of p and q is typically half the size of the desired size of n
To find primes, random integers are generated and tested for primality:
Figure: Secure RNG → candidate p' → Primality Test → “p' is prime” or “p' is composite”
For this approach to work, we have to answer two questions:
How many random integers do we have to test before we have a prime? If the likelihood of a prime is too small, it might take too long
How fast can we check whether a random integer is prime? Again, if the test is too slow, the approach is impractical
It turns out that both steps are reasonably fast!!!
How many primes are there?
Looking at the first few positive integers, primes become less dense as the value increases: 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, ...
What is the chance that a random number (e.g., 512 bits) is a prime?
The chance that a randomly picked integer p is a prime is approximately 1/ln(p) (based on the “prime number theorem”)
In practice, test only odd numbers, so the likelihood doubles: the probability for a random odd number p to be prime is ≈ 2/ln(p)
Example: RSA with a 1024-bit N, each of p and q ≈ 2^512
P(p is prime) ≈ 2/ln(2^512) = 2/(512 ln 2) ≈ 1/177
Expect to test 177 random numbers before finding a prime
The likelihood of an integer being prime decreases only slowly, inversely with the integer's bit length
For very long RSA parameters (e.g., 4096 bit), the density of primes is still sufficiently high
How long to check if an integer is prime? – Primality Tests
Factoring p and q to test for primality is typically not feasible
However, we are not interested in the factorization; we only want to know whether p and q are composite or prime
Typical primality tests are probabilistic, i.e., they are not 100% accurate, but their output is correct with very high probability
A probabilistic test has two outputs:
“p' is composite” – always true
“p' is a prime” – only true with a certain probability
Among the well-known primality tests are the following:
Fermat Primality-Test
Miller-Rabin Primality-Test
Fermat Primality-Test
Basic idea: Fermat‘s Little Theorem holds for all primes, i.e., if a number p' is found for which a^{p'−1} ≢ 1 mod p', then p' is not a prime
For certain numbers (“Carmichael numbers”) this test often returns (p' is likely a prime) even though these numbers are composite!!!
Therefore, the Miller-Rabin Test is preferred
Algorithm: Fermat Primality-Test
Input: Prime candidate p', security parameter s
Output: (p' is composite) or (p' is likely a prime)
FOR i = 1 TO s
  choose random a ∈ {2, 3, ..., p'−2}
  IF a^{p'−1} ≢ 1 mod p' THEN RETURN (p' is composite)
RETURN (p' is likely a prime)
Theorem for Miller-Rabin's test
The more powerful Miller-Rabin Test is based on the following theorem; this theorem can be turned into an algorithm
Theorem: Given the decomposition of an odd prime candidate p', p' − 1 = 2^u · r, where r is odd. If we can find an integer a such that a^r ≢ 1 mod p' and a^{2^j · r} ≢ p' − 1 mod p' for all j = 0, 1, ..., u−1, then p' is composite. Otherwise it is probably a prime.
Miller-Rabin Primality-Test 1/3
Algorithm: Miller-Rabin Primality-Test
Input: Prime candidate p' with p' − 1 = 2^u · r (r odd), security parameter s
Output: (p' is composite) or (p' is likely a prime)
FOR i = 1 TO s
  choose random a ∈ {2, 3, ..., p'−2}
  z ≡ a^r mod p'
  IF z ≠ 1 AND z ≠ p'−1 THEN
    FOR j = 1 TO u−1
      z ≡ z^2 mod p'
      IF z = 1 THEN RETURN (p' is composite)
      IF z = p'−1 THEN BREAK (a is not a witness; continue with the next a)
    IF z ≠ p'−1 THEN RETURN (p' is composite)
RETURN (p' is likely a prime)
Miller-Rabin Primality-Test 2/3
It is possible that a composite number p' gives the incorrect statement “prime”
However, the likelihood of this rapidly decreases as we run the test with several different random base elements a
The number of runs is given by the security parameter s in the Miller–Rabin test
The following table shows how many different values a must be chosen in order to have a probability of 2^{−80} that a composite is incorrectly detected as a prime
Miller-Rabin Primality-Test 3/3
Example: Let p' = 91, p' − 1 = 2^1 · 45. Select a security parameter of s = 4
Choose s times a random value a:
Let a = 12: z = 12^45 ≡ 90 mod 91, hence p' is likely prime
Let a = 17: z = 17^45 ≡ 90 mod 91, hence p' is likely prime
Let a = 38: z = 38^45 ≡ 90 mod 91, hence p' is likely prime
Let a = 39: z = 39^45 ≡ 78 mod 91, hence p' is composite
Since the numbers 12, 17 and 38 give incorrect statements for the prime candidate p' = 91, they are called “liars for 91”
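The Fermat and Miller-Rabin tests from the slides above, plus the random-prime search from the “Finding Large Primes” slides, written in Python as an added example (not the textbook's code). It reproduces the p' = 91 example with bases 12, 17, 38 and 39, and adds the Carmichael number 561 (my own added value) to show a base that fools the Fermat test but not Miller-Rabin.

```python
import random


def fermat_witness(candidate, a):
    """True if base a proves candidate composite via a^(p'-1) != 1 mod p'."""
    return pow(a, candidate - 1, candidate) != 1


def decompose(candidate):
    """Write candidate - 1 = 2^u * r with r odd; returns (u, r)."""
    u, r = 0, candidate - 1
    while r % 2 == 0:
        u += 1
        r //= 2
    return u, r


def miller_rabin_witness(candidate, a):
    """One Miller-Rabin round with base a; True if a proves candidate composite.
    Bases that return False for a composite are the slide's 'liars'."""
    u, r = decompose(candidate)
    z = pow(a, r, candidate)
    if z == 1 or z == candidate - 1:
        return False
    for _ in range(u - 1):
        z = z * z % candidate
        if z == candidate - 1:
            return False                 # a^(2^j r) = p'-1 for some j: not a witness
        if z == 1:
            return True                  # nontrivial square root of 1: composite
    return True


def probabilistic_test(candidate, s, witness, rng=random):
    """Run `witness` with s random bases a in {2, ..., p'-2}.
    Returns False (certainly composite) or True (likely prime)."""
    if candidate < 4:
        return candidate in (2, 3)
    if candidate % 2 == 0:
        return False
    for _ in range(s):
        a = rng.randrange(2, candidate - 1)
        if witness(candidate, a):
            return False
    return True


def random_prime(bits, s=40, rng=random):
    """Draw random odd candidates of exactly `bits` bits until Miller-Rabin
    accepts one; returns (prime, number of candidates tried)."""
    tries = 0
    while True:
        tries += 1
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if probabilistic_test(candidate, s, miller_rabin_witness, rng):
            return candidate, tries


def is_prime_by_trial_division(n):
    """Exact check for small n, used only to cross-check the probabilistic result."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True
```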
More Efficient RSA (1)
“Textbook” RSA suffers from the following:
RSA encryption is deterministic (i.e., for a specific key, a particular plaintext is always mapped to a particular ciphertext)
An attacker can derive statistical properties of the plaintext from the ciphertext
Plaintexts x = 0, x = 1, or x = −1 produce ciphertexts equal to 0, 1, or −1
Small public exponents e and small plaintexts x might be subject to attacks (more later!)
The above problems are solved using padding: the Optimal Asymmetric Encryption Padding (OAEP) scheme in Public Key Cryptography Standard #1 (PKCS #1)
More Efficient RSA (2)
Modular exponentiation example: 5^20 mod 35
A better way: repeated squaring
20 = (10100)_2, and (1, 10, 101, 1010, 10100)_2 = (1, 2, 5, 10, 20)
Note that 2 = 1·2, 5 = 2·2 + 1, 10 = 2·5, 20 = 2·10
5^1 ≡ 5 mod 35
5^2 = (5^1)^2 = 5^2 ≡ 25 mod 35
5^5 = (5^2)^2 · 5^1 = 25^2 · 5 = 3125 ≡ 10 mod 35
5^10 = (5^5)^2 = 10^2 = 100 ≡ 30 mod 35
5^20 = (5^10)^2 = 30^2 = 900 ≡ 25 mod 35
No huge numbers and it’s efficient!
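The repeated-squaring chain above as a left-to-right square-and-multiply routine in Python (an added example, not the slides' own code). The trace it records for 5^20 mod 35 reproduces the slide's exponents 1, 2, 5, 10, 20 and residues 5, 25, 10, 30, 25, and the operation counts show why this beats multiplying 5 by itself 19 times.

```python
def square_and_multiply(base, exponent, modulus, trace=None):
    """Left-to-right binary exponentiation.

    Scanning the exponent from its most significant bit, every bit squares the
    running result and a 1-bit additionally multiplies by the base.  Reducing
    mod `modulus` after each step keeps every intermediate below modulus^2,
    which is the 'no huge numbers' point on the slide.  If `trace` is a list,
    (partial exponent, residue) pairs are appended to it after each bit.
    """
    if exponent < 0 or modulus < 1:
        raise ValueError("non-negative exponent and positive modulus expected")
    result, partial_exp = 1 % modulus, 0
    for bit in bin(exponent)[2:]:
        result = result * result % modulus          # square: exponent doubles
        partial_exp *= 2
        if bit == "1":
            result = result * base % modulus        # multiply: exponent += 1
            partial_exp += 1
        if trace is not None:
            trace.append((partial_exp, result))
    return result


def operation_count(exponent):
    """(squarings, multiplications) beyond the trivial first step, for this exponent."""
    bits = bin(exponent)[2:]
    return max(len(bits) - 1, 0), max(bits.count("1") - 1, 0)


def naive_count(exponent):
    """Multiplications needed by plain repeated multiplication base*base*...*base."""
    return max(exponent - 1, 0)
```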
More Efficient RSA (3)
Use e = 3 for all users (but not the same N or d)
Public key operations only require 2 multiplies
Private key operations remain expensive
If M < N^{1/3}, then C = M^e = M^3 and the cube root attack works
For any M, if C_1, C_2, C_3 are sent to 3 users, the cube root attack works (uses the Chinese Remainder Theorem)
Can prevent the cube root attack by padding the message with random bits, and by choosing the length of the private key d to be at least 0.3t bits, where t is the bit length of the modulus N
Note: e = … is also used (“better” than e = 3)
Attacks and Countermeasures 1/3
There are two distinct types of attacks on cryptosystems:
Analytical attacks try to break the mathematical structure of the underlying problem of RSA
Implementation attacks attack a real-world implementation by exploiting inherent weaknesses in the way RSA is realized in software or hardware
Attacks and Countermeasures 2/3
RSA is typically exposed to these analytical attack vectors:
Mathematical attacks
The best known attack is factoring of N in order to obtain φ(N)
Can be prevented using a sufficiently large modulus N
The current factoring record is 664 bits. Thus, it is recommended that N should have a bit length between 1024 and 3072 bits
Protocol attacks
Exploit the malleability of RSA, i.e., the property that a ciphertext can be transformed into another ciphertext which decrypts to a related plaintext – without knowing the private key
Can be prevented by proper padding
Attacks and Countermeasures 3/3
Implementation attacks can be one of the following:
Side-channel analysis: exploit physical leakage of the RSA implementation (e.g., power consumption, EM emanation, etc.)
Fault-injection attacks: inducing faults in the device while the Chinese Remainder Theorem (CRT) is executed can lead to a complete leakage of the private key
Diffie-Hellman
Diffie-Hellman Key Exchange
Invented by Williamson (GCHQ) and, independently, by Diffie and Hellman (Stanford)
A “key exchange” algorithm
Used to establish a shared symmetric key
Not for encrypting or signing
Based on the discrete log problem: Given g, p, and g^k mod p, find the exponent k
Diffie-Hellman
Let p be a large prime, choose g ∈ {2, …, p−2}
Alice selects her private value a
Bob selects his private value b
Alice sends g^a mod p to Bob
Bob sends g^b mod p to Alice
Both compute shared secret K ≡ g^{ab} mod p
Shared secret K can be used as a symmetric key
Diffie-Hellman
Suppose Alice and Bob use Diffie-Hellman to determine symmetric key K = g^{ab} mod p
Trudy can see (g^a mod p) and (g^b mod p)
But… g^a · g^b mod p = g^{a+b} mod p ≠ g^{ab} mod p
If Trudy can find a or b, she gets key K
If Trudy can solve the discrete log problem (DLP), she can find a or b
Attacks against the DLP
Summary of records for computing discrete logarithms:
Decimal Digits | Bit Length | Date
58 | 193 | 1991
68 | 216 | 1996
85 | 282 | 1998
100 | 332 | 1999
120 | 399 | 2001
135 | 448 | 2006
160 | 532 | 2007
Use primes of ≥ 1024 bits to prevent attacks that compute the DLP
Diffie-Hellman
Public: g and p
Private: Alice’s exponent a, Bob’s exponent b
Alice, a → g^a mod p → Bob, b
Alice, a ← g^b mod p ← Bob, b
Alice computes (g^b)^a = g^{ba} mod p
Bob computes (g^a)^b = g^{ab} mod p
Use K = g^{ab} mod p as symmetric key
Diffie-Hellman Problem! 1/2
Subject to man-in-the-middle (MiM) attack (not unique to DH!!)
Alice, a → g^a mod p → Trudy, t → g^t mod p → Bob, b
Alice, a ← g^t mod p ← Trudy, t ← g^b mod p ← Bob, b
Trudy shares secret g^{at} mod p with Alice
Trudy shares secret g^{bt} mod p with Bob
Alice and Bob don’t know Trudy exists!
Diffie-Hellman Problem! 2/2
How to prevent the MiM attack?
Encrypt DH exchange with symmetric key
Encrypt DH exchange with public key
Sign DH values with private key
… More later!!!
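The exchange, the g^a · g^b ≠ g^{ab} remark and the man-in-the-middle diagram from the Diffie-Hellman slides above, as an added Python example that is not from the slides. The parameters p = 23 and g = 5 are constructed toy values (the slides give none); mitm_exchange shows that after Trudy's substitution Alice and Bob hold different keys, which is exactly what the countermeasures listed above (signing or encrypting the DH values) exist to prevent.

```python
import random

# Constructed toy parameters (the slides give no numbers): p prime, g a generator mod p.
P, G = 23, 5


def dh_keypair(p, g, rng=random):
    """Private exponent in {2, ..., p-2} and the public value g^x mod p sent on the wire."""
    x = rng.randrange(2, p - 1)
    return x, pow(g, x, p)


def dh_shared(p, private, peer_public):
    """(g^b)^a = g^(ab) mod p: the symmetric key both sides derive."""
    return pow(peer_public, private, p)


def honest_exchange(p, g, a, b):
    """Returns (g^a, g^b, Alice's key, Bob's key) for the unattacked protocol."""
    ga, gb = pow(g, a, p), pow(g, b, p)
    return ga, gb, dh_shared(p, a, gb), dh_shared(p, b, ga)


def eavesdropper_product(p, g, a, b):
    """What multiplying the two public values gives: g^a * g^b = g^(a+b), not g^(ab)."""
    return pow(g, a, p) * pow(g, b, p) % p


def mitm_exchange(p, g, a, b, t):
    """Trudy replaces both public values with g^t (the slide's diagram).
    Returns (Alice's key, Bob's key, Trudy's key with Alice, Trudy's key with Bob)."""
    ga, gb, gt = pow(g, a, p), pow(g, b, p), pow(g, t, p)
    k_alice = dh_shared(p, a, gt)      # Alice believes gt came from Bob: g^(at)
    k_bob = dh_shared(p, b, gt)        # Bob believes gt came from Alice: g^(bt)
    return k_alice, k_bob, pow(ga, t, p), pow(gb, t, p)


def keys_agree(k_alice, k_bob):
    """Alice and Bob never see each other's key, so an unauthenticated exchange
    cannot detect this mismatch; authenticating the DH values rules it out."""
    return k_alice == k_bob
```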
ElGamal Public-key Cryptosystem
ElGamal is a public-key cryptosystem that was developed by Dr. Taher Elgamal in 1985 based on the Diffie–Hellman key exchange
Encryption requires two modular exponentiations that are independent of the plaintext; they can be computed ahead of time if need be
Decryption only requires one exponentiation
Ciphertext is twice as long as the corresponding plaintext (disadvantage)
Key Generation
Bob (receiver) must do the following:
Generate a large random prime number p
Choose a generator number a (see next slides)
Choose secret number x less than (p−1)
Compute d = a^x mod p
Public key: (p, a, d)
Private key: x
Note: p must be > 300 digits (i.e., > 997 bits)
Generator Number
Testing if a is a generator number:
a must be in {1, 2, …, p−1}
Find φ(p) = p−1
Find all the factors of φ(p), {f_1, f_2, …, f_n} − {1}
Find {q_1, q_2, …, q_n}, where q_i = f_i for non-repeated factors and q_i = f_i^h, h = 1, 2, …, freq(f_i), for repeated factors
a is a generator iff w_i ≡ a^{φ(p)/q_i} mod p ≠ 1 for all q_i
Generator Number (Example 1)
Let p = 11, a = 2; test if a is a generator number
φ(p) = 10, factors of 10 = {2, 5}
q_1 = 2, q_2 = 5
w_1 = 2^{10/2} mod 11 = 10 ≠ 1
w_2 = 2^{10/5} mod 11 = 4 ≠ 1
a is a generator number
Generator Number (Example 2)
Let p = 11, a = 3; test if a is a generator number
φ(p) = 10, factors of 10 = {2, 5}
q_1 = 2, q_2 = 5
w_1 = 3^{10/2} mod 11 = 1
w_2 = 3^{10/5} mod 11 = 9 ≠ 1
a is NOT a generator number
Generator Number (Example 3)
Let p = 37, a = 2; test if a is a generator number
φ(p) = 36, factors of 36 = {2, 2, 3, 3}
q_1 = 2^1 = 2, q_2 = 2^2 = 4, q_3 = 3^1 = 3, q_4 = 3^2 = 9
w_1 = 2^{36/2} mod 37 = 36 ≠ 1
w_2 = 2^{36/4} mod 37 = 31 ≠ 1
w_3 = 2^{36/3} mod 37 = 26 ≠ 1
w_4 = 2^{36/9} mod 37 = 16 ≠ 1
a is a generator number
Key Generation Example
Let p = 11, a = 2, and x = 5
Calculate d = a^x mod p = 2^5 mod 11 = 10
Public key: (p, a, d) = (11, 2, 10)
Private key: x = 5
Encryption
Alice (sender) must do the following:
Obtain public key (p, a, d) from Bob (receiver)
Choose an integer k such that 1 < k < p−1
Represent plaintext as an integer m
Compute y = a^k mod p
Compute z = (d^k · m) mod p
Ciphertext C = (y, z)
Note: k must be new for each encryption
Decryption
Bob (receiver) does the following:
Obtain ciphertext C = (y, z) from Alice (sender)
Compute r = y^{p−1−x} mod p
Recover plaintext m = (r · z) mod p
Encryption/Decryption Example 1/3
Let p = 11, a = 2, and x = 5
Calculate d = a^x mod p = 2^5 mod 11 = 10
Public key: (p, a, d) = (11, 2, 10)
Private key: x = 5
Let plaintext m = (1, 7, 5)
Encryption/Decryption Example 2/3
Encryption: y = a^k mod p and z = (d^k · m) mod p
Choose a random integer k = 6: y_1 = 2^6 mod 11 = 9 and z_1 = (10^6 · 1) mod 11 = 1
Choose a random integer k = 4: y_7 = 2^4 mod 11 = 5 and z_7 = (10^4 · 7) mod 11 = 7
Choose a random integer k = 7: y_5 = 2^7 mod 11 = 7 and z_5 = (10^7 · 5) mod 11 = 6
Ciphertext C = (9,1)(5,7)(7,6)
Encryption/Decryption Example 3/3
Decryption: r = y^{p−1−x} mod p and m = (r · z) mod p, with p − 1 − x = 5
r_9 = 9^5 mod 11 = 1, m_9 = (1 · 1) mod 11 = 1
r_5 = 5^5 mod 11 = 1, m_5 = (1 · 7) mod 11 = 7
r_7 = 7^5 mod 11 = 10, m_7 = (10 · 6) mod 11 = 5
Plaintext m = (1, 7, 5)
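ElGamal key generation, the generator test and the encryption/decryption example from the ElGamal slides above as one added Python example (not code from the slides). It follows the slides' q_i construction, including the redundant prime-power checks such as q = 4 and q = 9 for p = 37, and reproduces p = 11, a = 2, x = 5 with k = 6, 4, 7 for m = (1, 7, 5).

```python
def factor_with_multiplicity(n):
    """Prime factors of n with repeats, e.g. 36 -> [2, 2, 3, 3] as on the slide."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def generator_test_values(p, a):
    """The slide's (q_i, w_i) pairs: q_i = f_i^h for h = 1..freq(f_i) over the
    factors of phi(p) = p-1, and w_i = a^((p-1)/q_i) mod p."""
    phi = p - 1
    seen, qs = {}, []
    for f in factor_with_multiplicity(phi):
        seen[f] = seen.get(f, 0) + 1
        qs.append(f ** seen[f])
    return [(q, pow(a, phi // q, p)) for q in qs]


def is_generator(p, a):
    """a generates the multiplicative group mod p iff no w_i equals 1."""
    return 1 <= a <= p - 1 and all(w != 1 for _, w in generator_test_values(p, a))


def elgamal_keygen(p, a, x):
    """Public key (p, a, d = a^x mod p), private key x."""
    if not is_generator(p, a):
        raise ValueError("a is not a generator mod p")
    if not 1 <= x < p - 1:
        raise ValueError("x must be less than p-1")
    return (p, a, pow(a, x, p)), x


def elgamal_encrypt(public_key, m, k):
    """Ciphertext (y, z) = (a^k mod p, d^k * m mod p); k must be fresh per block."""
    p, a, d = public_key
    if not 1 < k < p - 1:
        raise ValueError("k must satisfy 1 < k < p-1")
    if not 0 <= m < p:
        raise ValueError("plaintext block must be in [0, p)")
    return pow(a, k, p), pow(d, k, p) * m % p


def elgamal_decrypt(p, x, ciphertext):
    """r = y^(p-1-x) mod p equals (y^x)^-1 by Fermat, so m = r * z mod p."""
    y, z = ciphertext
    r = pow(y, p - 1 - x, p)
    return r * z % p


def encrypt_blocks(public_key, plaintexts, ks):
    """One fresh k per block, enforced here because the slide requires it."""
    if len(set(ks)) != len(ks):
        raise ValueError("k must be new for each encryption")
    return [elgamal_encrypt(public_key, m, k) for m, k in zip(plaintexts, ks)]
```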
Uses for Public Key Crypto
Confidentiality
Transmitting data over an insecure channel
Secure storage on insecure media
Authentication (later)
Digital signature provides integrity and non-repudiation
No non-repudiation with symmetric keys
Non-non-repudiation
Alice orders 100 shares of stock from Bob
Alice computes MAC using symmetric key
Stock drops, Alice claims she did not order
Can Bob prove that Alice placed the order?
No! Since Bob also knows the symmetric key, he could have forged the message
Problem: Bob knows Alice placed the order, but he can’t prove it
Non-repudiation
Alice orders 100 shares of stock from Bob
Alice signs order with her private key
Stock drops, Alice claims she did not order
Can Bob prove that Alice placed the order?
Yes! Only someone with Alice’s private key could have signed the order
This assumes Alice’s private key is not stolen (revocation problem)
Public Key Notation
Sign message M with Alice’s private key: [M]Alice
Encrypt message M with Alice’s public key: {M}Alice
Then {[M]Alice}Alice = M and [{M}Alice]Alice = M
Sign and Encrypt vs Encrypt and Sign
Confidentiality and Non-repudiation?
Suppose that we want confidentiality and integrity/non-repudiation
Can public key crypto achieve both?
Alice sends message to Bob
Sign and encrypt: {[M]Alice}Bob
Encrypt and sign: [{M}Bob]Alice
Can the order possibly matter?
Sign and Encrypt
M = “I like you”
Alice → {[M]Alice}Bob → Bob → {[M]Alice}Charlie → Charlie
Q: What’s the problem?
A: No problem, public key is public
Encrypt and Sign
M = “My theory, which is mine….”
Alice → [{M}Bob]Alice → Charlie → [{M}Bob]Charlie → Bob
Note that Charlie cannot decrypt M
Q: What is the problem?
A: No problem, public key is public
Confidentiality in the Real World
Symmetric Key vs Public Key
Symmetric key +’s: Speed; no public key infrastructure (PKI) needed
Public Key +’s: Signatures (non-repudiation); no shared secret (but, private keys…)
Real World Confidentiality
Hybrid cryptosystem
Public key crypto to establish a key
Symmetric key crypto to encrypt data…
Alice, a → “I’m Alice, {g^a mod p}Bob” → Bob, b
Alice, a ← “I’m Bob, {g^b mod p}Alice” ← Bob, b
Alice, a → E(data, K = g^{ab} mod p) → Bob, b
Can Bob be sure he’s talking to Alice (and vice versa)?
Concept of Authentication
Public Key Certificate
Certificate contains name of user and user’s public key (and possibly other info)
It is signed by the issuer, a Certificate Authority (CA), such as VeriSign
M = (Alice, Alice’s public key), S = [M]CA
Alice’s Certificate = (M, S)
Signature on certificate is verified using CA’s public key: verify that M = {S}CA
Certificate Authority
Certificate authority (CA) is a trusted 3rd party (TTP) that creates and signs certificates
Verify signature to verify integrity and identity of owner of the corresponding private key
Does not verify the identity of the sender of the certificate: certificates are public keys!
Big problem if CA makes a mistake (a CA once issued a Microsoft certificate to someone else)
A common format for certificates is X.509
PKI
Public Key Infrastructure (PKI): the stuff needed to securely use public key crypto
Key generation and management
Certificate authority (CA) or authorities
Certificate revocation lists (CRLs), etc.
No general standard for PKI
We mention 3 generic “trust models”
PKI Trust Models
Monopoly model: One universally trusted organization is the CA for the known universe
Big problems if CA is ever compromised
Who will act as CA???
System is useless if you don’t trust the CA!
PKI Trust Models
Oligarchy: Multiple trusted CAs
This is the approach used in browsers today
Browser may have 80 or more certificates, just to verify certificates!
User can decide which CAs to trust
PKI Trust Models
Anarchy model: Everyone is a CA…
Users must decide who to trust
This approach is used in PGP: “Web of trust”
Why is it anarchy? Suppose a certificate is signed by Frank and you don’t know Frank, but you do trust Bob, and Bob says Alice is trustworthy, and Alice vouches for Frank. Should you accept the certificate?
Many other trust models and PKI issues
Backup Slides
Original Source: M. Stamp, “Information Security: Principles and Practice,” John Wiley
Knapsack Lattice Reduction Attack
Lattice?
Many problems can be solved by finding a “short” vector in a lattice
Let b_1, b_2, …, b_n be vectors in ℝ^m
All α_1 b_1 + α_2 b_2 + … + α_n b_n, where each α_i is an integer, form a discrete set of points
What is a Lattice?
Suppose b_1 = [1,3]^T and b_2 = [2,1]^T
Then any point in the plane can be written as α_1 b_1 + α_2 b_2 for some α_1, α_2, since b_1 and b_2 are linearly independent
We say the plane ℝ^2 is spanned by (b_1, b_2)
If α_1, α_2 are restricted to integers, the resulting span is a lattice
Then a lattice is a discrete set of points
Lattice Example
Suppose b_1 = [1,3]^T and b_2 = [2,1]^T
The lattice spanned by (b_1, b_2) is pictured to the right
Exact Cover
Exact cover: given a set S and a collection of subsets of S, find a collection of these subsets such that each element of S is in exactly one subset
Exact Cover is a combinatorial problem that can be solved by finding a “short” vector in a lattice
Exact Cover Example
Set S = {0,1,2,3,4,5,6}
Suppose m = 7 elements and n = 13 subsets
Subset: … Elements: …
Find a collection of these subsets with each element of S in exactly one subset
Could try all 2^13 possibilities
If the problem is too big, try heuristic search
Many different heuristic search techniques
Exact Cover Solution
Exact cover in matrix form
Set S = {0,1,2,3,4,5,6}
Suppose m = 7 elements and n = 13 subsets
Solve AU = B, where u_i ∈ {0,1}; A is m × n (rows: elements, columns: subsets), U is n × 1, B is m × 1
Solution: U = [ … ]^T
Example
We can restate AU = B as MV = W, where M is a matrix and V, W are vectors
The desired solution is U
Columns of M are linearly independent
Let c_0, c_1, c_2, …, c_n be the columns of M
Let v_0, v_1, v_2, …, v_n be the elements of V
Then W = v_0 c_0 + v_1 c_1 + … + v_n c_n
Example
Let L be the lattice spanned by c_0, c_1, c_2, …, c_n (the c_i are the columns of M)
Recall MV = W, where W = [U, 0]^T and we want to find U
But if we find W, we’ve also solved it!
Note W is in lattice L, since all v_i are integers and W = v_0 c_0 + v_1 c_1 + … + v_n c_n
Facts
W = [u_0, u_1, …, u_{n−1}, 0, 0, …, 0] ∈ L, each u_i ∈ {0,1}
The length of a vector Y ∈ ℝ^N is ||Y|| = sqrt(y_0^2 + y_1^2 + … + y_{N−1}^2)
Then the length of W is ||W|| = sqrt(u_0^2 + u_1^2 + … + u_{n−1}^2) ≤ sqrt(n)
So W is a very short vector in L, where the first n entries of W are all 0 or 1 and the last m elements of W are all 0
Can we use these facts to find U?
Lattice Reduction
If we can find a short vector in L, with first n entries all 0 or 1 and last m entries all 0, then we might have found U
LLL lattice reduction algorithm will efficiently find short vectors in a lattice
Less than 30 lines of pseudo-code for LLL!
No guarantee LLL will find a specific vector
But probability of success is often good
Knapsack Example
What does lattice reduction have to do with the knapsack cryptosystem?
Suppose we have superincreasing knapsack S = [2,3,7,14,30,57,120,251]
Suppose m = 41, n = 491, m^{-1} = 12 mod n
Public knapsack: t_i = 41 · s_i mod 491
T = [82,123,287,83,248,373,10,471]
Public key: T
Private key: (S, m^{-1}, n)
Knapsack Example
Public key: T; Private key: (S, m^{-1}, n), with n = 491, m^{-1} = 12
Example: 10010110 is encrypted as 82 + 83 + 373 + 10 = 548
Then the receiver computes 548 · 12 = 193 mod 491 and uses S to solve for 10010110
Knapsack LLL Attack
Attacker knows public key
Attacker knows ciphertext: 548
Attacker wants to find u_i ∈ {0,1} s.t. 82u_0 + 123u_1 + 287u_2 + 83u_3 + 248u_4 + 373u_5 + 10u_6 + 471u_7 = 548
This can be written as a matrix equation (dot product): T · U = 548
Knapsack LLL Attack
Attacker knows: T = [82,123,287,83,248,373,10,471]
Wants to solve: T · U = 548, where each u_i ∈ {0,1}
Same form as AU = B on previous slides!
We can rewrite the problem as MV = W, where LLL gives us short vectors in the lattice spanned by the columns of M
LLL Result
LLL finds short vectors in the lattice of M
Matrix M’ is the result of applying LLL to M
The marked column has the right form
Possible solution: U = [1,0,0,1,0,1,1,0]^T
Easy to verify this is the plaintext!
Bottom Line
Lattice reduction is a surprising method of attack on knapsack
A cryptosystem is only secure as long as nobody has found an attack
Lesson: Advances in mathematics can break cryptosystems!