1. Chapter 9 – Public Key Cryptography and RSA Private-Key Cryptography  traditional private/secret/single key cryptography uses one key  shared by both sender and receiver  if this key is disclosed communications are compromised  also is symmetric, parties are equal  hence does not protect sender from receiver forging a message & claiming is sent by sender

2. Public-Key Cryptography  probably most significant advance in the 3000 year history of cryptography  uses two keys – a public & a private key  asymmetric since parties are not equal  uses clever application of number theoretic concepts to function  complements rather than replaces private key crypto

3. Why Public-Key Cryptography?  developed to address two key issues: key distribution – how to have secure communications in general without having to trust a KDC with your key key distribution – how to have secure communications in general without having to trust a KDC with your key digital signatures – how to verify a message comes intact from the claimed sender digital signatures – how to verify a message comes intact from the claimed sender  public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976 known earlier in classified community known earlier in classified community

4. Public-Key Cryptography  public-key/two-key/asymmetric cryptography involves the use of two keys: a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures  is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures those who encrypt messages or verify signatures cannot decrypt messages or create signatures

5. Public-Key Cryptography

6. Public-Key Characteristics  Public-Key algorithms rely on two keys where: it is computationally infeasible to find decryption key knowing only algorithm & encryption key it is computationally infeasible to find decryption key knowing only algorithm & encryption key it is computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known it is computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known either of the two related keys can be used for encryption, with the other used for decryption (for some algorithms) either of the two related keys can be used for encryption, with the other used for decryption (for some algorithms)

7. Public-Key Cryptosystems

8. Public-Key Applications  can classify uses into 3 categories: encryption/decryption (provide secrecy) encryption/decryption (provide secrecy) digital signatures (provide authentication) digital signatures (provide authentication) key exchange (of session keys) key exchange (of session keys)  some algorithms are suitable for all uses, others are specific to one

9. Security of Public Key Schemes  like private key schemes brute force exhaustive search attack is always theoretically possible  but keys used are too large (>512bits)  security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems  more generally the hard problem is known, but is made hard enough to be impractical to break  requires the use of very large numbers  hence is slow compared to private key schemes

10. Exponentiation Ciphers  We will consider two kinds of exponentiation ciphers developed by the following people:  Both schemes encipher a message block M  [0, n – 1] by computing the exponential C = M e mod n,

11.  where e and n are the key to the enciphering transformation.  M is restored by the same operation, but using a different exponent d for the key: M = C d mod n.  Enciphering and deciphering can be implemented using the fast exponentiation algorithm: C = fast_exp(M, e, n) M = fast_exp(C, d, n)

12. Why the Algorithms Work  Thm: Given e, d, M such that ed mod  (n) = 1,M  [0, n -1],gcd(M, n) = 1, = 1,M  [0, n -1],gcd(M, n) = 1, Then (M e mod n) d mod n = M. Then (M e mod n) d mod n = M.  Proof: (M e mod n) d mod n = M ed mod n (M e mod n) d mod n = M ed mod n ed mod  (n) = 1  ed = t  (n) + 1 M ed mod n = M t  (n)+1 mod n = M M t  (n) mod n = M (M t  (n) mod n) mod n = M

13. where = M t  (n) mod n = (M  (n) mod n) t mod n = 1 t mod n = 1.

14. A Few Words About the Theorem  Note that by symmetry, enciphering and deciphering are commutative and mutual inverses; thus, (M d mod n) e mod n = M de mod n = M  Given  (n), it is easy to generate a pair (e, d) such that ed mod  (n) = 1. This is done by first choosing d relatively prime to  (n), and then computing e as  e = inv(d,  (n))

15.  Because e and d are symmetric, we could also pick e and compute d = inv(e,  (n)).  Given e, it is easy to compute d (or vice versa) if  (n) is known. But if e and n can be released without giving away  (n) or d, then the deciphering transformation can be kept secret, while the enciphering transformation is made public.

16.  It is the ability to hide  (n) that distinguishes the two schemes.

17. Pohlig-Hellman Scheme  The modulus is chosen to be a large prime p. To encipher: C = M e mod p To decipher: M = C d mod p  Because p is prime,  (p) = p – 1.  Thus the scheme can only be used for conventional encryption, where e and d are both kept secret.

18.  Ex. Let p = 11,  (p) = 10. Choose d = 7 and compute e = inv(7, 10) = 3. Suppose M = 5. Then M is enciphered as: C = M e mod p = 5 3 mod 11 = 4. Similarly, C is deciphered as: C d mod p = 4 7 mod 11 = 5 = M.

19. Security Concern  The security of the scheme rests on the complexity of computing discrete logarithms.  A cryptanalyst may deduce p by observing the sizes of plaintext and ciphertext blocks.  Under a known-plaintext attack, a cryptanalyst can compute e (and thereby d) given a pair (M, C):  e = log M C

20.  Pohlig and Hellman show that if (p – 1) has only small prime factors, it is possible to compute the logarithm in O(log2p) time, which is unsatisfactory even for large values of p.  They recommend picking p = 2p + 1, where p is also a large prime.

21. Discrete Logarithm  The fastest known algorithm for computing the discrete logarithm takes about steps.  If p is a few hundred decimal digits long, it will take several billion years to compute.

22. RSA Scheme  The modulus is the product of two large primes p and q, i.e., n = pq. Thus  (n) = (p – 1) (q – 1) To encipher: C = M e mod n To decipher: M = C d mod n

23.  They recommend picking d relatively prime to  (n) in the interval [max(p, q) + 1, n – 1] (any prime in this interval will do).  Once d is chosen, e can be computed using the inv function. If the computed e is less than log 2 n, then a new value of d should be picked.

24. Example  Ex. Let p = 5 and q = 7, so n = 5  7 = 35 and  (n) = 4  6 = 24. Choose d = 11 and compute e = 11. Suppose M = 2. Then C = M e mod n = 2 11 mod 35 = 18 and C d mod n = 18 11 mod 35 = 2 = M.

25.  Ex. Let p = 53 and q = 61, so n = 53  61 = 3233 and  (n) = 52  60 = 3120. Choose d = 791 and compute e = 71. To encipher the message RENAISSANCE, we break it into blocks of 4 digits each, where A = 00, B = 01,..., Z = 25, and blank = 26 (in practice, characters would be represented by their 8-bit ASCII codes). Thus we have

26.  The first block is enciphered as 170471 = 3106. The entire message is enciphered as M= R E N A I S S A N C E =170413000818180013020426 C=310601000931269119842927.

27. Security Concern  Because  (n) cannot be determined without knowing the prime factors p and q, it is possible to keep d secret even if e and n are made public.  Thus the RSA scheme can be used for public-key encryption, where the enciphering transformation is made public and the deciphering transformation is kept secret.

28.  The security of the system depends on the difficulty of factoring n into p and q. The fastest known factoring algorithm takes about the same number of steps required for solving the discrete logarithm problem.

29. More About Euler's Theorem  Recall that for Pohlig-Hellman and RSA schemes to work, we must have M < n and gcd(M, n) = 1.  For Pohlig-Hallman scheme, this is for sure since n is prime. But how about RSA? Since n equals p  q, it is possible that M is a multiple of p or a multiple of q (but not both, of course).  We want to show that even if M is a multiple of p or q, the RSA scheme still works.

30. What Happens When gcd(M, n)  1  Suppose M is a multiple of p, so that M = cp for some c and gcd(M, q) = 1. M  (q) mod q = 1  (M  (q) )  (p) mod q = 1  M  (n) mod q = 1  Therefore, there is some k such that M  (n) = kq + 1

31. Multiply each side by M = cp, M  (n)+1 = M + kqcp = M + ckn Thus M  (n)+1 mod n = M. The case when M is a multiple of q is similar.

32. Summarization (RSA Scheme)  Key Generation Select p, q p and q are both prime Calculate n = p  q Calculate  (n)=(p–1)(q– 1) Select integer e gcd(  (n), e) = 1 Calculate d d = inv(e,  (n)) Public key e and n Private key d and n

33.  Encryption  Decryption  Plaintext : M  Ciphertext : C= M e mod n  Ciphertext : C  Plaintext : M = C d mod n

34. Summarization (RSA Scheme)  Each user A obtains a modulus n A and enciphering and deciphering exponents e A and d A. A registers e A and n A with a public directory, thus making A's enciphering transformation E A public.  A keeps d A and, therefore, the deciphering transformation D A secret.

35. Public-Key Systems  In a public-key system, each user has both a public and private key, and two users can communicate knowing only each other's public keys.  User A has a public enciphering transformation E A, which may be registered with a public directory, and a private deciphering transformation D A, which is known only to user A.

36.  The private transformation D A is described by a private key, and the public transformation E A by a public key derived from the private key by a one-way transformation.  It must be computationally infeasible to determine D A from E A.

37. Secrecy And Authenticity  In a public-key system, secrecy and authenticity are both provided.  Secrecy

38.  Authenticity

39. Secrecy  Suppose user A wishes to send a message M to another user B. If A knows B's public transformation E B, A can transmit M to B in secrecy by sending the ciphertext C = E B (M).  On receipt, B deciphers C using B's private transformation D B, getting  D B (C) = D B (E B (M)) = M.

40.  The scheme does not provide authenticity because any user with access to B's public transformation could substitute another message M' for M by replacing C with C' = EB(M' ).

41. Authenticity  For authenticity, M must be transformed by A's own private transformation D A. A sends C = D A (M) to B.  On receipt, B uses A's public transformation EA to compute  E A (C) = E A (D A (M)) = M.

42.  Authenticity is provided because only A can apply the transformation D A.  Secrecy is not provided because any user with access to A's public transformation can recover M.

43. Both Secrecy And Authenticity  To use a public-key system for both secrecy and authenticity: the ciphertext space must be equivalent to the plaintext space so that E A and D A can operate on both plaintext and ciphertext messages. the ciphertext space must be equivalent to the plaintext space so that E A and D A can operate on both plaintext and ciphertext messages. Both E A and D A must be mutual inverses so that E A (D A (M)) = D A (E A (M)) = M. Both E A and D A must be mutual inverses so that E A (D A (M)) = D A (E A (M)) = M.

44.  Suppose A wishes to send a message M to B. A sends to B the ciphertext C = E B (D A (M)).  On receipt, B deciphers C by E A (D B (C)) = E A (D B (E B (D A (M)))) = E A (D A (M)) = M.

45. Both Secrecy And Authenticity  RSA scheme can be used for both secrecy and authenticity.

46. Secrecy And Authenticity (RSA)  User B can send a secret message M to A using which A deciphers using Only A can decipher C to get M.

47.  Alternatively, A can send a signed message M to B using which B authenticates using  Because only A can apply D A, it cannot be forged, and a judge can settle any dispute arising between A and B.

48. Both Secrecy And Authenticity  A slight difficulty arises when both security and authenticity are desired. For A to send a message to B: C = E B (D A (M)) If n A > n B, the blocks comprising D A (M) might not be in the range [0, n B – 1].  Reducing them modulo n B does not solve the problem, because it would then be impossible to recover the original message.

49. Possible Solutions  One solution is to reblock D A (M).  Reblocking can be avoided using a threshold value h (e.g., h = 10 99 ). Each user has two sets of transformations:  ( E A1, D A1 ) for signatures  ( E A2, D A2 ) for secrecy  where n A1 < h < n A2.

50.  A sends a signed message to B:  C = E B2 (D A1 (M))  B recovers M and checks A’s signature:  E A1 (D B2 (C))  = E A1 (D B2 (E B2 (D A1 (M))  = E A1 (D A1 (M))  = M.

51. Another Solution  If C = EB (DA (M)) is not computable because n A > n B, then C' = D A (E B (M )) is computable.  User B, knowing both n A and n B (both are public), can recover M by computing either of the following: Case 1: n A < n B E A (D B (C))= E A (D B (E B (D A (M)))) E A (D B (C))= E A (D B (E B (D A (M)))) = E A (D A (M)) = M.

52.  Case 2: n A > n B D B (E A (C' ))= D B (E A (D A (E B (M)))) D B (E A (C' ))= D B (E A (D A (E B (M)))) = D B (E B (M)) = D B (E B (M)) = M. = M.

53. Dispute Resolution  If a dispute arises between A and B on the authenticity of A's signature, a judge must be able to ascertain that M originated with M.  If n A < n B, B applies B's private transformation to C and presents the judge with X = D B (C) and M. The judge compute M' = E A (X) using A's public transformation, and verifies that M' = M.

54.  If n A > n B, another approach is needed because D B must be applied after E A, and B may not want to give D B to the judge.  The solution is for B to present the judge with C' and M. The judge computes X= E B (M) X'= E A (C' ) = E A (D A (E B (M))) and verifies that X = X'.

55. Summarization n A < n B n A > n B A transmits C = E B (D A (M)) C' = D A (E B (M )) B computes M = E A (D B (C)) M = D B (E A (C' )) B gives judge M, X = D B (C) M, C' Judge computes M' = E A (X) X= E B (M) X'= E A (C' ) Judge tests M' = M X = X'