Public Key Cryptography
All the secret key
algorithms & the hash algorithms do the same thing
but public key
algorithms look very different from
each other.
What is common among them is each participant has two key: public & private,
and most of them are based on modular arithmetic.
x mod n is the remainder
of x
when divided by n.
e.g.,
8 mod 10 = 8, 18 mod 10 =
8, 24 mod 10 = 4
8 mod 7 = 1, 18 mod 7 =
4, 24 mod 7 = 3
ü
Addition:
Example: addition mod 10
8 + 8 = 6,
1 + 9 = 0,
7 + 6 = 3
See Fig. 6-1 for addition mod 10 Table:
Encryption: Addition mod 10 can be used for encryption of
digits.
Add k, a secret
key between 1-9 to each digit.
Example: if k = 7, then 1987 is encrypted to 8654.
Decryption: Add -k, the additive inverse of k,
to each digit.
An
additive inverse of x is the number
you'd have to add to x to get 0.
Example: if k = 7, then -k
is 3 since 7+3 = 0
Thus
8654 will is decrypted to 1987.
In the
above table (Fig.
6-1), each "0" is the intersection of k and -k,
e.g.,
0 is the intersection of 3 and 7.
ü Multiplication:
Example: multiplication mod
10 :
8 x 8 = 4, 1 x 9 = 9 , 7 x 6 = 2
See Fig. 6-2 for multiplication mod 10 Table:
Encryption: multiplication by
1, 3, 7, 9 works as a cipher since it performs 1-1
mapping.
Example: if k = 7, then 1987 is encrypted to 7369
Decryption: is done by multiplying each digit by k-1 , the multiplicative
inverse of k.
It is
the number to multiply by k to get 1.
Example: if k = 7, then k-1
is 3 since 7x3 = 1
In the
above table (Fig.
6-2), each "1" is the intersection of k
and k-1.
Note that only {1,3,7,9} have multiplicative inverse mod 10.
à
What
is so special about the set {1,3,7,9}?
These
numbers are relatively
prime to 10,
i.e.,
they do not share with 10 any common factors other than 1.
Note
that 9 is not
a prime number but it is relatively prime to 10.
à Only numbers that are relatively prime to n have multiplicative inverses.
ü
How many numbers less than n are
relatively prime to n?
This
quantity is referred to as:
Ø(n) and is called the totient function.
ü If
n is
prime: then {1,2, ..., n-1}
are all relatively prime and thus Ø(n) = n-1.
ü If n = p.q where p and q
are two distinct primes, then Ø(n) = (p-1)(q-1).
Why is that?
There are p multiples of q, q multiples of p
and 0
that are not relatively prime to n=pq.
Thus Ø(n) = pq –(p+q-1) =
(p-1)(q-1)
Example: for n = 10 = 2.5, Ø(10)
=(2-1).(5-1)=1.4=4,
which is the set {1,3,7,9}.
ê Exponentation:
Example: exponentiation mod 10
4 2 = 6, 8 8 = 6, 19 =
1 , 76 = 9
See Fig.
6-3 for exponentiation mod 10 Table:
Amazing fact about Ø(n):
x m mod n = x m mod Ø(n) mod n
Since Ø(10)=4, in Fig. 6-3:
x m mod 10 = x m mod 4
mod 10
Thus the ith column is identical to the i+4th column,
e.g., 1st =5th =9th
and 3rd = 7th =11th.
Special case:
if m = 1 mod Ø(n),
then for any number x:
x m mod n =
x mod n.
Example: For n =10, Ø(10)=4
Since 9 = 1 mod 4:
39 mod
10 = 3 mod 10 = 3 & 69 mod 10 = 6 mod 10 = 6
An
exponentiative inverse of e is the number d such that:
e.d = 1 mod Ø(n)
Example: For n= 10, Ø(10)=4:
e=3 and d=7 are exponentiative inverses since: 3.7 = 21 = 1 mod 4
Encrypt/Decrypt:
· To encrypt m:
compute c = me mod
n
· To decrypt c:
compute m = cd mod
n
Example:
encrypt m = 8: c = 83 = 2
decrypt c = 2: m = 27 = 8
Sign/Verify:
· To sign m: compute s = md mod n
·
To verify s:
compute m = se mod n
Example:
sign m = 8: s = 87 =
2
verify s = 2: m = 23 =
8
In public key cryptography:
<e, n> is public key
&
<d, n> is private key
Note that:
If n = p.q
where p and q are two distinct primes, then Ø(n) = (p-1)(q-1).
The relation between e and d: e.d = 1 mod Ø(n)
To compute d by knowing e and n
you must know Ø(n) which is
very hard to factor n to p & q
Key length:
Variable
(long for security, short for efficiency).
Most common values are 512
& 1024 bits.
Block size:
plain text
length is variable but less than key length &
cipher text length equals
key length.
Thus RSA is used for encrypting small amount of data, e.g., a secret
key
and then use the secret key cryptography
for encrypting/decrypting large amount of data.
RSA Algorithm:
Generate public & private keys pair:
1. Choose two distinct large primes p and q.
(Typically 256 bits each & keep them secret).
2. Compute n = p.q &
Ø(n) = (p-1)(q-1).
(Note that it is very hard to factor n into p & q ).
3. Choose a number e that
is relatively prime to Ø(n).
4. Find a number d that is the exponentiative inverse of e
i.e., e.d = 1 mod Ø(n).
5. The public
key <e,n> & the private key <d,n>.
Encrypt/Decrypt:
To encrypt a message m ( less than n): c = me mod n
To decrypt c: m = cd mod n
This works since:
cd mod n = (me)d mod n
= me.d mod n
= m mod n // since e.d = 1 mod Ø(n)
= m
// since
m
< n
Sign/Verify:
To sign a message m ( less than
n): s = md mod n
To verify s: m = se mod n
This also works since:
se mod n = me.d mod n
= m mod n = m
Why is RSA Secure:
Every one knows the public key: <
e, n >.
To find the private key <
d, n > you need to know Ø(n)
since e.d =
1 mod Ø(n).
To know Ø(n) you need to know p and q since
Ø(n)
= (p-1).(q-1).
Thus to break RSA you
should know:
how
to factor n to find p and q.
Factoring a big number like n is
hard.
The best technique to factor 512 bit number takes 30,000
MIPS-years!
Efficiency of RSA
Operations:
Exponentiation
How to compute 12354 mod 678?
1232 = 123.123 = 15129 = 213 mod 678
1233 = 123.213 =
26199 = 435 mod 678
1234 = 123.435 =
53505 = 621 mod 678
......
12354 =
......
= 87 mod 678
This requires 54 small number multiplications & 54 small number
divisions.
How to
compute 12332 mod 678?
1232 = 123.123 =
15129 = 213 mod 678
1234
= 213.213 = 45369 = 621 mod 678
1238
= 621.621 = 385641 = 537 mod 678
12316 =
537.537 = 288369 = 219 mod 678
12332 =
219.219 = 47961 = 501 mod 678
This requires 5 multiplications &
5 divisions
instead of 32.
To efficiently compute 12354
: 54 is represented in binary as:
1
1 0 1 1 0
| |
|
| |
(((( (1232)123
) 2 )2123 )2123 )2
This requires 8
multiplications and 8
divisions instead of 54.
Each 1 requires 2 multiplications + 2
divisions &
each 0 requires 1 multiplication +
1 division.
Thus in the above we have 3 1s, 2 0s
and that yields: 3.2 + 2.1 = 8.
Note that we ignore the leading 1.
Another example: y14 , 14 is represented
in binary as:
1
1
1
0
|
|
|
(( ( y2)
y )2y
)2
This requires 5 multiplications
and 5 divisions instead
of 32.
Generating RSA Keys
Finding e:
Two
popular values for e are: 3
(21+ 1) and 65537 (216 + 1).
Other common
values: 5 (22+ 1) and 17 (24+ 1).
These
make public key operations on message m faster
(encryption and signature verification is me ):
ü m3 requires 2 multiplications & 2
divisions.
ü m65537
requires 17 multiplications & 17 divisions
since the binary value of 65537 is 100..01 (15 zeros).
Finding n:
Randomly choose p and q and make sure that they
are not 1 mod e.
n =
p.q &
Ø(n) = (p-1)(q-1).
For a
random 100 digit number (typical size for RSA), the chance is 1 in 230 being a
prime.
How to
test if a number p is prime? We use:
Fermat’s
Theorem:
If p
is prime and a <p,
ap-1
= 1 mod p
A primality test then is to pick a number a
< p and compute ap-1 mod p:
·
If the answer is not 1, p is not prime.
· If it
is 1 the probability that p
is not a prime is ~ 1/1013
If the risk of 1 in 1013 is unacceptable, repeat the test using multiple values
of a.
Finding d:
How to
fine d such that e.d = 1
mod Ø(n) ?
Use Euclid algorithm (Section
7.4, page 187 of textbook).
The RSA keys:
Public key: <3 | 65537, n> Private key: <d , n>.
Precautions when using e=3:
·
If a message m
to be incrypted is small < 
then raising m to the power of 3 mod
n will simply produce the value c = m3
< n. Thus any one can decrypt it
by taking a cubec root of c to produce m
ü The problem can be avoided by padding the message with a random
number before encyption so that m3 need to be reduced mod n.
·
If a message m
is send to 3 receipients with public keys: <3,
n1>, <3, n2>,
<3, n3> and if a bad guy sees:
c1 = m3 mod n1 ,
c2 = m3 mod n2
c3 = m3 mod n3.
Then
he can use the Chinnese
Remainder Theorem (CRT) to compute:
c = m3 mod n1n2n3 from c1 , c2 , c3 values.
Since
m
is smaller than each of ni , m3 will be smaller than n1n2n3
Thus
the bad guy gets m by computing the 
ü The problem can be avoided by padding the message with the ID of
each recipient.
Optimizing
RSA Private Key Operations:
·
In RSA, d and n=pq
are on the order of 512-bit numbers
while p and q
are on the order of 265-bits.
·
RSA private key operations takes a
message c in the order of 512-bits and computes:
m = cd
mod n.
·
We can use the CRT
to speed up the RSA
operations using mod p and mod q instead of mod
n.
i.e. using 256-bits instead of 512-bits operations.
The following is known as Garner’s
Formula:
m = (((a-b)( q-1 mod p)) mod p).q + b
where:
a = cp
dp mod p & b = cq dq mod q
cp = c mod p & cq
= c mod q
dp
= d mod (p-1) & dq
= d mod (q-1)
Use Euclid’s
Algorithm to compute q-1
mod p
Alice and Bob agree on: p (large prime) & g <
p.
Alice
Bob
Pick SA (512-bit random
number)
Pick SB (512-bit random number)
Compute TA = ( gSA)
mod
p Compute TB = (gSB)
mod p
TA >>>
……. <<< TB
Compute X
= TB SA mod p
Compute Y = TA SB mod p
X
is the same as Y!
why?
X = (TB) SA = (gSB) SA
Y
= (TA) SB
= (gSA) SB
No one can compute g (SASB) by knowing g SA & g SB
The bucket Brigade / Man-in-theMiddle Attach
Alice Mr. X
Bob
Pick SA Pick
SX Pick SB
Compute: TA = gSA mod
TX = gSX
mod p TB
= gSB mod p
TA
>>
TA .. TX >> TX
TX
<<
TX .. TB << TB
Compute:
KAX = TX
SA mod p KAX
= TA SX mod p
KBX = TX SB
mod p
KBX
= TB SX mod p
Possible Defense
·
Each
person i picks
Si and computes Ti = gSi
mod p and
keeps Si private
& makes Ti
public
· If Alice like to communicate with Bob, she finds TB and computes:
KAB = TB
SA mod p
Then tells Bob she likes
to communicate with him.
· Bob finds TA and then computes:
KBA = TA SB mod
p
This requires PKI (Public Key Infrastructure) to manage Ti
ü Each person has long-term public/private key pair:
Private: S
Public: < g, p, T > where T = gS mod p
ü For each message m to be signed:
generate a per-message public/private key pair:
Private: Sm
Public: Tm = gSm
mod p
ü Compute the message digest: dm = MD ( m
| Tm )
ü Compute the message signature: X = Sm + dm S mod ( p -1 )
ü Send: <m, Tm , X >
Verify:
Received: <m, Tm , X> & knows the sender public : < g, p, T >
ü
Compute
the message digest: dm = MD ( m | Tm )
ü Compute: Y1 = gX
and Y2 = Tm T dm
If Y1 = Y2 then the signature is correct.
Why?
Since X = Sm + dm S mod ( p -1 ),
Tm = gSm
mod p
T = gS mod p
Y1 = g X = gSm
+ dmS =
gSm gdmS
= Tm gS dm= Tm T dm = Y2
Digital Signature Standard (DSS)
Proposed
by NIST based on a modified version of El-Gammal
algorithm.
Example:
Graph isomorphism
problem:
Two graphs are isomorphic if we can rename the vertices of one to get a graph identical
to the other.
This is a well-known NP-complete problem.
f >
A > 1
g >
B > 2
h >
C > 3
i >
D > 4
j >
E > 5
Alice specifies a large graph GA and renames the vertices to produce another isomorphic graph GB.
Public Key:
( GA , GB )
Private Key: GA ßà GB
To prove to Bob
that she is Alice:
ü
She
renames the vertices to produce a set of isomorphic graphs:
G1 G2 .... Gk
and sends them to Bob.
ü
Bob
asks Alice to show him for each i the mapping between:
Gi and either GA or GB but not
both (Otherwise Bob may know her private key!)