Public Key Cryptography
All secret key algorithms & hash algorithms do the same thing
but public key algorithms look very
different from each other.
What is common among all of them is that
each participant has two keys, public and private,
and most of them are based on modular arithmetic.
x mod n is the remainder of x when
divided by n.
e.g.,
8 mod 10 = 8, 18 mod 10 =
8, 24 mod 10 = 4
8 mod 7 = 1, 18 mod 7 =
4, 24 mod 7 = 3
Ø Addition:
Example: addition mod 10
8 + 8 = 6,
1 + 9 = 0,
7 + 6 = 3
See Fig. 6-1 for addition mod
10 Table:
Encryption: Addition mod 10 can be used for
encryption of digits.
Add k, a secret
key between 1-9, to each digit.
Example: if k = 7, then 1987 is encrypted to 8654.
Decryption: Add -k, the additive inverse of k, to each digit.
An
additive inverse of x is the number
you'd have to add to x to get 0.
Example: if k = 7, then -k is
3 since 7+3 = 0
Thus
8654 will is decrypted to 1987.
In the
above table (Fig.
6-1), each "0" is the intersection of
k and -k, e.g., 0 is the
intersection of 3 and 7.
Ø Multiplication:
Example: multiplication mod 10
8 x 8 = 4, 1 x
9 = 9 , 7 x 6 = 2
See Fig. 6-2
for multiplication mod 10 Table:
Encryption: multiplication by 1, 3, 7, 9 works as a
cipher
since it performs 1-1 mapping.
Example:
if k = 7, then
1987 is encrypted to 7369
Decryption: is done by multiplying each digit by k-1 ,
the multiplicative inverse of k.
It is the
number to multiply by k to get 1.
Example: if k = 7, then k-1 is 3 since
7x3 = 1
In the
above table (Fig.
6-2),
each
"1" is the intersection of k
and k-1.
Euclide's Algorithm: (Section 7.4)
Efficiently
find multiplicative inverses mod
n.
Given x and n,
it finds a number y such that x.y mod n = 1
(if there is such y).
Note that only {1,3,7,9} have multiplicative inverse mod 10.
What is so
special about the set {1,3,7,9}?
These
numbers are relatively prime
to 10,
i.e.,
they do not share with 10 any common factors other than 1.
Note
that 9 is not a prime number but it is relatively prime to 10.
How
many numbers less than n are relatively prime to n?
This quantity is referred
to as:
Ø(n) and is called the totient
function.
· If
n is prime:
then {1,2,
..., n-1} are all relatively prime and
thus Ø(n) = n-1.
· If n = p.q where p
and q
are two distinct primes,
then Ø(n)
= (p-1)(q-1).
Example: for n = 10 = 2.5, Ø(10)
=(2-1).(5-1)=1.4=4,
which is the set {1,3,7,9}.
Ø Exponentation:
Example: exponentiation mod 10
4 2 = 6, 8 8 = 6, 19 = 1 , 76
= 9
See Fig.
6-3 for exponentiation mod 10 Table:
Amazing
fact about Ø(n):
x m mod n = x m mod Ø(n) mod n
Since Ø(10)=4, in Fig. 6-3, x m mod 10 = x m mod 4
mod 10
the ith
column is identical to the i+4th column,
e.g., 1st =5th
=9th and 3rd = 7th =11th.
Special case:
if m = 1 mod Ø(n),
then for any number x,
x m mod
n = x mod n.
Example: For n =10, Ø(10)=4
m = 9
x =
3: 39 mod 10 = 3 &
x = 6:
69 mod 10 = 6 &
and in general: x9 mod 10 = x mod 10
An
exponentiative
inverse of e is the number d such that:
e.d = 1 mod Ø(n)
Example: For n=
10, Ø(10)=4:
e=3 and d=7 are exponentiative
inverses since:
3.7 = 21 = 1 mod 4
Encrypt/Decrypt:
· To encrypt m:
compute c = me mod
n
· To decrypt c:
compute m = cd mod
n
Example:
encrypt m = 8: c = 83 = 2
decrypt c = 2: m = 27 = 8
Sign/Verify:
· To sign m:
compute s = md mod
n
· To verify s:
compute m = se mod
n
Example:
sign m = 8:
s = 87 = 2
verify s = 2:
m = 23 = 8
In public cryptography:
<e, n> is public key
&
<d, n> is private key
Key length:
Variable (long for security,
short for efficiency).
Most common values is 512 & 1024 bits.
Block size:
plain text length is
variable but less
than key length &
cipher
text length equals key length.
Thus RSA is used for encrypting
small amount of data,
e.g., secret key and then use secret key cryptography for
encrypting/decrypting large amount of data.
RSA Algorithm:
Generate public & private keys pair:
1. Choose two large primes p and q.
(Typically 256 bits each & keep them
secret).
2. Compute n = p.q & Ø(n) = (p-1)(q-1).
(It is very hard to factor n
into p & q ).
3. Choose a number e that
is relatively prime to Ø(n).
4. Find a number d that is the
exponentiative inverse of e
i.e., e.d = 1 mod Ø(n).
5. The public key: <e,n> & the private key: <d,n>.
Encrypt/Decrypt:
To encrypt a message
m ( less than n):
c = me mod n
To decrypt c:
m = cd mod n
This works since:
cd mod n
= (me)d mod n
= me.d mod n
= m mod
n // since
e.d = 1 mod Ø(n)
=
m
// since m < n
Sign/Verify:
To sign a message m ( less
than n):
s = md mod n
To verify s:
m = se mod n
This also works since:
se mod n = me.d mod n = m
mod n = m
Why is RSA Secure:
Every one knows the public key: <e, n>.
To find the private key
<d,n>
you need to know Ø(n) since e.d = 1 mod Ø(n).
To know Ø(n) you need
to know p and q since
Ø(n) = (p-1).(q-1).
Thus to break RSA you
should know how to factor n to find p and q.
Factoring a big number like n is hard. The best technique to factor 512 bit number takes 30,000
MIPS-years!
Efficiency of RSA Operations:
Exponentiation
How to compute 12354 mod 678?
1232 = 123.123 = 15129 = 213 mod 678
1233 = 123.213 =
26199 = 435 mod 678
1234 = 123.435 =
53505 = 621 mod 678
......
12354 =
......
= 87 mod 678
This requires 54
small number multiplications
and 54 small
number divisions.
How to compute 12332 mod 678?
1232 = 123.123 =
15129 = 213 mod 678
1234
= 213.213 = 45369 = 621 mod 678
1238
= 621.621 = 385641 = 537 mod 678
12316 =
537.537 = 288369 = 219 mod 678
12332 =
219.219 = 47961 = 501 mod 678
This requires 5
multiplications
and 5 divisions
instead of 32.
To efficiently compute 12354 : 54 is represented in binary as:
1
1
0
1
1
0
|
|
|
| |
(((( (1232)123
) 2
)2123 )2123 )2
This requires 8 multiplications and 8 divisions instead of 32.
Each 1 requires two
multipliactions and two divisions
and each 0 requires one
multipliaction and one division.
Thus in the above we have three 1s and
two 0s
and that yields: 3.2 + 2.1 = 8.
Note that we ignore the
leading 1.
Another example: y14
, 14 is represented in binary as:
1
1
1
0
|
|
|
(( (
y2) y )2y
)2
This
requires 5 multiplications
and 5 divisions instead
of 32.
Generating RSA Keys
- Finding big prime
number:
Choose a random
number r and test
if it is a prime.
test: pick a
< r
if (ar-1 mod r) != 1
then
r is not prime
else
r is prime // the probability of being wrong is 1 in 1013
- Finding d, n &
e:
Finding e:
Two
popular values for e are: 3 and 65537 (216 +
1).
These
make public key operations on message m faster
(encryption and signature
verification is me):
-
m3 requires 2 multiplications & 2
divisions.
-
m65537 requires 17 multiplactions & 17
divisions
since the binary value of 65537 is 100..01 (15 zeros).
Finding
n:
If e
= 3:
How to choose p & q so that 3 is relatively prime to
Ø(n) = (p-1)(q-1)?
Choose random numbers x and y then:
p = (2x+1)*3+2 &
q = (2y+1)*3+2
Why?
To ensure that (p-1) relatively prime to 3 we choose:
(p-1) = 1 mod 3
or p = 2 mod 3.
Hence choose p as k*3+2 and
to make sure that p is odd let k=2x+1.
Thus p = (2x+1)*3 + 2.
If e = 65537:
Randomly choose p and q and make sure that
they are not 1 mod 65537
(the probability of rejection is 1 in 216).
Once
we selected p and q, then:
n = p.q &
Ø(n) = (p-1)(q-1).
Finding d:
How to
fine d such that e.d = 1 mod Ø(n) ?
Use
The RSA keys:
public key: <3 | 65537, n> private key: <d , n>.
Alice and Bob agree on: p
(large prime) & g <
p.
Pick SA (512-bit
random
number)
Pick SB (512-bit
random number)
Compute TA =
( gSA) mod p
Compute TB = (gSB) mod p
TA >>> <<<
TB
Compute X =
TB SA
mod p
Compute Y = TA
SB mod p
X is the same as Y!
why?
X = TBSA = gSBSA
Y = TASB = gSASB
No one can compute g (SASB)
by
knowing g (SA ) & g (SB )
The bucket Brigade/Man-in-theMiddle Attach
Pick SA
Pick SX
Pick SB
Compute:
TA = gSA mod
p
TX = gSX mod
p
TB = gSB mod p
TA >>
TA .. TX
>> TX
TX <<
TX .. TB
<< TB
Compute: KAX = TX SA
mod p KAX
= TA SX mod p
KBX = TX SB
mod p
KBX = TB SX mod p
Possible Defense
·
Each
person i picks Si and computes Ti = gSi mod p and Keeps Si private and makes Ti public
·
If Alice
like to communicate with Bob, she finds TB and computes:
KAB = TB
SA mod p
·
Then
tells Bob she likes to communicate with him.
·
Bob
finds TA and hen computes:
KBA = TA SB mod
p
This requires PKI (public Key Infrastructure) to
manage Ti
Ø
Each
person has long-term
public/private
key pair:
Private: S
Public: < g, p, T > where T = gS mod p
Ø
For
each message m
to be signed:
§
Generate
a per-message public/private key pair:
Private: Sm
Public: Tm = gSm mod p
§
Compute
the message digest: dm
= MD (
m | Tm )
§
Compute
the message signature: X = Sm + dm S mod ( p -1 )
§
Send:
m, Tm and X
Verify:
Ø
Compute
the message digest: dm
= MD (
m | Tm )
Ø
Compute: Y1 = gX
and Y2 = Tm T dm
and
If Y1 =
Y2 then
the signature is correct.
Why?
Y1 = g
X =
gSm + dmS = gSm
gdmS = Tm gS dm= Tm T
dm
= Y2
Digital Signature Standard (DSS)
Proposed by NIST based on a modified version of ElGammal
algorithm.
Example:
Graph isomorphism problem:
We consider two graphs isomorphic if we can rename the vertices of one to get a graph identical to the other.
This is a well known NP-complete problem.
f > A > 1
g >
B > 2
h > C > 3
i > D > 4
j > E > 5
Public Key: ( GA , GB )
Private Key: GA ßà GB
To prove to Bob that she
is
§
She
renames the vertices to produce a set of isomorphic graphs: G1 G2 .... Gk and sends them to Bob.
§
Bob asks