public_key_cryptography

Public Key Cryptography

All secret key algorithms & hash algorithms do the same thing

but public key algorithms look very different from each other.

What is common among all of them is that

each participant has two key: public & private,

and most of them are based on modular arithmetic.

Modular Arithmetic

x mod n is the remainder of x when divided by n.

e.g., 8 mod 10 = 8, 18 mod 10 = 8, 24 mod 10 = 4
8 mod 7 = 1, 18 mod 7 = 4, 24 mod 7 = 3

Addition:

Example: addition mod 10

8 + 8 = 6,

1 + 9 = 0,

7 + 6 = 3

See Fig. 6-1 for addition mod 10 Table:

Description: Description: fig6-1

Encryption: Addition mod 10 can be used for encryption of digits.

Add k, a secret key between 1-9 to each digit.

Example: if k = 7, then 1987 is encrypted to 8654.

Decryption: Add -k, the additive inverse of k, to each digit.

An additive inverse of x is the number you'd have to add to x to get 0.

Example: if k = 7, then -k is 3 since 7+3 = 0

Thus 8654 will is decrypted to 1987.

In the above table (Fig. 6-1), each "0" is the intersection of

k and -k, e.g., 0 is the intersection of 3 and 7.

Multiplication:

Example: multiplication mod 10 :

8 x 8 = 4, 1 x 9 = 9 , 7 x 6 = 2

See Fig. 6-2 for multiplication mod 10 Table:

Description: Description: fig6-2

Encryption: multiplication by 1, 3, 7, 9 works as a cipher

since it performs 1-1 mapping.

Example: if k = 7, then 1987 is encrypted to 7369

Decryption: is done by multiplying each digit by k^-1 ,

the multiplicative inverse of k.

It is the number to multiply by k to get 1.

Example: if k = 7, then k^-1 is 3 since 7x3 = 1

In the above table (Fig. 6-2),

each "1" is the intersection of k and k^-1.

Note that only {1,3,7,9} have multiplicative inverse mod 10.

What is so special about the set {1,3,7,9}?

These numbers are relatively prime to 10,

i.e., they do not share with 10 any common factors other than 1.

Note that 9 is not a prime number but it is relatively prime to 10.

Only numbers that are relatively prime to n have multiplicative inverses.

How many numbers less than n are relatively prime to n?
This quantity is referred to as:

Ø(n) and is called the totient function.

· If n is prime:

then {1,2, ..., n-1} are all relatively prime and
thus Ø(n) = n-1.

· If n = p.q where p and q are two distinct primes,

then Ø(n) = (p-1)(q-1).

Why is that?

There are p multiples of q, q multiples of p and 0 that are not relatively prime to n=pq.

Thus Ø(n) = pq –(p+q-1) = (p-1)(q-1)

Example: for n = 10 = 2.5, Ø(10) =(2-1).(5-1)=1.4=4,
which is the set {1,3,7,9}.

Exponentation:

Example: exponentiation mod 10

4 ² = 6, 8 ⁸ = 6, 1⁹ = 1 , 7⁶ = 9

See Fig. 6-3 for exponentiation mod 10 Table:

Description: Description: fig6-3

Amazing fact about Ø(n):

x ^mmod n = x ^{m mod Ø(n)} mod n

Since Ø(10)=4, in Fig. 6-3:

x ^mmod 10 = x ^{m mod 4} mod 10

The i^th column is identical to the i+4^th column,

e.g., 1^st =5^th =9^th and 3^rd = 7^th =11^th.
Special case:

if m = 1 mod Ø(n), then for any number x,

x ^mmod n = x mod n.

Example: For n =10, Ø(10)=4

Since m = 9 is 1 mod 4:

3⁹mod 10 = 3 mod 10 = 3 &

6⁹mod 10 = 6 mod 10 = 6

in general:

for any x : x⁹mod 10 = x mod 10 = x

An exponentiative inverse of e is the number d such that:

e.d = 1 mod Ø(n)

Example: For n= 10, Ø(10)=4:

e=3 and d=7 are exponentiative inverses since:

3.7 = 21 = 1 mod 4

Encrypt/Decrypt:

· To encrypt m: compute c = m^emod n

· To decrypt c: compute m = c^dmod n

Example:

encrypt m = 8: c = 8³= 2

decrypt c = 2: m = 2⁷= 8

Sign/Verify:

· To sign m: compute s = m^dmod n

· To verify s: compute m = s^emod n

Example:

sign m = 8: s = 8⁷= 2

verify s = 2: m = 2³= 8

In public cryptography:

<e, n> is public key

<d, n> is private key

Note that:

If n = p.q where p and q are two distinct primes,

then Ø(n) = (p-1)(q-1).

The relation between e and d:

e.d = 1 mod Ø(n)

To computer d you must know Ø(n) which is very hard to compute from knowing n.

RSA: Rivest, Shamir & Adleman

Key length:

Variable (long for security, short for efficiency).

Most common values is 512 & 1024 bits.

Block size:

plain text length is variable but less than key length &
cipher text length equals key length.

Thus RSA is used for encrypting small amount of data, e.g., a secret key

and then use the secret key cryptography for encrypting/decrypting large amount of data.

RSA Algorithm:

Generate public & private keys pair:

1. Choose two distinct large primes p and q.
(Typically 256 bits each & keep them secret).

2. Compute n = p.q & Ø(n) = (p-1)(q-1).
(Note that it is very hard to factor n into p & q ).

3. Choose a number e that is relatively prime to Ø(n).

4. Find a number d that is the exponentiative inverse of e
i.e., e.d = 1 mod Ø(n).

5. The public key <e,n> & the private key <d,n>.

Encrypt/Decrypt:

To encrypt a message m ( less than n):

c = m^emod n

To decrypt c:

m = c^dmod n

This works since:
   c^dmod n = (m^e)^dmod n
                  = m^e.dmod n
                  = m mod n    // since e.d = 1 mod Ø(n)
                  = m                // since m < n

Sign/Verify:

To sign a message m ( less than n):

s = m^dmod n

To verify s:

m = s^emod n

This also works since:

s^emod n = m^e.dmod n = m mod n = m

Why is RSA Secure:

Every one knows the public key: < e, n >.

To find the private key < d, n > you need to know Ø(n)

since e.d = 1 mod Ø(n).

To know Ø(n) you need to know p and q since

Ø(n) = (p-1).(q-1).

Thus to break RSA you should know:

how to factor n to find p and q.

Factoring a big number like n is hard.

The best technique to factor 512 bit number takes 30,000 MIPS-years!

Efficiency of RSA Operations:

Exponentiation

How to compute 123⁵⁴ mod 678?

123²= 123.123 = 15129 = 213 mod 678
123³= 123.213 = 26199 = 435 mod 678
123⁴= 123.435 = 53505 = 621 mod 678
......
123⁵⁴= ...... = 87 mod 678

This requires 54 small number multiplications

and 54 small number divisions.
How to compute 123³² mod 678?

123²= 123.123 = 15129     = 213 mod 678
123⁴= 213.213 = 45369     = 621 mod 678
123⁸= 621.621 = 385641   = 537 mod 678
123¹⁶= 537.537 = 288369   = 219 mod 678
123³²= 219.219 = 47961     = 501 mod 678

This requires 5 multiplications

and 5 divisions instead of 32.

To efficiently compute 123⁵⁴: 54 is represented in binary as:

1 1 0 1 1 0

| | | | |
(((( (123²)123 )²)²123 )²123 )²

This requires 8 multiplications and 8 divisions instead of 32.

Each 1 requires two multipliactions and two divisions
and each 0 requires one multipliaction and one division.

Thus in the above we have three 1s and two 0s

and that yields: 3.2 + 2.1 = 8.
Note that we ignore the leading 1.

Another example: y¹⁴, 14 is represented in binary as:

       1                1                 1                  0
                      |                  |                   |
      ((             ( y²) y            )²y               )²

This requires 5 multiplications and 5 divisions instead of 32.

Generating RSA Keys

Finding e:

Two popular values for e are: 3 (2¹+ 1) and 65537 (2¹⁶+ 1).

Other common values: 5 (2²+ 1) and 17 (2⁴+ 1).

These make public key operations on message m faster
(encryption and signature verification is m^e):

- m³requires 2 multiplications & 2 divisions.

- m⁶⁵⁵³⁷ requires 17 multiplactions & 17 divisions

since the binary value of 65537 is 100..01 (15 zeros).

Finding n:

Randomly choose p and q

and make sure that they are not 1 mod e.

n = p.q &

Ø(n) = (p-1)(q-1).

Finding Big Primes:

For a random 100 digit number (typical size for RSA), the chance is 1 in 230 being a prime.

How to test if a number p is prime? We use:

Fermat’s Theorem:

If p is prime and 0< a <p, a^p^-1= 1 mod p

A primality test then is to pick a number a < p and compute a^p^-1 mod p:

· If the answer is not 1, p is not prime.

· If it is 1 the probability that p is not a prime is ~ 1/10¹³

If the risk of 1 in 10¹³is unacceptable, repeat the test using multiple values of a.

Finding d:

How to fine d such that e.d = 1 mod Ø(n) ?
Use Euclid algorithm (see Section 7.4, page 187 of textbook).

The RSA keys:

public key: <3 | 65537, n> private key: <d , n>.

Precautions when using e=3:

· If a message m to be incrypted is small < then raising m to the power of 3 mod n will simply produce the value c = m³ < n. Thus any one can decrypt it by taking a cubec root of c to produce m.

The problem can be avoided by padding the message with a random number before encyption so that m³ need to be reduced mod n.

· If a message m is send to 3 receipients with public keys: <3, n₁>, <3, n₂>, <3, n₃> and if a bad guy sees: m³ mod n₁, m³ mod n₂, m³ mod n_3. Then he can use the Chinnese Remainder Theorem (CRT) to compute m³ mod n₁n₂n₃ from these 3 values. Since m is smaller than each of n_i, m³ will be smaller than n₁n₂n₃and the bad guy gets m by computing the cubec root of m³ .

The problem can be avoided by padding the message with the ID of each recipient.

Optimizing RSA Private Key Operations:

· In RSA, d and n=pq are on the order of 512-bit numbers

While p and q are on the order of 265-bits.

· RSA private key operations takes a message c in the order of 512-bits and computes:

m = c^d mod n.

· We can use the CRT to speed up the RSA operations using mod p and mod q instead of mod n.

i.e. using 256-bits instead of 512-bits operations. The following is known as Garner’s Formula:

m = (((a-b)( q^-1mod p)) mod p).q + b

where:

a = c_p^dp mod p & b = c_q^dq mod q

c_p = c mod p & c_q = c mod q

d_p = d mod (p-1) & d_q = d mod (q-1)

Diffie-Hellman

Alice and Bob agree on: p (large prime) & g < p.

Alice Bob

Pick S_A (512-bit random number) Pick S_B (512-bit random number)
Compute T_A= ( gS_A) mod p Compute T_B= (gS_B) mod p

T_A>>> <<< T_B

Compute X = T_B^SA mod p Compute Y = T_A^SB mod p

X is the same as Y!

why?

X = (T_B) ^SA = (g^SB) ^SA
Y = (T_A) ^SB = (g^SA) ^SB

No one can compute g^(SASB)by knowing g ^(SA ⁾ & g^(SB ⁾

The bucket Brigade/Man-in-theMiddle Attach

Alice Mr. X Bob

Pick S_A Pick S_X Pick S_B

Compute: T_A= g^SA mod p T_X= g^SX mod p T_B= g^SB mod p

T_A_>>T_{A ..}T_X_>>T_X
T_X_<<T_{X ..}T_B_<<T_B

Compute: K_AX = T_X^SA mod p K_AX = T_A^SX mod p K_BX = T_X^SB mod p
K_BX = T_B^SX mod p

Possible Defense

· Each person i picks S_i and computes T_i = g^Si mod p and

keeps S_iprivate & makes T_ipublic

· If Alice like to communicate with Bob, she finds T_Band computes:
K_AB= T_B^SA mod p

· Then tells Bob she likes to communicate with him.

· Bob finds T_A and then computes:

K_BA= T_A^SB mod p

This requires PKI (Public Key Infrastructure) to manage T_i

El-Gammal Signature

· Each person has long-term public/private key pair:

Private: S
Public: < g, p, T > where T = gS mod p

· For each message m to be signed:

1. For each message m, generate a per-message public/private key pair:

Private: S_m
Public: T_m= g^Sm mod p

2. Compute the message digest: d_{m =}MD ( m | T_m)

3. Compute the message signature: X = S_m+ d_m^S mod ( p -1 )

4. Send: m, T_m and X

Verify:

· Compute the message digest: d_{m =}MD ( m | T_m)

· Compute: Y1 = g^X and Y2 = T_mT ^dm

If Y1 = Y2 then the signature is correct.

Why?

Since X = S_m+ d_m^S mod ( p -1 ),

T_m= g^Sm mod p

T = gS mod p

Y1 = g ^X= g^Sm^{+ d}_m^S= g^Sm g^d_m^S= T_mg^{S dm}= T_mT ^dm = Y2

Digital Signature Standard (DSS)

Proposed by NIST based on a modified version of El-Gammal algorithm.

Zero Knowledge Proof Systems

Example:

Graph isomorphism problem:

We consider two graphs isomorphic if we can rename the vertices of one to get a graph identical to the other.

This is a well-known NP-complete problem.

Description: Description: http://www.cs.odu.edu/~cs772/fall06/lectures/zeroknowledge.gif

f > A > 1

g > B > 2

h > C > 3

i > D > 4

j > E > 5

Alice specifies a large graph G_A and renames the vertices to produce another isomorphic graph G_B.

Public Key: ( G_A_,G_B)
Private Key: G_AßàG_B

To prove to Bob that she is Alice:

· She renames the vertices to produce a set of isomorphic graphs: G₁G_{2 ....}G_kand sends them to Bob.

· Bob asks Alice to show him for each i the mapping between: G_i and either G_A or G_B but not both,

(Otherwise Bob may know her private key!)