Public-key encryption

1
Public-key encryption
2
Symmetric-key encryption

• Invertible function
• Security depends on the shared secret a
  particular key.
• Fast, highly secure
• Fine for repeated communication
• Poor fit for one-shot communication, signatures

3
Asymmetric-key(public key) encryption

• The basic idea
• A user has two keys a public key and a private
  key.
• A message can be encrypted with the public key
  and decrypted with the private key to provide
  security.
• A message can be encrypted with the private key
  and decrypted with the public key to provide
  signatures.

4
One-way functions

• Most common functions are invertible for any
  F(x) y, there is an F-1(y) x.
• Multiplication and division
• DES
• A function which is easy to compute in one
  direction, but hard to compute in the other, is
  known as a one-way function.
• Hashing, modular arithmetic.
• A one-way function that can be easily inverted
  with an additional piece of knowledge is called a
  trapdoor one-way function.

5
One-way functions

• Public key encryption is based on the existence
  of trapdoor one-way functions.
• Encryption with the public key is easy.
• Decryption is computationally hard.
• Knowledge of the private key opens the trapdoor,
  making inversion easy.
• Password systems also use one-way functions.

6
Overview of RSA

• RSA is the most common and well-known public key
  cryptosystem
• Basic notation a key pair (e,d) contains two
  keys
• e is the public key (used to encrypt documents)
• d is the private key (used to decrypt documents)
• M is the plaintext message.
• Let R be the encryption function.
• R(e,M) C. R(d,C) M. - encryption
• R(d,M) C R(e,C) M - signing
• R(e,R(d,M)) M R(d,R(e,M))
• Same function is used for both operations.

7
Modular Arithmetic

• RSAs security is based on modular arithmetic.
• a b (mod n) lt-gt there is a q such that a-bqn
• b is the remainder after dividing a by n
• 23 3 (mod 5)
• A set 0,1,,n-1 is closed under modular
  addition and multiplication.
• (a(mod n) b(mod n))(mod n) (ab) (mod n)
• (ab)(mod n) (a(mod n) b(mod n))(mod n)

8
Modular Arithmetic

• Two numbers p and q are said to be relatively
  prime if their greatest common divisor is 1.
• 5 and 17, 8 and 9, 10 and 21
• To compute gcd
• gcd(a,b) gcd(b, a mod b) (Euclid, 300BC)

9
Identities and Inverses

• An identity is a number that maps a number to
  itself under some operation.
• 0 in normal addition, 1 in multiplication.
• An inverse is a number (within the input set) and
  maps a given number to the identity
• X 1/X, X -X in integer math
• We are particularly interested in multiplicative
  inverses for modular arithmetic.
• (ab) 1 (mod n)

10
Multiplicative Inverses

• 3 and 2 are multiplicative inverses mod 5.
• 7 and 6 are multiplicative inverses mod 41.
• 5 and 2 are multiplicative inverses mod 9.
• For n gt 1, if a and n are relatively prime, there
  is a unique x such that
• ax 1 (mod n)

11
More preliminaries

• Fermats Little Theorem
• If p is prime, then for all a
• ap-1 1 (mod p)
• Chinese Remainder Thm (corollary)
• If p and q are prime, then for all x and a
• x a(mod p) and x a(mod q) iff xa mod(pq)
• These are needed to prove RSAs correctness.

12
The RSA Algorithm

• Pick two large (100 digit) primes p and q.
• Let n pq and ?(n)(p-1)(q-1)
• Select a relatively small integer d that is prime
  to ?(n)
• Find e, the multiplicative inverse of d mod ?(n)
• (d,n) is the public key. To encrypt M, compute
• En(M) Me(mod n)
• (e,n) is the private key. To decrypt C, compute
• De(C) Cd(mod n)

13
RSA example

• Let p 11, q 13
• n pq 143
• (p-1)(q-1) 120 3 x 23 x 5
• Possible d 7, 11, 13, 17, (lets use 7)
• Find e e7 1(mod 120) 103
• Public key (7, 143)
• Private key (103, 143)
• En(42) 427 (mod 143) 81
• De(81) 81103(mod 143) 42

14
Correctness of RSA

• To show RSA is correct, we must show that
  encryption and decryption are inverse functions
• En(De(M)) De(En(M)) M Med (mod n)
• Since d and e are multiplicative inverses, there
  is a k such that
• ed1 k?(n) 1 k(p-1)(q-1)
• Med M1k(p-1)(q-1) M(Mp-1)k(q-1)
• By Fermat Mp-11(mod p)
• Med M(1)k(q-1)(mod p) M(mod p)

15
Correctness of RSA

• Med M(1)k(q-1)(mod p) M(mod p)
• Med M(1)k(q-1)(mod q) M(mod q)
• By Chinese Remainder Thm, we get
• Med M (mod p) M (mod q)
• M (mod pq) M (mod n)
• Therefore, RSA reproduces the original message
  and is correct.

16
Strengths of RSA

• No prior communication needed
• Highly secure (for large enough keys)
• Well-understood
• Allows both encryption and signing

17
Weaknesses of RSA

• Large keys needed (1024 bits is current standard)
• Relatively slow
• Not suitable for very large messages
• Public keys must still be distributed safely.

18
Security of RSA

• The security of RSA is dependent on the
  assumption that its difficult to generate the
  private key d from the public key e and the
  modulus n.
• Equivalent to integer factorization problem.
• This is how we got e and d in the first place.
• Factoring is thought to be computationally hard.
• No proof, though!

19
Difficulty of Factoring

• The fastest known factoring algorithm is the
  generalized number field sieve.
• Sub-exponential time
• Greater than polynomial space.
• Some statistics

Number Length Machines Memory/Machine
430 1 Trivial
760 215,000 4Gb
1020 342 million 170 Gb
1620 1.6x1015 120 Tb
20
Security and Problem Difficulty

• Another way to think about the problem is to ask
  how long a keylength will be secure, given
  Moores law

From the RSA labs factoring FAQ
21
Security and Problem Difficulty

• RSA-155 (512 bit asymmetric-key) broken in 1999.
• Estimate capability grows by 4.25 digits per
  year. (approx.13-14 bits per year)
• 1024-bit RSA should be secure until 2037.
• Using Moores Law 1024-bit is 7 million times
  harder than 512-bit
• So, we need a 7 millionX speedup to crack
  1024-bit RSA with the same relative computational
  power.
• Also about 34 years.
• Question How long does your data need to be
  secure?

22
Digital Signatures

• Desirable properties of a digital signature
• A receiver must be able to validate the signature
• The signature must not be forgeable
• The signer must not be able to repudiate the
  signature.
• Encrypt with private key, validate with public
  key.
• For security and authenticity, encrypt the signed
  message with the receivers public key.

23
Hash Functions

• A hash function is a one-way function that maps a
  message M into a (typically smaller) hashed
  message H.
• Sometimes this is called a fingerprint
• Also sometimes a message digest.
• Goals
• Non-invertible
• fast
• low collision rate

24
Hash Functions

• To sign a document, I compute its hash, encrypt
  that with my private key, and send the encrypted
  hash along with the original document as
  plaintext.
• The receiver hashes the plaintext and then uses
  my public key to verify that I was the one who
  sent the document.
• Can also detect tampering.

25
Combining Public and Secret Keys

• Public-key encryption is often used to
  synchronize secret session keys.
• SSL uses this.
• A generates a secret key and sends it to B,
  encrypted with Bs public key.
• For handshaking, include a random number.
• B decrypts the message and has the secret key.
• For handshaking, B encrypts the random number
  with As public key and returns it.

26
Authentication

• A sends Please authenticate me to B
• B creates a random message and signs it with As
  public key.
• A decrypts the message with its private key,
  encrypts it with Bs public key, and returns it.
• Only someone with As private key can do this.
• Potential attack B gets to pick a string that A
  will encrypt
• This could yield information about As private
  key.

27
Zero-knowledge Protocols

• One application of public-key cryptography is
  zero-knowledge protocols.
• Often, one party might want to prove something to
  another without revealing any information
• Nuclear treaties
• Bank balances
• Sensitive information

28
Zero-knowledge protocols

• Alice wants to prove to Bob that she is Alice.
• If she sends identification, Bob (or an
  eavesdropper) can use it.
• Example Authority chooses a number N77, known
  by all.
• Alices public ID (58, 67)
• Alices private ID (9,10)
• These are multiplicative inverses mod 77

29
Zero-knowledge protocols

• Alice chooses some random numbers and computes
  their square mod N.
• 19, 24, 51 -gt 192(mod 77) 53,
  242(mod 77) 37, 512(mod 77) 60
• Alice sends 53,37,60 to Bob.
• Bob sends back a random 2x3 matrix of 1s and 0s.
• 0 1
• 1 0
• 1 1

30
Zero-knowledge protocols

• Alice uses this grid, plus her original random
  numbers and her secret numbers, to compute
• 19 90 101 (mod 77) 36
• 24 91 100 (mod 77) 62
• 51 91 101 (mod 77) 47
• She sends 36,62,47 to Bob.

31
Zero-knowledge protocols

• Bob verifies Alices identity by computing
• 58,67 are Alices public numbers
• 362 580 671 (mod 77) 53
• 622 581 670 (mod 77) 37
• 472 581 671 (mod 77) 60
• Alices original numbers reappear!
• (Actually, an attacker would have a 1 in 64
  chance of guessing correctly )

32
Zero-knowledge protocols

• In a real system, N would be very large
• 160 digits.
• Many more numbers would be generated.
• This works because Alices secret numbers are
  multiplicative inverses of her public numbers mod
  N.
• Also, Bob learns nothing that he didnt know
  before.

33
Summary

• Public key encryption provides a flexible system
  for secure communication in open environments.
• Based on one-way functions
• Allows for both authentication and signing
• Secure public key distribution remains a problem.