Lecture 6: Public Key Cryptography

Provided by: Charlie138
1
Lecture 6: Public Key Cryptography
  • RSA
  • Diffie-Hellman
  • Zero-Knowledge Proof Schemes

2
Public Key Algorithms: Features
  • two different numbers, e and d
  • e and d are inverses: using one reverses the
    effect of the other
  • you shouldn't be able to compute d from e
  • it must be efficient to find a matching pair of
    keys
  • it must be efficient to encrypt and decrypt

3
Example: Simple Algorithm
  • multiplication modulo p (where p is a prime; why
    prime? easy to compute e and d, more later)
  • let $p = 127$
  • Choose e and d so that $ed = 1 \bmod 127$
  • e.g. $e = 53$ and $d = 12$
  • To encrypt a number, multiply by 53 mod 127
  • To decrypt a number, multiply by 12 mod 127
  • Decryption must restore the initial value!
  • 12 is an inverse of 53 in multiplication modulo
    127 (multiplicative inverse); what's an inverse in
    (regular) multiplication? Addition?
  • problem: not secure
  • the number 127 is too small. You could compute d
    from e by trying all possible values
  • modular division is possible - the inverse can be
    computed quickly even when p is large (Euclid's
    algorithm; patent long expired)

4
Modulo Exponentiation
  • an integer x is relatively prime to n if the only
    common factor is 1
  • totient function $\phi(n)$ is the number of integers
    $< n$ and relatively prime to n
  • If n is a prime, $\phi(n) = n-1$
  • Euler proved $x^{\phi(n)} \bmod n = 1$
  • So $x^{k\phi(n)} \bmod n = 1$ and
    $x^{k\phi(n)+1} \bmod n = x$ (if $x < n$)
  • If we can find d and e with $de = 1 \bmod \phi(n)$,
    they'd be exponentiative inverses mod n
  • that is, $x^{de} \bmod n = x$
  • observe that given two primes p and q,
    $\phi(pq) = (p-1)(q-1)$ (remove multiples of p and
    multiples of q)

5
RSA
  • Named after its inventors Rivest, Shamir, and
    Adleman
  • pick two large primes p and q, let n be pq
  • pick e such that it is relatively prime to F(n)
    that is e1 mod F(n)
  • since p and q are known, $\phi(n)$ is easy to compute
    (how?)
  • find a number d such that it is a multiplicative
    inverse of e mod $\phi(n)$
  • that is, $de = 1 \bmod \phi(n)$
  • in this case $x^{ed} \bmod n = x$
  • encryption is $\text{ciphertext} = \text{plaintext}^e \bmod n$
  • what is the decryption process?
  • why is xed mod n (xe mod n)(xd mod n) mod n ?
  • what is public key? private key?
  • how does digital signature work?
  • security of RSA hinges on difficulty of factoring
    large numbers n (to compute $\phi(n)$)

6
Finding Large Primes
  • If factoring is hard, how do you find large
    primes?
  • primes get progressively thinner as the numbers
    increase
  • ten digit number: probability 1/23
  • hundred digit number (needed for secure RSA):
    1/230
  • It turns out you can test a number for primality
    easily even though factoring is hard!
  • Pick random large numbers and test them until you
    find a prime one
  • Fermat's theorem
  • $x^{p-1} \bmod p = 1$ if p is prime
  • So to test if n is a prime, pick x and raise x to
    n-1. If it's not 1, n is definitely not prime
  • But can it be 1 even if n is not prime? Yes, but
    probably not.
  • for a 100-digit number, the non-prime prob. is 1
    in $10^{13}$
  • Can use different x's

7
Optimizing Exponentiation
  • brute force exponentiation (of 100-digit numbers
    for both base and exponent) is not possible
  • optimization: compute intermediate remainders
  • $a \cdot a \bmod b = ((a \bmod b)(a \bmod b)) \bmod b$
  • another optimization: instead of multiplying the
    number by the same factor multiple times, repeat
    squaring
  • $a^4 = (a \cdot a)(a \cdot a)$
  • can the two optimizations be combined?
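
The two optimizations combined into square-and-multiply, then used for the Fermat test from the Finding Large Primes slide. This is an added example, not code from the lecture; the function names, the seed and the sample numbers 341 and 561 are chosen here for illustration.

```python
import random

def modexp(base, exp, mod):
    """Square-and-multiply, reducing mod `mod` after every multiplication."""
    if mod == 1:
        return 0
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:                        # low bit of the exponent is set
            result = (result * base) % mod
        base = (base * base) % mod         # repeated squaring
        exp >>= 1
    return result

def fermat_probably_prime(n, witnesses):
    """False: n is definitely composite. True: no witness exposed n."""
    if n < 4:
        return n in (2, 3)
    return all(modexp(x, n - 1, n) == 1 for x in witnesses)

def find_probable_prime(bits, rng, rounds=8):
    """Test random odd `bits`-bit candidates until one passes every witness."""
    tries = 0
    while True:
        tries += 1
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        xs = [rng.randrange(2, n - 1) for _ in range(rounds)]
        if fermat_probably_prime(n, xs):
            return n, tries

if __name__ == "__main__":
    # 341 = 11 * 31 fools x = 2 but not x = 3, hence "use different x's".
    print(fermat_probably_prime(341, [2]), fermat_probably_prime(341, [3]))
    # 561 = 3 * 11 * 17 (a Carmichael number) passes for every x coprime to it.
    print(fermat_probably_prime(561, [2, 5, 7]))
    rng = random.Random(6)   # fixed seed keeps the demo repeatable; never use for keys
    print(find_probable_prime(64, rng))
```

The loop runs once per bit of the exponent, so a 100-digit exponent costs a few hundred modular multiplications, and no intermediate value ever exceeds the square of the modulus.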

8
Optimizing Encryption Operations
  • Turns out RSA is secure even if e in (e,n) is small
    (like 3 or $2^{16}+1$)
  • $65537 = 2^{16}+1$ is popular because it's prime and
    easily represented in binary
  • if e is small what operations are efficient?
  • can we also make d small?
  • problems with 3
  • if m is smaller than the cube root of n then
    $m^3 \bmod n = m^3$; this makes m easy to discover, why?
  • to solve: pad small messages
  • p and q must be chosen so that 3 is relatively
    prime to
  • choose p and q so that 3 is relatively prime to
    both p-1 and q-1
  • other threats
  • smooth numbers (numbers whose prime factors are all small) threat
  • multiple message threat
  • Public-Key Cryptography Standard (PKCS)
    standardizes use of RSA to minimize threats
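
The two problems with e = 3 turned into checks, as an added example that is not from the lecture: key generation rejects p or q when 3 divides p-1 or q-1, and a small unpadded message is shown to survive encryption as a plain cube. The primes, the message and the toy `pad` helper are constructed for illustration; `pad` only stands in for PKCS padding.

```python
from math import gcd

E = 3

def make_key(p, q):
    """Return (n, d) for e = 3, enforcing the slide's condition on p and q."""
    if gcd(E, p - 1) != 1 or gcd(E, q - 1) != 1:
        raise ValueError("3 divides p-1 or q-1, so e = 3 has no inverse d")
    phi = (p - 1) * (q - 1)
    return p * q, pow(E, -1, phi)      # modular inverse (Python 3.8+)

def icbrt(x):
    """Integer cube root by binary search (floats lose precision at RSA sizes)."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def wraps_modulus(m, n):
    """True if m^3 >= n, i.e. the reduction mod n actually changes the value."""
    return m ** 3 >= n

def pad(m, n, filler):
    """Toy padding: place `filler` above a 32-bit message so the cube wraps.
    Real PKCS padding uses random bytes in a defined format."""
    padded = (filler << 32) | m
    if not (padded < n and wraps_modulus(padded, n)):
        raise ValueError("filler does not fit this modulus")
    return padded

if __name__ == "__main__":
    n, d = make_key(1000000007, 998244353)     # constructed toy primes
    m = 424242                                 # constructed small message
    c = pow(m, E, n)
    print("unpadded: cube root of c gives m back:", icbrt(c) == m)
    padded = pad(m, n, 0x1234)
    c2 = pow(padded, E, n)
    print("padded: cube root fails:", icbrt(c2) != padded)
    print("padded: private key still decrypts:", pow(c2, d, n) == padded)
```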

9
Diffie-Hellman
  • Allows two individuals to agree on a secret key,
    even though they can only communicate in public
  • Alice chooses a private number and from that
    calculates a public number
  • Bob does the same
  • Each can use the other's public number and their
    own private number to compute the same secret
  • An eavesdropper can't reproduce it

agree on g, p ($g < p$, p - large prime)
  • Alice: choose random A
  • Bob: choose random B
  • Alice → Bob: $T_A = g^A \bmod p$
  • Bob → Alice: $T_B = g^B \bmod p$
  • Alice: compute $T_B^A$
  • Bob: compute $T_A^B$
  • both agree on $g^{AB} \bmod p$
10
Security of Diffie-Hellman
  • We assume the following is hard
  • Given g, p, and $g^X \bmod p$, what is X (computing
    discrete logarithm of $g^X \bmod p$)?
  • With the best known mathematical techniques, this
    is somewhat harder than factoring a composite of
    the same magnitude as p

11
Encryption with Diffie-Hellman
  • D-H needs a response from both Alice and Bob to
    initiate communication
  • this does not have to happen in real time
  • suppose Bob publishes $\langle g, p, T_B \rangle$ in advance
    somewhere where Alice can get it
  • then Alice, without Bob's further participation,
    can
  • select A,
  • compute $T_A$, and $K_{AB} = g^{AB} \bmod p$
  • use $K_{AB}$ to encrypt the message (with secret key
    crypto) to produce C
  • send $T_A$ and C to Bob
  • Bob is able to compute $K_{AB}$ and decrypt the message

12
Man-in-the-Middle Attack
  • D-H provides no authentication and is vulnerable
    to man-in-the-middle attack

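Alice ↔ Trudy ↔ Bob
  • Alice → Trudy: $T_A = g^A \bmod p$
  • Trudy → Alice: $T_T = g^T \bmod p$
  • Trudy → Bob: $T_T = g^T \bmod p$
  • Bob → Trudy: $T_B = g^B \bmod p$
  • Alice and Trudy agree on $g^{AT} \bmod p$
  • Trudy and Bob agree on $g^{TB} \bmod p$
  • Alice ↔ Trudy: {data} under $g^{AT} \bmod p$
  • Trudy ↔ Bob: {data} under $g^{TB} \bmod p$
  • can Alice and Bob prevent this attack if they
    agree on a secret password/answer in advance
    (is the fish green?/no, it is blue)?
  • exchange personal information Trudy does not
    know?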

13
Signed Diffie-Hellman (Avoiding Man-in-the-Middle)
  • Alice: choose random A
  • Bob: choose random B
  • Alice → Bob: $T_A = g^A \bmod p$, signed with Alice's private key
  • Bob → Alice: $T_B = g^B \bmod p$, signed with Bob's private key
  • Bob: verify Alice's signature
  • Alice: verify Bob's signature
  • agree on $g^{AB} \bmod p$
  • if you have keys, why use D-H?
  • forward secrecy: prevents an intruder from
    decrypting the conversation in the future even if
    she records all the conversation and later
    discovers all the keys then available
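
The signed exchange from this slide as an added example (not code from the lecture): each side checks the signature on the peer's public number before computing the shared secret, so the substituted value from the Man-in-the-Middle slide is rejected. The group (p = 2^127 - 1, g = 3), the Mersenne primes used as RSA factors and all function names are toy assumptions, far too small or structured for real use.

```python
import hashlib
import secrets

P = 2**127 - 1        # toy prime modulus (assumption for this example)
G = 3

def rsa_keypair(p, q, e=65537):
    """Textbook RSA key from two given primes: returns (public, private)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(value, n):
    h = hashlib.sha256(str(value).encode()).digest()
    return int.from_bytes(h, "big") % n

def sign(value, priv):
    n, d = priv
    return pow(digest(value, n), d, n)

def verify(value, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(value, n)

def dh_keypair():
    x = secrets.randbelow(P - 3) + 2       # private number
    return x, pow(G, x, P)                 # (private, public T = g^x mod p)

def accept(peer_T, peer_sig, peer_pub, my_secret):
    """Return the shared secret, or None if the signature check fails."""
    if not verify(peer_T, peer_sig, peer_pub):
        return None
    return pow(peer_T, my_secret, P)

if __name__ == "__main__":
    alice_pub, alice_priv = rsa_keypair(2**89 - 1, 2**61 - 1)
    a, T_A = dh_keypair()
    b, T_B = dh_keypair()
    t, T_T = dh_keypair()                  # value substituted in transit
    sig_A = sign(T_A, alice_priv)
    print("genuine T_A accepted:", accept(T_A, sig_A, alice_pub, b) is not None)
    print("swapped T_T accepted:", accept(T_T, sig_A, alice_pub, b) is not None)
```

Because A and B are fresh for every run and discarded afterwards, a later leak of the signing keys does not reveal past shared secrets, which is the forward secrecy point above.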

14
Stronger than RSA and D-H
  • security of RSA and D-H are based on complexity
    of solving certain mathematical problems
  • which ones?
  • the complexity of these problems is shown to be
    the same
  • there are solutions that are
  • subexponential (less than exponential), but
  • superpolynomial (more than any fixed degree
    polynomial)
  • because of that the (private) key size is
    selected larger than it needs to be - expensive
    private key operation
  • elliptic curve cryptography (ECC): no known
    subexponential solution
  • private keys are small

15
Zero Knowledge Proofs
  • zero knowledge proof systems are used for
    authentication only
  • allows Alice to prove that she knows the secret
    without revealing it to Bob
  • graph isomorphism
  • two graphs are isomorphic if they are identical
    up to vertex renaming
  • deciding if two graphs are isomorphic is
    NP-complete, generating two isomorphic graphs and
    verifying isomorphism is trivial
  • algorithm
  • Alice generates two large (about 500 vertices)
    isomorphic graphs A and B and sends them to Bob
  • Alice then generates a new set of graphs $G_1, G_2, \ldots, G_k$
    isomorphic to A and B
  • Bob asks Alice to show isomorphism for each of
    $G_1, \ldots, G_k$ to either A or B (but not both, or Bob
    learns the isomorphism between A and B)
  • Trudy can generate graphs isomorphic to A or B
    and she has a 50% chance of guessing which
    isomorphism Bob wants her to prove
  • if k is large, say 30, the probability of Trudy
    succeeding is very small
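
The protocol above with both kinds of prover, as an added example that is not from the lecture: Alice knows the renaming between A and B and answers every challenge, while Trudy can only bet on Bob's bit. Graphs are sets of edges, a renaming is a list mapping vertex v to `perm[v]`, and the rounds run one at a time rather than with all of the graphs sent in advance; all names are chosen here.

```python
import random

def apply(perm, graph):
    """Rename every vertex v of `graph` to perm[v]."""
    return frozenset(frozenset(perm[v] for v in e) for e in graph)

def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return perm

def make_pair(n, rng):
    """Alice's setup: random graph A, secret renaming sigma, public B = sigma(A)."""
    A = frozenset(frozenset((u, v)) for u in range(n)
                  for v in range(u + 1, n) if rng.random() < 0.5)
    sigma = random_perm(n, rng)
    return A, apply(sigma, A), sigma

class Alice:                       # knows sigma
    def __init__(self, A, sigma, rng):
        self.A, self.rng = A, rng
        self.sigma_inv = sorted(range(len(sigma)), key=sigma.__getitem__)
    def commit(self):
        self.pi = random_perm(len(self.sigma_inv), self.rng)
        return apply(self.pi, self.A)                  # G_i = pi(A)
    def respond(self, bit):
        if bit == 0:
            return self.pi                             # A -> G_i
        return [self.pi[v] for v in self.sigma_inv]    # B -> A -> G_i

class Trudy:                       # no sigma: must bet on Bob's challenge
    def __init__(self, A, B, n, rng):
        self.graphs, self.n, self.rng = (A, B), n, rng
    def commit(self):
        self.guess = self.rng.randrange(2)
        self.pi = random_perm(self.n, self.rng)
        return apply(self.pi, self.graphs[self.guess])
    def respond(self, bit):
        return self.pi             # correct only when bit == self.guess

def bob_accepts(prover, A, B, n, k, rng):
    """Bob's side: k rounds, one challenge bit each; any wrong answer rejects."""
    for _ in range(k):
        G = prover.commit()
        bit = rng.randrange(2)
        resp = prover.respond(bit)
        if sorted(resp) != list(range(n)) or apply(resp, (A, B)[bit]) != G:
            return False
    return True
```

Each answer is a fresh random renaming composed with at most one side of the secret, so Bob sees either A → G_i or B → G_i for a given G_i and never both.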

16
Zero Knowledge Signatures
  • Assuming Alice and Bob share graphs A and B
  • Alice supplies the graphs $G_1, G_2, \ldots, G_k$ in advance
  • for a message to be signed (and sent to Bob)
    Alice computes a digest
  • a binary version of the digest is considered to
    be a request to provide isomorphism to either A
    (zero) or B (one).
  • say, the digest is 1011, then for G1, Alice
    provides isomorphism to B, for G2 to A, for G3
    and G4 to B.
  • why cannot Trudy replicate that?
  • the graph isomorphism-based scheme is too
    inefficient to be used in practice; instead
  • a Fiat-Shamir protocol using methods similar to
    RSA is used