Public Key Cryptography - PowerPoint PPT Presentation

Public Key Cryptography

Slides: 44
Provided by: hyo5
Transcript and Presenter's Notes

1
Public Key Cryptography
  • Principles of Public-Key Cryptosystems
  • The RSA Algorithm
  • Key Management
  • Diffie-Hellman Key Exchange
  • Elliptic Curve Cryptography

2
Public Key Cryptography
  • Radical departure from conventional cryptography
  • Asymmetric, or two key, cipher
  • Public key for encryption
  • Private key for decryption
  • Based on mathematics
  • Not necessarily stronger than symmetric
    cryptography
  • Typically used in conjunction with symmetric
    cryptography
  • Generally restricted to key management and
    digital signatures
  • Does not solve the general key management problem

3
Public-Key Cryptosystems
Principles of PKC
  • Concept of public-key cryptography evolved from
    an attempt to attack two of the most difficult
    problems associated with conventional
    encryption
  • Key distribution
  • Digital signature
  • Diffie and Hellman first publicly introduced the
    concepts of public-key cryptography in 1976
  • Public-key algorithms rely on one key for
    encryption and a different but related key for
    decryption
  • Requirement
  • It is computationally infeasible to determine the
    decryption key given the encryption key
  • Optional feature
  • Either key can be used for encryption with the
    other serving as the decryption key

4
Public Key Encryption Process
Principles of PKC
  • Confidentiality: $C = E(\text{pubkey}, M)$
  • Authentication: $D = E(\text{privkey}, M)$
  • Digital signature

5
Conventional and Public-Key Encryption
Principles of PKC
  • Conventional (Symmetric)
  • Same algorithm and key used for encryption and
    decryption
  • Parties share algorithm and key
  • Key must be kept secret
  • Cipher must be strong
  • Plaintext/ciphertext pairs must not weaken the
    security of the key
  • Public-Key (Asymmetric)
  • Same algorithm but different keys used for
    encryption and decryption
  • Parties share algorithm but each has one key
    from a matched pair
  • One key must be kept secret
  • Cipher must be strong
  • Plaintext/ciphertext pairs plus one of the keys
    must not weaken the other key

6
Principles of PKC
Public-Key Cryptosystem Secrecy
$Y = E_{KU_b}(X)$, $X = D_{KR_b}(Y)$
$KU_b$ = B's public key, $KR_b$ = B's private key
7
Principles of PKC
PKC Authentication
$Y = E_{KR_a}(X)$, $X = D_{KU_a}(Y)$
No protection of confidentiality
8
Principles of PKC
PKC Secrecy and Authentication
$Z = E_{KU_b}[E_{KR_a}(X)]$, $X = D_{KU_a}[D_{KR_b}(Z)]$
9
PKC Algorithm Requirements
Principles of PKC
  • By Diffie and Hellman, in 1976
  • Key pair generation is computationally easy
  • Encryption is computationally easy
  • Decryption is computationally easy
  • Computationally infeasible to determine private
    key given public key
  • Computationally infeasible to recover plaintext
    given public key and ciphertext
  • Encryption and decryption functions can be
    applied in either order
  • $M = D_{KR_b}[E_{KU_b}(M)] = E_{KR_b}[D_{KU_b}(M)]$

10
One-way and Trap-door Functions
Principles of PKC
  • One-way function
  • $Y = f(X)$ easy (polynomial time)
  • $X = f^{-1}(Y)$ infeasible (non-polynomial time)
  • Trap-door one-way functions
  • Family of invertible functions, one for each k
  • $Y = f_k(X)$ easy, given k and X
  • $X = f_k^{-1}(Y)$ easy, given k and Y
  • $X = f_k^{-1}(Y)$ infeasible if Y is known but k is
    unknown

11
RSA Algorithm
RSA Algorithm
  • Developed in 1977, by Ron Rivest, Adi Shamir, and
    Len Adleman
  • Block cipher: block size is $\log_2(n)$, for some
    integer n
  • Encryption: $C = M^e \bmod n$
  • Decryption: $M = C^d \bmod n = M^{ed} \bmod n$
  • Requirements
  • Find values of e, d, and n s.t. $M^{ed} = M \bmod n$
    for all $M < n$
  • Relatively easy to compute $M^e$ and $C^d$
  • Infeasible to determine d given n and e

12
RSA
RSA Algorithm
  • Need to find a relationship of the form
  • $M^{ed} = M \bmod n$
  • Can use the corollary of Euler's theorem
  • Given two primes p and q, and two integers n and
    m, s.t. $n = pq$ and $0 < m < n$, and an
    arbitrary integer k, the following relationship
    holds
  • $m^{k\phi(n)+1} \equiv m \bmod n$
  • where $\phi(n)$ is Euler's totient function
  • $\phi(n) = \phi(pq) = (p-1)(q-1)$
  • Can achieve the desired relationship if
    $ed = k\phi(n)+1$
  • Equivalent to saying that $ed \equiv 1 \bmod \phi(n)$
    or $d \equiv e^{-1} \bmod \phi(n)$
  • That is, e and d are multiplicative inverses
    modulo $\phi(n)$
  • This is true only if d (and therefore e) is
    relatively prime to $\phi(n)$

13
RSA Algorithm
RSA Algorithm
14
RSA Algorithm
RSA Example
  • Select two primes, $p = 7$ and $q = 17$
  • Calculate $n = pq = 7 \times 17 = 119$
  • Calculate $\phi(n) = (p-1)(q-1) = 96$
  • Select e s.t. e is relatively prime to $\phi(n)$ and
    less than $\phi(n)$; in this case, $e = 5$
  • Determine d s.t. $de \bmod 96 = 1$ and $d < 96$. The
    correct value is $d = 77$
    ($77 \times 5 = 385 = 4 \times 96 + 1$)
  • $KU = \{5, 119\}$, $KR = \{77, 119\}$

15
RSA Algorithm
RSA Computational Aspects
  • Encryption and Decryption
  • Both require modular exponentiation
  • Can use the following efficient algorithm to
    compute $a^b \bmod n$
  • Repeated squaring
  • Modular-Exponentiation(a, b, n)
      c ← 0
      d ← 1
      let b_k b_{k-1} ... b_0 be the binary representation of b
      for i ← k downto 0
          do c ← 2c
             d ← (d × d) mod n
             if b_i = 1
                 then c ← c + 1
                      d ← (d × a) mod n
      return d

16
RSA Algorithm
RSA Computational Aspects - 2
  • Key Generation
  • Selecting two prime numbers, p and q
  • Selecting either e or d and calculating the other
  • Selecting a prime number

1. Pick an odd integer n at random (e.g. using PRNG)
2. Pick an integer a < n at random
3. Perform the probabilistic primality test, such as
   Miller-Rabin. If n fails the test, reject the
   value n and go to step 1
4. If n has passed a sufficient number of tests,
   accept n; otherwise go to step 2
17
RSA Computational Aspects - 3
RSA Algorithm
  • How many numbers are likely to be rejected before
    a prime number is found?
  • Prime number theorem
  • $\pi(x) \approx x/\ln(x)$
  • In other words, primes near x are spaced on
    average one every $\ln(x)$ integers
  • Thus, on average, $\ln(x)$ tests are required to
    find a prime
  • (Actually $\ln(x)/2$, because all even numbers can
    be immediately rejected)
  • Example
  • If a prime on the order of magnitude of $2^{100}$ were
    sought, then about $\ln(2^{200})/2 = 70$ trials would
    be needed to find a prime
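
Added example (not part of the original slides): the four prime-selection steps with a Miller-Rabin test, plus the ln(x)/2 estimate from the prime number theorem. The function names and the choice of 20 rounds are assumptions made for illustration.

```python
import math
import secrets

def is_probable_prime(n, rounds=20):
    """Miller-Rabin: False means composite, True means probably prime."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    # write n - 1 = 2^s * t with t odd
    s, t = 0, n - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)    # step 2: random a, 2 <= a <= n - 2
        x = pow(a, t, n)
        if x in (1, n - 1):
            continue                        # this a does not expose n
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                    # a is a witness: reject n
    return True

def find_prime(bits):
    """Steps 1-4: draw odd candidates until one passes; count the draws."""
    tried = 0
    while True:
        tried += 1
        # force the top bit (full length) and the low bit (odd)
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n):
            return n, tried

def expected_trials(bits):
    """Prime number theorem estimate: ln(2^bits) / 2 odd candidates."""
    return bits * math.log(2) / 2

if __name__ == "__main__":
    p, tried = find_prime(200)
    print(f"found a 200-bit prime after {tried} candidates "
          f"(estimate: {expected_trials(200):.1f})")
```

The count for a single run varies widely around the estimate; averaging over many runs brings it close to ln(x)/2.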

18
RSA Computational Aspects - 4
RSA Algorithm
  • Selecting e and calculating d (or alternatively
    selecting d and calculating e)
  • Need to select an e s.t. $\gcd(\phi(n), e) = 1$ and
    then calculate $d = e^{-1} \bmod \phi(n)$
  • Extended Euclid's Algorithm can do this
  • Generate e randomly. Then using the EEA, test if
    $\gcd(\phi(n), e) = 1$, and then get d. Otherwise do
    again
  • Need very few tests
  • Extended Euclid(e, φ(n))
      1. (X1, X2, X3) ← (1, 0, φ(n)); (Y1, Y2, Y3) ← (0, 1, e)
      2. If Y3 = 0 return X3 = gcd(e, φ(n)); no inverse
      3. If Y3 = 1 return Y3 = gcd(e, φ(n)); Y2 = e^-1 mod φ(n)
      4. Q = ⌊X3/Y3⌋
      5. (T1, T2, T3) ← (X1 − Q·Y1, X2 − Q·Y2, X3 − Q·Y3)
      6. (X1, X2, X3) ← (Y1, Y2, Y3)
      7. (Y1, Y2, Y3) ← (T1, T2, T3)
      8. goto 2
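
Added example (not part of the original slides): the Modular-Exponentiation and Extended Euclid routines from the slides written out in Python and run on the toy key from the RSA Example slide (p = 7, q = 17, e = 5). The function names and the sample message 19 are assumptions made for illustration.

```python
def mod_exp(a, b, n):
    """Repeated squaring: scan the bits of b from b_k down to b_0."""
    d = 1
    for bit in bin(b)[2:]:          # most significant bit first
        d = (d * d) % n             # square for every bit
        if bit == "1":
            d = (d * a) % n         # extra multiply only when b_i = 1
    return d

def extended_euclid(e, phi):
    """Return (gcd(e, phi), e^-1 mod phi), or (gcd, None) if no inverse."""
    x1, x2, x3 = 1, 0, phi
    y1, y2, y3 = 0, 1, e
    while True:
        if y3 == 0:
            return x3, None         # gcd is X3, e has no inverse
        if y3 == 1:
            return 1, y2 % phi      # gcd is 1, Y2 is the inverse
        q = x3 // y3
        t1, t2, t3 = x1 - q * y1, x2 - q * y2, x3 - q * y3
        x1, x2, x3 = y1, y2, y3
        y1, y2, y3 = t1, t2, t3

def toy_keypair(p, q, e):
    """Build (KU, KR) = ((e, n), (d, n)); p and q are assumed prime."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, d = extended_euclid(e, phi)
    if d is None:
        raise ValueError(f"e = {e} shares factor {g} with phi(n) = {phi}")
    return (e, n), (d, n)

def encrypt(m, ku):
    e, n = ku
    return mod_exp(m, e, n)         # C = M^e mod n

def decrypt(c, kr):
    d, n = kr
    return mod_exp(c, d, n)         # M = C^d mod n

if __name__ == "__main__":
    ku, kr = toy_keypair(7, 17, 5)
    c = encrypt(19, ku)             # 19 is a constructed sample message
    print(ku, kr, c, decrypt(c, kr))
```

Rejecting an e that shares a factor with φ(n) is the "otherwise do again" branch of the slide; a caller would draw a new e and retry.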

19
Attacks on RSA Algorithm
RSA Algorithm
  • Brute force (Key space search)
  • Try all possible private keys
  • Use large keys
  • Attacks on mathematical foundation
  • Several approaches, all equivalent to factoring
  • Timing attacks
  • Based on the running time of the decryption
    algorithm

20
Mathematical Attacks on RSA
RSA Algorithm
  • Factor n into p and q
  • Allows calculation of $\phi(n)$, which allows
    determination of $d = e^{-1} \pmod{\phi(n)}$
  • Determine $\phi(n)$ directly from n
  • Equivalent to factoring
  • Determine $d = e^{-1} \pmod{\phi(n)}$ directly
  • Seems to be as hard as factoring

21
Factoring
RSA Algorithm
  • For a large n with large prime factors, factoring
    is a hard problem
  • RSA factoring challenge
  • Sponsored by RSA Labs.
  • To encourage research into computational number
    theory and the practical difficulty of factoring
    large integers
  • A cash prize is awarded to the first person to
    factor each challenge number

Progress in Factorization
22
RSA Factoring Challenge
RSA Algorithm
  • Latest result is RSA 155 (512 bits)
  • Reported Aug 22, 1999
  • Factored with General Number Field Sieve
  • 35.7 CPU-years in total on
  • 160 175-400 MHz SGI and Sun workstations
  • 8 250 MHz SGI Origin 2000 processors
  • 120 300-450 MHz Pentium II PCs
  • 4 500 MHz Digital/Compaq boxes
  • This CPU-effort is estimated to be equivalent to
    approximately 8000 MIPS years; calendar time for
    the sieving was 3.7 months.

23
RSA Factoring Challenge Numbers
RSA Algorithm
Numbers are designated RSA-XXXX, where XXXX is
the number's length in bits

Challenge Number         Prize (US$)   Status
RSA-576 (174 Digits)     10,000        Not Factored
RSA-640 (193 Digits)     20,000        Not Factored
RSA-704 (212 Digits)     30,000        Not Factored
RSA-768 (232 Digits)     50,000        Not Factored
RSA-896 (270 Digits)     75,000        Not Factored
RSA-1024 (309 Digits)    100,000       Not Factored
RSA-1536 (463 Digits)    150,000       Not Factored
RSA-2048 (617 Digits)    200,000       Not Factored

RSA-576, Decimal Digits: 174
18819881292060796383869723946165043
980716356337941 738270076335642298885971523466548
53190606065047430 4531738801130339671619969232120
5734031879550656996 221305168759307650257059
24
Constraints on p and q
RSA Algorithm
  • Suggested constraints on p and q (by RSA
    inventors and researchers)
  • Length of p and q should differ by only a few
    digits
  • Both p-1 and q-1 should contain a large prime
    factor
  • gcd(p-1, q-1) should be small
  • $d > n^{1/4}$

25
Timing Attacks
RSA Algorithm
  • Big integer multiplication takes a long time
  • Assume that the target system uses the following
    modular exponentiation algorithm for decryption
  • By observing the time taken for modular
    multiplication, it is possible to infer bits in b
  • If b_i is set, d ← (d × a) mod n will be executed
    (will be much slower than the case of b_i = 0)
  • By varying values of a (ciphertext), and
    observing the execution (decryption) times
    carefully, values of b_k b_{k-1} ... b_0 (private key)
    can be inferred
  • Modular-Exponentiation(a, b, n)   /* Compute a^b mod n */
      d ← 1       /* let b_k b_{k-1} ... b_0 be the binary
                     representation of b */
      for i ← k downto 0
          do d ← (d × d) mod n
             if b_i = 1
                 then d ← (d × a) mod n
      return d

26
Timing Attack Countermeasures
RSA Algorithm
  • Constant exponentiation time
  • Ensure that all exponentiations take the same
    amount of time
  • Simple fix, but degrades the performance
  • Random delay
  • Add a random delay to the exponentiation
    algorithm to confuse the timing attack
  • Blinding
  • Multiply the ciphertext by a random number before
    performing the exponentiation
  • RSA Data Security's blinding method
  • Generate a secret random r, $0 < r < n-1$
  • Compute $C' = C r^e \bmod n$, where e is the public
    exponent
  • Compute $M' = (C')^d \bmod n$ with the ordinary RSA
  • Compute $M = M' r^{-1} \bmod n = (C r^e)^d r^{-1} \bmod n
    = C^d r^{ed} r^{-1} \bmod n = C^d \bmod n$
    (since $r^{ed} \bmod n = r \bmod n$)
  • 2 to 10% performance penalty
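
Added example (not part of the original slides): the blinding steps above in Python, next to a count of the modular multiplications the unprotected square-and-multiply loop performs for a given exponent. Function names, the optional trace argument and the use of the toy key (n = 119, e = 5, d = 77) are assumptions made for illustration.

```python
import math
import secrets

def modmul_count(b):
    """Multiplications done by the slide's loop: one square per bit of b,
    plus one multiply per 1 bit. This is the key-dependent quantity
    that the running time exposes."""
    return b.bit_length() + bin(b).count("1")

def blinded_decrypt(c, d, e, n, trace=None):
    """RSA decryption with blinding, following the slide's steps."""
    while True:
        r = 2 + secrets.randbelow(n - 3)     # secret random r, 1 < r < n - 1
        if math.gcd(r, n) == 1:              # r must be invertible mod n
            break                            # (matters only for toy moduli)
    c_blind = (c * pow(r, e, n)) % n         # C' = C * r^e mod n
    if trace is not None:
        trace.append(c_blind)                # what the exponentiation sees
    m_blind = pow(c_blind, d, n)             # M' = (C')^d mod n = M * r mod n
    return (m_blind * pow(r, -1, n)) % n     # M  = M' * r^-1 mod n

if __name__ == "__main__":
    n, e, d = 119, 5, 77                     # toy key from the RSA example
    seen = []
    results = {blinded_decrypt(66, d, e, n, seen) for _ in range(10)}
    print("plaintext(s):", results)          # always the same plaintext
    print("values actually exponentiated:", seen)
    print("multiplications for d = 77:", modmul_count(77))
```

The same ciphertext is exponentiated as a different value on every call, so an observer who chooses the ciphertext no longer controls the input to the key-dependent loop.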

27
Public Key Distribution
Key Management
  • Public announcement
  • Public available directory
  • Public key authority
  • Public key certificates

28
Public Announcement of Public Keys
Key Management
  • Attach to email
  • Publish on web page,
  • Convenient, but has obvious weakness (forgery)

29
Public Key Directory
Key Management
  • Trusted entity maintains a public directory
  • {Name, public key}
  • Individuals register with the authority
  • In person or using authenticated communication
  • Must allow replacement
  • To update compromised or lost keys
  • Trusted entity publishes the directory
  • Phone book, newspaper ads, etc
  • Via (authenticated) network communication

30
Public Key Directory Weaknesses
Key Management
  • More secure than individual announcements
  • Vulnerable to compromise of trusted entity
  • Network communication
  • Database contents

31
Public Key Authority
Key Management
  • Trusted entity maintains a public directory
  • {Name, public key}
  • Trusted entity distributes its own public key
  • Alice requests Bob's public key
  • Include nonce to prevent replay
  • Authority response is encrypted under private key
  • i.e., digitally signed
  • Response contains Bob's public key, Alice's
    original request and nonce
  • Alice requests communication with Bob
  • Encrypted under Bob's public key
  • Request contains Alice's identity and a nonce
  • Bob retrieves Alice's public key from the
    authority

32
Public Key Authority
Key Management
33
Public Key Authority
Key Management
  • Alice and Bob mutually authenticate and assure
    freshness
  • Bob responds to Alice
  • Encrypted under Alice's public key
  • Contains Alice's nonce and a new nonce
  • Alice returns Bob's nonce
  • Encrypted under Bob's public key
  • Seven messages in total
  • First four can be avoided in the future if the
    responses are cached, but that comes with some
    risk, so the cache should be periodically updated
  • Public key authority could be a performance
    bottleneck
  • Subject to tampering, as above

34
Public Key Certificates
Key Management
  • Goal is to provide a mechanism as secure and
    reliable as the public key authority without
    requiring direct contact
  • Public key certificate
  • Each user possesses her own
  • Used to convey public key
  • Distributed on request (or any means)
  • Public key certificate requirement
  • Anyone can read a certificate and determine the
    name and public key of the owner
  • Anyone can verify that the certificate originated
    from the public key certification authority
  • Only the public key certification authority can
    issue or update certificates
  • Anyone can tell whether a certificate is current

35
Public Key Certificates
Key Management
  • Each principal applies to the CA with her public
    key and a request for a certificate
  • Application must be in person or authenticated
  • Certificate contents
  • Identity of principal
  • Public key of principal
  • Timestamp (expiration date)
  • Certificate is signed by CA
  • Verifying a certificate
  • Check the CA signature
  • Using certificates
  • Alice and Bob exchange certificates
  • Alice and Bob validate the certificates they
    receive

36
Public Key Certificates
Key Management
37
Public-Key Distribution of Secret Key
Key Management
  • Because of its huge computational cost,
    Public-Key cryptosystem usage tends to be
    restricted
  • Digital signatures
  • Secret key distribution

38
Secret Key Distribution (Merkle's Algorithm)
Key Management
  • Alice creates a public/private key pair, sends
    her public key to Bob
  • Bob creates a secret key, sends it to Alice
    encrypted in her public key
  • Simple but vulnerable to MITM (Man-in-the-Middle)
    active attack

39
Secret Key Distribution (Needham-Schroeder's)
Key Management
  • Provides a protection against both active and
    passive attacks
  • Assume Alice and Bob have exchanged public keys
    (by any scheme described earlier)
  • Alice encrypts and sends a nonce to Bob
  • Bob encrypts and sends Alice's nonce and his own
    nonce
  • Alice encrypts and sends Bob's nonce back to Bob
  • Alice selects, signs, encrypts and sends a secret
    key to Bob

40
Secret Key Distribution (Needham-Schroeder's)
Key Management
41
Diffie-Hellman Key Exchange
  • Relies on difficulty of computing discrete
    logarithm

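$K = (Y_B)^{X_A} \bmod q = (\alpha^{X_B} \bmod q)^{X_A} \bmod q
   = (\alpha^{X_B})^{X_A} \bmod q = \alpha^{X_B X_A} \bmod q
   = (\alpha^{X_A})^{X_B} \bmod q = (\alpha^{X_A} \bmod q)^{X_B} \bmod q
   = (Y_A)^{X_B} \bmod q$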
42
Diffie-Hellman Key Exchange
EXAMPLE: $q = 97$, primitive root of q, in this
case, $\alpha = 5$
A and B select secret keys $X_A = 36$ and $X_B = 58$
Each computes public key:
$Y_A = 5^{36} = 50 \bmod 97$, $Y_B = 5^{58} = 44 \bmod 97$
After exchanging public keys, each computes the common secret key:
$K = (Y_B)^{X_A} \bmod 97 = 44^{36} = 75 \bmod 97$
$K = (Y_A)^{X_B} \bmod 97 = 50^{58} = 75 \bmod 97$
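
Added example (not part of the original slides): both sides of the exchange above in Python, with a check that α really is a primitive root of q. The function names and the range check on the peer's public value are assumptions added here; the slide does not mention that check.

```python
def prime_factors(n):
    """Distinct prime factors by trial division (fine for toy sizes)."""
    factors, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            factors.add(f)
            n //= f
        f += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive_root(alpha, q):
    """alpha generates Z_q^* iff alpha^((q-1)/f) != 1 for each prime f | q-1."""
    return all(pow(alpha, (q - 1) // f, q) != 1 for f in prime_factors(q - 1))

def public_key(alpha, x, q):
    return pow(alpha, x, q)                   # Y = alpha^X mod q

def shared_secret(y_peer, x_own, q):
    """K = Y_peer^X_own mod q, rejecting degenerate peer values."""
    if not 1 < y_peer < q - 1:                # 0, 1 and q-1 force a trivial K
        raise ValueError("peer public key out of range")
    return pow(y_peer, x_own, q)

def exchange(alpha, q, xa, xb):
    """Run both sides and return (Y_A, Y_B, K seen by A, K seen by B)."""
    if not is_primitive_root(alpha, q):
        raise ValueError("alpha is not a primitive root of q")
    ya, yb = public_key(alpha, xa, q), public_key(alpha, xb, q)
    return ya, yb, shared_secret(yb, xa, q), shared_secret(ya, xb, q)

if __name__ == "__main__":
    # values from the slide: q = 97, alpha = 5, X_A = 36, X_B = 58
    print(exchange(5, 97, 36, 58))
```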
43
Chapter 6 HW
  • Prob. 6.2
  • Prob. 6.3
  • Prob. 6.4
  • Prob. 6.7
  • Prob. 6.14