Public Key Cryptography

1
Lecture 9

• Public Key Cryptography
• Public Key Algorithms
• CIS 4362 - CIS 5357
• Network Security

2
Eulers Totient function ?(n) - again

• ?(n) is the number of positive integers less than
  n and relatively prime to n.
• Let p be a prime. Then ?(p) p 1
• Let n pq for p and q prime. Then ?(n) ?(pq)
  ?(p)?(q)
• Proof outline look at numbers relatively prime
  to pq. Must take all the numbers less than pq
  but eliminate multiples of p and multiples of q.
• (pq 1)(q 1)(p 1) (p 1)(q 1)
• Example let n 15,
• Then ?(15) ?(5) ?(3) 8 Z15
  1,2,4,7,8,11,13,14

3
Eulers Theorem - extension

• Eulers theorem for every a and n that are
  relatively prime, a?(n) 1 mod n
• Corollary for every a and n that are relatively
  prime, ak?(n)1 a mod n
• For n a product of two primes p and q, then for
  all a and k non-negative, ak?(n)1 a mod n
  Proof outline consider case where a is a
  multiple of p, a cp. Then gcd(a,q) 1.

4
Discrete Logarithms

• Let y gx mod p
• x is said to be the (discrete) logarithm of y,
  with base g.
• It is easy to compute y, given g,x, and p.
• It is hard to find x, given g,p, and y.
• It is believed to be as hard as factoring large
  primes.

5
xy 0 1 2 3 4 5 6 7 8 9 10 11 12
0 0 0 0 0 0 0 0 0 0 0 0 0
1 1 1 1 1 1 1 1 1 1 1 1 1 1
2 1 2 4 8 6 2 4 8 6 2 4 8 6
3 1 3 9 7 1 3 9 7 1 3 9 7 1
4 1 4 6 4 6 4 6 4 6 4 6 4 6
5 1 5 5 5 5 5 5 5 5 5 5 5 5
6 1 6 6 6 6 6 6 6 6 6 6 6 6
7 1 7 9 3 1 7 9 3 1 7 9 3 1
8 1 8 4 2 6 8 4 2 6 8 4 2 6
9 1 9 1 9 1 9 1 9 1 9 1 9 1
Table for exponentiation mod 10
6
Looking at the mod 10 table

• Note that ?(10) 4. Also, 10 is the product of
  distinct primes so Eulers theorem applies (for
  any x)
• that is x1 k?(n) x mod n where n 10, for
  all x
• thus ?(10) 4 means that every 4th column will
  be the same (except starting at x0)
• Note however that although exponentiating by 1,
  3, and 4, are a permutation of the set 1-9,
  exponentiating by 2 does not result in a
  permutation.
• this is because 2 is not a coprime of 4 ?(10)
• for all coprimes of 4, for example e 3 we can
  find a d such that ed 1 mod 4.
• Thus, using mod 10 arithmetic, xed x1 ?(10)
  x and thus x3 has an exponentiative inverse in
  the sense that for all x, (x3)d x, for some d.

7
RSA

• Rivest, Shamir, Adleman, 1978, MIT
• Variable key size, common to use 1024 bits
• Generating RSA keys is based on finding
  multiplicative inverses of large numbers
  (modulo), which is not hard
• Generating RSA ciphertext is based on modulo
  exponentiation, which is not hard
• RSA's strength is based on difficulty of
  factoring large numbers and computing discrete
  logarithms, which is believed to be hard.
• There may be other trap doors in RSA, but none
  have been found yet.

8
The RSA AlgorithmChoosing public and private keys

• Let k be the key length then choose two large
  prime numbers p and q of bit lengths k/2, for
  example 512 bits each. Let n pq.
• Choose e lt n with e relatively prime to ?(n).
  The public key is lte,ngt
• Find multiplicative inverse d of e mod ?(n). The
  private key is ltd,ngt

9
RSA operationsencryption / decryption

• Encryption for a message m lt n, c me mod n
  (c is the ciphertext)
• Decryption given the ciphertext c,compute cd
  mod n
• Note that cd mod n med mod n m since d was
  chosen so that ed 1 k ?(n) and we are simply
  using Eulers (extension) theorem

10
RSA operationssignature / verification

• Signature for a message m lt n, s md mod n
  (s is the signature)
• Signature verification given the signature
  s,compute se mod n
• Note that se mod n med mod n m. Also anyone
  can verify the signature using the public key.

11
RSA Example

1. Select two large primes, 2357 and 2551.

1. Multiply them to get n 6012707
2. Select e 3674911, relatively prime to ?(n)
   600780

1. d 422191 is the multiplicative inverse of e mod
   ?(n)

• Encrypt m 5234673 lt n as
• c me mod n
• 52346733674911 mod 6012707
• 3650502

• Decrypt c as, m cd mod n
• 3650502 422191 mod 6012707
• 5234673

12
Back to one way functionsan example of
encryption / decryption

• Let n be a large number
• Let the plaintext be viewed as M lt n
• To get the ciphertext, we do the following
• C Me mod n
• Example
• Let (e,n) be (7, 187) and M be 88
• Then C 887 mod 187 11
• (d,n)(23,187)and 187 17 ? 11
• Then M 1123 mod 187 88

13
An Attack on RSA

• An intruder, X intercepts a message (m) intended
  for Alice encrypted under Alice's public key(e)
  
• (m)e mod n
• The intruder generates a value x, computes
• xeme mod n (xm)e mod n
• and sends it to Alice
• Alice decrypts the message to attain the value
• xm mod n, which appears to be garbage
• If Alice disposes of the "garbage" carelessly,
  the intruder can recover it and compute
• (xmx-1) mod n m

14
Some aspects of RSA

• It's strength is based on the difficulty of
  factoring large numbers and the difficulty of
  computing discrete logarithms
• It is much more computationally intensive than
  DES, IDEA, AES, etc.
• It has avoidable weaknesses
• If there are a limited number of plaintext
  messages used in practice, can compute all the
  corresponding ciphertext messages and compare
• Encrypting small messages (say the value of e
  used is 3. Then can recover using cube root
• Smooth number threat product of small primes
• Need to pad properly

15
Diffie Hellman

• Oldest public key system in use
• Allows Alice and Bob to agree on a shared key
  even though all messages are exchanged in the
  open
• Limited functionality the shared secret can
  subsequently be used for encrypting / decrypting
  using other systems
• Weakness no authentication as a basic element
  of DH

16
Diffie Hellman Key Exchange

• Choose a large prime p and g lt p. These are
  publicly known to all. (some restrictions on g
  and p for additional security)
• Alice and Bob randomly choose a and b
  respectively - these are their individual
  private keys.
• Alice computes TA ga mod p, Bob computes
  TB gb mod p
• Alice and Bob exchange the values TA and TB
• Alice computes TBa mod p and Bob computes TAb mod
  p
• They have both computed the same number, the
  shared secret key

17
Intro to El Gamal

1. Alice and Bob agree on a large (512 bits) prime
   p and a generator g lt p with some restrictions on
   g. (Operations are all mod p)
2. Alice chooses a random number a (her private
   key) and computes and publishes her public key
   TA ga
3. To transmit a message M, Bob selects a random
   number r (private), and computes and sends to
   Alice C (gr,Mgar)
4. Alice computes gar , then g-ar, and finally
   M M(gar)(g-ar)

18
El Gamal Example
ga mod p 3 gr mod p 3 gar mod p
9 Mgar mod p 10 g-ar mod p 5
g 5 p 11 a 2 r 7 M 6
Mgar g-ar mod p 6