public key encryption

CS 330 Public Key Crypto 1 Cryptography & Computer Security Public-Key CryptoSystems

Upload: jfdooley3106

Post on 22-Jul-2016


DESCRIPTION

Lecture on public key encryption, including description of RSA encryption.

TRANSCRIPT

Page 1: Public Key Encryption

CS 330 Public Key Crypto 1

Cryptography & Computer Security

Public-Key CryptoSystems

Page 2: Public Key Encryption


Public Key Cryptography

Every Egyptian received two names, which were known respectively as the true name and the good name, or the great name and the little name; and while the good or little name was made public, the true or great name appears to have been carefully concealed.

—The Golden Bough, Sir James George Frazer

Page 3: Public Key Encryption

Private-Key Cryptography

• traditional private-key cryptography uses one key
  – shared by both sender and receiver
  – it’s symmetric
  – if this key is disclosed, communications are compromised

• hence it does not protect…
  – Alice from Bob forging a message & claiming it was sent by Alice
  – Alice or Bob from Eve discovering (or stealing) the key and forging messages or reading their messages

• the main problem with symmetric key cryptography is key distribution and management

Page 4: Public Key Encryption

Why Public-Key Cryptography?

• key distribution –

• digital signatures – how to verify a message comes intact from the claimed sender

• the public invention of public-key crypto is due to Whitfield Diffie & Martin Hellman at Stanford in 1976
  – NSA claims to have invented it in the mid-60s (no verification of this - it is still classified)
  – James Ellis of CESG created a similar method around 1970 but his work wasn’t declassified till 1987. ( http://jya.com/ellisdoc.htm )

Page 5: Public Key Encryption

Public-Key Cryptography

• public-key cryptography involves the use of two keys:
  – a public-key, which may be known by anybody, and is used to encrypt messages, and verify signatures
  – a private-key, known only to the recipient, is used to decrypt messages, and sign (create) signatures

• is asymmetric because
  – those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Page 6: Public Key Encryption


Public-Key Cryptography

there can also be a phone book of public keys

Page 7: Public Key Encryption


Public-Key Applications

• can classify uses into 3 categories:

– encryption/decryption (provide secrecy)

– digital signatures (provide authentication)

– key exchange (of session keys)

• some algorithms are suitable for all uses, others are specific to one

Page 8: Public Key Encryption


Public-key digital signatures

Page 9: Public Key Encryption


Public-Key Cryptography

• differs from classical symmetric crypto because it uses mathematical functions rather than substitution and permutation to implement the encipherment & decipherment.

• it solves the key distribution problem by not distributing the private keys

Page 10: Public Key Encryption

Public-key Algorithm Requirements

1. It must be computationally easy for Bob to generate a pair of keys $K_{BobPub}$ and $K_{BobPri}$

2. It must be computationally easy for Alice, knowing $K_{BobPub}$ and the message M, to generate a cryptogram C

$C = E(M, K_{BobPub})$

3. It must be computationally easy for Bob, using $K_{BobPri}$, to decrypt C

$M = D(C, K_{BobPri})$

Page 11: Public Key Encryption

More Public-key requirements

4. It must be computationally infeasible for Eve to recover $K_{BobPri}$ just by knowing $K_{BobPub}$

5. It must be computationally infeasible for Eve to recover M, knowing $K_{BobPub}$ and C.

6. The encryption and decryption functions must be able to be applied in either order.

Page 12: Public Key Encryption

Public-Key Caveats

• Public-key systems are no more secure than their symmetric key counterparts
  – the difficulty in cryptanalysis rests solely on the length of the key and the amount of work required to break the system with a particular key

• Public-key systems will not replace symmetric key systems
  – they complement rather than replace symmetric key crypto

• because it turns out there are (so far) no good methods of implementing public-key crypto that are nearly as fast as symmetric block or stream ciphers

Page 13: Public Key Encryption

Public-Key System Implementation

• The requirements on the previous slides dictate that the function used to do encryption and decryption needs to be
  – easy to compute in one direction
  – very hard to compute in the inverse direction unless the public or private key is known
  – this is known as a trap-door one-way function

• So any public-key system must depend on a practical and suitable trap-door one-way function
  – it turns out these are pretty hard to find!

Page 14: Public Key Encryption

Security of Public Key Schemes

• like private key schemes, brute force exhaustive search attack is always theoretically possible

• but the keys used are typically too large (> 512 bits)
  – but be careful, you actually need a much larger public-private key pair to get the same amount of security as a symmetric key

• security relies on a large enough difference in difficulty between the easy (en/decrypt) and hard (cryptanalyze) problems

Page 15: Public Key Encryption


more PK security

• In general the hard problem is known, it’s just made too hard to do in practice

– this is like Kerckhoffs's principle - requiring that the cryptosystem itself be known and holding all the security in the key

– the difference here is that the public-key algorithms are well-known number theory problems whose security is easier to analyze than most symmetric systems

• so it’s somewhat easier to prove just how secure the public-key system is.

Page 16: Public Key Encryption


yet more PK security

• typically requires the use of very large numbers

– which requires multiple-precision arithmetic on computers

– and algorithms that take many iterations of a loop to complete

– so…it is slow compared to symmetric key schemes

– Now on to how to do public-key crypto....

Page 17: Public Key Encryption

Introduction to Number Theory

The Devil said to Daniel Webster: "Set me a task I can't carry out, and I'll give you anything in the world you ask for."

Daniel Webster: "Fair enough. Prove that for n greater than 2, the equation $a^n + b^n = c^n$ has no non-trivial solution in the integers."*

They agreed on a three-day period for the labor, and the Devil disappeared.

At the end of three days, the Devil presented himself, haggard, jumpy, biting his lip. Daniel Webster said to him, "Well, how did you do at my task? Did you prove the theorem?"

"Eh? No . . . no, I haven't proved it."

"Then I can have whatever I ask for? Money? The Presidency?"

"What? Oh, that—of course. But listen! If we could just prove the following two lemmas—"

—The Mathematical Magpie, Clifton Fadiman (*proved by Sir Andrew Wiles from Princeton in 1994)

Page 18: Public Key Encryption

Prime Numbers and Prime Factorization

• to factor a number n is to write it as a product of other numbers: n = a * b * c

• note that factoring a number is relatively hard compared to multiplying the factors together to generate the number

• the prime factorization of a number n is when it is written as a product of primes
  – e.g. $91 = 7 \cdot 13$; $3600 = 2^4 \cdot 3^2 \cdot 5^2$

Page 19: Public Key Encryption

It’s fundamental, really

• The fundamental theorem of arithmetic (also known as the unique factorization theorem) says
  – any integer n can be written as the unique product of a finite number of prime numbers.

• so 12 = 2 * 2 * 3, 123 = 41 * 3, etc.

Page 20: Public Key Encryption

Fermat's Little Theorem

• if p is prime and gcd(a,p)=1, then

$$a^{p-1} \equiv 1 \pmod p$$

• nice little proof in Appendix B (online) of Stallings

• This theorem can also be expressed as: if p is prime and a is any positive integer, then

$$a^p \equiv a \pmod p$$

  – note that this version doesn’t require gcd(a, p) = 1

Page 21: Public Key Encryption

Euler’s Totient Function

• when doing arithmetic modulo n
  – a complete set of residues is: 0..n-1

• a reduced set of residues are those numbers (residues) which are relatively prime to n
  – e.g. for n = 10,
  – complete set of residues is {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}
  – reduced set of residues is {1, 3, 7, 9}

• the number of elements in the reduced set of residues is called the Euler Totient Function φ(n)
  – it is the number of numbers that are relatively prime to and less than n

Page 22: Public Key Encryption

Euler’s Totient Function φ(n) - again

• to compute φ(n) we need to count the number of elements to be excluded

• so for composite numbers we need to factor them…

• in general we need the prime factorization, but
  – for p (p prime) we get φ(p) = p-1
  – for n = p*q (p, q prime) and p != q, we get φ(n) = φ(p) * φ(q) = (p-1) * (q-1)

• e.g. φ(37) = 36; φ(21) = φ(3)*φ(7) = (3–1)*(7–1) = 2*6 = 12

Page 23: Public Key Encryption

General Definition of Euler’s Totient

1. φ(1) = 1 (by definition)

2. φ(p) = p-1 when p is prime

3. φ(n) = φ(pq) = (p-1)*(q-1) when n = pq and p, q are prime and p != q

4. $\varphi(p^k) = (p-1)p^{k-1} = p^k (1 - 1/p)$ when p is prime and thus $p^k$ is a power of a prime.

5. In general, then, for $n = p_1^{k_1} \cdots p_r^{k_r}$ when the $p_i$ are distinct, we get

$$\varphi(n) = (p_1 - 1)p_1^{k_1 - 1} \cdots (p_r - 1)p_r^{k_r - 1}$$

which looks like a generalization of #4 and which can also be written as

$$\varphi(n) = n \prod_{p \mid n} \left(1 - \frac{1}{p}\right)$$

φ(n) is always even for n >= 3.

Page 24: Public Key Encryption


Page 25: Public Key Encryption

Euler's Theorem

• a generalization of Fermat's Little Theorem

• when gcd(a,n)=1 (a and n are relatively prime)

$$a^{\varphi(n)} \equiv 1 \pmod n$$

• e.g.
  – a=3; n=10; φ(10)=4; hence $3^4 = 81 \equiv 1 \pmod{10}$
  – a=2; n=11; φ(11)=10; hence $2^{10} = 1024 \equiv 1 \pmod{11}$

or like Fermat…

$$a^{\varphi(n)+1} \equiv a \pmod n$$

Page 26: Public Key Encryption

RSA

• by Rivest, Shamir & Adleman of MIT in 1977

• best known & widely used public-key scheme

• based on exponentiation in a finite (Galois) field over integers modulo a prime
  – Note that exponentiation takes $O((\log n)^3)$ operations
  – this is relatively easy

• uses large integers (e.g. 1024 bits)

• security due to cost of factoring large numbers
  – this is very hard.

Page 27: Public Key Encryption

RSA Description

• Let n = pq, where p & q are prime. Let $P = C = Z_n$

• define K = {(n, p, q, d, e): n = p*q, p, q prime, and d*e = 1 mod φ(n)}, meaning that $d = e^{-1} \pmod{\varphi(n)}$

• Then define
  – $\mathrm{cipher} = e_K(\mathrm{plain}) = \mathrm{plain}^e \bmod n$, and
  – $\mathrm{plain} = d_K(\mathrm{cipher}) = \mathrm{cipher}^d \bmod n$
  – with plain and cipher in $Z_n$.
  – The values n and e are the public key, [n, e], and
  – n and d are the private key, [n, d], which is kept secret.
  – p and q are also kept secret.

Page 28: Public Key Encryption

RSA Key Setup

• each user generates a public/private key pair by:

• selecting two large primes at random - p, q

• computing their system modulus n = pq and φ(n) = (p-1)*(q-1)

• selecting at random the encryption key e where 1 < e < φ(n), gcd(e, φ(n)) = 1

• solving the following equation to find the decryption key d: e * d = 1 mod φ(n) and 0 ≤ d ≤ n
  – so d is the inverse of e mod φ(n)

Page 29: Public Key Encryption


RSA Key Setup

• publish their public encryption key: KU = {e, n}

• keep secret private decryption key: KR = {d, n} (and n = pq)

• key setup is done rarely - only when you need to create a key pair.

Page 30: Public Key Encryption

RSA Use

• to encrypt a message M the sender:
  – obtains public key of recipient KU = {e,n}
  – computes: $C = M^e \bmod n$, where 0 ≤ M < n

• to decrypt the ciphertext C the owner:
  – uses their private key KR = {d,n}
  – computes: $M = C^d \bmod n$

• note that the message M (a block of text or bits) must be smaller than the modulus n
  – both are elements of the set $Z_n$

Page 31: Public Key Encryption

Select p, q: p and q both prime, p ≠ q

Calculate n = p * q

Calculate φ(n) = (p-1)(q-1)

Select e: gcd(φ(n), e) = 1; 1 < e < φ(n)

Calculate d: $d = e^{-1} \bmod \varphi(n)$

Public key is KU = {e, n}

Private key is KR = {d, n}

To encrypt: plaintext M < n; ciphertext $C = M^e \bmod n$

To decrypt: ciphertext C; plaintext $M = C^d \bmod n$

Page 32: Public Key Encryption

RSA Example - Key Generation

1. Select primes: p=17 & q=11

2. Compute n = pq = 17*11 = 187

3. Compute φ(n) = (p–1)(q-1) = 16*10 = 160

4. Select e such that gcd(e,160) = 1; choose e=7

5. Determine d: de = 1 mod 160 and d < 160. Value is d=23 since 23*7 = 161 = 1*160+1

6. Publish public key KU = {7,187}

7. Keep secret private key KR = {23,187}

Page 33: Public Key Encryption

So let's encrypt…

• sample RSA encryption/decryption is:

• given message M = 88 (Note that 88 < 187)

• encryption: $C = 88^7 \bmod 187 = 11$ (but remember $88^7 = 88^1 \cdot 88^2 \cdot 88^4$)

• decryption: $M = 11^{23} \bmod 187 = 88$ (and $11^{23} = 11^8 \cdot 11^8 \cdot 11^4 \cdot 11^2 \cdot 11^1$)

Page 34: Public Key Encryption

RSA Computational Notes

• users of RSA must:
  – determine two primes at random - p, q
  – select either e or d and compute the other

• primes p, q must not be easily derived from modulus n = p * q
  – means that p & q must be sufficiently large
  – typically guess and use a probabilistic test to find the primes (Solovay-Strassen or Miller-Rabin)

• To encrypt & decrypt one must use modular exponentiation & the Chinese Remainder Theorem because e, d, & n are potentially very large.

Page 35: Public Key Encryption

Chinese Remainder Theorem

• Suppose we have a set of numbers $\{m_1, m_2, \ldots, m_r\}$ that are pairwise relatively prime and positive
  – i.e. $\gcd(m_i, m_j) = 1$ for i ≠ j, and $m_i > 0$ for all i
  – and let $M = m_1 \cdot m_2 \cdots m_r$
  – and suppose we have $A = \{a_1, a_2, \ldots, a_r\}$ integers where $A \in Z_M$
  – then (1) the system of r congruences
    • $x \equiv a_i \pmod{m_i}$ (1 ≤ i ≤ r)
  – has a unique integer solution modulo M.

Page 36: Public Key Encryption

And this is useful, how?

• Well, it turns out that you can compute X as

$$X = (a_1 M_1 y_1 + a_2 M_2 y_2 + \cdots + a_r M_r y_r) \bmod M$$

• which is equivalent to

$$X = \sum_{i=1}^{r} a_i M_i y_i \pmod M$$

Page 37: Public Key Encryption

What the heck does that mean???

• It means you can take a very large number

• break it up into its prime factors

• do an arithmetic computation modulo its prime factors

• and then combine those answers and get an answer to the entire computation modulo the very large number.

• We’ll need this for some of the Public Key algorithms!

• it means you can do arithmetic on very large numbers using smaller numbers (say ones that will fit in the word size of your computer) efficiently!

• finally, it means one can find X by solving $x \equiv a_i \bmod m_i$ for all 1 ≤ i ≤ r rather than trying to solve for A mod M

Page 38: Public Key Encryption


Oh, that Chinese Remainder Theorem

• one can implement the CRT in several ways

• See Stinson, pgs 119 - 122 for an alternate description.

• See also Knuth, volume 2 (Seminumerical Algorithms), 249-256.
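The key setup, encryption, decryption and CRT slides above can be followed end to end in a short program. This is an added example, not code from the lecture: it uses the slides' toy key (p=17, q=11, e=7), the function names are this example's own, and it takes $M_i = M / m_i$ and $y_i = M_i^{-1} \bmod m_i$ in the CRT sum.

```python
# Added illustration: textbook (unpadded) RSA on the slides' toy key.
# All function names are this example's own, not part of the lecture.
from math import gcd

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(a, m):
    """Inverse of a modulo m; exists only when gcd(a, m) == 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return x % m

def modexp(base, exp, mod):
    """Square-and-multiply: about log2(exp) squarings, not exp multiplications."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result

def keygen(p, q, e):
    """Return (KU, KR) = ((e, n), (d, n)) with d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if p == q or not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need p != q, 1 < e < phi(n), gcd(e, phi(n)) = 1")
    return (e, n), (modinv(e, phi), n)

def encrypt(m, ku):
    e, n = ku
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    return modexp(m, e, n)

def decrypt(c, kr):
    d, n = kr
    return modexp(c, d, n)

def crt(residues, moduli):
    """X = sum(a_i * M_i * y_i) mod M, M_i = M / m_i, y_i = M_i^-1 mod m_i."""
    M = 1
    for m_i in moduli:
        M *= m_i
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        x += a_i * M_i * modinv(M_i, m_i)
    return x % M

def decrypt_crt(c, d, p, q):
    """Two small exponentiations mod p and mod q, recombined with the CRT."""
    m_p = modexp(c, d % (p - 1), p)  # Fermat: exponent reduces mod p-1
    m_q = modexp(c, d % (q - 1), q)
    return crt([m_p, m_q], [p, q])

if __name__ == "__main__":
    ku, kr = keygen(17, 11, 7)
    c = encrypt(88, ku)
    print(ku, kr, c, decrypt(c, kr), decrypt_crt(c, kr[0], 17, 11))
```

The CRT path needs p and q, which is why only the private-key holder can use it.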

Page 39: Public Key Encryption

RSA Security

• three approaches to attacking RSA:

1. brute force key search
   • usually infeasible given size of numbers
   • but some smaller key sizes (up to 512 bits) have been broken

2. mathematical attacks (based on difficulty of computing φ(N), by factoring modulus N)

3. timing attacks (on running of decryption)

Page 40: Public Key Encryption

Factoring Problem

• mathematical approach to breaking RSA takes 3 forms:
  (a) factor N = p.q, hence find φ(N) and then d
  (b) determine φ(N) directly and find d
  (c) find d directly

but.....

Pratt was the first to show that prime factorization lies in the complexity class NP. (oops)

Pratt, V. "Every Prime Has a Succinct Certificate." SIAM J. Comput. 4, 214-220, 1975.

Page 41: Public Key Encryption

Factoring...

• It is currently believed that all three methods above are equivalent to factoring
  – have seen slow improvements over the years
    • as of Aug-99 best is 130 decimal digits (512) bit with GNFS
  – biggest improvement comes from improved algorithm
    • cf “Quadratic Sieve” to “Generalized Number Field Sieve”
  – barring dramatic breakthrough 1024+ bit RSA secure
    • ensure p, q of similar size and matching other constraints

Page 42: Public Key Encryption


Recent progress in factorization

note that a MIPS-year is a million instructions per second running for a year.

Note also that factorization needs the ability to test numbers to see if they are primes...

an effort concluded in 2009 factored a 232-digit number utilizing hundreds of machines over a span of 2 years (see http://eprint.iacr.org/2010/006.pdf )

Page 43: Public Key Encryption

Primality Testing

• we often need to find large prime numbers
  – like to find p and q for RSA
  – or to find test values for factoring large values of N in RSA

• simple algorithm is the sieve of Eratosthenes using trial division
  – i.e. divide by all numbers (primes) in turn less than the square root of the number (well, this is a variation on the sieve)
  – it works for all integers, but it’s only practical for small numbers

Page 44: Public Key Encryption

or…

• alternatively we can use statistical primality tests based on some properties of primes
  – for which all prime numbers satisfy the property
  – but some composite numbers, called pseudo-primes, also satisfy the property (but there are very few of these)
  – the two standard statistical tests are the Solovay-Strassen algorithm and the Miller-Rabin algorithm

• Solovay-Strassen is older and less accurate at determining if a number is prime

• so let's look at Miller-Rabin

Page 45: Public Key Encryption

Miller-Rabin Algorithm

• a test based on Fermat’s Little Theorem

• Decide if n (an odd integer > 2) is prime

TEST (n) is:

1. Find integers k, q, k > 0, q odd, so that $(n-1) = 2^k q$
   • (you can always do this by dividing repeatedly by 2 or, if n is a binary number, by shifting right until the low order bit is a 1)

2. repeat steps 3 - 6 till you’re satisfied or you return

3. Select a random integer a, 1 < a < n–1

4. if $a^q \bmod n = 1$ then return ("probably prime");

5. for j = 0 to k – 1 do if $a^{2^j q} \bmod n = n-1$ then return ("probably prime")

6. return ("composite")

Page 46: Public Key Encryption


Probabilistic Considerations

• if Miller-Rabin returns “composite” the number is definitely not prime

• otherwise it is either a prime or an Euler pseudo-prime

• if we repeat TEST(n) with different random numbers a then the chance n is prime after m tests is:
  – Pr(n prime after m tests) = $1 - 4^{-m}$

– e.g. for m = 10 this probability is > 0.99999

(There is a deterministic algorithm for determining if a large integer is prime - the AKS algorithm, but it’s thought to be not as efficient as Miller-Rabin)
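The TEST(n) procedure and the probabilistic claims above, as an added example that is not part of the lecture. It goes slightly beyond the slides by including a plain Fermat check for contrast and by measuring, for the constructed sample n = 2047 = 23 * 89, how many bases wrongly report "probably prime"; all function names are this example's own.

```python
# Added illustration of TEST(n); names are this example's own.
import random

def decompose(n):
    """Step 1: write n - 1 = 2^k * q with q odd."""
    k, q = 0, n - 1
    while q % 2 == 0:
        k, q = k + 1, q // 2
    return k, q

def mr_round(n, a):
    """Steps 4-6 for one base a: True = 'probably prime', False = composite."""
    k, q = decompose(n)
    x = pow(a, q, n)
    if x == 1 or x == n - 1:          # step 4, and step 5 with j = 0
        return True
    for _ in range(k - 1):            # step 5 with j = 1 .. k-1
        x = x * x % n
        if x == n - 1:
            return True
    return False                      # step 6

def fermat_round(n, a):
    """Plain Fermat check a^(n-1) = 1 mod n, shown for contrast."""
    return pow(a, n - 1, n) == 1

def is_probable_prime(n, rounds=10, rng=random):
    """Steps 2-3: repeat mr_round with random bases 1 < a < n-1."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):    # cheap trial division first
        if n % p == 0:
            return n == p
    return all(mr_round(n, rng.randrange(2, n - 1)) for _ in range(rounds))

def liar_fraction(n):
    """Share of bases 2..n-2 for which an odd composite n passes one round."""
    bases = range(2, n - 1)
    return sum(mr_round(n, a) for a in bases) / len(bases)

def next_probable_prime(start, rng=random):
    """Scan odd candidates upward from start until one passes the test."""
    n = start | 1
    while not is_probable_prime(n, rng=rng):
        n += 2
    return n

if __name__ == "__main__":
    # 561 = 3 * 11 * 17 passes the Fermat check for base 2 but fails TEST(n).
    print(fermat_round(561, 2), mr_round(561, 2))
    # 2047 fools base 2, yet fewer than 1/4 of all bases are fooled.
    print(mr_round(2047, 2), mr_round(2047, 3), liar_fraction(2047))
    print(next_probable_prime(10**12))
```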

Page 47: Public Key Encryption

Prime Distribution

• The prime number theorem states that primes occur roughly every (ln n) integers
  – alternatively you can say that the number of primes less than n is roughly (n / ln n)

• since we can immediately ignore even numbers and multiples of 5, in practice we only need to test 0.4*ln(n) numbers of size n before locating a prime
  – note this is only the “average”; sometimes primes are close together, at other times they are quite far apart

Page 48: Public Key Encryption

Timing Attacks

• developed in mid-1990’s

• exploit timing variations in operations
  – e.g. multiplying by small vs large number
  – or IF statements varying which instructions are executed

• infer operand size based on time taken

• RSA exploits time taken in exponentiation

• countermeasures
  – use constant exponentiation time
  – add random delays
  – blind values used in calculations
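Two of the countermeasures above, sketched on the slides' toy key as an added example that is not part of the lecture. It counts modular multiplications rather than measuring wall-clock time, since Python integers are not constant-time; the Montgomery ladder is this example's choice for "constant exponentiation time", and all function names are its own.

```python
# Added illustration: why exponentiation cost depends on the key, and
# two countermeasures. Operation counts stand in for time measurements.
import secrets
from math import gcd

def sqmul_ops(base, exp, mod):
    """Left-to-right square-and-multiply; returns (result, multiplications)."""
    result, ops = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod
        ops += 1
        if bit == "1":                 # extra multiply only for 1 bits:
            result = result * base % mod   # work depends on the secret
            ops += 1
    return result, ops

def ladder_ops(base, exp, mod, bits):
    """Montgomery ladder over a fixed width: one multiply and one squaring
    per bit, whatever the bit value, so the count is key-independent."""
    r0, r1, ops = 1, base % mod, 0
    for i in reversed(range(bits)):
        if (exp >> i) & 1:
            r0, r1 = r0 * r1 % mod, r1 * r1 % mod
        else:
            r0, r1 = r0 * r0 % mod, r0 * r1 % mod
        ops += 2
    return r0, ops

def decrypt_blinded(c, d, e, n):
    """Blinding: exponentiate c * r^e for a fresh random r, then divide by r,
    so the values in the private-key operation are unknown to the sender."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    blinded = c * pow(r, e, n) % n
    m_blinded, _ = ladder_ops(blinded, d, n, n.bit_length())
    return m_blinded * pow(r, -1, n) % n   # (c * r^e)^d = m * r (mod n)

if __name__ == "__main__":
    # Two 5-bit exponents, same ciphertext: different amounts of work.
    print(sqmul_ops(11, 23, 187), sqmul_ops(11, 16, 187))
    # The ladder does 16 operations for both.
    print(ladder_ops(11, 23, 187, 8), ladder_ops(11, 16, 187, 8))
    print(decrypt_blinded(11, 23, 7, 187))
```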