# Cryptography Public Key Cryptosystems by qza17959

```
Cryptography
Public Key Cryptosystems

Anita Jones
CS451 Information Security

Public key encryption

The two problems to be solved:
Key distribution
Digital signature
Revolutionary new approach
Based on math functions, not simple
operations on bit patterns

September, 2006
Asymmetric (Public
Key) Encryption

Ralph Merkle, Martin Hellman, Whitfield Diffie (1977)

Contributions

Diffie & Hellman showed that encryption
with pairs of keys was possible

Rivest, Shamir & Adleman created a cost-effective
method, and then commercialized it, which made it
readily accessible to users

A revolution of sorts

Diffie & Hellman (1976) sought to solve 2 problems:
better way to distribute keys
provide for a digital document signature
public key encryption is based on mathematical
functions, not on substitution & permutation
asymmetric – two different keys
it does not displace block ciphers (symmetric keys)
Why not? Because it costs too much

Basics

Each user generates a pair of keys
Each user places one key in a publicly
accessible place
Each user keeps the other key secret

EKR(M) = C       EKU(C) = M

Where, M = plaintext (message); C = ciphertext
KR = restricted (private) key KU = unrestricted (public) key

Requirements for Public Key
• Computationally EASY to
    • generate a pair of keys (public KU, private KR)
    • encrypt, given key KU & message M
    • decrypt, given key KR & encrypted message, C
• Computationally INFEASIBLE to
    • determine private key KR, knowing public key KU
    • recover original message (M), given public key KU & ciphertext, C, for message M

First of two uses
Confidentiality
• A wants to send message to B
• A encrypts message with B’s public key
• A sends encrypted message to B
• B decrypts message with its private key

• (and by the way, B’s public key will not “decrypt” the encrypted message)

Second of two uses
Authentication, or digital signature
• A wants to send message to B in a way that B can be assured that A (and no one else) sent it
• A encrypts message with A’s private key (sign!)
• A sends encrypted/signed message to B
• B decrypts message with A’s public key
• B then knows that
    • only A could have sent it
    • data integrity assured, once encrypted (if whole message is encrypted)

How do you distribute the
Public Key?
Digression

message once it is “correctly” decrypted?
If a “bit flipped”, then resulting plaintext is
unintelligible; remember “avalanche” property

Both the cryptanalyst and a legitimate
plaintext

Comparisons – Preview *

                  | Symmetric | Asymmetric
# of Keys         | 1 | 2
Protection of key | Must be kept secret | One secret; One public
Best Uses         | Crypto “workhorse”; secrecy & integrity of data – single characters to blocks of data, messages, files | Key distribution, authentication
Key Distribution  | Must be “out-of-band” | Public key can be used to distribute other keys
Speed             | Fast - based on addition, masks, and shifts | Slow; complex mathematics (e.g. exponentiation); typically 10,000 times slower than symmetric keys
Key Lengths       | 40, 128, 256, 512 | 512, 1024, 2048
Examples          | DES, 3DES, AES, Blowfish, Twofish, IDEA | RSA, El Gamal, Merkle-Hellman, Elliptic Curve

* Primary Source: Security in Computing, Pfleeger & Pfleeger, p. 75

Symmetric vs Asymmetric encryption

One is superior to the other

Public key encryption replaces symmetric
encryption

Public key encryption makes key
distribution trivially easy


plaintext and ciphertext are (considered)
integers between 0 and n-1, some n
public KU = {e, n} and private KR = {d, n}

for plaintext M and ciphertext C
• C = M^e mod n
• M = C^d mod n = (M^e)^d mod n = M^(ed) mod n

Why so prevalent? Because RSA Inc. commercialized it

RSA Important properties
There exists e, d, n such that
M^(ed) = M mod n for all M < n

Easy to calculate M^e and C^d
for all values of M < n

Infeasible to determine d, given e and n

Modulo arithmetic – review
a mod n is the remainder of a divided by n
So, values of a mod n are all between 0 and n-1
24 mod 7 = 3     5 mod 7 = 5
a = b mod n means a mod n = b mod n
i.e. give the same remainder
a=b mod n means a = b + kn (k negative or positive)
a and b are congruent mod n
24 mod 7 = 10 mod 7 = 3, so 24 =10 = 3 mod 7

RSA: computing e, n, and d
select 2 prime numbers p, q (p not = q)
calculate n = p * q (n is the modulus)
calculate ø(n) = (p-1) * (q-1)
select e such that
e is relatively prime to ø(n) and 1 < e < ø(n)
determine d such that
d * e = 1 mod ø(n)

RSA: computing e, n, and d
select prime numbers p = 7, q = 17
calculate n = p * q = 119
calculate ø(n) = (p-1) * (q-1) = 6 * 16 = 96
select e = 5 such that
e is relatively prime to ø(n) and e < ø(n)
determine d = 77 such that
d * e = 1 mod ø(n) and d < ø(n)
5 * 77 = 385 = 4 * 96 + 1

RSA: applying e, n, and d
KU = {5, 119} and KR = {77, 119}
let plaintext M = 19
Encryption C = M^e mod n
C = EKU(19) = 19^5 mod 119 = 2,476,099 mod 119
            = 66
Decryption M = C^d mod n
M = DKR(66) = 66^77 mod 119
            = <big number> mod 119
            = 19 mod 119
            = 19

RSA -- getting parameters “right”

need to choose suitably large p, q
e is usually chosen to be small
typically e may be the same for all users
originally a value of 3 was suggested, but
it is regarded as too small currently
216 -1 = 65535 is typical used
the decryption exponent d will be large

Practical aspects of RSA

• So why is RSA so much slower than DES?
today’s computers can't directly handle
numbers larger than 32- or 64-bits

need multiple precision arithmetic requiring
libraries to handle large numbers

Is Public Key Crypto Secure?
• A 128 bit key would be a number between 1 and
  340,282,366,920,938,000,000,000,000,000,000,000,000
• How many prime numbers are between 1 and this number?
• approximately n / ln(n) which is about 2^128 / ln( 2^128 ) =
  3,835,341,275,459,350,000,000,000,000,000,000,000

• How long would it take to find all of these prime numbers if you could
  calculate one trillion of these numbers per second?
• More than 121,617,874,031,562,000 years (i.e., about 10 million times
  longer than the universe has existed so far.)
• Reference: http://www.livinginternet.com/?i/is_crypt_pkc_inv.htm

• Answer – Yes, but know its limitations (e.g. plaintext attacks, block
  sizes, etc.)

Speeding up RSA
modulo arithmetic permits reducing
intermediate results, because
(a*b) mod n = [(a mod n)*(b mod n)] mod n
19^5 mod 119 = 2,476,099 mod 119 = ?
             = [(19^1 mod 119) * (19^2 mod 119) *
                (19^2 mod 119)] mod 119
Note: 19^2 mod 119 = 361 mod 119 = 4
19^5 mod 119 = [19 * 4 * 4] mod 119
             = 304 mod 119 = 66

Speeding up RSA

usual multiplication takes O(n^2) bit ops
faster technique: Schönhage-Strassen Integer
Multiplication Algorithm:
breaks each integer into blocks, & uses them as coefficients of a
polynomial
evaluates these polynomials at suitable points, & multiplies the
resultant values
interpolates these values to form the coefficients of the product
polynomial
combines the coefficients to form the product of the original
integers

Attacks on RSA
Brute force – try all possible private keys
Depends on length of the key

Mathematical attack – factor n into its two
primes

Timing attack – use measurement of the
decryption time to guess values

RSA security rests on factoring
security of RSA is assumed to rest on the
difficulty of computing ø(n),
i.e. finding (p-1), (q-1)
best known theoretical factoring algorithms
take years (assume 1 binary op per nanosec)
when the number of decimal digits in n exceeds
100
so, 1024+ bits looks secure for now

Breaking RSA
RSA inventors offered $100 reward for
finding a plaintext sentence enciphered via
RSA
public key had 129 decimal digits (~ 428 bits)
RSA predicted 40 quadrillion years was
needed
1994 -- a group claimed the prize after 8
months of work (1600 computers used)

Elliptic Curve Cryptography
RSA challenger – uses fewer bits than RSA, so is
computationally cheaper
Based on cubic equations of form:
y^2 + axy + by = x^3 + cx^2 + dx + e
… real a, b, c, d, e
Define a form of addition on points on curve -
multiple additions are the counterpart of modular
exponentiation in RSA

Less experience, so it is not as trusted as RSA

Applications

Digital Signature

Construct that authenticates both the origin
& content of a message
In a manner that is provable to a third party
E.g. A sends EA-R [M]; B has EA-U [M], M
where M = EA-U [EA-R [M]]

Repudiation problem:
A says “My key was stolen”

Key Distribution

A sends/posts A’s public key
All others can see it

Forgery problem: Z posts a key and says
that it is A’s public key
Z can read what others send to A
Until A alerts others to the forged key

Public Key Certificate
Create a trusted third party
Key distribution center (KDC) or certificate authority
(CA)
Maintains a registry of user keys
Creates certificates: [ID of A, A’s public key]
Certificate signed by CA
Encrypted with KDC’s private key
Use: user gives CA the user’s public key
User obtains certificate; publishes certificate
Assumed valid until user informs CA that key is invalid

Key distribution -- using certificates
A and B register with the CA
A and B exchange certificates
A creates secret (shared) session key
A encrypts session key with A’s private key
A then encrypts with B’s public key
A sends to B

We need a more formal way of
describing these exchanges!

Backups

Why?
Why should it be the case that
if M is plaintext & C is ciphertext
& if C = M^e mod n, that

M = C^d mod n = (M^e)^d mod n = M^(ed) mod n,

I.e. what makes us think that there even
exists an e and d such that M^(ed) mod n = M?

Theory behind RSA
if n = pq where p, q are primes, then:
x^ø(n) = 1 mod n
for all x not divisible by p or q, ie gcd(x,ø(n))=1
where ø(n)=(p-1)(q-1)
RSA chooses e & d to be inverses mod ø(n)
ie e*d=1+q*ø(n)
therefore
M = C^d = M^(ed) = M^(1+q*ø(n)) =
M^1 * (M^ø(n))^q = M^1 * (1)^q = M^1 mod N

Speeding up RSA (cont)

Discrete Fourier Transform, & the
Convolution Theorem are used to speed
up the interpolation stage
results in multiplying in O(n log n) bit ops
(versus O(n^2))
special hardware is a possibility


```
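
The slides' RSA walk-through (computing e, n, d; applying them; reducing intermediates mod n; the factoring attack) as an added Python example that is not part of the original deck. The function names `make_keys`, `modexp`, `apply_key` and `recover_private_key` are assumptions chosen for illustration, and this is unpadded textbook RSA with the slides' toy primes, suitable for study only.

```python
# Added example: textbook RSA with the slides' toy parameters (p=7, q=17, e=5).
from math import gcd

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def make_keys(p, q, e):
    """Return (KU, KR) = ((e, n), (d, n)) following the slides' steps."""
    n, phi = p * q, (p - 1) * (q - 1)
    if p == q or not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need p != q, 1 < e < phi(n), gcd(e, phi(n)) == 1")
    d = egcd(e, phi)[1] % phi          # d * e = 1 mod phi(n)
    return (e, n), (d, n)

def modexp(base, exp, n):
    """Square-and-multiply, reducing mod n after every multiplication so
    intermediates never exceed n*n: (a*b) mod n = [(a mod n)*(b mod n)] mod n."""
    result, base = 1, base % n
    while exp:
        if exp & 1:
            result = (result * base) % n
        base = (base * base) % n
        exp >>= 1
    return result

def apply_key(key, value):
    """One primitive covers encrypt (KU), decrypt (KR), sign (KR), verify (KU)."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be an integer in [0, n-1]")
    return modexp(value, exponent, n)

def recover_private_key(public_key):
    """The 'mathematical attack': factor n by trial division, then redo key
    generation. It succeeds here only because n = 119 is tiny."""
    e, n = public_key
    p = next(f for f in range(2, int(n ** 0.5) + 1) if n % f == 0)
    return make_keys(p, n // p, e)[1]

if __name__ == "__main__":
    KU, KR = make_keys(7, 17, 5)
    C = apply_key(KU, 19)              # confidentiality: encrypt with KU
    S = apply_key(KR, 19)              # signature: "encrypt" with KR
    print(KU, KR, C, apply_key(KR, C), S, apply_key(KU, S))
    print(recover_private_key(KU))     # why p and q must be large
```

Because `recover_private_key` rebuilds d from the public key alone, the run shows directly why the slides insist on "suitably large p, q".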