
CS 330 Public Key Crypto 1

Cryptography & Computer Security



Public-Key CryptoSystems
Public Key Cryptography
Every Egyptian received two names, which were known
respectively as the true name and the good name, or
the great name and the little name; and while the good
or little name was made public, the true or great name
appears to have been carefully concealed.
The Golden Bough, Sir James George Frazer

Private-Key Cryptography
traditional private-key cryptography uses one key shared by both sender and receiver
it is symmetric
if this key is disclosed, communications are compromised
hence it does not protect
Alice - from Bob forging a message & claiming it was sent by Alice
Alice or Bob - from Eve discovering (or stealing) the key and forging messages or reading their messages
the main problem with symmetric key cryptography is key distribution and management

Why Public-Key Cryptography?
key distribution
digital signatures - how to verify a message comes intact from the claimed sender
the public invention of public-key crypto is due to Whitfield Diffie & Martin Hellman at Stanford in 1976
NSA claims to have invented it in the mid-60s (no verification of this - it is still classified)
James Ellis of CESG created a similar method around 1970 but his work wasn't declassified till 1987 ( http://jya.com/ellisdoc.htm )
Public-Key Cryptography
public-key cryptography involves the use of two
keys:
a public-key, which may be known by anybody, and is used
to encrypt messages, and verify signatures
a private-key, known only to the recipient, is used to
decrypt messages, and sign (create) signatures
is asymmetric because
those who encrypt messages or verify signatures cannot
decrypt messages or create signatures

Public-Key Cryptography
there can also be a phone book of public keys
Public-Key Applications
can classify uses into 3 categories:
encryption/decryption (provide secrecy)
digital signatures (provide authentication)
key exchange (of session keys)
some algorithms are suitable for all uses, others are specific to one
Public-key digital signatures

Public-Key Cryptography
differs from classical symmetric crypto because it uses mathematical functions rather than substitution and permutation to implement the encipherment & decipherment.
it solves the key distribution problem by not
distributing the private keys

Public-key Algorithm Requirements
1. It must be computationally easy for Bob to generate a pair of keys $K_{Bob}^{Pub}$ and $K_{Bob}^{Pri}$
2. It must be computationally easy for Alice, knowing $K_{Bob}^{Pub}$ and the message M, to generate a cryptogram C
$C = E(M, K_{Bob}^{Pub})$
3. It must be computationally easy for Bob, using $K_{Bob}^{Pri}$, to decrypt C
$M = D(C, K_{Bob}^{Pri})$

More Public-key requirements
4. It must be computationally infeasible for Eve to recover $K_{Bob}^{Pri}$ just by knowing $K_{Bob}^{Pub}$
5. It must be computationally infeasible for Eve to recover M, knowing $K_{Bob}^{Pub}$ and C.
6. The encryption and decryption functions must be able to be applied in either order.

Public-Key Caveats
Public-key systems are no more secure than their symmetric key counterparts
the difficulty in cryptanalysis rests solely on the length of the key and the amount of work required to break the system with a particular key
Public-key systems will not replace symmetric key
systems
they complement rather than replace symmetric key crypto
because it turns out there are (so far) no good methods of
implementing public-key crypto that are nearly as fast as
symmetric block or stream ciphers
Public-Key System Implementation
The requirements on the previous slides dictate that the
function used to do encryption and decryption needs to
be
easy to compute in one direction
very hard to compute in the inverse direction unless the public
or private key is known
this is known as a trap-door one-way function
So any public-key system must depend on a practical
and suitable trap-door one-way function
it turns out these are pretty hard to find!

Security of Public Key Schemes
like private key schemes, brute force exhaustive
search attack is always theoretically possible
but the keys used are typically too large (>512bits)
but be careful, you actually need a much larger public-private
key pair to get the same amount of security as a symmetric
key
security relies on a large enough difference in difficulty between the easy (en/decrypt) and hard (cryptanalyze) problems

more PK security
In general the hard problem is known, it's just made too hard to do in practice
this is like Kerckhoffs's principle - requiring that the cryptosystem itself be known and holding all the security in the key
the difference here is that the public-key algorithms are well-known number theory problems whose security is easier to analyze than most symmetric systems
so it's somewhat easier to prove just how secure the public-key system is.
yet more PK security
typically requires the use of very large numbers
which requires multiple-precision arithmetic on
computers
and algorithms that take many iterations of a loop to
complete
so it is slow compared to symmetric key schemes
Now on to how to do public-key crypto....

Introduction to Number Theory
The Devil said to Daniel Webster: "Set me a task I can't carry out, and I'll
give you anything in the world you ask for."
Daniel Webster: "Fair enough. Prove that for n greater than 2, the equation $a^n + b^n = c^n$ has no non-trivial solution in the integers."*
They agreed on a three-day period for the labor, and the Devil
disappeared.
At the end of three days, the Devil presented himself, haggard, jumpy,
biting his lip. Daniel Webster said to him, "Well, how did you do at my
task? Did you prove the theorem?"
"Eh? No . . . no, I haven't proved it."
"Then I can have whatever I ask for? Money? The Presidency?"
"What? Oh, that, of course. But listen! If we could just prove the following
two lemmas
The Mathematical Magpie, Clifton Fadiman
(*proved by Sir Andrew Wiles from Princeton in 1994)
Prime Numbers and Prime Factorization
to factor a number n is to write it as a product of other
numbers: n = a * b * c
note that factoring a number is relatively hard
compared to multiplying the factors together to
generate the number
the prime factorization of a number n is when it is
written as a product of primes
e.g. $91 = 7 \cdot 13$; $3600 = 2^4 \cdot 3^2 \cdot 5^2$

It's fundamental, really
The fundamental theorem of arithmetic (also known
as the unique factorization theorem) says
any integer n can be written as the unique product of a
finite number of prime numbers.
so 12 = 2 * 2 * 3
123 = 41 * 3
etc.

Fermat's Little Theorem
if p is prime and gcd(a, p) = 1, then
$a^{p-1} \equiv 1 \pmod{p}$
nice little proof in Appendix B (online) of Stallings
This theorem can also be expressed as: if p is prime and a is any positive integer, then
$a^p \equiv a \pmod{p}$
note that this version doesn't require gcd(a, p) = 1

Euler's Totient Function
when doing arithmetic modulo n
a complete set of residues is: 0..n-1
a reduced set of residues are those numbers (residues) which are relatively prime to n
e.g. for n = 10,
complete set of residues is {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}
reduced set of residues is {1, 3, 7, 9}
the number of elements in the reduced set of residues is called the Euler Totient Function $\phi(n)$
it is the number of numbers that are relatively prime to and less than n

Euler's Totient Function $\phi(n)$ - again
to compute $\phi(n)$ we need to count the number of elements to be excluded
so for composite numbers we need to factor them
in general we need the prime factorization, but
for p (p prime) we get $\phi(p) = p - 1$
for n = p*q (p, q prime) and p != q, we get
$\phi(n) = \phi(p) \cdot \phi(q) = (p - 1)(q - 1)$
e.g.
$\phi(37) = 36$
$\phi(21) = \phi(3) \cdot \phi(7) = (3 - 1)(7 - 1) = 2 \cdot 6 = 12$

General Definition of Euler's Totient
1. $\phi(1) = 1$ (by definition)
2. $\phi(p) = p - 1$ when p is prime
3. $\phi(n) = \phi(pq) = (p-1)(q-1)$ when n = pq and p, q are prime and p != q
4. $\phi(p^k) = (p-1) p^{k-1} = p^k (1 - 1/p)$ when p is prime and thus $p^k$ is a power of a prime.
5. In general, then, for $n = p_1^{k_1} \cdots p_r^{k_r}$ when the $p_i$ are distinct, we get
$\phi(n) = n \prod_{p \mid n} \left(1 - \frac{1}{p}\right)$
which looks like a generalization of #4 and which can also be written as
$\phi(n) = (p_1 - 1) p_1^{k_1 - 1} \cdots (p_r - 1) p_r^{k_r - 1}$
$\phi(n)$ is always even for n >= 3.

Euler's Theorem
a generalization of Fermat's Little Theorem
$a^{\phi(n)} \equiv 1 \pmod{n}$
when gcd(a, n) = 1 (a and n are relatively prime)
e.g.
a = 3; n = 10; $\phi(10) = 4$;
hence $3^4 = 81 \equiv 1 \pmod{10}$
a = 2; n = 11; $\phi(11) = 10$;
hence $2^{10} = 1024 \equiv 1 \pmod{11}$
or like Fermat
$a^{\phi(n)+1} \equiv a \pmod{n}$

RSA
by Rivest, Shamir & Adleman of MIT in 1977
best known & widely used public-key scheme
based on exponentiation in a finite (Galois) field over integers modulo a prime
Note that exponentiation takes $O((\log n)^3)$ operations
this is relatively easy
uses large integers (e.g. 1024 bits)
security due to cost of factoring large numbers
this is very hard.

RSA Description
Let n = pq, where p & q are prime. Let $P = C = Z_n$
define
$K = \{(n, p, q, d, e) : n = pq,\ p, q \text{ prime, and } d \cdot e \equiv 1 \pmod{\phi(n)}\}$, meaning that $d = e^{-1} \pmod{\phi(n)}$
Then define
cipher = $e_K(\text{plain}) = \text{plain}^e \bmod n$, and
plain = $d_K(\text{cipher}) = \text{cipher}^d \bmod n$
with plain and cipher in $Z_n$.
The values n and e are the public key, [n, e], and n and d are the private key, [n, d], which is kept secret.
p and q are also kept secret.

RSA Key Setup
each user generates a public/private key pair by:
selecting two large primes at random - p, q
computing their system modulus n = pq and $\phi(n) = (p-1)(q-1)$
selecting at random the encryption key e
where $1 < e < \phi(N)$, $\gcd(e, \phi(N)) = 1$
solve the following equation to find decryption key d
$e \cdot d \equiv 1 \pmod{\phi(N)}$ and $0 \le d \le N$
so d is the inverse of e mod $\phi(n)$
RSA Key Setup
publish their public encryption key: KU = {e, n}
keep secret private decryption key: KR = {d, n}
(and n = pq)
key setup is done rarely - only when you need to
create a key pair.

RSA Use
to encrypt a message M the sender:
obtains public key of recipient KU = {e, n}
computes: $C = M^e \bmod n$, where $0 \le M < n$
to decrypt the ciphertext C the owner:
uses their private key KR = {d, n}
computes: $M = C^d \bmod n$
note that the message M (a block of text or bits) must be smaller than the modulus n
both are elements of the set $Z_n$

Select p, q: p and q both prime, p != q
Calculate n = p * q
Calculate $\phi(n) = (p-1)(q-1)$
Select e: $\gcd(\phi(n), e) = 1$; $1 < e < \phi(n)$
Calculate d: $d = e^{-1} \bmod \phi(n)$
Public key is KU = {e, n}
Private key is KR = {d, n}
To encrypt: plaintext M < n; ciphertext $C = M^e \bmod n$
To decrypt: ciphertext C; plaintext $M = C^d \bmod n$

RSA Example - Key Generation
1. Select primes: p = 17 & q = 11
2. Compute n = pq = 17 * 11 = 187
3. Compute $\phi(n) = (p-1)(q-1) = 16 \cdot 10 = 160$
4. Select e such that gcd(e, 160) = 1; choose e = 7
5. Determine d: de = 1 mod 160 and d < 160
Value is d = 23 since 23 * 7 = 161 = 1 * 160 + 1
6. Publish public key KU = {7, 187}
7. Keep secret private key KR = {23, 187}

So let's encrypt
sample RSA encryption/decryption is:
given message M = 88
(Note that 88 < 187)
encryption:
$C = 88^7 \bmod 187 = 11$
(but remember $88^7 = 88^1 \cdot 88^2 \cdot 88^4$)
decryption:
$M = 11^{23} \bmod 187 = 88$
(and $11^{23} = 11^8 \cdot 11^8 \cdot 11^4 \cdot 11^2 \cdot 11^1$)
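
The key setup and the worked encryption above can be reproduced in a few lines. This is an added example, not code from the original slides: it derives d with the extended Euclidean algorithm and performs the exponentiation by square-and-multiply, the same decomposition into powers of two shown for 88^7. The function names are invented for the illustration.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(e, m):
    """Solve e*d = 1 (mod m) for d; fails when gcd(e, m) != 1."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError("no inverse: gcd(e, m) != 1")
    return x % m

def modexp(base, exp, mod):
    """Square-and-multiply, scanning the exponent from its low bit upward."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:                  # this power of two is part of the exponent
            result = result * base % mod
        base = base * base % mod     # base^1, base^2, base^4, ...
        exp >>= 1
    return result

def rsa_keygen(p, q, e):
    """Return (KU, KR) = ((e, n), (d, n)) for primes p != q and a chosen e."""
    if p == q:
        raise ValueError("p and q must differ")
    n, phi_n = p * q, (p - 1) * (q - 1)
    return (e, n), (modinv(e, phi_n), n)

def rsa_apply(key, x):
    """Raise x to the key's exponent mod n; used for both directions."""
    exp, n = key
    if not 0 <= x < n:
        raise ValueError("value must satisfy 0 <= M < n")
    return modexp(x, exp, n)

if __name__ == "__main__":
    # Toy parameters from the slides; textbook RSA like this has no padding.
    KU, KR = rsa_keygen(17, 11, 7)
    C = rsa_apply(KU, 88)
    print(KU, KR, C, rsa_apply(KR, C))
```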

RSA Computational Notes
users of RSA must:
determine two primes at random - p, q
select either e or d and compute the other
primes p, q must not be easily derived from modulus n = p * q
means that p & q must be sufficiently large
typically guess and use a probabilistic test to find the primes (Solovay-Strassen or Miller-Rabin)
To encrypt & decrypt one must use modular exponentiation & the Chinese Remainder Theorem because e, d, & n are potentially very large.

Chinese Remainder Theorem
Suppose we have a set of numbers $\{m_1, m_2, \ldots, m_r\}$ that are pairwise relatively prime and positive
i.e. $\gcd(m_i, m_j) = 1$ for $i \ne j$, and $m_i > 0$ for all i
and let $M = m_1 \cdot m_2 \cdots m_r$
and suppose we have $A = \{a_1, a_2, \ldots, a_r\}$ integers where $A \in Z_M$
then (1) the system of r congruences
$x \equiv a_i \pmod{m_i}$ $(1 \le i \le r)$
has a unique integer solution modulo M.

And this is useful, how?
Well, it turns out that you can compute X as
$X = (a_1 M_1 y_1 + a_2 M_2 y_2 + \cdots + a_r M_r y_r) \bmod M$
which is equivalent to
$X = \sum_{i=1}^{r} a_i M_i y_i \pmod{M}$

What the heck does that mean???
It means you can take a very large number
break it up into its prime factors
do an arithmetic computation modulo its prime factors
and then combine those answers and get an answer to the entire computation modulo the very large number.
We'll need this for some of the Public Key algorithms!
it means you can do arithmetic on very large numbers using smaller numbers (say ones that will fit in the word size of your computer) efficiently!
finally, it means one can find X by solving $x \equiv a_i \pmod{m_i}$ for all $1 \le i \le r$ rather than trying to solve for A mod M
Oh, that Chinese Remainder Theorem
one can implement the CRT in several ways
See Stinson, pgs 119 - 122 for an alternate
description.
See also Knuth, volume 2 (Seminumerical Algorithms),
249-256.
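
One way to carry out the CRT reconstruction, and to use it for RSA decryption with the factors p and q, is sketched below as an added example that is not part of the original slides. It assumes the usual definitions M_i = M / m_i and y_i = M_i^-1 mod m_i, which the slides use without stating; the function names are invented, and the built-in three-argument pow with exponent -1 needs Python 3.8 or later.

```python
from math import gcd, prod

def crt(residues, moduli):
    """Solve x = a_i (mod m_i) for pairwise coprime m_i; return x mod M."""
    for i, m_i in enumerate(moduli):
        if m_i <= 0 or any(gcd(m_i, m_j) != 1 for m_j in moduli[i + 1:]):
            raise ValueError("moduli must be positive and pairwise coprime")
    M = prod(moduli)
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i              # product of all the other moduli
        y_i = pow(M_i, -1, m_i)     # assumed definition: y_i = M_i^-1 mod m_i
        x += a_i * M_i * y_i
    return x % M

def rsa_decrypt_crt(c, d, p, q):
    """Compute c^d mod p*q from two small exponentiations, for odd primes p != q."""
    # Fermat's little theorem lets each exponent be reduced mod p-1 and q-1.
    m_p = pow(c % p, d % (p - 1), p)
    m_q = pow(c % q, d % (q - 1), q)
    return crt([m_p, m_q], [p, q])

if __name__ == "__main__":
    # Constructed sample system: x = 2 (mod 3), 3 (mod 5), 2 (mod 7).
    print(crt([2, 3, 2], [3, 5, 7]))
    # The slides' toy key: C = 11, d = 23, p = 17, q = 11 gives M = 88.
    print(rsa_decrypt_crt(11, 23, 17, 11))
```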

RSA Security
three approaches to attacking RSA:
1. brute force key search
usually infeasible given size of numbers
but some smaller key sizes (up to 512 bits) have been broken
2. mathematical attacks (based on difficulty of computing $\phi(N)$, by factoring modulus N)
3. timing attacks (on running of decryption)

Factoring Problem
mathematical approach to breaking RSA takes 3 forms:
(a) factor N = p.q, hence find $\phi(N)$ and then d
(b) determine $\phi(N)$ directly and find d
(c) find d directly
but.....
Pratt was the first to show that prime factorization lies in the complexity class NP. (oops)
Pratt, V. "Every Prime Has a Succinct Certificate." SIAM J. Comput. 4, 214-220, 1975.

Factoring...
It is currently believed that all three methods above are equivalent to factoring
have seen slow improvements over the years
as of Aug-99 best is 130 decimal digits (512 bit) with GNFS
biggest improvement comes from improved algorithm
cf Quadratic Sieve to Generalized Number Field Sieve
barring dramatic breakthrough 1024+ bit RSA secure
ensure p, q of similar size and matching other constraints

Recent progress in factorization
note that a MIPS-year is a million instructions per second running for a year.
Note also that factorization needs the ability to test numbers to see if they are primes...
an effort concluded in 2009 factored a 232-digit number utilizing hundreds of machines over a span of 2 years (see http://eprint.iacr.org/2010/006.pdf )

Primality Testing
we often need to find large prime numbers
like to find p and q for RSA
or to find test values for factoring large values of N in RSA
simple algorithm is the sieve of Eratosthenes using trial division
i.e. divide by all numbers (primes) in turn less than the square root of the number (well, this is a variation on the sieve)
it works for all integers, but it's only practical for small numbers

or
alternatively we can use statistical primality tests based on some properties of primes
for which all prime numbers satisfy the property
but some composite numbers, called pseudo-primes, also satisfy the property (but there are very few of these)
the two standard statistical tests are the Solovay-Strassen algorithm and the Miller-Rabin algorithm
Solovay-Strassen is older and less accurate at determining if a number is prime
so let's look at Miller-Rabin

Miller-Rabin Algorithm
a test based on Fermat's Little Theorem
Decide if n (an odd integer > 2) is prime
TEST (n) is:
1. Find integers k, q, k > 0, q odd, so that $(n - 1) = 2^k q$
(you can always do this by dividing repeatedly by 2 or, if n is a binary number, by shifting right until the low order bit is a 1)
2. repeat steps 3 - 6 till you're satisfied or you return
3. Select a random integer a, 1 < a < n-1
4. if $a^q \bmod n = 1$ then return ("probably prime");
5. for j = 0 to k-1 do
if $a^{2^j q} \bmod n = n - 1$ then return ("probably prime")
6. return ("composite")

Probabilistic Considerations
if Miller-Rabin returns "composite" the number is definitely not prime
otherwise it is either a prime or an Euler pseudo-prime
if we repeat TEST(n) with different random numbers a then the chance n is prime after m tests is:
$\Pr(n \text{ prime after } m \text{ tests}) = 1 - 4^{-m}$
e.g. for m = 10 this probability is > 0.99999
(There is a deterministic algorithm for determining if a large integer is prime - the AKS algorithm, but it's thought to be not as efficient as Miller-Rabin)

Prime Distribution
The prime number theorem states that primes occur roughly every (ln n) integers
alternatively you can say that the number of primes less than n is roughly (n / ln n)
since we can immediately ignore even numbers and multiples of 5, in practice we only need to test 0.4*ln(n) numbers of size n before locating a prime
note this is only the average - sometimes primes are close together, at other times they are quite far apart
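
The Miller-Rabin steps and the prime search described on the last three slides, written out as an added example that is not part of the original slides. It repeats TEST(n) with fresh random bases and reports composite as soon as one round fails, compares the result with a plain Fermat check on the Carmichael number 561, and counts how many random odd candidates are drawn before a prime turns up; all function names are invented here.

```python
import random

def miller_rabin_round(n, a):
    """One TEST(n) from the slide for odd n > 2 and base a; True = probably prime."""
    k, q = 0, n - 1
    while q % 2 == 0:              # step 1: n - 1 = 2^k * q with q odd
        k, q = k + 1, q // 2
    x = pow(a, q, n)
    if x == 1 or x == n - 1:       # step 4, and step 5 with j = 0
        return True
    for _ in range(k - 1):         # step 5, j = 1 .. k-1: square each time
        x = x * x % n
        if x == n - 1:
            return True
    return False                   # step 6: composite

def fermat_round(n, a):
    """Plain Fermat check a^(n-1) = 1 (mod n), kept for comparison."""
    return pow(a, n - 1, n) == 1

def is_probable_prime(n, rounds=10, rng=random):
    """Repeat the test with fresh random bases; one failed round proves n composite."""
    if n < 2:
        return False
    if n < 4:
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)    # 1 < a < n - 1
        if not miller_rabin_round(n, a):
            return False
    return True

def random_prime(bits, rng=random):
    """Draw random odd candidates of the given size; return (prime, candidates tried)."""
    tries = 0
    while True:
        tries += 1
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n, rng=rng):
            return n, tries

if __name__ == "__main__":
    # 561 = 3 * 11 * 17 is a Carmichael number: Fermat with base 2 is fooled.
    print("561:", fermat_round(561, 2), miller_rabin_round(561, 2))
    # random.SystemRandom draws from the OS CSPRNG, which key generation needs.
    print(random_prime(256, random.SystemRandom()))
```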
Timing Attacks
developed in mid-1990s
exploit timing variations in operations
eg. multiplying by small vs large number
or IF statements varying which instructions are
executed
infer operand size based on time taken
RSA exploits time taken in exponentiation
countermeasures
use constant exponentiation time
add random delays
blind values used in calculations
