Cryptographic Algorithms and Protocols - PowerPoint PPT Presentation

Title:

Cryptographic Algorithms and Protocols

Description:

Professor Frances Yao & Professor Xiaotie Deng. Department of ... Ripple Effect: Make E-commerce possible. 9/26/09. Adopted from Lecture s by Lawrie Brown ... – PowerPoint PPT presentation

Slides: 66
Provided by: scie241
Transcript and Presenter's Notes


1
Cryptographic Algorithms and Protocols
  • Text Book: William Stallings
  • Lecture Notes: Adapted from those of Lawrie Brown
  • Lecturers:
  • Professor Frances Yao & Professor Xiaotie Deng
  • Department of Computer Science
  • City University of Hong Kong

2
Chapter 9: Public Key Cryptography and RSA
  • Every Egyptian received two names, which were
    known respectively as the true name and the good
    name, or the great name and the little name and
    while the good or little name was made public,
    the true or great name appears to have been
    carefully concealed.
  • The Golden Bough, Sir James George Frazer

3
Outline
  • Introduction of public-key cryptosystem
  • RSA trapdoor one-way function
  • RSA digital signature

4
1. Public-key cryptosystem
5
Introduction
  • First proposed in public by Diffie and Hellman at
    Stanford University in 1976.
  • known earlier in classified community
  • http://www.research.att.com/smb/nsam-160/
  • Enables secure message exchange
  • between sender and receiver
  • without ever having to meet in advance to agree
    on a common secret key.

6
Private-Key Cryptography
  • Traditional private/secret/single key
    cryptography uses one key
  • shared by both sender and receiver
  • If this key is disclosed, communications are
    compromised
  • The key is also symmetric: parties are equal
  • It does not protect the sender from the
    receiver forging a message and claiming it was
    sent by the sender

7
Public-Key Cryptography
  • Probably the most significant advance in the 3000
    year history of cryptography
  • It uses two keys: a public key and a private key
  • It is asymmetric: parties are not equal
  • It uses clever applications of number theoretic
    concepts to function
  • It complements rather than replaces private key
    cryptography

8
Public-Key Cryptography
9
Public-Key Cryptography
  • Public-key/two-key/asymmetric cryptography
    involves, for each agent u, the use of its
    associated pair of keys $\langle P_u, S_u \rangle$:
  • the public key $P_u$, which is published under the
    user's name in a public directory accessible
    for everyone to read,
  • can be used to encrypt messages and verify
    signatures
  • the private key $S_u$, which is known only to the
    agent u,
  • used to decrypt messages and sign (create)
    signatures
  • It is asymmetric because
  • those who encrypt messages or verify signatures
    may not be able to decrypt messages or create
    signatures

10
  • Encoding
  • To send a secret message M to u,
  • everyone looks up $P_u$, computes $C = E(P_u, M)$, where
    E is a public encryption algorithm, and
  • sends the resulting ciphertext C to u.
  • Decoding
  • Upon receiving ciphertext C, u uses his private
    key $S_u$ and computes $D(S_u, C)$, where D is the
    corresponding decryption algorithm.
  • Clearly, for this to work we need that
    $D(S_u, E(P_u, M)) = M$.

11
Why Public-Key Cryptography?
  • Initially to address two key issues:
  • key distribution: how to have secure
    communications in general without having to trust
    a KDC with your key
  • digital signatures: how to verify a message
    comes intact from the claimed sender
  • Ripple Effect: Make E-commerce possible.

12
Computational Characteristics
  • Public-key algorithms rely on two keys with the
    characteristics
  • computationally infeasible to find the decryption key
    knowing only the algorithm and the encryption key
  • computationally easy to en/decrypt messages when
    the relevant (en/decrypt) key is known
  • either of the two related keys can be used for
    encryption, with the other used for decryption
    (in some schemes).

13
Use of Public-Key Cryptosystems
14
Public-Key Applications
  • 3 major categories
  • encryption/decryption (provide secrecy)
  • digital signatures (provide authentication)
  • key exchange (of session keys)
  • Some algorithms are suitable for all uses, others
    are specific to one

15
Security of Public Key Schemes
  • Security relies on a large enough difference in
    difficulty between easy (en/decrypt) and hard
    (cryptanalyse) problems
  • Similar to private key schemes, brute force
    exhaustive search attack is always theoretically
    possible
  • But keys used are too large (>512 bits) to break
    that way
  • It requires the use of very large numbers
  • slow when compared to private key schemes

16
2. RSA trapdoor one-way function
17
One-Way Function and the Factorization assumption
  • The most basic primitive for cryptosystem is a
    one-way function (OWF).
  • Informally, this is a function which is EASY to
    compute but HARD to invert.
  • For example, the following Factorization
    assumption is a well-known candidate for OWF.
  • Randomly select two prime numbers p and q. Set
    $N = pq$.
  • Given only N, it is HARD to compute p or q
  • By the Factorization assumption

18
Trapdoor one-way function
  • A trapdoor function f is a one-way function with
    an extra property.
  • There also exists a secret inverse information
    (the trapdoor) that allows its possessor to
    EFFICIENTLY invert f at any point in the domain
    of his choosing.
  • It should be easy to compute f on any point,
  • but infeasible to invert f on any point without
    knowledge of the trapdoor.
  • Inverting f is easy with knowledge of the
    trapdoor.

19
Use Trapdoor Function for PKC
  • Given a pair $(f, t_f)$ where f is a trapdoor
    function and $t_f$ is its associated trapdoor
    information,
  • Diffie and Hellman suggested in 1976 using the
    supposed existence of trapdoor functions to
    implement a Public-Key Cryptosystem as follows.

20
(1). For every message $m \in M$, $E(f, m) = f(m)$.
(2). Given $c = E(f, m) = f(m)$ and $t_f$,
$D(t_f, c) = f^{-1}(c) = f^{-1}(f(m)) = m$.
21
RSA
  • In 1977 Rivest, Shamir and Adleman proposed the
    first candidate trapdoor function,
  • Now called RSA. The story of modern
    cryptography followed.
  • The best known and widely used public-key scheme
  • It is based on exponentiation in a finite
    (Galois) field over integers modulo a number
  • exponentiation takes $O((\log n)^3)$ operations
    (easy)
  • It uses large integers (e.g. 1024 bits)
  • The security relies on the difficulty of factoring
    large numbers
  • factorization takes operations (hard)

22
Use of trapdoor one-way function in PKC
  • Each user u in the network has a pair of keys
    $\langle P_u, S_u \rangle$ associated with him:
  • The public key $P_u$, which is published under the
    user's name in a public directory accessible
    for everyone to read, and
  • The private key $S_u$, which is the trapdoor
    information, known only to u.

23
RSA Key Setup
  • Each user generates a public/private key pair by
  • Selecting two large primes at random: p, q
  • Computing their system modulus $N = p \cdot q$
  • note $\phi(N) = (p-1)(q-1)$
  • Selecting at random the encryption key e
  • where $1 < e < \phi(N)$, $\gcd(e, \phi(N)) = 1$
  • Solving the following equation to find the decryption key d
  • $e \cdot d = 1 \bmod \phi(N)$ and $0 \le d \le N$
  • Fast to do using Euclid's Algorithm.
  • Publishing their public encryption key $P_u = \{e, N\}$
  • Keeping secret their private decryption key $S_u = \{d, p, q\}$

24
RSA Encryption/Decryption
  • Encrypt a message M by the sender
  • obtains public key of recipient $P_u = \{e, N\}$
  • computes $C = M^e \bmod N$, where $0 \le M < N$
  • Decrypt the ciphertext C by the owner u
  • uses its private key $S_u = \{d, p, q\}$
  • computes $M = C^d \bmod N$
  • note that the message M must be smaller than the
    modulus N (block if needed)

25
Number Theory Background for RSA
26
Definition of The Euler Totient Function
  • Euler's Totient Function $\phi$ is defined by
  • $\phi(2) = |\{1\}| = 1$
  • $\phi(3) = |\{1, 2\}| = 2$
  • $\phi(4) = |\{1, 3\}| = 2$
  • $\phi(5) = |\{1, 2, 3, 4\}| = 4$
  • $\phi(6) = |\{1, 5\}| = 2$

27
Calculation of Euler Totient Function
  • The following are facts about the Euler Totient
    Function
  • (1) For p a prime and $\alpha \ge 1$, $\phi(p^{\alpha}) = p^{\alpha-1}(p-1)$
  • (2) For integers m, n with $\gcd(m, n) = 1$,
  • $\phi(mn) = \phi(m)\,\phi(n)$
  • Corollary: $\phi(pq) = (p-1)(q-1)$ for p, q primes

28
The Group $Z_n^*$
  • $Z_n^* = \{k : \gcd(k, n) = 1,\ 1 \le k < n\}$
  • For any positive integer n, $Z_n^*$ forms a group
    under multiplication modulo n.
  • If $\gcd(a, n) = \gcd(b, n) = 1$, then
  • $\gcd(ab, n) = \gcd(a, n) \cdot \gcd(b, n) = 1 \cdot 1 = 1$
  • For any $a \in Z_n^*$, it is the case that
    $a^{\phi(n)} \equiv 1 \pmod{n}$.

29
Why RSA Works
  • By Euler's Theorem
  • $a^{\phi(N)} \bmod N = 1$
  • where $\gcd(a, N) = 1$
  • In RSA, we have
  • $N = p \cdot q$
  • $\phi(N) = (p-1)(q-1)$
  • carefully chosen e and d to be inverses mod $\phi(N)$
  • hence $e \cdot d = 1 + k \cdot \phi(N)$ for some k
  • Hence (if M is relatively prime to N)
    $C^d = (M^e)^d = M^{1 + k \cdot \phi(N)} = M^1 \cdot (M^{\phi(N)})^k = M^1 \cdot (1)^k = M^1 = M \bmod N$

30
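Corollary of Euler's theorem
  • Given two prime numbers p and q, and integers
    $n = pq$ and m, with $0 < m < n$, the following
    relationship holds
  • $m^{\phi(n)+1} \equiv m \bmod n$ (Eq. 8.5)
  • Proof: When $\gcd(m, n) \ne 1$, and m is a multiple of p
  • $\Rightarrow m = cp$, $\gcd(m, q) = 1$ since $m < pq$
  • $\Rightarrow m^{\phi(q)} \equiv 1 \bmod q$
  • $\Rightarrow m^{\phi(q)\phi(p)} \equiv 1 \bmod q$
  • $\Rightarrow m^{\phi(n)} \equiv 1 \bmod q \Rightarrow m^{\phi(n)} = 1 + kq$
  • $\Rightarrow m^{\phi(n)+1} = m + kcpq = m + kcn$ (multiply by $m = cp$
    on both sides)
  • $\Rightarrow m^{\phi(n)+1} \equiv m \bmod n$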

31
Exponentiation
  • A useful operation for PKC
  • Given a, n, m, where $a \in Z_n$ and m is an integer,
  • computes $a^m \bmod n$.
  • By repeated squaring, $a^m \bmod n$ can be computed in
    $O(\log m)$ multiplications mod n, hence $O(\log^3 n)$
    time, if $m < n$.

32
RSA Example
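  • Select primes: $p = 17$, $q = 11$
  • Compute $n = pq = 17 \times 11 = 187$
  • Compute $\phi(n) = (p-1)(q-1) = 16 \times 10 = 160$
  • Select e: $\gcd(e, 160) = 1$; choose $e = 7$
  • Determine d: $de = 1 \bmod 160$ and $d < 160$. Value is
    $d = 23$ since $23 \times 7 = 161 = 1 \times 160 + 1$
  • Publish public key $P = \{7, 187\}$
  • Keep secret private key $S = \{23, 17, 11\}$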

33
RSA Example cont
  • sample RSA encryption/decryption is
  • given message $M = 88$
  • Encryption (using public key)
  • $C = 88^7 \bmod 187 = 11$
  • Decryption (using private key)
  • $M = 11^{23} \bmod 187 = 88$

34
Exponentiation
  • Use the Square and Multiply Algorithm
  • a fast, efficient algorithm for exponentiation
  • Concept is based on repeatedly squaring base
  • and multiplying in the ones that are needed to
    compute the result
  • look at binary representation of exponent
  • only takes $O(\log_2 n)$ multiplications for number n
  • e.g. $7^5 = 7^4 \cdot 7^1 = 3 \cdot 7 = 10 \bmod 11$
  • e.g. $3^{129} = 3^{128} \cdot 3^1 = 5 \cdot 3 = 4 \bmod 11$

35
Exponentiation
36
  • Equivalently, the algorithm looks at binary
    expansion of m. What we did is collect all the
    powers of two corresponding to the ones and
    multiply them.
  • For example, compute $2^{21} \bmod 22$.
  • $21 = 10101_2$

37
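$2^1 \equiv 2 \pmod{22}$
$2^2 \equiv 4 \pmod{22}$
$2^4 \equiv 16 \pmod{22}$
$2^8 \equiv 16 \cdot 16 = 256 = 220 + 36 \equiv 36 \equiv 14 \pmod{22}$
$2^{16} \equiv 14 \cdot 14 = 196 = 22 \cdot 8 + 20 \equiv 20 \pmod{22}$
Therefore,
$2^{21} = 2^{16} \cdot 2^4 \cdot 2^1 \equiv 20 \cdot 16 \cdot 2 = 20 \cdot 32 \equiv 20 \cdot 10 = 200 = 22 \cdot 9 + 2 \equiv 2 \pmod{22}$.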
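
The square-and-multiply procedure traced above, as an added Python sketch (not from the original slides; `square_and_multiply` and its trace format are hypothetical names). The trace records each repeated square and whether the exponent bit selected it, so the slide's table for $2^{21} \bmod 22$ can be reproduced line by line.

```python
def square_and_multiply(a, m, n):
    """Return (a^m mod n, trace), scanning the binary expansion of m from the low bit.

    trace holds one tuple per exponent bit:
    (power_of_two, a^power_of_two mod n, bit_is_one).
    """
    result = 1 % n
    square = a % n            # a^(2^0) mod n
    power = 1
    trace = []
    while m > 0:
        bit_is_one = bool(m & 1)
        trace.append((power, square, bit_is_one))
        if bit_is_one:
            # Multiply in only the squares that correspond to 1-bits of m.
            result = (result * square) % n
        square = (square * square) % n
        power *= 2
        m >>= 1
    return result, trace

def powers_used(trace):
    """The powers of two whose squares were multiplied into the result."""
    return [power for power, _, bit_is_one in trace if bit_is_one]

if __name__ == "__main__":
    value, trace = square_and_multiply(2, 21, 22)
    for power, square, bit_is_one in trace:
        print(f"2^{power} mod 22 = {square}" + ("  (used)" if bit_is_one else ""))
    print("2^21 mod 22 =", value)
```

The multiplication is performed only for 1-bits of the exponent, so the running time depends on the exponent's bit pattern; that data dependence is what the timing attacks on decryption listed under RSA Security rely on.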
38
Some Remarks on RSA
39
The hardness to invert RSA
  • Thus far, the best way known to invert RSA is to
    first factor n.
  • The best running time for a fully proved
    algorithm is Dixon's random squares algorithm,
    which runs in time
  • But, in practice we may consider others.

40
  • Let lp where p is the smallest prime divisor
    of n. The Elliptic Curve algorithm takes expected
    time
  • The Quadratic Sieve algorithm runs in expected
    time
  • The recommended size for n these days is 1024
    bits.

41
Knowledge of ?(n) is equivalent to knowledge of
the factorization
  • To compute $\phi(n)$ from p and q:
  • $\phi(n) = (p-1)(q-1) = n + 1 - (p+q)$.
  • To compute p and q from $\phi(n)$:
  • Since $pq = n$ and $p + q = n + 1 - \phi(n)$,
  • define $2b = n + 1 - \phi(n)$, since $\phi(n)$ is even.
  • p and q must be the roots of the equation $x^2 - 2bx + n = 0$.
    Thus p and q equal to
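
The equivalence above, as an added Python sketch (not from the original slides; function names are hypothetical). It solves $x^2 - 2bx + n = 0$ with the standard quadratic formula, $x = b \pm \sqrt{b^2 - n}$, and shows why a leaked $\phi(n)$ is as damaging as leaked primes: it yields both the factorization and the private exponent.

```python
from math import isqrt

def factor_from_phi(n, phi):
    """Recover (p, q), p >= q, from n = p*q and phi = (p-1)*(q-1)."""
    two_b = n + 1 - phi              # equals p + q
    if two_b <= 0 or two_b % 2:
        raise ValueError("n + 1 - phi(n) must be a positive even number")
    b = two_b // 2
    disc = b * b - n                 # equals ((p - q) / 2)^2
    if disc < 0:
        raise ValueError("phi is inconsistent with n")
    root = isqrt(disc)
    if root * root != disc:
        raise ValueError("phi is inconsistent with n")
    p, q = b + root, b - root        # roots of x^2 - 2bx + n = 0
    if p * q != n or (p - 1) * (q - 1) != phi:
        raise ValueError("phi is inconsistent with n")
    return p, q

def private_exponent_from_phi(e, phi):
    """With phi known, d is just the inverse of the public e (Python 3.8+)."""
    return pow(e, -1, phi)

if __name__ == "__main__":
    # The slides' toy key: n = 187, phi(n) = 160, e = 7.
    print(factor_from_phi(187, 160), private_exponent_from_phi(7, 160))
```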

42
RSA Key Generation
  • Users of RSA must
  • determine two primes at random - p, q
  • select either e or d and compute the other
  • Primes p, q must not be easily derived from
    modulus $N = p \cdot q$
  • means must be sufficiently large
  • typically guess and use probabilistic test
  • Exponents e, d are inverses, so use Inverse
    algorithm to compute the other

43
RSA Security
  • three approaches to attacking RSA
  • brute force key search (infeasible given size of
    numbers)
  • mathematical attacks (based on difficulty of
    computing $\phi(N)$, by factoring modulus N)
  • timing attacks (on running of decryption)

44
Factoring Problem
  • mathematical approach takes 3 forms
  • factor $N = p \cdot q$, hence find $\phi(N)$ and then d
  • determine $\phi(N)$ directly and find d
  • find d directly
  • currently believe all equivalent to factoring
  • have seen slow improvements over the years
  • as of Aug-99 best is 130 decimal digits (512 bits)
    with GNFS
  • biggest improvement comes from improved algorithm
  • cf Quadratic Sieve to Generalized Number Field
    Sieve
  • barring dramatic breakthrough 1024 bit RSA
    secure
  • ensure p, q of similar size and matching other
    constraints

45
How to choose p and q
  • (1). The two primes should not be too close to
    each other (e. g. one should be a few decimal
    digits longer than the other).
  • Also, any one of p and q should not be too small
    due to the Elliptic Curve algorithm
  • Reason: $n = pq = ((p+q)/2)^2 - ((p-q)/2)^2 = t^2 - s^2$.
    Since p and q are close together we get s is
    small and t is an integer only slightly larger
    than . If you test the successive integers
    t > you will soon find one such that
    $n = t^2 - s^2$, at which point you have $p = t + s$ and $q = t - s$.

46
(2). p-1 and q-1 should have a fairly small
g.c.d. and both have at least one large prime
factor.
(3). Of course, if someone discovers a
factorization method that works quickly under
certain other conditions on p and q, then further
users of RSA would have to take care to avoid
those conditions as well.
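
Condition (1) expressed as a key-generation acceptance check, as an added Python sketch (not from the original slides; function names, the step budget and the constructed moduli are assumptions). It runs the successive-integer search described on the previous slide, starting from the smallest t with $t^2 \ge n$, and rejects a modulus if the search succeeds within the budget.

```python
from math import isqrt

def fermat_search(n, max_steps):
    """Test successive t, starting at the smallest t with t*t >= n, for n = t^2 - s^2.

    Returns (p, q, steps) with p = t + s, q = t - s if a perfect square
    t^2 - n is found within max_steps candidates, otherwise None.
    """
    t = isqrt(n)
    if t * t < n:
        t += 1
    for step in range(1, max_steps + 1):
        s_squared = t * t - n
        s = isqrt(s_squared)
        if s * s == s_squared:
            return t + s, t - s, step
        t += 1
    return None

def primes_too_close(n, budget=100_000):
    """Reject a modulus whose factors the bounded search can find."""
    return fermat_search(n, budget) is not None

if __name__ == "__main__":
    # Constructed sample moduli; all values are toy sizes.
    print(fermat_search(187, 10))              # the slides' 17 * 11
    print(fermat_search(10007 * 10009, 10))    # twin primes: found at once
    print(fermat_search(10007 * 101, 100))     # unbalanced: not found in 100 steps
```

The unbalanced toy modulus survives this search but would fall to other methods because its smaller prime is tiny, which is why the slide pairs this condition with the warning that neither prime should be too small.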
47
Summary
  • We covered
  • principles of public-key cryptography
  • RSA algorithm, implementation, security

48
Chapter 10: Key Management; Other Public Key
Cryptosystems
  • No Singhalese, whether man or woman, would
    venture out of the house without a bunch of keys
    in his hand, for without such a talisman he would
    fear that some devil might take advantage of his
    weak state to slip into his body.
  • The Golden Bough, Sir James George Frazer

49
Key Management
  • Public-key encryption helps address key
    distribution problems in two aspects
  • distribution of public keys
  • use of public-key encryption to distribute secret
    keys

50
Distribution of Public Keys
  • Can use the following approaches
  • Public announcement
  • Publicly available directory
  • Public-key authority
  • Public-key certificates

51
Public Announcement
  • Users distribute public keys to recipients or
    broadcast to community at large
  • eg. append PGP keys to email messages or post to
    news groups or email list
  • Major weakness is forgery
  • anyone can create a key claiming to be someone
    else and broadcast it
  • can masquerade as claimed user until forgery is
    discovered

52
Publicly Available Directory
  • Achieve greater security by registering keys with
    a public directory
  • Directory must be trusted with properties
  • contains {name, public-key} entries
  • participants register securely with directory
  • participants can replace key at any time
  • directory is periodically published
  • directory can be accessed electronically
  • still vulnerable to tampering or forgery

53
Public-Key Authority
  • Further improve security by tightening control
    over distribution of keys from directory
  • Keeps all the properties of directory
  • Requires users to know the public key for the
    directory
  • Users interact with directory to obtain any
    desired public key securely
  • does require real-time access to directory when
    keys are needed

54
Public-Key Authority
55
Public-Key Certificates
  • Certificates allow key exchange without real-time
    access to public-key authority
  • a certificate binds identity to a public key
  • usually with other info such as period of
    validity, rights of use etc
  • with all contents signed by a trusted Public-Key
    or Certificate Authority (CA)
  • can be verified by anyone who knows the
    public-key authority's public key

56
Public-Key Certificates
57
Distribution of Secret Keys using Public-Key
  • public-key cryptography can be used for secrecy
    or authentication
  • but public-key algorithms are slow
  • so usually we want to use private-key encryption
    to protect message contents, such as using a
    session key
  • There are several alternatives for negotiating a
    suitable session key

58
Simple Secret Key Distribution
  • proposed by Merkle in 1979
  • A generates a new temporary public key pair
  • A sends B the public key and their identity
  • B generates a session key K and sends it to A
    encrypted using the supplied public key
  • A decrypts the session key and both use it
  • problem is that an opponent can intercept and
    impersonate both halves of protocol

59
Public-Key Distribution of Secret Keys
  • if A and B have securely exchanged public-keys

60
Diffie-Hellman Key Exchange
  • The first public-key type scheme proposed
  • by Diffie & Hellman in 1976 along with the
    exposition of public key concepts
  • note: it is now known that James Ellis (UK CESG)
    secretly proposed the concept in 1970
  • http://www.gchq.gov.uk/press_office/ellis.html
  • http://www.gchq.gov.uk/about/heroes.html
  • is practical for public exchange of a secret key
  • is used in a number of commercial products

61
Diffie-Hellman Key Exchange
  • A public-key distribution scheme
  • NOT used to exchange an arbitrary message
  • BUT to establish a common key known only to the
    two participants
  • Value of key depends on the participants (and
    their private and public key information)
  • Based on exponentiation in a finite (Galois)
    field (modulo a prime or a polynomial) - easy
  • Security relies on the difficulty of computing
    discrete logarithms (similar to factoring) - hard

62
Diffie-Hellman Setup
  • All users agree on global parameters
  • Large prime integer or polynomial q
  • $a$, a primitive root mod q
  • Each user (e.g. A) generates their key
  • chooses a secret key (number) $x_A < q$
  • computes their public key $y_A = a^{x_A} \bmod q$
  • Each user makes public that key $y_A$

63
Diffie-Hellman Key Exchange
  • Shared session key for users A and B is $K_{AB}$
  • $K_{AB} = a^{x_A \cdot x_B} \bmod q$
  • $= y_A^{x_B} \bmod q$ (which B can compute)
  • $= y_B^{x_A} \bmod q$ (which A can compute)
  • KAB is used as session key in private-key
    encryption scheme between Alice and Bob
  • If Alice and Bob subsequently communicate, they
    will have the same key as before, unless they
    choose new public-keys
  • Attacker needs an x, must solve discrete log

64
Diffie-Hellman Example
  • Users Alice & Bob who wish to swap keys
  • Agree on prime $q = 353$ and $a = 3$
  • Select random secret keys
  • A chooses $x_A = 97$, B chooses $x_B = 233$
  • Compute public keys
  • $y_A = 3^{97} \bmod 353 = 40$ (Alice)
  • $y_B = 3^{233} \bmod 353 = 248$ (Bob)
  • Compute shared session key as
  • $K_{AB} = y_B^{x_A} \bmod 353 = 248^{97} = 160$ (Alice)
  • $K_{AB} = y_A^{x_B} \bmod 353 = 40^{233} = 160$ (Bob)
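
The setup and exchange above, as an added Python sketch (not from the original slides; function names are hypothetical). It first verifies the setup requirement that a is a primitive root mod q, then runs both sides of the exchange; the range check on the peer's public value is an added assumption that the slides do not mention.

```python
def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive_root(a, q):
    """For prime q: a generates all of 1..q-1 iff a^((q-1)/r) != 1 (mod q)
    for every prime r dividing q - 1."""
    if not 1 < a < q:
        return False
    return all(pow(a, (q - 1) // r, q) != 1 for r in prime_factors(q - 1))

def dh_public(a, q, x):
    """Public key y = a^x mod q for a secret x with 0 < x < q."""
    if not 0 < x < q:
        raise ValueError("secret key must satisfy 0 < x < q")
    return pow(a, x, q)

def dh_shared(y_peer, x, q):
    """Session key K = y_peer^x mod q."""
    # Added check (assumption, not on the slides): a peer value of 0, 1 or
    # q-1 would confine K to {0, 1, q-1} whatever the secret x is.
    if not 1 < y_peer < q - 1:
        raise ValueError("peer public key out of range")
    return pow(y_peer, x, q)

def slide_example():
    q, a = 353, 3                      # global parameters from the slides
    if not is_primitive_root(a, q):
        raise ValueError("a must be a primitive root mod q")
    x_a, x_b = 97, 233                 # Alice's and Bob's secret keys
    y_a, y_b = dh_public(a, q, x_a), dh_public(a, q, x_b)
    return y_a, y_b, dh_shared(y_b, x_a, q), dh_shared(y_a, x_b, q)

if __name__ == "__main__":
    print(slide_example())
```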

65
Summary
  • have considered
  • Distribution of public keys
  • Public-key distribution of secret keys
  • Diffie-Hellman key exchange