Chapter 6 Public-Key Cryptography - PowerPoint PPT Presentation

1
Chapter 6 Public-Key Cryptography
  • Public-Key Cryptosystem
  • RSA Algorithm
  • Key Management
  • Diffie-Hellman Key Exchange
  • Elliptic Curve Cryptography

2
Milestones in Cryptology
  • 1917 Edward Hugh Hebern developed the first
    rotor machine
  • 1971 IBM Lucifer project
  • 1975 DES standard announced
  • 1976 Diffie and Hellman presented public-key
    concept

3
  • Both rotor machines and DES still relied on the
    bread-and-butter tools of substitution and
    permutation.
  • Public key algorithms are based on mathematical
    functions rather than on substitution and
    permutation.
  • Public key cryptography is asymmetric,
  • involving the use of two separate keys,
  • in contrast to symmetric conventional encryption,
    which uses only one key.

4
  • The use of two keys in public key algorithms has
    profound consequences in the areas of
  • confidentiality
  • key distribution
  • authentication

5
Three Misconceptions on Public Key
  • It is MORE secure than conventional encryption.
  • Security is based on key length and computational
    cost.
  • There is no such principle that one is better
    than the other.
  • It is a general-purpose technique and has made
    the conventional encryption obsolete.
  • Due to the computational overhead of current
    public-key schemes, the conventional ones are not
    abandoned.

6
  • Its key distribution is trivial!
  • Also involves a central agent.
  • No simpler, nor more efficient, than conventional
    ones.
  • This chapter provides an overview of public-key
    encryption
  • conceptual framework
  • RSA algorithm, the most important
    encryption/decryption algorithm that has been
    shown to be feasible for public-key encryption.
  • Key distribution and management for public-key
    system (Diffie-Hellman key exchange)

7
Diffie's Goals in Designing Public Key
  • Key distribution
  • Diffie and Hellman observed that "... What good
    would it do after all to develop impenetrable
    cryptosystems, if their users were forced to
    share their keys with a KDC that could be
    compromised by either burglary or subpoena? ..."

8
  • Digital Signature
  • Electronic messages and documents need the
    equivalent of the signatures used in paper ones.
  • In 1976, Diffie and Hellman came up with a method
    satisfying both goals.

9
6.1 Public-Key Cryptosystem
  • There are two keys
  • encryption key (public key)
  • decryption key (private key)
  • Characteristic of public-key systems
  • It is computationally infeasible to determine the
    decryption key, even if the cryptographic
    algorithm and encryption key are known.
  • Either of the two keys can be used for
    encryption, and the other decryption.
  • If so, authentication can be done.
  • Some algorithms do not enjoy the second property.

10
Public-Key Encryption Procedure
  • Fig (a)
  • Each system generates a pair of public and
    private keys.
  • The public key is placed in a public register or
    file.
  • If A wishes to send a message to B, it encrypts
    the message using B's public key.
  • When B receives the message, B decrypts it using
    B's private key.

11
Characteristics of Public-Key System
  • The private key can be computed locally.
  • The private key is NEVER transmitted on the net.
  • At any time, a system can change its
    public-private keys pair.
  • Applications
  • confidentiality
  • authentication
  • confidentiality and authentication

12
Public-Key System for Confidentiality
13
Fig. 6.2
  • Source A produces message $X = [X_1, X_2, \ldots, X_M]$
  • The M elements of X are letters in some finite
    alphabet.
  • B generates a related pair of keys
  • A public key $KU_b$, publicly available
  • A private key $KR_b$, known only to B
  • A forms the ciphertext $Y = [Y_1, Y_2, \ldots, Y_M]$ by
  • $Y = E_{KU_b}(X)$
  • The receiver uses the private key to decipher
  • $X = E_{KR_b}(Y)$

14
Conventional and Public-Key Encryption
  • Conventional Encryption
  • Needed to Work
  • 1. The same algorithm with the same key is used
    for encryption and decryption
  • 2. The sender and receiver must share the
    algorithm and the key
  • Public-Key Encryption
  • Needed to Work
  • 1. One algorithm is used for encryption and
    decryption with a pair of keys, one for
    encryption and one for decryption
  • 2. The sender and receiver must each have one of
    the matched pairs of keys (not the same one)

15
  • Conventional Encryption
  • Needed for Security
  • 1. The key must be kept secret.
  • 2. It must be impossible or at least impractical
    to decipher a message if no other information is
    available.
  • 3. Knowledge of the algorithm plus samples of
    cipher text must be insufficient to determine the
    key.
  • Public-Key Encryption
  • Needed for Security
  • 1. One of the two keys must be kept secret.
  • 2. It must be impossible or at least impractical
    to decipher a message if no other information is
    available.
  • 3. Knowledge of the algorithm plus one of the
    keys plus samples of cipher text must be
    insufficient to determine the other key.

16
Public-Key System for Authentication
  • If the key pair has the symmetric property, then
    authentication can be done.
  • I.e., the private key can also be used for
    encryption.
  • Fig. (b)
  • Use the private key for encryption, and the
    public key for decryption.

17
Public-Key Authentication
  • NO confidentiality!
  • It's only safe from alteration.

18
Fig 6.1(b) and 6.3
  • The use of public-key encryption to provide
    authentication
  • Source A produces $Y = E_{KR_a}(X)$
  • Destination B: $X = E_{KU_a}(Y)$
  • A prepares a message to B and encrypts it using
    A's private key before transmitting it.
  • B can decrypt the message using A's public key.
  • The entire encrypted message serves as a digital
    signature.
  • The message being sent is safe from alteration
    but not from eavesdropping

19
Confidentiality and Authentication
  • Using two pairs of public-private keys.

20
Fig. 6.4 Secrecy and Authentication
  • Source A
  • $Z = E_{KU_b}[E_{KR_a}(X)]$
  • Destination B
  • $X = D_{KU_a}[D_{KR_b}(Z)]$
  • The final cipher text can be decrypted only by
    the intended receiver, who alone has the matching
    private key.
  • The disadvantage is that the public-key algorithm
    is complex.

21
Summary of Public-Key System
  • Applications of public-key algorithm
  • encryption/decryption
  • digital signature
  • key exchange such as exchange session keys
    (shared)
  • Comparison of some Public-Key Systems

22
Requirement of Public-Key Cryptography (Proposed
by Diffie and Hellman)
  • computationally easy for receiver B to generate
    the key pair (public key $KU_b$, private key $KR_b$).
  • computationally easy for sender A to encrypt the
    plaintext: $C = E_{KU_b}(M)$
  • computationally easy for receiver B to decrypt
    the ciphertext: $M = D_{KR_b}(C)$
  • computationally infeasible for an opponent to
    determine the private key $KR_b$, given the public
    key $KU_b$

23
  • computationally infeasible for an opponent to
    determine the plaintext, given the public key $KU_b$
    and ciphertext C
  • encryption and decryption algorithms can be used
    interchangeably, i.e.,
    $M = E_{KU_b}(D_{KR_b}(M)) = D_{KR_b}(E_{KU_b}(M))$.
  • The order is optional!!
  • e.g., RSA => $(M^e)^d = (M^d)^e$

24
Trapdoor One-Way Function
  • one-way function
  • map a domain to a range such that every function
    value has a unique inverse
  • with condition
  • the calculating of the function is easy
  • calculating the inverse is infeasible
  • $Y = f(X)$: easy
  • $X = f^{-1}(Y)$: infeasible
  • Easy is defined as solvable in polynomial time, in
    class P (e.g., input is n bits, computational
    cost is $n^a$ for some constant a).

25
  • Infeasible: cost grows faster than polynomial
    time (e.g., $2^n$)
  • Traditional complexity analysis is on worst
    cases.
  • In cryptanalysis, the cost should be applied to
    virtually ALL inputs.
  • Trapdoor one-way function
  • is a one-way function
  • easy to calculate in one direction
  • infeasible to calculate in the other direction,
    unless some additional information is known

26
  • $Y = f_k(X)$: easy, if k and X are known
  • $X = f_k^{-1}(Y)$: easy, if k and Y are known
  • $X = f_k^{-1}(Y)$: infeasible, if Y is known
  • but k is unknown
  • The public-key scheme depends on discovery of a
    suitable trapdoor one-way function!!
  • The key size must be large enough to make
    brute-force attack impractical but small enough
    for practical encryption and decryption.

27
  • In practice, the key sizes that have been
    proposed do make brute-force attack impractical
    but result in encryption speed that are too slow
    for general purpose use.
  • Instead, as was mentioned earlier, public-key
    encryption is currently confined to key
    management and signature applications.

28
Crisis of Public-Key Scheme
  • vulnerable to brute-force attack (any one has
    this problem)
  • solution: use LARGER keys
  • as key size increases, the complexity of most
    trapdoor functions increases more than linearly
  • However, this will result in very SLOW
    encryption/decryption.
  • This is why public-key encryption is currently
    confined to key management and signature
    applications.

29
6.2 RSA Algorithm
  • In 1978, Rivest, Shamir, and Adleman at MIT first
    published a solution called RSA, which became
    the only widely accepted and implemented
    public-key encryption.
  • RSA
  • block cipher: both plaintext and ciphertext are
    between 0 and n-1
  • some number theory background is needed

30
RSA Description
  • Plaintext (M) is encrypted in blocks.
  • The binary value of M < n.
  • Encryption and Decryption
  • $C = M^e \bmod n$ // cipher
  • $M = C^d \bmod n = (M^e)^d \bmod n = M^{ed} \bmod n$
  • Public key $KU = \{e, n\}$
  • Private key $KR = \{d, n\}$
  • Requirements
  • There exist e, d, n such that $M \equiv M^{ed} \pmod n$
    for all M < n.
  • It is easy to calculate $M^e$ and $C^d$ for all M < n.
  • It is infeasible to find d given e and n.

31
  • One potential solution: Euler's Theorem
  • given the following
  • two primes p and q
  • two integers n and m
  • such that $n = pq$ and $0 < m < n$
  • an arbitrary integer k
  • the equation holds: $m^{k\phi(n)+1} = m^{k(p-1)(q-1)+1} \equiv m \pmod n$, where
  • $\phi(n)$
  • Euler totient function
  • the number of integers less than n and
    relatively prime to n
  • $n = pq$ and we know that p and q are primes.
  • $\phi(n) = |\{1, 2, \ldots, n\} - \{p, 2p, 3p, \ldots, qp\} - \{q, 2q, 3q, \ldots, pq\}|$
  • $= pq - p - q + 1$
  • $= (p-1)(q-1)$

32
  • To apply Euler's theorem, recall that we want
    the equation $M^{ed} \equiv M \pmod n$
  • We can let $ed = k\phi(n) + 1$
  • <=> $ed \equiv 1 \pmod{\phi(n)}$, $\phi(n) = (p-1)(q-1)$
  • <=> $e \equiv d^{-1} \pmod{\phi(n)}$, $\phi(n) = (p-1)(q-1)$
  • According to the rules of modular arithmetic,
    this holds true only if d (and thus e) is
    relatively prime to $\phi(n)$.
  • That is, $\gcd(d, \phi(n)) = 1$.
  • If so, $(M^e)^d \equiv M \pmod n$.

33
RSA Outline
  • Parameters
  • p and q are two primes (private, chosen)
  • $n = pq$ (public, calculated)
  • e, with $\gcd(\phi(n), e) = 1$ (public, chosen)
  • $d = e^{-1} \bmod \phi(n)$ (private, calculated)
  • encryption with public key: $C = M^e \pmod n$
  • decryption with private key: $M = C^d \pmod n$
  • See Fig. 6.5

36
An RSA Example
  • 1. Select two prime numbers, p = 7, q = 17
  • 2. Calculate $n = pq = 119$
  • 3. Calculate $\phi(n) = (p-1)(q-1) = 96$
  • 4. Select e such that e is relatively prime to
    $\phi(n) = 96$ and less than $\phi(n)$; in this case, e = 5
  • 5. Determine d such that $de = 1 \bmod 96$ and d < 96.
    The correct value is d = 77, because
    $77 \times 5 = 385 = 4 \times 96 + 1$
  • => KU = {5, 119}, KR = {77, 119}
  • 6. Let plaintext M = 19 => ciphertext = 66
  • => after decryption: 19

38
Computational Cost of RSA
  • Encryption
  • the power $M^e$ is typically gargantuan
  • fortunately, with mod n, we have
  • $[(a \bmod n)(b \bmod n)] \bmod n = ab \bmod n$,
  • so we can reduce the intermediate value!!
  • the exponent e is also large ...
  • $M^{93} = M \times M \times M \times \cdots \times M$ // 93
    multiplications
  • fortunately, we have a good solution from algorithm
    class ...
  • $M^{20}$: $M^{16}$, $M^4$, $M^2$
  • Can you give an O(log e) algorithm?
  • Decryption
  • $M^d$, which is similar!!

39
Efficiency of exponentiation
  • $x^{16} = x \times x \times \cdots \times x$
  • 15 multiplications can be reduced to four
    multiplications
  • $x^2, x^4, x^8, x^{16}$.
  • If we wish to find the value $a^m$, let m be a
    binary number $b_k b_{k-1} \ldots b_0$
  • $m = \sum_{b_i \neq 0} 2^i$

40
  • Algorithm to compute $a^b \bmod n$
      c = 0; d = 1
      for i = k downto 0
          c = 2 * c
          d = (d * d) mod n
          if b_i = 1 then
              c = c + 1
              d = (d * a) mod n
      return d
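
The slide's square-and-multiply loop and the RSA example (p = 7, q = 17, e = 5) as runnable code. This is an added example, not part of the original slides; the function names are illustrative, and the extended Euclid routine the slides defer to Chapter 7 is filled in here with the standard algorithm.

```python
def mod_exp(a, b, n):
    """Compute a^b mod n, scanning the bits of b from b_k down to b_0.
    c mirrors the slide's bookkeeping variable: the exponent built so far."""
    c, d = 0, 1
    for bit in bin(b)[2:]:
        c, d = 2 * c, (d * d) % n          # one squaring per bit
        if bit == "1":
            c, d = c + 1, (d * a) % n      # extra multiply for a 1 bit
    assert c == b                          # invariant: d == a^c mod n
    return d


def ext_gcd(x, y):
    """Extended Euclid: return (g, s, t) with s*x + t*y == g == gcd(x, y)."""
    if y == 0:
        return x, 1, 0
    g, s, t = ext_gcd(y, x % y)
    return g, t, s - (x // y) * t


def make_key(p, q, e):
    """Return (n, e, d) for primes p, q and a chosen public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, s, _ = ext_gcd(e, phi)
    if g != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return n, e, s % phi                   # d = e^-1 mod phi(n)


def roundtrip_all(n, e, d):
    """Check the requirement M^(ed) = M (mod n) for every block M < n."""
    return all(mod_exp(mod_exp(m, e, n), d, n) == m for m in range(n))


if __name__ == "__main__":
    n, e, d = make_key(7, 17, 5)           # toy sizes from the slide only
    c = mod_exp(19, e, n)
    print("n =", n, "d =", d, "cipher =", c, "plain =", mod_exp(c, d, n))
    print("all blocks round-trip:", roundtrip_all(n, e, d))
```

The loop performs one squaring per bit of the exponent plus one multiplication per 1 bit, which is the O(log e) cost the previous slide asks for.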

41
  • Key Generation Concern
  • (I) construct the primes p and q
  • As n is available, p and q should be reasonably
    large to avoid a brute-force attack.
  • At present, there are NO useful techniques that
    yield arbitrarily large primes
  • Randomization algorithm to generate probable
    primes [KNUT81]: Miller-Rabin algorithm
  • 1. pick an odd integer n at random
  • 2. pick an integer a < n at random
  • 3. test the primality of n against a
  • if n fails, reject n and go back to step 1.
  • if n passes a sufficient number of tests, accept
    n; otherwise go back to step 2.
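
Steps 1 to 3 above as code: a Miller-Rabin witness test and a candidate loop that also counts how many candidates were tried. This is an added example, not from the original slides; the function names, the round count of 40 and the small-prime pre-check are assumptions of the example.

```python
import random


def miller_rabin_witness(a, n):
    """Return True if base a proves odd n > 2 composite (n 'fails' the test)."""
    q, k = n - 1, 0
    while q % 2 == 0:                 # write n - 1 = 2^k * q with q odd
        q, k = q // 2, k + 1
    x = pow(a, q, n)
    if x in (1, n - 1):
        return False                  # inconclusive: n may be prime
    for _ in range(k - 1):
        x = (x * x) % n
        if x == n - 1:
            return False              # inconclusive
    return True                       # a is a witness: n is composite


def is_probable_prime(n, rounds=40, rng=random):
    """Step 2-3 repeated: accept n only if `rounds` random bases all pass."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):    # cheap pre-check before the tests
        if n % small == 0:
            return n == small
    return not any(miller_rabin_witness(rng.randrange(2, n - 1), n)
                   for _ in range(rounds))


def random_prime(bits, rng):
    """Step 1 loop: draw odd candidates until one is accepted.
    Returns (prime, candidates_tried). Real key generation must pass a
    CSPRNG such as random.SystemRandom(); a seeded rng is for repeatable demos."""
    tries = 0
    while True:
        tries += 1
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full size, odd
        if is_probable_prime(cand, rng=rng):
            return cand, tries


if __name__ == "__main__":
    p, tries = random_prime(256, random.Random(2024))  # constructed demo seed
    print(p.bit_length(), "bit probable prime after", tries, "candidates")
```

A single base is not enough: 2047 = 23 × 89 passes the test for a = 2 and is only exposed by another base such as a = 3, which is why the procedure demands a sufficient number of tests.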

42
  • Some properties of prime numbers
  • Primes near N are spaced by approximately (ln N)
    integers.
  • Thus, only (ln N) guesses on average are needed.
  • Excluding even numbers: only (ln N)/2 guesses!!
  • You can even include multiples of 3, 5, etc.
  • Ex: when $N = 2^{200}$, $\ln(2^{200})/2 \approx 70$ trials
  • Key Generation Concern
  • (II) construct d and e
  • randomly choose d and test against $\phi(n)$ for
    relative primality
  • the probability that two random numbers are
    relatively prime is about 0.6 (see Problem 7.1)
  • calculate $e = d^{-1}$
  • extended Euclid algorithm (later in Chapter 7)

43
Possible Attacks on RSA
  • Attack 1: brute force (which is quite impossible)
  • Attack 2: factoring n (which is used in most
    studies)
  • Factor n into two primes p and q.
  • Calculate $\phi(n) = (p-1)(q-1)$.
  • Determine $d = e^{-1} \pmod{\phi(n)}$.
  • Currently, no reasonable algorithm is known to
    factor the product of two large primes.
  • The best one takes time

44
  • Attack 3: determine $\phi(n)$ directly, without
    knowing p and q, then determine d.
  • Attack 4: determine d directly, without knowing
    $\phi(n)$.
  • Attack 5: timing attack

45
Factoring a Large Number
  • Determining $\phi(n)$ given n is equivalent to
    factoring n.
  • Determining d given e and n appears to be at
    least as time-consuming as the factoring problem
  • Thus, we can use factoring performance as a
    benchmark against which to evaluate the security
    of RSA

46
  • MIPS-year
  • the work that can be done by a
    million-instructions-per-second processor running for one year
  • Ex: a 200-MHz Pentium is about a 50-MIPS-year
    machine.
  • Currently best factoring costs (achieved by
    different algorithms)

47
  • Before the RSA-129 challenge, the most widely used
    algorithm was the quadratic sieve.
  • A shocking attack on the RSA-130 challenge was by GNFS
    (generalized number field sieve), which can
    factor RSA-130 faster than RSA-129, at only 10% of
    the computing effort.
  • Note: as the key length increases, the cost to
    encrypt/decrypt also increases.
  • GNFS can be further improved to SNFS (special
    number field sieve).
  • Costs of GNFS and SNFS

49
  • Attack 3 (determining $\phi(n)$ given n) and Attack 4
    (determining d given e and n) are at least as
    time-consuming as Attack 2.
  • To avoid n being factored, it is suggested that
  • p and q differ in length by only a few digits (say, both
    75 to 100 digits)
  • (p-1) and (q-1) both contain a large prime factor
  • gcd(p-1, q-1) should be small

50
Timing Attack
  • [KOCH96]
  • If a snooper can keep track of how long a
    computer takes to decipher a message, the private
    key may be compromised.
  • Ex: to compute $C^d$ with d = 1001001
  • When we use the exponentiation algorithm, we will
    compute
  • C0 C3 C6
  • The computing time will somehow reflect the value of
    d.

51
Countermeasures to Timing Attack
  • Constant running time for all exponentiation
    calculations
  • Ex: $C^{1001}$ and $C^{1100111}$ take about the same amount
    of time.
  • Random delay
  • Add some random delay to confuse the timing
    attack.

52
  • Blinding
  • Multiply the ciphertext by a random number before
    performing exponentiation.
  • Ex: RSA Data Security
  • r: a random number between 0 and n-1
  • at encryption: $C' = C r^e = M^e r^e \pmod n$
  • at decryption: $M' = (C')^d$
  • $M = M' r^{-1} = (C')^d r^{-1} = M^{ed} r^{ed} r^{-1} = M^1 r^1 r^{-1}$
  • note: $r^{ed} = r \pmod n$
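
The blinding countermeasure above, carried through with the toy key from the RSA example slide (n = 119, e = 5, d = 77). This is an added example, not from the original slides; the function names are illustrative, and the requirement that r be invertible mod n is made explicit because the final step multiplies by r^-1.

```python
import random
from math import gcd

N, E, D = 119, 5, 77   # toy key from the RSA example slide (7 * 17)


def conditional_multiplies(d):
    """Extra multiplications square-and-multiply performs: one per 1 bit
    of d. This key-dependent work is what a timing measurement reflects."""
    return bin(d).count("1")


def blind(c, n, e, rng):
    """Return (c_blind, r) with c_blind = c * r^e mod n for a fresh random r."""
    while True:
        r = rng.randrange(2, n)
        if gcd(r, n) == 1:                 # r must have an inverse mod n
            return (c * pow(r, e, n)) % n, r


def decrypt_blinded(c, n, e, d, rng):
    """Decrypt c without ever exponentiating the caller-supplied value."""
    c_blind, r = blind(c, n, e, rng)
    m_blind = pow(c_blind, d, n)           # = M * r mod n, since r^(ed) = r
    return (m_blind * pow(r, -1, n)) % n   # strip the blinding factor


def blinded_inputs(c, n, e, rng, count):
    """Distinct values actually fed to the exponentiation over `count` calls."""
    return {blind(c, n, e, rng)[0] for _ in range(count)}


if __name__ == "__main__":
    rng = random.SystemRandom()            # blinding factors need a CSPRNG
    c = pow(19, E, N)                      # 66, as on the example slide
    print("plaintext:", decrypt_blinded(c, N, E, D, rng))
    print("values exponentiated for the same C:",
          sorted(blinded_inputs(c, N, E, rng, 5)))
    print("1 bits in d = 1001001:", conditional_multiplies(0b1001001))
```

Because the exponentiation runs on a different value for every request, an observer who chooses C can no longer correlate the measured time with a known input.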