INTRODUCTION

Symmetric and Asymmetric-key cryptography will exist in parallel and continue to serve the community. It is believe that they are complements of each other; the advantages of one can compensate for the disadvantages of the other. Symmetric-key cryptography is based on sharing secrecy; Asymmetric-key cryptography is based on personal secrecy.

Private-Key (Symmetric Key) Cryptography

Traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications are compromised. Hence, does not protect sender from receiver forging a message & claiming is sent by sender. Symmetric key cryptography is based on applying substitution and permutation of symbols (characters or bits). In a community of n people, N (N-1)/2 shared secrets are needed fro symmetric key cryptography.

Need for Both

There is a very important fact that is sometimes misunderstood: The advent of asymmetric-key cryptography does not eliminate the need for symmetric-key cryptography.

Public-Key Cryptography
uses two keys a public & a private key asymmetric since parties are not equal complements rather than replaces private key crypto Public-key/two-key/Asymmetric cryptography involves the use of two keys Public-key, which may be known by anybody, and can be used to Encrypt messages and verify signatures Private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures is Asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatue

Conventional and Public-Key Cryptography

Conventional and Public-Key Cryptography

Conventional Encryption Needed to Work The same algorithm with the same key is used for encryption and decryption. The sender and receiver must share the algorithm and the key Needed for Security The key must be kept secrete It must be impossible or at least impractical to decipher a message if no other information is available. Knowledge of the algorithm plus samples of ciphertext must be insufficient to determine the key Public key Encryption Needed to Work One algorithm is used for encryption and decryption with a pair of keys, one for encryption and one for decryption. The Sender and Receiver must have one of the matched pair of keys. Needed for Security One of the two keys must be kept secret. It must be impossible or at least impractical to decipher a message if no other information is available. Knowledge of the algorithm plus of the keys plus samples of ciphertext must be insufficient to determine the other key.

Public-Key Characteristics

Public-Key Characteristics

Public-Key algorithms rely on two keys with the characteristics that it is computationally infeasible to find decryption key knowing only algorithm & encryption key computationally easy to encrypt/decrypt messages when the relevant (encrypt/decrypt) key is known either of the two related keys can be used for encryption with the other used for decryption (in some schemes)

Security of Public Key Schemes

Security of Public Key Schemes

like private key schemes brute force exhaustive search attack is always theoretically possible but keys used are too large (>512bits) security relies on a large enough difference in difficulty between easy (encrypt/decrypt) and hard (cryptanalyse) problems more generally the hard problem is known, its just made too hard to do in practise Requires the use of very large numbers. Hence, slow compared to private key schemes

Public-Key Applications

Public-Key Applications

can classify uses into 3 categories Encryption/Decryption (provide secrecy) Digital Signatures (provide authentication) Key Exchange (of session keys) some algorithms are suitable for all uses, others are specific to one

Why Public-Key Cryptography?

developed to address two key issues Key Distribution how to have secure communications in general without having to trust a KDC with your key Digital Signatures how to verify a message comes intact from the claimed sender

Asymmetric key cry ptography uses two separate keys: one private and one public.
Locking and unlocking in asymmetric-key cryptosystem

General Idea of Asymmetric-key Cryptosystem

Public-Key Cryptosystems

Integer Multiplication & Factoring as a One Way Function.

easy

p,q
hard

N=pq

Trapdoor One-Way Function

The main idea behind asymmetric-key cryptography is the concept of the trapdoor one-way function.

Functions A function as rule mapping a domain to a range

Trap-Door OWF
Definition: f:DR is a trap-door one way function if there is a trap-door s such that: Without knowledge of s, the function f is a one way function Given s, inverting f is easy Example: fg,p(x) = gx mod p is not a trap-door one way function. Example: RSA is a trap-door OWF.

RSA as a One Way Trapdoor Function.

easy

xe mod N hard

Easy with trapdoor info ( d )

One-Way Function (OWF) 1. f is easy to compute. 2. f 1 is difficult to compute Trapdoor One-Way Function (TOWF) 3. Given y and a trapdoor, x can be computed easily.

RSA (Rivest, Shamir & Adleman )

Each user generates a public/private key pair by selecting two large primes at random - p, q computing their system modulus N=p.q note (N)=(p-1)(q-1) selecting at random the encryption key e where 1<e<(N), gcd(e, (N))=1 solve following equation to find decryption key d e.d=1 mod (N) and 0dN publish their public encryption key: KU={e, N} keep secret private decryption key: KR={d, p, q}

RSA (Rivest, Shamir & Adleman )

To encrypt a message M the sender obtains public key of recipient KU={e,N} computes: C=Me mod N, where 0M<N To decrypt the ciphertext C the owner uses their private key KR={d,p,q} computes: M=Cd mod N Note that the message M must be smaller than the modulus N (block if needed)

Constructing an instance of RSA PKC

Alice first picks at random two large primes, p and q. Alice then picks at random a large d that is relatively prime to (p1)(q-1) ( gcd(d,(N))=1 ). Alice computes e such that de1 mod (N) Let N=pq be the product of p and q. Alice publishes the public key (N,e). Alice keeps the private key d, as well as the primes p, q and the number (N), in a safe place.

Why RSA Works

because of Euler's Theorem a(n)mod N = 1 where gcd(a,N)=1 in RSA have N=p.q (N)=(p-1)(q-1) carefully chosen e & d to be inverses mod (N) hence e.d=1+k.(N) for some k Hence Cd = (Me)d = M1+k.(N) = M1.(M(N))q = M1.(1)q = M1 = M mod N

RSA Public Key Cryptosystem

Let N=pq be the product of two primes Choose e such that gcd(e,(N))=1 Let d be such that de1 mod (N) The public key is (N,e) The private key is d Encryption of MZN* by C=E(M)=Me mod N Decryption of CZN* by M=D(C)=Cd mod N

RSA Example
1. 2. 3. 4. 5. 6. 7. Select primes: p=17 & q=11 Compute n = pq =1711=187 Compute (n)=(p1)(q-1)=1610=160 Select e : gcd(e,160)=1; choose e=7 Determine d: de=1 mod 160 and d < 160 Value is d=23 since 237=161= 10160+1 Publish public key KU={7,187} Keep secret private key KR={23,17,11}

RSA Example Contd.

sample RSA encryption/decryption is: given message M = 88 (nb. 88<187) Encryption C = 887 mod 187 = 11 Decryption M = 1123 mod 187 = 88

Exponentiation
can use the Square and Multiply Algorithm a fast, efficient algorithm for exponentiation concept is based on repeatedly squaring base and multiplying in the ones that are needed to compute the result look at binary representation of exponent only takes O(log2 n) multiples for number n eg. 75 = 74.71 = 3.7 = 10 mod 11 eg. 3129 = 3128.31 = 5.3 = 4 mod 11

Exponentiation

RSA Key Generation

users of RSA must determine two primes at random - p, q select either e or d and compute the other primes p, q must not be easily derived from modulus N=p.q means must be sufficiently large typically guess and use probabilistic test exponents e, d are inverses, so use Inverse algorithm to compute the other

RSA Security
Three approaches to attacking RSA Brute force key search (infeasible given size of numbers) Mathematical attacks (based on difficulty of computing (N), by factoring modulus N) Timing attacks (on running of decryption)

Factoring Problem
mathematical approach takes 3 forms: factor N=p.q, hence find (N) and then d determine (N) directly and find d find d directly currently believe all equivalent to factoring have seen slow improvements over the years as of Aug-99 best is 130 decimal digits (512) bit with GNFS biggest improvement comes from improved algorithm cf Quadratic Sieve to Generalized Number Field Sieve barring dramatic breakthrough 1024+ bit RSA secure ensure p, q of similar size and matching other constraints

Timing Attacks
developed in mid-1990s exploit timing variations in operations eg. multiplying by small vs large number or IF's varying which instructions executed infer operand size based on time taken RSA exploits time taken in exponentiation countermeasures use constant exponentiation time add random delays blind values used in calculations

The Multiplicative Group Zpq*

Let p and q be two large primes. Denote their product N = pq . The multiplicative group ZM* =Zpq* contains all integers in the range [1,pq-1] that are relatively prime to both p and q. The size of the group is (pq) = (p-1) (q-1) = N - (p+q) + 1, so for every x Zpq*, x(p-1)(q-1) = 1.

Exponentiation in Zpq*
Motivation: We want to exponentiation for encryption. Let e be an integer, 1 < e < (p-1) (q-1). Question: When is exponentiation to the eth power, x --> xe, a one-to-one op in Zpq* ?

Exponentiation in Zpq*
Claim: If e is relatively prime to (p-1)(q-1) then x --> xe is a one-to-one op in Zpq* Constructive proof: Since gcd(e, (p-1)(q-1))=1, e has a multiplicative inverse mod (p-1)(q-1). Denote it by d, then ed=1 + C(p-1)(q-1). Let y=xe, then yd =(xe)d=x1+C(p-1)(q-1) =x meaning y --> yd is the inverse of x-->xe QED

A Small Example
Let p=47, q=59, N=pq=2773. (N)= 46*58=2668. Pick d=157, then 157*17 - 2668 =1, so e=17 is the inverse of 157 mod 2668. For N =2773 we can encode two letters per Block, using a two digit number per letter: blank=00, A=01,B=02,,Z=26. Message: ITS ALL GREEK TO ME is encoded 0920 1900 0112 1200 0718 0505 1100 2015 0013 0500

A Small Example
N=2773, e=17 (10001 in binary). ITS ALL GREEK TO ME is encoded as 0920 1900 0112 1200 0718 0505 1100 2015 0013 0500 First block M=0920 encrypts to Me= M17 = (((M2)2 )2 )2 * M = 948 (mod 2773) The whole message (10 blocks) is encrypted as 0948 2342 1084 1444 2663 2390 0778 0774 0219 1655 Indeed 0948d=0948157=920 (mod 2773), etc.

Attacks on RSA
1. Factor N=pq. This is believed hard unless p, q have some bad properties. To Avoid such primes, it is recommended to Take p, q large enough (100 digits each). Make sure p, q are not too close together. Make sure both (p-1), (q-1) have large prime factors (to foil Pollards rho algorithm).

Basic Scheme
A public key encryption scheme includes the following elements: A private key k A public key k An encryption algorithm, which is a trap door OWF. The trap-door info is the private key Public key is published Encryption uses the public key (anyone can encrypt) Decryption requires the private key

Properties of RSA
The requirement (e,(n))=1 is important for uniqueness Finding d, given p and q is easy. Finding d given only n and e is assumed to be hard (the RSA assumption) The public exponent e may be small. Typically its value is either 3 (problematic) or 216+1 Each encryption involves several modular multiplications. Decryption is longer.

Plaintext/Ciphertext Unlike in symmetric-key cryptography, plaintext and ciphertext are treated as integers in asymmetric-key cryptography. Encryption/Decryption C = f (Kpublic , P) P = g(Kprivate , C)