Public-Key Cryptography
uses two keys: a public and a private key
asymmetric since parties are not equal
complements rather than replaces private key crypto
Public-key/two-key/Asymmetric cryptography involves the use
of two keys
Public key, which may be known by anybody and can be
used to encrypt messages and verify signatures
Private key, known only to the recipient, used to decrypt
messages and sign (create) signatures
is asymmetric because
those who encrypt messages or verify signatures cannot
decrypt messages or create signatures
Public-Key Characteristics
Public-Key Applications
Public-Key Cryptosystems
[Figure: p,q --> N=pq is easy; the reverse direction is hard]
Functions
A function is a rule mapping a domain to a range
Trap-Door OWF
Definition: $f: D \to R$ is a trap-door one way function if there is a
trap-door s such that:
Without knowledge of s, the function f is a one way
function
Given s, inverting f is easy
Example: $f_{g,p}(x) = g^x \bmod p$ is not a trap-door one way
function.
Example: RSA is a trap-door OWF.
RSA Example
Exponentiation
RSA Security
Three approaches to attacking RSA
brute force key search (infeasible given size of numbers)
mathematical attacks (based on difficulty of computing
$\varphi(N)$, by factoring modulus N)
timing attacks (on running of decryption)
Factoring Problem
mathematical approach takes 3 forms:
factor N=p.q, hence find $\varphi(N)$ and then d
determine $\varphi(N)$ directly and find d
find d directly
currently believe all equivalent to factoring
have seen slow improvements over the years
as of Aug-99 best is 130 decimal digits (512 bit) with GNFS
biggest improvement comes from improved algorithm
cf Quadratic Sieve to Generalized Number Field Sieve
barring dramatic breakthrough 1024+ bit RSA secure
ensure p, q of similar size and matching other constraints
Timing Attacks
developed in mid-1990s
exploit timing variations in operations
eg. multiplying by small vs large number
or IF's varying which instructions executed
infer operand size based on time taken
against RSA, exploits time taken in exponentiation
countermeasures
use constant exponentiation time
add random delays
blind values used in calculations
Exponentiation in $Z_{pq}^*$
Motivation: We want to use exponentiation for
encryption.
Let e be an integer, 1 < e < (p-1)(q-1).
Question: When is exponentiation to the $e$th
power, $x \to x^e$, a one-to-one op in $Z_{pq}^*$?
Claim: If e is relatively prime to (p-1)(q-1)
then $x \to x^e$ is a one-to-one op in $Z_{pq}^*$
Constructive proof: Since gcd(e, (p-1)(q-1))=1,
e has a multiplicative inverse mod (p-1)(q-1).
Denote it by d, then $ed = 1 + C(p-1)(q-1)$.
Let $y = x^e$, then $y^d = (x^e)^d = x^{1+C(p-1)(q-1)} = x$
meaning $y \to y^d$ is the inverse of $x \to x^e$. QED
A Small Example
Let p=47, q=59, N=pq=2773. $\varphi(N) = 46 \cdot 58 = 2668$.
Pick d=157, then 157*17 - 2668 = 1, so e=17 is
the inverse of 157 mod 2668.
For N=2773 we can encode two letters per
block, using a two digit number per letter:
blank=00, A=01, B=02, ..., Z=26.
Message: ITS ALL GREEK TO ME is encoded
0920 1900 0112 1200 0718 0505 1100 2015 0013 0500
N=2773, e=17 (10001 in binary).
First block M=0920 encrypts to
$M^e = M^{17} = (((M^2)^2)^2)^2 \cdot M = 948 \pmod{2773}$
The whole message (10 blocks) is encrypted as
0948 2342 1084 1444 2663 2390 0778 0774 0219 1655
Indeed $0948^d = 0948^{157} = 920 \pmod{2773}$, etc.
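The small example above, carried through in Python as an added illustration (not code from the original slides): it recovers e from d, encodes the message two letters per block, and encrypts with the square-and-multiply chain shown for the first block. Function and constant names are chosen here, and the parameters are the slides' toy values, far too small for real use.

```python
# Added example using the slides' toy parameters (assumes Python 3.8+).
P, Q = 47, 59
N = P * Q                    # 2773
PHI = (P - 1) * (Q - 1)      # 2668
D = 157                      # private exponent picked on the slide
E = pow(D, -1, PHI)          # multiplicative inverse of d mod phi(N)

ALPHABET = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # blank=00, A=01, ..., Z=26


def modexp(base, exp, mod):
    """Left-to-right square-and-multiply over the bits of exp."""
    result = 1
    for bit in bin(exp)[2:]:                 # e.g. 17 -> '10001'
        result = (result * result) % mod     # square on every bit
        if bit == "1":
            # Key-dependent branch: the timing variation the slides
            # list under "Timing Attacks" comes from steps like this.
            result = (result * base) % mod
    return result


def encode(text):
    """Two letters per block, two decimal digits per letter."""
    if len(text) % 2:
        text += " "                          # pad odd length with a blank
    codes = [ALPHABET.index(ch) for ch in text]   # ValueError if not A-Z/blank
    return [100 * a + b for a, b in zip(codes[::2], codes[1::2])]


def decode(blocks):
    return "".join(ALPHABET[b // 100] + ALPHABET[b % 100] for b in blocks)


def encrypt(blocks):
    return [modexp(m, E, N) for m in blocks]


def decrypt(blocks):
    return [modexp(c, D, N) for c in blocks]


if __name__ == "__main__":
    cipher = encrypt(encode("ITS ALL GREEK TO ME"))
    print(" ".join(f"{c:04d}" for c in cipher))
    print(decode(decrypt(cipher)))
```

Every encoded block is at most 2626, so it stays below N=2773 as the scheme requires.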
[Figure: $x \to x^e \bmod N$ is easy; the reverse direction is hard]
Attacks on RSA
Basic Scheme
A public key encryption scheme includes the following
elements:
A private key k
A public key k
An encryption algorithm, which is a trap door OWF. The
trap-door info is the private key
Public key is published
Encryption uses the public key (anyone can encrypt)
Decryption requires the private key
Properties of RSA
The requirement $(e, \varphi(n)) = 1$ is important for uniqueness
Finding d, given p and q is easy. Finding d given only n and e is
assumed to be hard (the RSA assumption)
The public exponent e may be small. Typically its value is either
3 (problematic) or $2^{16}+1$
Each encryption involves several modular multiplications.
Decryption is longer.
Plaintext/Ciphertext
Unlike in symmetric-key cryptography, plaintext and ciphertext are
treated as integers in asymmetric-key cryptography.
Encryption/Decryption
$C = f(K_{public}, P)$
$P = g(K_{private}, C)$
Problem No. 1
In the RSA public-key encryption scheme, each user has
a public key, e, and a private key, d. Suppose Bob leaks
his private key. Rather than generating a new modulus, he
decides to generate a new public and a new private
key. Is this safe?
Problem No. 2
Suppose we have a set of blocks encoded with the RSA
algorithm and we don't have the private key. Assume n = pq, e
is the public key. Suppose also someone tells us they know
one of the plaintext blocks has a common factor with n. Does
this help us in any way?