INTRODUCTION

Symmetric and Asymmetric-key cryptography will exist in

parallel and continue to serve the community. It is believe that
they are complements of each other; the advantages of one can
compensate for the disadvantages of the other.
Symmetric-key cryptography is based on sharing secrecy;
Asymmetric-key cryptography is based on personal secrecy.

Private-Key (Symmetric Key) Cryptography

Traditional private/secret/single key cryptography uses one

key
shared by both sender and receiver
if this key is disclosed communications are compromised.
Hence, does not protect sender from receiver forging a
message & claiming is sent by sender.
Symmetric key cryptography is based on applying substitution
and permutation of symbols (characters or bits).
In a community of n people, N (N-1)/2 shared secrets are
needed fro symmetric key cryptography.

Need for Both

There is a very important fact that is sometimes misunderstood: The
advent of asymmetric-key cryptography does not eliminate the need
for symmetric-key cryptography.

Public-Key Cryptography
uses two keys a public & a private key
asymmetric since parties are not equal
complements rather than replaces private key crypto
Public-key/two-key/Asymmetric cryptography involves the use
of two keys
Public-key, which may be known by anybody, and can be
used to Encrypt messages and verify signatures
Private-key, known only to the recipient, used to decrypt
messages, and sign (create) signatures
is Asymmetric because
those who encrypt messages or verify signatures cannot
decrypt messages or create signatue

Conventional and Public-Key Cryptography

Conventional and Public-Key Cryptography

Conventional Encryption
Needed to Work
The same algorithm with the same
key is used for encryption and
decryption.
The sender and receiver must
share the algorithm and the key
Needed for Security
The key must be kept secrete
It must be impossible or at least
impractical to decipher a message
if no other information is
available.
Knowledge of the algorithm plus
samples of ciphertext must be
insufficient to determine the key

Public key Encryption

Needed to Work
One algorithm is used for
encryption and decryption with a
pair of keys, one for encryption and
one for decryption.
The Sender and Receiver must have
one of the matched pair of keys.
Needed for Security
One of the two keys must be kept
secret.
It must be impossible or at least
impractical to decipher a message if
no other information is available.
Knowledge of the algorithm plus of
the keys plus samples of ciphertext
musty be insufficient to determine
the other key.

Public-Key Characteristics

Public-Key Characteristics

Public-Key algorithms rely on two keys with the

characteristics that it is
computationally infeasible to find decryption key knowing
only algorithm & encryption key
computationally easy to encrypt/decrypt messages when
the relevant (encrypt/decrypt) key is known
either of the two related keys can be used for encryption
with the other used for decryption (in some schemes)

Security of Public Key Schemes

Security of Public Key Schemes

like private key schemes brute force exhaustive search attack
is always theoretically possible
but keys used are too large (>512bits)
security relies on a large enough difference in difficulty
between easy (encrypt/decrypt) and hard (cryptanalyse)
problems
more generally the hard problem is known, its just made too
hard to do in practise
Requires the use of very large numbers. Hence, slow
compared to private key schemes

Public-Key Applications

Public-Key Applications

can classify uses into 3 categories

Encryption/Decryption (provide secrecy)
Digital Signatures (provide authentication)
Key Exchange (of session keys)
some algorithms are suitable for all uses, others are specific to one

Why Public-Key Cryptography?

developed to address two key issues

Key Distribution how to have secure communications in
general without having to trust a KDC with your key
Digital Signatures how to verify a message comes intact
from the claimed sender

Asymmetric key cry

ptography uses two separate keys: one private and one public.
Locking and unlocking in asymmetric-key cryptosystem

General Idea of Asymmetric-key Cryptosystem

Public-Key Cryptosystems

Integer Multiplication & Factoring

as a One Way Function.

easy

p,q

N=pq
hard

Trapdoor One-Way Function

The main idea behind asymmetric-key cryptography is the concept of
the trapdoor one-way function.

Functions
A function as rule mapping a domain to a range

Trap-Door OWF
Definition: f:DR is a trap-door one way function if there is a
trap-door s such that:
Without knowledge of s, the function f is a one way
function
Given s, inverting f is easy
Example: fg,p(x) = gx mod p is not a trap-door one way
function.
Example: RSA is a trap-door OWF.

One-Way Function (OWF)

1. f is easy to compute.
2. f 1 is difficult to compute
Trapdoor One-Way Function (TOWF)
3. Given y and a trapdoor, x can be computed easily.

RSA (Rivest, Shamir & Adleman )

Each user generates a public/private key pair by

selecting two large primes at random - p, q
computing their system modulus N=p.q
note (N)=(p-1)(q-1)
selecting at random the encryption key e
where 1<e<(N), gcd(e, (N))=1
solve following equation to find decryption key d
e.d=1 mod (N) and 0dN
publish their public encryption key: KU={e, N}
keep secret private decryption key: KR={d, p, q}

RSA (Rivest, Shamir & Adleman )

to encrypt a message M the sender:

obtains public key of recipient KU={e,N}
computes: C=Me mod N, where 0M<N
to decrypt the ciphertext C the owner:
uses their private key KR={d,p,q}
computes: M=Cd mod N
note that the message M must be smaller than the modulus N
(block if needed)

Why RSA Works

because of Euler's Theorem
a(n)mod N = 1
where gcd(a,N)=1
in RSA have
N=p.q
(N)=(p-1)(q-1)
carefully chosen e & d to be inverses mod (N)
hence e.d=1+k.(N) for some k
Hence
Cd = (Me)d = M1+k.(N) = M1.(M(N))q = M1.(1)q = M1 = M mod N

RSA Example
1.
2.
3.
4.
5.
6.
7.

Select primes: p=17 & q=11

Compute n = pq =1711=187
Compute (n)=(p1)(q-1)=1610=160
Select e : gcd(e,160)=1; choose e=7
Determine d: de=1 mod 160 and d < 160 Value is d=23
since 237=161= 10160+1
Publish public key KU={7,187}
Keep secret private key KR={23,17,11}

RSA Example Contd.

sample RSA encryption/decryption is:
given message M = 88 (nb. 88<187)
encryption:
C = 887 mod 187 = 11
decryption:
M = 1123 mod 187 = 88

Exponentiation

can use the Square and Multiply Algorithm

a fast, efficient algorithm for exponentiation
concept is based on repeatedly squaring base
and multiplying in the ones that are needed to compute the
result
look at binary representation of exponent
only takes O(log2 n) multiples for number n
eg. 75 = 74.71 = 3.7 = 10 mod 11
eg. 3129 = 3128.31 = 5.3 = 4 mod 11

Exponentiation

RSA Key Generation

users of RSA must
determine two primes at random - p, q
select either e or d and compute the other
primes p, q must not be easily derived from modulus N=p.q
means must be sufficiently large
typically guess and use probabilistic test
exponents e, d are inverses, so use Inverse algorithm to
compute the other

RSA Security
Three approaches to attacking RSA
brute force key search (infeasible given size of numbers)
mathematical attacks (based on difficulty of computing
(N), by factoring modulus N)
timing attacks (on running of decryption)

Factoring Problem
mathematical approach takes 3 forms:
factor N=p.q, hence find (N) and then d
determine (N) directly and find d
find d directly
currently believe all equivalent to factoring
have seen slow improvements over the years
as of Aug-99 best is 130 decimal digits (512) bit with GNFS
biggest improvement comes from improved algorithm
cf Quadratic Sieve to Generalized Number Field Sieve
barring dramatic breakthrough 1024+ bit RSA secure
ensure p, q of similar size and matching other constraints

Timing Attacks
developed in mid-1990s
exploit timing variations in operations
eg. multiplying by small vs large number
or IF's varying which instructions executed
infer operand size based on time taken
RSA exploits time taken in exponentiation
countermeasures
use constant exponentiation time
add random delays
blind values used in calculations

The Multiplicative Group Zpq*

Let p and q be two large primes.
Denote their product N = pq .
The multiplicative group ZM* =Zpq* contains
all integers in the range [1,pq-1] that are
relatively prime to both p and q.
The size of the group is
(pq) = (p-1) (q-1) = N - (p+q) + 1,
so for every x Zpq*, x(p-1)(q-1) = 1.

Exponentiation in Zpq*
Motivation: We want to exponentiation for
encryption.
Let e be an integer, 1 < e < (p-1) (q-1).
Question: When is exponentiation to the eth
power, x --> xe, a one-to-one op in Zpq* ?

Exponentiation in Zpq*
Claim: If e is relatively prime to (p-1)(q-1)
then x --> xe is a one-to-one op in Zpq*
Constructive proof: Since gcd(e, (p-1)(q-1))=1,
e has a multiplicative inverse mod (p-1)(q-1).
Denote it by d, then ed=1 + C(p-1)(q-1).
Let y=xe, then yd =(xe)d=x1+C(p-1)(q-1) =x
meaning y --> yd is the inverse of x-->xe QED

RSA Public Key Cryptosystem

Let N=pq be the product of two primes

Choose e such that gcd(e,(N))=1
Let d be such that de1 mod (N)
The public key is (N,e)
The private key is d
Encryption of MZN* by C=E(M)=Me mod N
Decryption of CZN* by M=D(C)=Cd mod N

Constructing an instance of RSA PKC

Alice first picks at random two large primes, p and q.
Alice then picks at random a large d that is relatively prime to (p1)(q-1) ( gcd(d,(N))=1 ).
Alice computes e such that de1 mod (N)
Let N=pq be the product of p and q.
Alice publishes the public key (N,e).
Alice keeps the private key d, as well as the primes p, q and the
number (N), in a safe place.

A Small Example
Let p=47, q=59, N=pq=2773. (N)= 46*58=2668.
Pick d=157, then 157*17 - 2668 =1, so e=17 is
the inverse of 157 mod 2668.
For N =2773 we can encode two letters per
Block, using a two digit number per letter:
blank=00, A=01,B=02,,Z=26.
Message: ITS ALL GREEK TO ME is encoded
0920 1900 0112 1200 0718 0505 1100 2015 0013 0500

A Small Example
N=2773, e=17 (10001 in binary).
ITS ALL GREEK TO ME is encoded as
0920 1900 0112 1200 0718 0505 1100 2015 0013 0500
First block M=0920 encrypts to
Me= M17 = (((M2)2 )2 )2 * M = 948 (mod 2773)
The whole message (10 blocks) is encrypted as
0948 2342 1084 1444 2663 2390 0778 0774 0219 1655
Indeed 0948d=0948157=920 (mod 2773), etc.

RSA as a One Way Trapdoor Function.

easy

xe mod N
hard

Easy with trapdoor info ( d )

Attacks on RSA
1.

Factor N=pq. This is believed hard unless p, q have

some bad properties. To Avoid such primes, it is
recommended to
Take p, q large enough (100 digits each).
Make sure p, q are not too close together.
Make sure both (p-1), (q-1) have large prime factors (to
foil Pollards rho algorithm).

Basic Scheme
A public key encryption scheme includes the following
elements:
A private key k
A public key k
An encryption algorithm, which is a trap door OWF. The
trap-door info is the private key
Public key is published
Encryption uses the public key (anyone can encrypt)
Decryption requires the private key

Properties of RSA
The requirement (e,(n))=1 is important for uniqueness
Finding d, given p and q is easy. Finding d given only n and e is
assumed to be hard (the RSA assumption)
The public exponent e may be small. Typically its value is either
3 (problematic) or 216+1
Each encryption involves several modular multiplications.
Decryption is longer.

Plaintext/Ciphertext
Unlike in symmetric-key cryptography, plaintext and ciphertext are
treated as integers in asymmetric-key cryptography.
Encryption/Decryption
C = f (Kpublic , P)

P = g(Kprivate , C)

Problem No. 1
In the RSA public-key encryption scheme, each user has
a public key, e, and a private key, d. Suppose Bob leaks
his private key. Rather than generating a new modulus, he
decides to generate a new public and a new private
key. Is this safe?

Solution to Problem No. 1

Problem No. 2
Suppose we have a set of blocks encoded with the RSA
algorithm and we dont have the private key.Assume n = pq, e
is the public key. Suppose also someone tells us they know
one of the plaintext blocks has a common factor with n. Does
this help us in any way?

Solution to Problem No. 2

Yes.
If a plaintext block has a common factor with n modulo n then
the encoded block will also have a common factor with n modulo
n.
Because we encode blocks, which are smaller than pq, the factor
must be p or q and the plaintext block must be a multiple of p or
q. We can test each block for primality. If prime, it is p or q. In
this case we divide into n to find the other factor. If not prime, we
factor it and try the factors as divisors of n.