Leksion 8 Public Key Algorithms

8/12/2019 Leksion 8 Public Key Algorithms

http://slidepdf.com/reader/full/leksion-8-public-key-algorithms 1/49

Public Key Algorithms I

MsC, Ing. Ezmerina [email protected]



Overview

Why Public Key Cryptography?

Public Key Cryptography Applications

Modular arithmetic RSA

Diffie-Hellman Key Exchange



Private-KeyCryptography

Traditional private/secret/single key cryptography

uses one key Shared by both sender and receiver

If this key is disclosed communications are

compromised

Also is symmetric, parties are equal Hence does not protect sender from receiver forging a

message & claiming is sent by sender



Encryption



Authentication



Why Public-KeyCryptography?

Developed to address two key issues:

o key distribution – how to have securecommunications in general without having to trust

a KDC with your key

o digital signatures – how to verify a message

comes intact from the claimed sender Public invention due to Whitfield Diffie & Martin

Hellman at Stanford Uni in 1976

o known earlier in classified community



Public-KeyCharacteristics

Public-Key algorithms rely on two keys with the

characteristics that it is:

o computationally infeasible to find decryption keyknowing only algorithm & encryption key

o computationally easy to en/decrypt messages

when the relevant (en/decrypt) key is knowno either of the two related keys can be used for

encryption, with the other used for decryption (in

some schemes)



Private vs. Public KeyEncryption



Public-Key Applications

Can classify uses into 3 categories:

o encryption/decryption (provide secrecy)

o digital signatures (provide authentication)

o key exchange (of session keys) Some algorithms are suitable for all uses, others are

specific to one



Algorithms’ use



Security of Public KeySchemes

Like private key schemes brute force exhaustive search

attack is always theoretically possible But keys used are too large (>512bits)

Security relies on a large enough difference in difficulty

between easy (en/decrypt) and hard (cryptanalyse)

problemsMore generally the hard problem is known, its just

made too hard to do in practise

Requires the use of very large numbers

Hence is slow compared to private key schemes



Modular Arithmetic

Public key algorithms are based on modular

arithmetic.

Modular addition.

Modular multiplication.

Modular exponentiation.



Modular Addition

Addition modulo (mod) K

o Poor cipher with (dk +dm) mod K , e.g., if K =10 and

dk is the key.

o Examples: 5+5=0, 9+9=8Additive inverse: addition mod K yields 0.

“Decrypt” by adding inverse.

o 7+4 =1 1+6 =7



Modular Multiplication

Multiplication modulo K

Multiplicative inverse: multiplication mod K yields 1

Only some numbers have inverse for example 3 - 7

Use Euclid ’s algorithm to find inverseo Given x, n, it finds y such that x∗y mod n = 1

All number relatively prime to n will have mod n

multiplicative inverse



Prime Numbers

Prime numbers only have divisors of 1 and self

o they cannot be written as a product of other

numbers

o note: 1 is prime, but is generally not of interest eg. 2,3,5,7 are prime, 4,6,8,9,10 are not

Prime numbers are central to number theory

List of prime number less than 200 is:



Prime Factorisation

to factor a number n is to write it as a product of

other numbers: n=a × b × c

note that factoring a number is relatively hard

compared to multiplying the factors together togenerate the number

the prime factorisation of a number n is when its

written as a product of primes

eg. 91=7×13 ; 3600=24×32×52



Fermat's Theorem

a p-1 mod p = 1

o where p is prime and gcd(a,p)=1

Also known as Fermat’s Little Theorem

Useful in public key and primality testing



Totient Function

x, m relative prime: no other common factor than 1 Totient function ø(n): number of integers less than n

relatively prime to n

o if n is prime, ø(n)=n-1o if n=p∗q, and p, q are primes, ø(n)=(p-1)(q-1)



Euler Totient Functionø(n)

When doing arithmetic modulo n

complete set of residues is: 0..n-1 reduced set of residues is those numbers (residues)

which are relatively prime to n

o eg for n=10,

o complete set of residues is {0,1,2,3,4,5,6,7,8,9}o reduced set of residues is {1,3,7,9}

Number of elements in reduced set of residues is called

the Euler Totient Function ø(n)



Euler Totient Functionø(n)

To compute ø(n) need to count number of elements to

be excluded in general need prime factorization, but

o for p (p prime) ø(p) = p-1

o for p.q (p,q prime) ø(p.q) = (p-1)(q-1)

eg.o ø(37) = 36

o ø(21) = (3–1)×(7–1) = 2×6 = 12



Euler's Theorem

A generalisation of Fermat's Theorem aø(n)mod N = 1

where gcd(a,N)=1

eg.a=3; n=10; ø(10)=4;

hence 34 = 81 = 1 mod 10

a 2 n 11 ø(11) 10

a=2;n=11; 11)=10;hence 210 = 1024 = 1 mod 11



Modular Exponentiation

x y mod n = x y mod ø(n) mod n for n prime and for square free

if y = 1 mod ø(n) then x y mod n = x mod n



RSA (Rivest, Shamir,Adleman)

The most popular one.

Support both public key encryption and digital signature.

Assumption/theoretical basis:o Factoring a big number is hard.

Variable key length (usually 512 bits).

Variable plaintext block size.

o Plaintext must be “smaller” than the key.

o Ciphertext block size is the same as the key length.



What Is RSA?

To generate key pair:o Pick large primes (>= 256 bits each) p and q

o Let n = p*q, keep your p and q to yourself!

o For public key, choose e that is relatively prime to

ø(n) =(p-1)(q-1), let pub = <e,n>o For private key, find d that is the multiplicative

inverse of e mod ø(n), i.e., e*d = 1 mod ø(n), let priv

= <d,n>



How Does RSA Work?

Given pub = <e, n> and priv = <d, n>o encryption: c = me mod n, m < n

o decryption: m = cd mod n

o signature: s = md mod n, m < n

o verification: m = se mod n



Why Does RSA Work?

Given pub = <e, n> and priv = <d, n>o n =p*q, ø(n) =(p-1)(q-1)

o e*d = 1 mod ø(n)

o xe∗d = x mod n

o encryption: c = me mod no decryption: m = cd mod n = me∗ d mod n = m mod n = m

(since m < n)

o digital signature (similar)



Why Is RSA Secure?

Factoring 512-bit number is very hard!

But if you can factor big number n then given public

key <e,n>, you can find d , hence the private key by:

o Knowing factors p, q, such that, n = p*q

o Then ø(n) =(p-1)(q-1)o Then d such that e*d = 1 mod ø(n)

Factoring n might not be the only way to break RSA



RSA Example

1. Select primes: p=17 & q=112. Compute n = pq =17×11=187

3. Compute ø(n)=( p– 1)(q-1)=16×10=160

4. Select e : gcd(e,160)=1; choose e=7

5. Determine d: de=1 mod 160 and d < 160 Value isd=23 since 23×7=161= 10×160+1

6. Publish public key KU={7,187}

7. Keep secret private key KR={23,187}



RSA Example cont

sample RSA encryption/decryption is:

given message M = 88 (nb. 88<187)

encryption:

C = 887 mod 187 = 11

decryption:M = 1123 mod 187 = 88



Example 2

Communication between Alice and Bob

Alice chooses:

o p=7, q=11. So n=77 and ø(n)=60

o gcd(e, 60)=1; choose e = 17

o de=1 mod 60 and d < 60 Value is d=53 since53×17=901= 15×60+1

Plaintext: HELLO WORLD

A – 00, …, Z -25, blank – 26

Plaintext: 07 04 11 11 14 26 22 14 17

11 03



Example 2 (cont.)

07

17

mod 77 =28, …, 0317

mod 77 = 75 Ciphertext : 28 16 44 44 42 38 22 42 19 44 75

No one would use RSA on blocks of small size

Open to rearrangements of blocks and language analysis

The plaintext is padded with random data to make up a block Include information about the order of blocks. If

rearranged the receiver will be aware



Example 3

RSA used for authenticationAlice encrypts HELLO WORLD with her private key:

o 0753 mod 77 =35, …, 0353 mod 77 = 75

o 35 09 44 93 12 24 94 04 05

Providing both confidentiality and authentication. Bob’s public key is 37 and private key is 13

The ciphertext is:

o (0753 mod 77)37 mod 77 = 07 … (0353 mod 77)37 mod 77

= 47

Bob decrypts: (0713 mod 77)17 mod 77 = 07 …

(4713 mod 77)17 mod 77 = 03



How Efficient are theRSA Operations?

Encryption and decryption should be very efficient,

because they will be routinely performed

Finding RSA keys (n,d,e) not very critical – it is doneless frequently.

Encryption and decryption:

o Raising a large number to a large power for example

12354 mod 678

o For RSA to be secure number with 150 digits raised in

power of 150 – it will take more than the life of the

universe



RSA Key Generation

Users of RSA must:o determine two primes at random - p, q

o select either e or d and compute the other

primes p,q must not be easily derived from modulus

N=p.qo means must be sufficiently large

o typically guess and use probabilistic test

exponents e, d are inverses, so use Inverse algorithm

to compute the other (Euclid’s algorithm)



RSA Security

Three approaches to attacking RSA:o brute force key search (infeasible given size of numbers)

o mathematical attacks (based on difficulty of computing

ø(N), by factoring modulus N)

o timing attacks (on running of decryption)



Factoring Problem

Mathematical approach takes 3 forms:o factor N=p.q, hence find ø(N) and then d

o determine ø(N) directly and find d

o find d directly

Currently believe all equivalent to factoringo have seen slow improvements over the years

• as of Aug-99 best is 130 decimal digits (512) bit with GNFS

o biggest improvement comes from improved algorithm

• cf “Quadratic Sieve” to “Generalized Number Field Sieve”

o barring dramatic breakthrough 1024+ bit RSA secure• ensure p, q of similar size and matching other constraints



Timing Attacks

Developed in mid-1990’s Exploit timing variations in operations

o eg. multiplying by small vs large number

o or time varying which instructions executed

Infer operand size based on time taken RSA exploits time taken in exponentiation

Countermeasures

o use constant exponentiation time

o add random delays

o blind values used in calculations



Diffie-Hellman KeyExchange

Shared key, public communication

No authentication of partners

What’s involved?o p is a prime (about 512 bits), and g < p

o p and g are publicly known



Diffie-Hellman KeyExchange

Procedure



DH Security - DiscreteLogarithm Is Hard

T = gs mod p

Conjecture: given T, g, p, it is extremely hard to

compute the value of s (discrete logarithm)



Diffie-Hellman Scheme Security factors

o Discrete logarithm very difficult.

o Shared key (the secret) itself never transmitted.

Disadvantages:

o Expensive exponential operation• DoS possible.

o The scheme itself cannot be used to encrypt anything – it

is for secret key establishment.

o No authentication, so you can not sign anything …



Diffie-Hellman in PhoneBook Mode

DH was subject to active man-in-the-middle attack

because their public key-component was intercepted

and substituted Phone book mode allows everyone to generate the

public key-component in advance and publish them

through other reliable means, e.g. <T B> for bob

All communicating parties agree on their common <g, p>



Encryption With Diffie-Hellman



Example



Summary

Public Key Cryptography?

Public Key Cryptography Applications

Modular arithmetic

RSA

Diffie-Hellman Key Exchange

Leksion 8 Public Key Algorithms

Documents

Transcript of Leksion 8 Public Key Algorithms