Symmetric-Key

Cryptography

Objectives

To distinguish between two cryptosystems:

symmetric-key and asymmetric-key

To introduce trapdoor one-way functions and their

use in asymmetric-key cryptosystems

To introduce the knapsack cryptosystem as one of

the first ideas in asymmetric-key cryptography

To discuss the RSA cryptosystem

To discuss the Rabin cryptosystem

To discuss the ElGamal cryptosystem

To discuss the elliptic curve cryptosystem

INTRODUCTION

Symmetric and asymmetric-key cryptography will exist

in parallel and continue to serve the community. We

actually believe that they are complements of each

other; the advantages of one can compensate for the

disadvantages of the other.

1 Keys

2 General Idea

3 Need for Both

4 Trapdoor One-Way Function

5 Knapsack Cryptosystem

INTRODUCTION

Symmetric and asymmetric-key cryptography will exist

in parallel and continue to serve the community. We

actually believe that they are complements of each

other; the advantages of one can compensate for the

disadvantages of the other.

Symmetric-key cryptography is based on sharing secrecy;

asymmetric-key cryptography is based on personal secrecy.

Note

Asymmetric key cryptography uses two separate keys: one

private and one public.

Keys

Locking and unlocking in asymmetric-key cryptosystem

General Idea

General idea of asymmetric-key cryptosystem

Plaintext/Ciphertext

Unlike in symmetric-key cryptography, plaintext and

ciphertext are treated as integers in asymmetric-key

cryptography.

C = f (Kpublic , P) P = g(Kprivate , C)

Encryption/Decryption

There is a very important fact that is sometimes

misunderstood: The advent of asymmetric-key

cryptography does not eliminate the need for symmetric-

key cryptography.

Need for Both

The main idea behind asymmetric-key cryptography is the

concept of the trapdoor one-way function.

Trapdoor One-Way Function

Functions

A function as rule mapping a domain to a range

Trapdoor One-Way Function (TOWF)

One-Way Function (OWF)

1. f is easy to compute.

2. f −1 is difficult to compute.

3. Given y and a trapdoor, x can be

computed easily.

Example

Example

When n is large, n = p × q is a one-way function. Given p and

q , it is always easy to calculate n ; given n, it is very difficult to

compute p and q. This is the factorization problem.

When n is large, the function y = xk mod n is a trapdoor one-

way function. Given x, k, and n, it is easy to calculate y. Given

y, k, and n, it is very difficult to calculate x. This is the discrete

logarithm problem. However, if we know the trapdoor, k′ such

that k × k ′ = 1 mod f(n), we can use x = yk′ mod n to find x.

RSA CRYPTOSYSTEM

The most common public-key algorithm is the RSA

cryptosystem, named for its inventors (Rivest, Shamir,

and Adleman).

1 Introduction

2 Procedure

3 Some Trivial Examples

4 Attacks on RSA

5 Recommendations

6 Optimal Asymmetric Encryption Padding (OAEP)

7 Applications

Complexity of operations in RSA

Procedure

Encryption, decryption, and key generation in RSA

Two Algebraic Structures

Encryption/Decryption Ring: R = <Zn , +, × >

Key-Generation Group: G = <Z f(n)∗, × >

Encryption

Decryption

Proof of RSA

Some Trivial Examples Example

Bob chooses 7 and 11 as p and q and calculates n = 77. The

value of f(n) = (7 − 1)(11 − 1) or 60. Now he chooses two

exponents, e and d, from Z60∗. If he chooses e to be 13, then d

is 37. Note that e × d mod 60 = 1 (they are inverses of each

Now imagine that Alice wants to send the plaintext 5 to Bob.

She uses the public exponent 13 to encrypt 5.

Bob receives the ciphertext 26 and uses the private key 37 to

decipher the ciphertext:

Some Trivial Examples Example

Bob receives the ciphertext 28 and uses his private key 37 to

decipher the ciphertext:

Now assume that another person, John, wants to

send a message to Bob. John can use the same

public key announced by Bob (probably on his

website), 13; John’s plaintext is 63. John calculates

the following:

Example

Suppose Ted wants to send the message “NO” to

Jennifer. He changes each character to a number

(from 00 to 25), with each character coded as two

digits. He then concatenates the two coded

characters and gets a four-digit number. The plaintext

is 1314. Figure 10.7 shows the process.

Jennifer creates a pair of keys for herself. She

chooses p = 397 and q = 401. She calculates

n = 159197. She then calculates f(n) = 158400. She

then chooses e = 343 and d = 12007. Show how Ted

can send a message to Jennifer if he knows e and n.

Encryption and decryption

Attacks on RSA

Taxonomy of potential attacks on RSA

Attacks on RSA

Factorization

The security of RSA is based on the fact

that modulus is so large that it is

infeasible to factor it in reasonable time.

To be secure, RSA requires that n will be

300 decimal digits, then modulus must be

at least 1024 digits.

No factorization algorithm till date can

factorize such a large number in

reasonable amount of time.

Attacks on RSA Chosen-Ciphertext Attack

1. Eve intercepts c a ciphertext message from

Alice.

2. Eve chooses a random number r, r<n;

3. Eve finds Alice’s public key e.

4. Eve: x= r^e mod n

5. Eve: y = x c mod n

6. Eve: t = r^-1 mod n

7. If x = r^e mod n, then r = x^d mod n

8. Eve requests Alice to sign y with her private

key d.

9. Alices sends Eve, u = y^d mod n

10.Eve: t u mod n = r^-1 y^d mod n = r^-1 x^d

c^d mod n = c^d mod n = m.

Attacks on Encryption Component of RSA

To reduce encryption time, a low value of e

is used sometimes.

Coppersmith Theorem Attack:

In a mod n polynomial f(x) of degree e, one

can use an algorithm of complexity log n to

find the roots if one of the roots is smaller

than n^(1/e).

Attacks on Encryption Component of RSA

To reduce encryption time, a low value of e

is used sometimes.

Broadcast attack:

If an entity sends the same message to a

group of recipients with the same low

encryption exponent.

C1 = P^3 mod n1,

C2 = P^3 mod n2

C3 = P^3 mod n3

By CRT, C’ = P^3 mod n1 n2 n3.

Hence P^3 < n1 n2 n3, - C’ = P^3.

Attacks on Decryption Exponent of RSA

Revealed decryption component attack:

If Eve knows the value of d, she can use a

probabilistic algorithm to factor n and find

the value of p and q.

If Bob changes only the compromised

decryption exponent, but keeps the same

modulus n, then Eve will be able to decrypt

future messages because she has the

factorization n.

Timing attack

Attack is based on the fast-exponential

algorithm.

The algorithm uses only squaring if the

corresponding bit in the decryption

exponent is d is 0, else it uses both squaring

and multiplication.

Timing required for each iteration is longer if

the corresponding bit in d is 1.

The timing difference allows Eve to compute

the bits in d one by one.

Timing attack

Solutions:

1. Add random delays during

exponentiation.

2. Blinding:

1. Select a secret random number r

between 1 and n-1.

2. Calculate C1=C r ^e mod n

3. Calculate P1 = C1 ^d mod n

4. Calculate P = P1 r ^-1 mod n.

Power attack

Similar to timing attack.

Kocher showed that

If Eve can measure the power consumed

during decryption, then similar idea will be

used.

An iteration involving squaring and

multiplication requires more power.

Timing attack

Attack is based on the fast-exponential

algorithm.

The algorithm uses only squaring if the

corresponding bit in the decryption

exponent is d is 0, else it uses both squaring

and multiplication.

Timing required for each iteration is longer if

the corresponding bit in d is 1.

The timing difference allows Eve to compute

the bits in d one by one.