8/12/2019 Assymtertic Key Introduction
Symmetric-Key Cryptography
Objectives
To distinguish between two cryptosystems:
symmetric-key and asymmetric-key
To introduce trapdoor one-way functions and their
use in asymmetric-key cryptosystems
To introduce the knapsack cryptosystem as one of
the first ideas in asymmetric-key cryptography
To discuss the RSA cryptosystem
To discuss the Rabin cryptosystem
To discuss the ElGamal cryptosystem
To discuss the elliptic curve cryptosystem
INTRODUCTION
Symmetric and asymmetric-key cryptography will exist
in parallel and continue to serve the community. We
actually believe that they are complements of each
other; the advantages of one can compensate for the
disadvantages of the other.
1 Keys
2 General Idea
3 Need for Both
4 Trapdoor One-Way Function
5 Knapsack Cryptosystem
Note: Symmetric-key cryptography is based on sharing secrecy;
asymmetric-key cryptography is based on personal secrecy.
Keys
Asymmetric-key cryptography uses two separate keys: one
private and one public.
[Figure: Locking and unlocking in asymmetric-key cryptosystem]
General Idea
[Figure: General idea of asymmetric-key cryptosystem]
Plaintext/Ciphertext
Unlike in symmetric-key cryptography, plaintext and
ciphertext are treated as integers in asymmetric-key
cryptography.
Encryption/Decryption
$C = f(K_{public}, P)$
$P = g(K_{private}, C)$
Need for Both
There is a very important fact that is sometimes
misunderstood: the advent of asymmetric-key
cryptography does not eliminate the need for
symmetric-key cryptography.
Trapdoor One-Way Function
The main idea behind asymmetric-key cryptography is the
concept of the trapdoor one-way function.
Functions
[Figure: A function as a rule mapping a domain to a range]
One-Way Function (OWF)
1. $f$ is easy to compute.
2. $f^{-1}$ is difficult to compute.
Trapdoor One-Way Function (TOWF)
3. Given $y$ and a trapdoor, $x$ can be
computed easily.
Example
When $n$ is large, $n = p \times q$ is a one-way function. Given $p$ and
$q$, it is always easy to calculate $n$; given $n$, it is very difficult to
compute $p$ and $q$. This is the factorization problem.
Example
When $n$ is large, the function $y = x^k \bmod n$ is a trapdoor
one-way function. Given $x$, $k$, and $n$, it is easy to calculate $y$.
Given $y$, $k$, and $n$, it is very difficult to calculate $x$. This is the discrete
logarithm problem. However, if we know the trapdoor, $k'$ such
that $k \times k' = 1 \bmod \phi(n)$, we can use $x = y^{k'} \bmod n$ to find $x$.
RSA CRYPTOSYSTEM
The most common public-key algorithm is the RSA
cryptosystem, named for its inventors (Rivest, Shamir,
and Adleman).
1 Introduction
2 Procedure
3 Some Trivial Examples
4 Attacks on RSA
5 Recommendations
6 Optimal Asymmetric Encryption Padding (OAEP)
7 Applications
[Figure: Complexity of operations in RSA]
Procedure
[Figure: Encryption, decryption, and key generation in RSA]
Two Algebraic Structures
Encryption/Decryption Ring: R =
Key-Generation Group: G =
Encryption
Decryption
Proof of RSA
Some Trivial Examples
Example
Bob chooses 7 and 11 as $p$ and $q$ and calculates $n = 77$. The
value of $\phi(n) = (7 - 1)(11 - 1)$ or 60. Now he chooses two
exponents, $e$ and $d$, from $Z_{60}$. If he chooses $e$ to be 13, then $d$
is 37. Note that $e \times d \bmod 60 = 1$ (they are inverses of each
Now imagine that Alice wants to send the plaintext 5 to Bob.
She uses the public exponent 13 to encrypt 5.
Bob receives the ciphertext 26 and uses the private key 37 to
decipher the ciphertext:
Example
Now assume that another person, John, wants to
send a message to Bob. John can use the same
public key announced by Bob (probably on his
website), 13; John's plaintext is 63. John calculates
the following:
Bob receives the ciphertext 28 and uses his private key 37 to
decipher the ciphertext:
Example
Suppose Ted wants to send the message NO to
Jennifer. He changes each character to a number
(from 00 to 25), with each character coded as two
digits. He then concatenates the two coded
characters and gets a four-digit number. The plaintext
is 1314. Figure 10.7 shows the process.
Jennifer creates a pair of keys for herself. She
chooses $p = 397$ and $q = 401$. She calculates
$n = 159197$. She then calculates $\phi(n) = 158400$. She
then chooses $e = 343$ and $d = 12007$. Show how Ted
can send a message to Jennifer if he knows $e$ and $n$.
[Figure: Encryption and decryption]
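The three worked examples above (Alice, John and Ted) can be reproduced with textbook RSA. This is an added example, not part of the original slides; the function names are illustrative, and it uses no padding, as in the slides' examples.

```python
# Added example: textbook RSA with the slides' toy parameters (no padding).

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def make_keys(p, q, e):
    """Key generation: n = p*q, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e has no inverse: gcd(e, phi(n)) != 1")
    return (e, n), (x % phi, n)              # (public key, private key)

def encrypt(m, public):
    e, n = public
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer with 0 <= m < n")
    return pow(m, e, n)                      # C = P^e mod n

def decrypt(c, private):
    d, n = private
    return pow(c, d, n)                      # P = C^d mod n

def encode(text):
    """Ted's coding: A=00 ... Z=25, two digits per letter, concatenated."""
    return int("".join(f"{ord(ch) - ord('A'):02d}" for ch in text))

def decode(number, length):
    digits = str(number).zfill(2 * length)   # restore leading zeros
    return "".join(chr(int(digits[i:i + 2]) + ord("A"))
                   for i in range(0, len(digits), 2))

if __name__ == "__main__":
    bob_pub, bob_priv = make_keys(7, 11, 13)
    print("Bob's d =", bob_priv[0])
    for sender, m in (("Alice", 5), ("John", 63)):
        c = encrypt(m, bob_pub)
        print(sender, "sends", c, "-> Bob recovers", decrypt(c, bob_priv))
    jen_pub, jen_priv = make_keys(397, 401, 343)
    c = encrypt(encode("NO"), jen_pub)
    print("Ted sends", c, "-> Jennifer reads", decode(decrypt(c, jen_priv), 2))
```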
Attacks on RSA
[Figure: Taxonomy of potential attacks on RSA]
Attacks on RSA
Factorization
The security of RSA is based on the fact
that the modulus is so large that it is
infeasible to factor it in a reasonable time.
To be secure, RSA requires that n be
300 decimal digits, so the modulus must be
at least 1024 digits.
No factorization algorithm to date can
factor such a large number in a
reasonable amount of time.
Attacks on RSA
Chosen-Ciphertext Attack
1. Eve intercepts c, a ciphertext message from Alice.
2. Eve chooses a random number r, r
Attacks on Encryption Component of RSA
To reduce encryption time, a low value of e
is sometimes used.
Coppersmith Theorem Attack:
For a polynomial f(x) of degree e modulo n, one
can use an algorithm of complexity log n to
find the roots if one of the roots is smaller
than $n^{1/e}$.
Broadcast attack:
Applies when an entity sends the same message to a
group of recipients with the same low
encryption exponent.
$C_1 = P^3 \bmod n_1$, $C_2 = P^3 \bmod n_2$, $C_3 = P^3 \bmod n_3$
By CRT, $C = P^3 \bmod n_1 n_2 n_3$.
Hence $P^3 < n_1 n_2 n_3$, so $C = P^3$.
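An added example (not from the original slides) that carries the CRT argument above through on constructed toy moduli with e = 3, and shows that the recovery fails once each recipient's plaintext differs. The moduli, messages and function names are assumptions; the per-recipient prefix is only a toy stand-in for randomized padding such as OAEP.

```python
# Added example: the broadcast case with e = 3.
# MODULI and all messages are small constructed values, not real keys.
from math import prod

E = 3
MODULI = [101 * 107, 113 * 131, 137 * 149]    # pairwise coprime toy moduli

def crt(residues, moduli):
    """Combine C_i mod n_i into the unique C mod n_1*n_2*n_3."""
    N = prod(moduli)
    total = 0
    for c, n in zip(residues, moduli):
        m = N // n
        total += c * m * pow(m, -1, n)        # m * (m^-1 mod n) is 1 mod n, 0 mod the others
    return total % N

def icbrt(x):
    """Floor of the integer cube root, by binary search."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def recover_common_plaintext(ciphertexts, moduli):
    """Return P if C from the CRT is an exact cube P^3, else None."""
    c = crt(ciphertexts, moduli)
    root = icbrt(c)
    return root if root ** 3 == c else None

def broadcast(messages, moduli):
    """Unpadded RSA encryption of one message per recipient."""
    return [pow(m, E, n) for m, n in zip(messages, moduli)]

# Same plaintext (1314, i.e. "NO") to all three recipients.
SAME = broadcast([1314, 1314, 1314], MODULI)
# Constructed: message 14 with a different two-digit prefix per recipient.
PADDED = broadcast([3714, 5214, 9114], MODULI)

if __name__ == "__main__":
    print("identical plaintexts :", recover_common_plaintext(SAME, MODULI))
    print("per-recipient prefix :", recover_common_plaintext(PADDED, MODULI))
```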
Attacks on Decryption Exponent of RSA
Revealed decryption component attack:
If Eve knows the value of d, she can use a
probabilistic algorithm to factor n and find
the values of p and q.
If Bob changes only the compromised
decryption exponent, but keeps the same
modulus n, then Eve will be able to decrypt
future messages because she has the
factorization of n.
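An added example (not from the original slides) of why the modulus must be replaced after d leaks, using Bob's toy key n = 77, e = 13, d = 37 from the earlier example. The function names and the replacement exponent 7 are assumptions; the routine is one standard probabilistic method, based on finding a square root of 1 modulo n other than ±1.

```python
# Added example: a leaked d gives away p and q, so changing only e and d is not enough.
import random
from math import gcd

def factor_from_d(n, e, d, rng=None):
    """Probabilistic factoring of n from a valid (e, d) pair."""
    rng = rng or random.Random()
    m = e * d - 1                  # multiple of the order of every unit mod n
    while m % 2 == 0:
        m //= 2                    # e*d - 1 = m * 2^t with m odd
    while True:
        g = rng.randrange(2, n - 1)
        if gcd(g, n) != 1:         # g already shares a factor with n
            p = gcd(g, n)
            return tuple(sorted((p, n // p)))
        x = pow(g, m, n)
        while x not in (1, n - 1):
            y = (x * x) % n
            if y == 1:             # x is a square root of 1 other than +-1
                p = gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            x = y
        # this g revealed nothing; try another one

def rederive_private_exponent(n, e_old, d_old, e_new):
    """Private exponent matching e_new when the modulus n is kept."""
    p, q = factor_from_d(n, e_old, d_old)
    return pow(e_new, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    print("factors of 77:", factor_from_d(77, 13, 37))
    # Bob keeps n = 77 and switches to e = 7 (assumed value for the demo).
    print("new d derived from the old pair:", rederive_private_exponent(77, 13, 37, 7))
```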
Timing attack
The attack is based on the fast-exponential
algorithm.
The algorithm uses only squaring if the
corresponding bit in the decryption
exponent d is 0; otherwise it uses both squaring
and multiplication.
The time required for each iteration is longer if
the corresponding bit in d is 1.
The timing difference allows Eve to compute
the bits in d one by one.
Timing attack
Solutions:
1. Add random delays during exponentiation.
2. Blinding:
   1. Select a secret random number $r$
      between 1 and $n - 1$.
   2. Calculate $C_1 = C \times r^e \bmod n$.
   3. Calculate $P_1 = C_1^d \bmod n$.
   4. Calculate $P = P_1 \times r^{-1} \bmod n$.
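An added example (not from the original slides) that models the per-bit behaviour of fast exponentiation described above and then applies the four blinding steps to Bob's toy key n = 77, e = 13, d = 37. Function names are illustrative; the gcd check on r is an added assumption so that r^-1 mod n exists.

```python
# Added example: per-bit cost of square-and-multiply, and RSA blinding.
import secrets
from math import gcd

def square_and_multiply(base, exp, mod):
    """Left-to-right fast exponentiation; returns (result, operation trace)."""
    result, trace = 1, []
    for bit in bin(exp)[2:]:
        result = (result * result) % mod       # every iteration squares
        ops = "S"
        if bit == "1":
            result = (result * base) % mod     # extra multiply only for 1 bits
            ops = "SM"
        trace.append(ops)
    return result, trace

def bits_from_trace(trace):
    """What per-iteration cost reveals in this model: SM -> 1, S -> 0."""
    return int("".join("1" if ops == "SM" else "0" for ops in trace), 2)

def blinded_decrypt(c, d, e, n, r=None):
    """The four blinding steps; returns (P, C1)."""
    while r is None or gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1       # step 1: 1 <= r <= n - 1
    c1 = (c * pow(r, e, n)) % n                # step 2: C1 = C * r^e mod n
    p1, _ = square_and_multiply(c1, d, n)      # step 3: P1 = C1^d mod n
    p = (p1 * pow(r, -1, n)) % n               # step 4: P = P1 * r^-1 mod n
    return p, c1

if __name__ == "__main__":
    n, e, d, c = 77, 13, 37, 26                # values from the slides' example
    plain, trace = square_and_multiply(c, d, n)
    print("plaintext:", plain, "trace:", trace)
    print("exponent read back from the trace:", bits_from_trace(trace))
    # The sender chose C, but the exponentiation runs on C1, which depends on
    # the secret r, so measured timings no longer line up with known inputs.
    for _ in range(3):
        print("blinded (P, C1):", blinded_decrypt(c, d, e, n))
```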
Power attack
Similar to timing attack.
Kocher showed that if Eve can measure the power consumed
during decryption, then a similar idea can be
used.
An iteration involving squaring and
multiplication requires more power.