TEMPLETON SCHOLARSHIP PROJECT

What is the most effective cryptosystem for public-key encryption?

Author: Alex Wang
Institution: Wilson's School
July 2022
Contents

1 Introduction to cryptography
  1.1 Symmetric Encryption
  1.2 Asymmetric Encryption
  1.3 Trapdoor Functions: P vs NP
2 Divisibility and Primes
  2.1 Divisibility
  2.2 The Euclidean Algorithm
  2.3 Primes
3 Modular Arithmetic
  3.1 Congruences
  3.2 The Chinese Remainder Theorem
  3.3 Rings
  3.4 Fields
4 RSA
  4.1 A history of RSA
  4.2 Encryption
  4.3 Decryption
  4.4 Prime Factorisation
  4.5 Attacks
5 The Diffie-Hellman Key Exchange
  5.1 A history of the Diffie-Hellman Key Exchange
  5.2 The Key Exchange Protocol
  5.3 The Discrete Logarithm Problem
  5.4 Attacks - The Pohlig-Hellman Algorithm
6 Elliptic Curve Cryptography
  6.1 What is an Elliptic Curve?
  6.2 The Key Exchange Protocol
  6.3 The Elliptic Curve Discrete Logarithm Problem
7 Comparing Cryptosystems
  7.1 Security
  7.2 Efficiency
  7.3 Effect of Large Adversaries
8 Conclusion
1 Introduction to cryptography
Cryptography is the study of methods that allow two parties to communicate securely over an insecure network. Typically we refer to these two parties as Alice and Bob. The original data is called the plaintext and the encrypted data is called the ciphertext.
1.1 Symmetric Encryption
Symmetric encryption is a data encryption method where the same key is used to encrypt and decrypt messages. Until the 1970s it was the only form of encryption that existed, and it remains in universal use. Because a single key serves for both encryption and decryption, everyone involved in the data transfer must know (or agree upon) that key. On its own, symmetric encryption is therefore well suited to data at rest: data that is stored and encrypted locally, with no need to ship a key across a network. Examples include confidential business data stored on a local server [22]. (Symmetric encryption is also what protects data in transit, but only after the two ends have agreed on a key; how they do so is the subject of the rest of this report.)

There are two main types of symmetric encryption: block ciphers and stream ciphers [1]. Block ciphers encrypt data in fixed-length blocks, such as 64 or 128 bits; the most widely used block cipher is AES (the Advanced Encryption Standard). Stream ciphers are additive ciphers: each bit of plaintext is XORed with the corresponding bit of a secret keystream, so the ciphertext has the same length as the plaintext. RC4 and HC-256 are examples of stream ciphers (they are ciphers, not protocols). RC4 has known keystream biases, is no longer considered secure, and has been prohibited in TLS since 2015.
1.2 Asymmetric Encryption
Modern symmetric encryption is very secure: AES, for instance, supports key sizes of 128, 192 and 256 bits, and no practical attack on the full cipher is known. However, a problem remains for sending data over the internet: how can two parties who have never met agree on a key?

Consider two parties called Alice and Bob, where Alice wants to send a message to Bob. Internet transmission is a public channel, so Alice cannot send Bob her key over the internet without risking that someone in the middle intercepts it. With symmetric techniques alone, the only way for Alice and Bob to agree on a key is to use a private channel, for example meeting in person to exchange it. If Alice and Bob can only ever communicate over a public channel, they never have an opportunity to agree on a secret key without others listening in, and if the key is publicly visible then the symmetric encryption built on it is useless [22].
Therefore we need another way to establish encrypted communication over the internet. Until the 1970s, asymmetric encryption was thought to be impossible: all encrypted transmission used symmetric ciphers, and any two parties who wanted to communicate secretly had to exchange keys privately, perhaps through a courier. In the 1970s, however, several cryptosystems were developed independently of each other to deal with this problem.

An asymmetric cryptosystem uses two keys: a public key and a private key. In general, the key used to encrypt a message is public, and the key used to decrypt it is private. The encryption algorithm is built on a trapdoor one-way function: a function that is easy to compute in the forward direction (applying the public key to plaintext) but whose inverse (decryption) cannot be computed efficiently without the private key, which acts as the trapdoor. Not every one-way function has a trapdoor; the trapdoor is the extra secret that lets the key holder invert the function easily.
1.3 Trapdoor Functions: P vs NP
A trapdoor function is a function that is easy to compute but difficult to invert (to compute in the opposite direction) without a specific piece of information, such as the decryption key.

The analogy to a "trapdoor" comes from the fact that it is easy to fall through a trapdoor but difficult to climb back out, unless you have a ladder (which represents the decryption key).

Inverting a trapdoor function is a problem in the class NP (nondeterministic polynomial time). Problems in NP are characterised by the fact that a proposed solution is easy to check, even if no efficient way of finding a solution is known. For an asymmetric encryption algorithm, decryption is easy if you hold the decryption key (analogous to checking the answer to an NP problem), but recovering the plaintext by brute-force search without the key is believed to be infeasible [13].

As the size n of such a problem grows, the resources needed to check a solution grow like a polynomial in n, such as n^2. For the problems used in cryptography, however, the best known algorithms for finding the solution grow much faster: exponentially (roughly 2^n) for brute-force search, and sub-exponentially but still super-polynomially for the best factoring and discrete-logarithm algorithms. Exponential functions grow far more rapidly than polynomial functions, so such problems become practically unsolvable once n is sufficiently large. (Strictly, it is unproven that NP problems cannot be solved in polynomial time; this is the P vs NP question, and the security of these cryptosystems rests on the assumption that the specific problems they use are hard.)

Figure 1: the function 2^n (red) against n^2 (black)
2 Divisibility and Primes
2.1 Divisibility
We say that an integer b is divisible by an integer a if there is an integer n such that b = an. We write "a divides b" as a | b.

Properties of divisibility [6]:

1. a | b → a | bc for all c ∈ Z
2. a | b and b | c → a | c
3. a | b and a | c → a | (bx + cy) for all x, y ∈ Z
4. a | b and b | a → a = ±b
5. a | b, a > 0, b > 0 → a ≤ b
6. For m ≠ 0, a | b ↔ ma | mb
The Division Algorithm:
The division algorithm divides one integer b by another integer a, producing a quotient q and a remainder r. Let a, b ∈ Z with a > 0. Then there exist unique integers q and r such that b = qa + r with 0 ≤ r < a. (The remainder may be 0, so r is a non-negative integer rather than a natural number in the strict sense.)

Greatest Common Divisor:
A common divisor of a and b is an integer n such that n | a and n | b. The greatest of the common divisors is called the greatest common divisor of a and b, written gcd(a, b).
2.2 The Euclidean Algorithm
The Euclidean Algorithm efficiently computes the greatest common divisor of two integers without factoring them. It appears throughout this report: in its extended form it is how RSA computes the private exponent, and it is also a tool in some attacks on RSA (for example, recovering a prime shared by two carelessly generated moduli) [9].

Prime factorisation is computationally expensive: to factor an integer, a computer must try dividing it by candidate primes until it finds a divisor. Finding the greatest common divisor of two integers via their factorisations is therefore inefficient, and the Euclidean Algorithm is used instead. Its running time grows only with the number of digits of the inputs.
The Euclidean Algorithm applies the division algorithm repeatedly.

Given a, b ∈ Z with b > 0, find d = gcd(a, b).

Euclidean Algorithm pseudocode:

x = a
y = b
while y ≠ 0:
    write x = yq + r with 0 ≤ r < y
    x = y
    y = r
return x
Euclidean Algorithm logic:

$$
\begin{aligned}
a &= b q_1 + r_1, & 0 < r_1 < b & \qquad (1)\\
b &= r_1 q_2 + r_2, & 0 < r_2 < r_1 & \qquad (2)\\
r_1 &= r_2 q_3 + r_3, & 0 < r_3 < r_2 & \qquad (3)\\
&\;\;\vdots & & \qquad (4)\\
r_{j-2} &= r_{j-1} q_j + r_j, & 0 < r_j < r_{j-1} & \qquad (5)\\
r_{j-1} &= r_j q_{j+1} + 0. & & \qquad (6)
\end{aligned}
$$

The greatest common divisor of a and b is r_j, the last nonzero remainder produced by the division algorithm.

Example: gcd(745, 214)

745 = 214 × 3 + 103
214 = 103 × 2 + 8
103 = 8 × 12 + 7
8 = 7 × 1 + 1
7 = 1 × 7 + 0      (7)

Hence gcd(745, 214) = 1, which means that 745 and 214 are coprime.
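Added example (not part of the original report): the Euclidean Algorithm above, implemented in Python together with its extended form, which also returns integers s and t with s·a + t·b = gcd(a, b) and hence gives modular inverses, the step RSA key generation relies on later. Function names are my own; the trace printed for (745, 214) is the one worked above.

```python
# Added example: the Euclidean Algorithm, its trace, and the extended form.

def euclid_steps(a, b):
    """Run the division algorithm repeatedly, as in equations (1)-(6).
    Returns (steps, gcd) where steps is a list of (x, y, q, r) with x = y*q + r."""
    steps = []
    x, y = abs(a), abs(b)
    while y != 0:
        q, r = divmod(x, y)
        steps.append((x, y, q, r))
        x, y = y, r
    return steps, x


def gcd(a, b):
    """gcd(a, b) is the last nonzero remainder, i.e. the final x."""
    return euclid_steps(a, b)[1]


def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) and s*a + t*b = g (Bezout's identity).
    Tracks how each remainder is expressed in terms of a and b as the algorithm runs."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_inverse(a, m):
    """Inverse of a modulo m, which exists iff gcd(a, m) = 1 (a is a unit mod m).
    This is the step RSA key generation uses to get d from e and phi(N)."""
    g, s, _ = extended_gcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}: gcd is {g}")
    return s % m


if __name__ == "__main__":
    steps, g = euclid_steps(745, 214)
    for x, y, q, r in steps:
        print(f"{x} = {y} x {q} + {r}")
    print("gcd(745, 214) =", g)
    g, s, t = extended_gcd(745, 214)
    print(f"{s} * 745 + {t} * 214 = {g}")
    print("214^-1 mod 745 =", mod_inverse(214, 745))
```

The extended form costs nothing extra: it carries two running coefficient pairs alongside the remainders, so a modular inverse is obtained in the same number of division steps as the gcd itself.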
2.3 Primes
Prime numbers are the building blocks of the natural numbers: every integer greater than 1 can be expressed as a product of primes in exactly one way. Primes give rise to a candidate one-way function: it is very easy to multiply two primes together, but much harder to recover the prime factors of a given product. This asymmetry is used in cryptosystems as a locking mechanism, allowing a message to be decrypted easily by the holder of the key, but making it very difficult to decrypt by brute force.

An integer p ∈ N, p > 1, is a prime number if it has no divisor d ∈ N with 1 < d < p. An integer greater than 1 that is not prime is called composite.

The sequence of primes looks in many ways like a random list of numbers: it is hard to say when the next prime will occur, and deciding whether a given number is prime takes real work (though efficient probabilistic primality tests exist, which is what makes generating large random primes for RSA practical). There are, however, models for the density of primes. The prime number theorem says that the density of primes near a number N is approximately 1/ln N, that is, roughly inversely proportional to the number of digits of N.
Fundamental Theorem of Arithmetic:
The Fundamental Theorem of Arithmetic states that every integer n ∈ N with n > 1 can be expressed uniquely (up to the order of the factors) as a product of primes. Given such an n, we can write it as

$$n = p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r}$$

where p_1, p_2, ..., p_r are distinct primes and a_1, a_2, ..., a_r > 0.
Infinitude of Primes
The number of primes is infinite. This has been proven by many mathe-
maticians such as Euclid, Furstenberg and Goldbach [10]. Euclid’s theorem
is one of the more famous proofs for the infinitude of primes. It was proven
by Euclid in his work ”Elements”.
Euclid's Theorem:
1. Assume the number of primes is finite, so there is a complete finite list of primes p_1, p_2, ..., p_n.
2. Consider the product P of all of them: P = p_1 p_2 ... p_n.
3. Now consider P + 1. It is greater than 1, so it is either prime or composite.
4. If P + 1 is prime, then it is a prime not in the list (it is larger than every p_i).
5. If P + 1 is composite, then it is divisible by some prime p. But every prime in the list divides P, and a prime dividing both P and P + 1 would divide their difference 1, which is impossible. Therefore p is not in the list.
6. Both cases contradict the assumption that the list was complete, so the number of primes is infinite.
3 Modular Arithmetic
Modular arithmetic is a system of integer arithmetic, which considers the
remainder of a number after division by another number.
A common use of modular arithmetic is in a 24 hour clock system. If it is
15:00 now, then after 25 hours the time will be 16:00, but not 40:00. We
can write this as 40 ≡ 16 (mod 24).
3.1 Congruences
If m ∈ N, m ≠ 0, and m | (a − b), we say that a is congruent to b modulo m; equivalently, a and b leave the same remainder on division by m [18]. We write this as a ≡ b (mod m).

Properties of congruences:
1. If a ≡ b (mod m) and c ≡ d (mod m), then a + c ≡ b + d (mod m).
2. If a ≡ b (mod m) and c ≡ d (mod m), then ac ≡ bd (mod m).
3. If a ≡ b (mod m) and d | m with d > 0, then a ≡ b (mod d).
4. If a ≡ b (mod m), then ac ≡ bc (mod mc) for c > 0.
3.2 The Chinese Remainder Theorem
The Chinese Remainder Theorem is used to solve simultaneous congruences whose moduli are pairwise coprime. Find x that satisfies

$$
\begin{aligned}
x &\equiv a_1 \pmod{m_1}\\
x &\equiv a_2 \pmod{m_2}\\
&\;\;\vdots\\
x &\equiv a_r \pmod{m_r}
\end{aligned}
\qquad (8)
$$

Let m_1, ..., m_r be pairwise coprime positive integers (the moduli) and let a_1, ..., a_r ∈ Z. Then the congruences have a common solution. If x_0 is one solution, then an integer x satisfies all of the congruences if and only if x = x_0 + km for some integer k, where m = m_1 m_2 ... m_r [20].

Proof sketch. For each j between 1 and r, write M_j = m/m_j ∈ Z. Since the moduli are pairwise coprime, gcd(M_j, m_j) = 1, so for each j there is an integer b_j with M_j b_j ≡ 1 (mod m_j); and because m_i | M_j for i ≠ j, also M_j b_j ≡ 0 (mod m_i) for every i ≠ j. Set

$$x_0 = \sum_{j=1}^{r} M_j \, b_j \, a_j.$$

Reducing modulo any m_i, every term with j ≠ i vanishes, so

$$x_0 \equiv M_i b_i a_i \equiv a_i \pmod{m_i}.$$

Therefore x_0 is a solution of the system (8). If x_0 and x_1 are two solutions, then x_0 ≡ x_1 (mod m_i) for every modulus, and since the moduli are pairwise coprime, x_0 ≡ x_1 (mod m) [20].
3.3 Rings
In modular arithmetic we work modulo some modulus m, and we can think of all the possible remainders as a complete residue system:

Z/mZ = {0, 1, ..., m − 1}      (9)

The ring Z/mZ is the ring of integers modulo m. We can add and multiply elements of this ring and then reduce the result modulo m to obtain another element of Z/mZ; this is the closure condition for addition and multiplication modulo m [8].

Units of a Ring:
An element a ∈ Z/mZ has a modular multiplicative inverse if and only if gcd(a, m) = 1. The set of all residues with inverses is denoted (Z/mZ)*. It is called the group of units modulo m, and its members are called units. A unit must be coprime to the modulus m [8]. This set is also sometimes called a reduced residue system modulo m.

For example, the units modulo 15 are the residues coprime to 15, i.e. those divisible by neither 3 nor 5:

(Z/15Z)* = {1, 2, 4, 7, 8, 11, 13, 14}      (10)

(3 is not a unit: gcd(3, 15) = 3, so no b satisfies 3b ≡ 1 (mod 15).)
3.4 Fields
If every nonzero element of Z/mZ has a modular inverse, then Z/mZ is a field [8]. A field is a ring in which division by any nonzero element is possible. Z/mZ is a field exactly when the modulus m is a prime p (for a composite m = ab with 1 < a < m, the element a has no inverse), and in that case it is usually denoted F_p. A finite field (also known as a Galois field) is a field with finitely many elements, such as those used in modular arithmetic.
Euler's Totient Function:
Euler's totient function returns the number of elements in the group of units modulo m [14]. Equivalently, it counts the natural numbers smaller than m that are coprime to m. The symbol "phi" (ϕ) is used to denote the function:

$$\phi(m) = \#(\mathbb{Z}/m\mathbb{Z})^* = \#\{0 < a < m : \gcd(a, m) = 1\} \qquad (11)$$

To compute the totient of an integer n, first decompose n into primes:

$$n = p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r} \qquad (12)$$

where p_1, ..., p_r are distinct primes and a_1, ..., a_r > 0. Then

$$\phi(n) = n \prod_{p \mid n} \left(1 - \frac{1}{p}\right) \qquad (13)$$

In particular ϕ(p) = p − 1 for a prime p, and ϕ(pq) = (p − 1)(q − 1) for distinct primes p and q, which is the case RSA uses.

Euler's Theorem:
If gcd(a, n) = 1 then

$$a^{\phi(n)} \equiv 1 \pmod n \qquad (14)$$

Fermat's Little Theorem:
If p is prime and p does not divide a then

$$a^{p-1} \equiv 1 \pmod p \qquad (15)$$

Fermat's Little Theorem is the special case of Euler's Theorem with n = p prime, since ϕ(p) = p − 1.
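Added example (not from the original report) for sections 3.3 and 3.4: computing the group of units (Z/mZ)* directly from the definition, Euler's totient via the product formula (13), checking that the two agree, testing whether Z/mZ is a field, and checking Euler's Theorem (14) for every unit. The helper names are my own; the trial-division factorisation is only suitable for toy sizes.

```python
# Added example: units, totient, fields and Euler's Theorem for Z/mZ.
from math import gcd


def units(m):
    """(Z/mZ)*: the residues 0 < a < m with gcd(a, m) = 1, i.e. those with an inverse."""
    return [a for a in range(1, m) if gcd(a, m) == 1]


def factorise(n):
    """Trial-division factorisation {p: exponent}. Only for toy sizes: cost is O(sqrt n)."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """Euler's totient by formula (13), n * prod_{p | n} (1 - 1/p), done in integers."""
    result = n
    for p in factorise(n):
        result = result // p * (p - 1)
    return result


def has_inverse(a, m):
    """Direct check that a is a unit: search for b with a*b = 1 (mod m)."""
    return any((a * b) % m == 1 for b in range(1, m))


def is_field(m):
    """Z/mZ is a field iff every nonzero residue is a unit, which happens iff m is prime."""
    return m > 1 and len(units(m)) == m - 1


def euler_theorem_holds(m):
    """Check a^phi(m) = 1 (mod m) for every unit a, using modular exponentiation."""
    k = phi(m)
    return all(pow(a, k, m) == 1 for a in units(m))


if __name__ == "__main__":
    print("(Z/15Z)* =", units(15))
    print("phi(15) =", phi(15), "= #(Z/15Z)* =", len(units(15)))
    print("3 invertible mod 15?", has_inverse(3, 15))
    print("Z/15Z a field?", is_field(15), " Z/7Z a field?", is_field(7))
    print("Euler's theorem mod 15:", euler_theorem_holds(15))
```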
4 RSA
RSA remains one of the most widely deployed public-key cryptosystems, and it rests on elementary number theory: its correctness follows from Euler's Theorem (and hence Fermat's Little Theorem) above.
4.1 A history of RSA
The RSA cryptosystem was invented by MIT colleagues Ron Rivest, Adi Shamir and Leonard Adleman in 1977. Clifford Cocks had already invented an equivalent system at GCHQ in 1973, but this remained secret until 1997. Rivest and Shamir, both computer scientists, generated ideas for the one-way function, while Adleman, a rigorous mathematician, found the flaws in them. They spent a year proposing and discarding ideas. In April 1977, Rivest returned home after spending Passover with Shamir and Adleman; unable to sleep, he lay in bed with a maths textbook, thinking about the one-way function he had been trying to find. In the middle of the night he had the breakthrough and spent the rest of the night writing up the paper. Although the breakthrough came from Rivest, he could not have done it without the help of Shamir and Adleman [7].
4.2 Encryption
Suppose Bob wants to send Alice a message. Alice generates two very large primes p and q (in practice each around 1024 bits, giving a 2048-bit modulus) and multiplies them together, giving N = pq.

Alice then chooses the public exponent e, which must be coprime to ϕ(N) (i.e. gcd(ϕ(N), e) = 1); e = 65537 is the usual choice.

The pair (N, e) is Alice's public key: it can be sent to Bob along a public channel without harm [15]. Bob then encrypts his message with RSA using N and e:

$$c \equiv m^{e} \pmod N \qquad (16)$$

where c is the ciphertext and m is the plaintext, represented as an integer with 0 ≤ m < N. (In real systems m is not the raw message but a randomised padding of it; the reason appears under Attacks below.)
4.3 Decryption
Once Bob's encrypted message has arrived, Alice must decrypt it. First, Alice calculates the totient of N, which she can do because she knows its factors: ϕ(N) = (p − 1)(q − 1).

Then Alice calculates d, the modular multiplicative inverse of e modulo ϕ(N):

$$de \equiv 1 \pmod{\phi(N)} \qquad (17)$$

d is computed efficiently with the Extended Euclidean Algorithm and is Alice's private key (p, q and ϕ(N) must also stay secret, since any of them reveals d). Now Alice can decrypt the ciphertext c into the plaintext m:

$$m \equiv c^{d} \pmod N \qquad (18)$$

This works because de = 1 + kϕ(N) for some integer k, so c^d = m^{de} = m · (m^{ϕ(N)})^k ≡ m (mod N) by Euler's Theorem (with a short extra argument for the rare m not coprime to N).
4.4 Prime Factorisation
The trapdoor in RSA comes from the fact that prime factorisation is computationally hard. The naive way to factor a composite number N is trial division: test every prime up to √N to see whether it divides N, which is hopeless for a 2048-bit N. Far better algorithms exist (the general number field sieve is the state of the art, and it is how 512-bit and 768-bit moduli have been factored), but every known classical algorithm still runs in super-polynomial time. An attacker who could find the two prime factors p and q of N could compute ϕ(N), and from it d, exactly as Alice does.
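Added example (not from the original report) covering sections 4.2 to 4.4: textbook RSA key generation, encryption and decryption with toy primes, followed by the attacker's trial-division factorisation of N, which recovers d from the public key alone. The function names and the primes 61, 53, 1009 and 1013 are my choices; the moduli are tiny so that the factoring step finishes instantly, which is exactly why real keys use 1024-bit primes. This is unpadded "textbook" RSA, deterministic and malleable, so it is for illustration only.

```python
# Added example: textbook RSA and the factoring attack on a toy modulus.
from math import gcd


def rsa_keygen(p, q, e=65537):
    """Textbook RSA key generation from two distinct primes p, q.
    Returns the public key (N, e) and the private exponent d with d*e = 1 (mod phi(N))."""
    if p == q:
        raise ValueError("p and q must be distinct")
    N = p * q
    phi_N = (p - 1) * (q - 1)
    if gcd(e, phi_N) != 1:
        raise ValueError("e must be coprime to phi(N)")
    d = pow(e, -1, phi_N)  # modular inverse, i.e. the extended Euclidean algorithm
    return (N, e), d


def rsa_encrypt(m, public_key):
    """c = m^e mod N. Textbook (unpadded) RSA: the same m always gives the same c."""
    N, e = public_key
    if not 0 <= m < N:
        raise ValueError("plaintext must be an integer in [0, N)")
    return pow(m, e, N)


def rsa_decrypt(c, d, N):
    """m = c^d mod N; correct because d*e = 1 + k*phi(N) and Euler's theorem."""
    return pow(c, d, N)


def smallest_prime_factor(N):
    """Trial division up to sqrt(N): the brute-force factorisation of section 4.4.
    Finishes instantly for a 20-bit N and never for a 2048-bit one."""
    d = 2
    while d * d <= N:
        if N % d == 0:
            return d
        d += 1
    return N


def recover_private_exponent(public_key):
    """What an attacker does if they can factor N: rebuild phi(N) and hence d."""
    N, e = public_key
    p = smallest_prime_factor(N)
    q = N // p
    return pow(e, -1, (p - 1) * (q - 1))


def int_from_text(s):
    return int.from_bytes(s.encode("utf-8"), "big")


def text_from_int(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big").decode("utf-8")


if __name__ == "__main__":
    public_key, d = rsa_keygen(1009, 1013)   # toy primes chosen for this example
    N, _ = public_key
    m = int_from_text("hi")                  # must be < N, so only a 2-byte message fits
    c = rsa_encrypt(m, public_key)
    print("public key:", public_key, "private d:", d)
    print("ciphertext:", c, "-> decrypted:", text_from_int(rsa_decrypt(c, d, N)))
    print("attacker's d from factoring N:", recover_private_exponent(public_key))
```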
4.5 Attacks
Since RSA's first publication in 1977 it has undergone extensive study, and many attacks have been found that jeopardise its security when it is used carelessly [3]. RSA can be implemented incorrectly in a variety of ways, including choosing a public exponent e that is too small and sending the same message to several recipients (see below), choosing a private exponent d that is too small, choosing primes p and q that are numerically close together (so that N can be factored starting from its square root), or leaving ciphertexts unpadded. Such implementation flaws are not uncommon even in large cryptography libraries (such as OpenSSL) used in the most important systems in the world.
Hastad's Broadcast Attack

Hastad's Broadcast Attack applies when the public exponent is small. Sometimes a user sends the same message to multiple people. In this case the public exponent is the same for everyone (it is usually standardised), but each recipient has a different modulus N.

The attack works when the same message m is sent to at least e recipients with moduli N_1, N_2, ..., N_e. This gives a system of simultaneous congruences. For example, if e = 3, then we have the following three congruences:

$$
\begin{aligned}
m^{3} &\equiv c_1 \pmod{N_1} & (19)\\
m^{3} &\equiv c_2 \pmod{N_2} & (20)\\
m^{3} &\equiv c_3 \pmod{N_3} & (21)
\end{aligned}
$$

The Chinese Remainder Theorem solves a set of simultaneous congruences whose moduli are coprime (if two moduli shared a factor, the attacker could simply factor both with a gcd); here it produces the value of m^3 modulo N_1 N_2 N_3 [3]. Since m is less than the smallest N_i, we have m^e < N_1 N_2 ... N_e, so the CRT value is not merely congruent to m^e but equal to it as an integer. Taking the ordinary integer e-th root, rather than a modular root, therefore recovers m. The attack is defeated by randomised padding, which makes the e plaintexts differ.
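Added example (not from the original report) for section 3.2 and for Hastad's Broadcast Attack: the Chinese Remainder Theorem is implemented exactly as in the constructive proof in section 3.2 (x_0 = Σ M_j b_j a_j with b_j the inverse of M_j modulo m_j), then used to combine three e = 3 ciphertexts of one unpadded message and recover it with an exact integer cube root. The three moduli are products of small primes I chose for the demonstration; nothing in the code depends on their size, so the same code works on real 2048-bit moduli.

```python
# Added example: CRT as constructed in section 3.2, and Hastad's broadcast attack.
from math import gcd


def crt(residues, moduli):
    """Chinese Remainder Theorem, built as in the proof in section 3.2:
    M_j = m/m_j, b_j = M_j^{-1} (mod m_j), x_0 = sum_j M_j * b_j * a_j, reduced mod m.
    Returns (x_0 mod m, m). Moduli must be pairwise coprime."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    m = 1
    for mj in moduli:
        m *= mj
    x0 = 0
    for aj, mj in zip(residues, moduli):
        Mj = m // mj
        bj = pow(Mj, -1, mj)      # exists because gcd(M_j, m_j) = 1
        x0 += Mj * bj * aj        # this term is a_j mod m_j and 0 mod every other m_i
    return x0 % m, m


def integer_kth_root(n, k):
    """Exact integer k-th root by binary search; None if n is not a perfect k-th power.
    Floating-point roots are useless here: n may have thousands of bits."""
    lo, hi = 0, 1 << ((n.bit_length() + k - 1) // k + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** k < n:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** k == n else None


def hastad_broadcast(ciphertexts, moduli, e):
    """Recover the unpadded message m sent to e recipients with public exponent e.
    CRT gives m^e mod N_1...N_e; because m < min(N_i), m^e < N_1...N_e, so this is the
    integer m^e itself and an ordinary e-th root finishes the job."""
    if len(ciphertexts) < e or len(moduli) < e:
        raise ValueError(f"need at least e = {e} ciphertexts and moduli")
    x, _ = crt(ciphertexts[:e], moduli[:e])
    m = integer_kth_root(x, e)
    if m is None:
        raise ValueError("not a perfect e-th power: the plaintexts differ (e.g. randomised padding)")
    return m


if __name__ == "__main__":
    # Three toy moduli, each a product of two primes chosen for this example.
    N1, N2, N3 = 1009 * 1013, 1019 * 1021, 1031 * 1033
    e, m = 3, 12345                                # same plaintext sent to all three
    cs = [pow(m, e, N) for N in (N1, N2, N3)]
    print("ciphertexts:", cs)
    print("recovered m:", hastad_broadcast(cs, [N1, N2, N3], e))
    print("x = 2 (mod 3), 3 (mod 5), 2 (mod 7):", crt([2, 3, 2], [3, 5, 7]))
```

The coprimality check at the top of crt is not just defensive: two RSA moduli sharing a prime is itself a catastrophic key-generation failure, and gcd would expose it immediately.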
5 The Diffie-Hellman Key Exchange
The Diffie-Hellman Key Exchange (DHKE) is a protocol which allows two parties to agree on a shared secret over a public channel such as the internet, without ever transmitting that secret. The shared secret is then turned into a symmetric key, so that data can be transferred over the public channel using a secure symmetric cipher such as AES, the foremost symmetric cryptosystem. Because DHKE combines an asymmetric key agreement with symmetric encryption, it is considered a hybrid cryptosystem [16].
5.1 A history of the Diffie-Hellman Key Exchange
The Diffie-Hellman Key Exchange was published in 1976 as a result of Whitfield Diffie and Martin Hellman's collaboration. It was the first published protocol for creating a shared secret across an open communication channel. The public key distribution work of Ralph Merkle had a large influence on its discovery [16], and John Gill suggested the discrete logarithm problem as the underlying one-way function. An equivalent scheme had been devised by Malcolm Williamson of GCHQ in the UK a few years earlier, but GCHQ kept it secret until 1997, by which time it could have no impact on academic study.
5.2 The Key Exchange Protocol
A large prime p and a generator g ∈ F_p, g ≠ 0, are made public. (In practice g should generate a subgroup of large prime order; see the Pohlig-Hellman attack below.) Alice and Bob choose secret integers a and b respectively [4] and compute

$$A = g^{a} \pmod p \qquad (22)$$

$$B = g^{b} \pmod p \qquad (23)$$

Alice and Bob exchange A and B over a public channel, e.g. the internet. Each then raises the value received to the power of their own secret: Alice computes B^a and Bob computes A^b, both modulo p:

$$A^{b} = (g^{a})^{b} = g^{ab} = (g^{b})^{a} = B^{a} \pmod p \qquad (24)$$

So both parties end up with the same number, g^{ab} mod p, which becomes the key, even though neither a, b nor g^{ab} was ever sent over the channel. (The raw value g^{ab} is normally passed through a key derivation function rather than used directly as an AES key.)
5.3 The Discrete Logarithm Problem
The security of the Diffie-Hellman Key Exchange comes from its one-way function [4], the discrete logarithm problem (DLP): the difficulty of computing x from

$$g^{x} \equiv a \pmod p \qquad (25)$$

In the DHKE protocol the values g^a (mod p) and g^b (mod p) are sent over a public channel, but an attacker is unable to solve for a or b because of the difficulty of the DLP.
5.4 Attacks - The Pohlig-Hellman Algorithm
Attacks on Diffie-Hellman rely on situations in which the discrete logarithm can be computed efficiently. One such case is the finite field F_p where p − 1 is a smooth number, meaning all of its prime factors are small. The Pohlig-Hellman Algorithm then solves the discrete logarithm efficiently [19].

Euler's Theorem states that a^{ϕ(n)} ≡ 1 (mod n) when gcd(a, n) = 1. Suppose ϕ(n) = pq with gcd(p, q) = 1 (for a prime modulus n this is a factorisation of n − 1), and that we want to solve the DLP a^x ≡ b (mod n). Write x = a_0 + a_1 p with 0 ≤ a_0 < p:

$$
\begin{aligned}
a^{x} &\equiv b \pmod n & (26)\\
a^{qx} &\equiv b^{q} \pmod n & (27)\\
a^{q a_0 + pq a_1} &\equiv b^{q} \pmod n & (28)\\
a^{q a_0} \cdot a^{pq a_1} &\equiv b^{q} \pmod n & (29)\\
(a^{a_0})^{q} \cdot (a^{pq})^{a_1} &\equiv b^{q} \pmod n & (30)
\end{aligned}
$$

By Euler's Theorem, a^{pq} = a^{ϕ(n)} ≡ 1 (mod n) (31), so

$$(a^{a_0})^{q} \cdot 1^{a_1} \equiv b^{q} \pmod n \qquad (32)$$

$$(a^{q})^{a_0} \equiv b^{q} \pmod n \qquad (33)$$

Now a_0 can be found by brute force, since a^q and b^q are both known and there are only p candidates for a_0.

Once a_0 is found, x = a_0 + a_1 p gives x ≡ a_0 (mod p), one congruence. Repeating the argument the other way round, raising both sides to the power p, gives a second congruence modulo q. The resulting system of linear congruences is solved for x with the Chinese Remainder Theorem. When p − 1 has more than two prime factors the same idea applies factor by factor (and, for a repeated prime factor, one base-q digit of the exponent at a time).

The smoother p − 1 is, the smaller its prime factors and the cheaper each brute-force step: the cost of Pohlig-Hellman is governed by the largest prime factor of the group order, not by the size of p itself. This is why p is chosen as a safe prime p = 2q + 1 with q prime, or g is chosen to generate a subgroup of large prime order.
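Added example (not from the original report) for sections 5.2 and 5.4: a Diffie-Hellman exchange modulo a prime whose p − 1 is smooth, then the Pohlig-Hellman attack recovering Alice's secret from her public value. The attack function takes the factorisation of p − 1 as an argument (the attacker gets it by factoring the public p − 1) and generalises the two-factor derivation above to prime powers by solving one base-q digit of the exponent at a time, each digit by the brute-force step (a^q)^{a_0} = b^q. The primes 7681 (p − 1 = 2^9 · 3 · 5) and 65537 (p − 1 = 2^16) and all function names are my choices.

```python
# Added example: Diffie-Hellman over a smooth-order group, broken by Pohlig-Hellman.

def dh_public(g, secret, p):
    """A = g^secret mod p: the value a party publishes (equations (22), (23))."""
    return pow(g, secret, p)


def dh_shared(peer_public, secret, p):
    """B^a = A^b = g^(ab) mod p (equation (24))."""
    return pow(peer_public, secret, p)


def is_primitive_root(g, p, factors):
    """g generates all of F_p^* iff g^((p-1)/q) != 1 for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors)


def dlog_prime_power(g, h, p, q, k):
    """Solve g^x = h (mod p) for x modulo q^k, where g is a primitive root and q^k || p-1.
    Writes x = x_0 + x_1 q + ... + x_{k-1} q^(k-1) and finds one digit at a time; each
    digit is a brute-force search over at most q values, the text's (a^q)^{a_0} = b^q step."""
    n = p - 1
    gamma = pow(g, n // q, p)            # element of order exactly q
    x = 0
    for i in range(k):
        # remove the digits already known, then collapse into the order-q subgroup
        h_i = pow(h * pow(g, -x, p), n // q ** (i + 1), p)
        digit = next(d for d in range(q) if pow(gamma, d, p) == h_i)
        x += digit * q ** i
    return x


def crt_pair(r1, m1, r2, m2):
    """Combine x = r1 (mod m1) and x = r2 (mod m2) for coprime m1, m2."""
    t = ((r2 - r1) * pow(m1, -1, m2)) % m2
    return (r1 + m1 * t) % (m1 * m2), m1 * m2


def pohlig_hellman(g, h, p, factors):
    """Recover x with g^x = h (mod p), given the factorisation {q: k} of p-1.
    Work is dominated by the largest prime q, so the attack bites only when p-1 is smooth."""
    x, modulus = 0, 1
    for q, k in factors.items():
        x, modulus = crt_pair(x, modulus, dlog_prime_power(g, h, p, q, k), q ** k)
    return x


if __name__ == "__main__":
    p = 7681                                  # prime with p-1 = 7680 = 2^9 * 3 * 5 (smooth)
    factors = {2: 9, 3: 1, 5: 1}              # the attacker factors the public p-1
    g = next(c for c in range(2, p) if is_primitive_root(c, p, factors))
    a, b = 1234, 5678                         # Alice's and Bob's secrets
    A, B = dh_public(g, a, p), dh_public(g, b, p)
    print(f"p={p} g={g} A={A} B={B} shared={dh_shared(B, a, p)}")
    print("attacker recovers a =", pohlig_hellman(g, A, p, factors))
```

For a safe prime p = 2q + 1 the same code still runs, but the digit search for the factor q is a loop of q iterations, i.e. a brute force over half the group, which is the point of the safe-prime recommendation.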
6 Elliptic Curve Cryptography
6.1 What is an Elliptic Curve?
An elliptic curve is a smooth, projective algebraic curve of genus one. Over a field whose characteristic is not 2 or 3 it can be written in the form

$$y^{2} = x^{3} + ax + b \qquad (34)$$

where a and b are constants in the field (integers, when working over the rationals), subject to 4a^3 + 27b^2 ≠ 0 so that the curve has no singular points.

On an elliptic curve, the points with rational x and y coordinates are called rational points. A remarkable property of these curves is that the rational points, together with a special point at infinity O that serves as the identity, form a group: there is a binary operation that combines any two of them into a third.
Figure 2: an example of the elliptic curve y^2 = x^3 − 5x + 10
If we choose any two rational points P and Q, the line through them meets the curve at a third point R. Reflecting R in the x-axis gives a point R', and we define this R' to be the point addition P + Q [21]. Point addition is the group's binary operation; it is not the same as ordinary addition of coordinates. (If the line through P and Q is vertical there is no third finite intersection, and P + Q is the point at infinity O; in that case Q = −P.)

Figure 3: point addition P + Q (image courtesy of Joseph Silverman)

To compute P + P, instead of drawing a line between two points we draw the tangent to the curve at P [21], which also meets the curve at a further point. Reflecting that point in the x-axis gives P + P = 2P.

Figure 4: point doubling P + P (image courtesy of Joseph Silverman)

Over the rational numbers, the coordinates of successive multiples of a point grow without bound (their numerators and denominators quickly become enormous), which makes such curves impractical for cryptography. In practice ECC therefore uses modular arithmetic: we work over a finite field F_p, reducing the x and y coordinates modulo p, and the slope computations use modular inverses instead of division. Point addition and the group structure still hold for elliptic curves over a finite field (or Galois field), and the resulting group is denoted E(F_p).
6.2 The Key Exchange Protocol
If Alice and Bob wish to generate a shared secret, they first choose an elliptic curve E(F_p). The curve used is usually a public standard curve. For example, the curve used by Bitcoin, Ethereum and most other cryptocurrencies is called secp256k1, whose equation is y^2 = x^3 + 7 over a 256-bit prime field. Making the curve public does not compromise the security of the exchange.

They also choose a point G ∈ E(F_p), called the generator point (or base point), which is public; standard curves specify G together with its order n, a large prime.

Now Alice and Bob each generate a private number, a and b respectively, in the range 1 to n − 1. Alice calculates the point A = aG, meaning G added to itself a times using point addition; Bob likewise computes B = bG. Alice sends A to Bob and Bob sends B to Alice [12].

Note that the notation aG does not denote ordinary multiplication: it denotes a repeated point additions (scalar multiplication) of G to itself. It is computed by the double-and-add method, using about 2 log_2 a point operations rather than a of them, so it is fast even for 256-bit a.

Once Alice receives B from Bob, she multiplies it by her own secret: S_a = aB = a(bG) = (ab)G. Bob computes S_b = bA = b(aG) = (ab)G. Hence S_a = S_b, so Alice and Bob end up with the same point S, the shared secret. (The shared point is not A + B = (a + b)G: that value could be computed by anyone who has seen A and B.) The x coordinate of S, passed through a key derivation function, is used as the secret key, and the elliptic curve system then operates as a hybrid cryptosystem by using this key for a symmetric cipher such as AES [12].
6.3 The Elliptic Curve Discrete Logarithm Problem
The Elliptic Curve Discrete Logarithm Problem (ECDLP) is defined as follows: given G, A ∈ E(F_p) with A = aG, calculate a.

This problem is harder to solve than it looks. It is essentially the same problem as the DLP behind DHKE, with point addition in place of multiplication [23], but the extra structure of F_p^* that the fastest DLP algorithms exploit (index calculus) is absent on a well-chosen curve, so only generic algorithms such as Pollard's rho apply, which take about √n steps for a base point of order n. That is why a 256-bit curve offers about 128 bits of security. The problem is stated in terms of the abstract group, and the generic Pohlig-Hellman algorithm still applies if the order of G is smooth; standard curves therefore use a base point of large prime order.
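Added example (not from the original report) for sections 6.1 to 6.3: affine point addition and doubling over F_p with the chord-and-tangent rule, double-and-add scalar multiplication, an ECDH exchange computing a(bG) = b(aG), and a brute-force ECDLP solver that only works on toy curves. The toy curve y^2 = x^3 + 2x + 3 over F_97 with base point (3, 6) is a common textbook example (its base point has order only 5, which the code discovers); the secp256k1 parameters are the standard ones for the curve named in the text, included so the same code can be run at real size. Class and function names are my own.

```python
# Added example: elliptic curve group law over F_p, ECDH, and a toy ECDLP solver.

class Curve:
    """Short Weierstrass curve y^2 = x^3 + a x + b over F_p (equation (34)).
    Points are (x, y) tuples; None is the point at infinity O, the group identity."""

    def __init__(self, p, a, b):
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 = 0 (mod p)")
        self.p, self.a, self.b = p, a % p, b % p

    def on_curve(self, P):
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P, Q):
        """Chord-and-tangent rule with division replaced by modular inverses."""
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                       # vertical line: P + (-P) = O
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p   # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p              # chord slope
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p       # third intersection, reflected in the x-axis
        return (x3, y3)

    def mul(self, k, P):
        """k * P by double-and-add: about 2 log2(k) group operations, not k of them."""
        if k < 0:
            raise ValueError("scalar must be non-negative")
        R = None
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R


def point_order(curve, G, limit=10 ** 6):
    """Smallest n > 0 with n*G = O, found by repeated addition (toy curves only)."""
    Q, n = G, 1
    while Q is not None and n < limit:
        Q, n = curve.add(Q, G), n + 1
    return n if Q is None else None


def ecdh(curve, G, a, b):
    """Both sides of the exchange in section 6.2; returns (A, B, shared point)."""
    A, B = curve.mul(a, G), curve.mul(b, G)
    S_a, S_b = curve.mul(a, B), curve.mul(b, A)      # a(bG) = b(aG) = (ab)G
    if S_a != S_b:
        raise RuntimeError("shared secrets differ; the group law is broken")
    return A, B, S_a


def brute_force_ecdlp(curve, G, A, limit):
    """Find a with a*G = A by stepping through multiples: the ECDLP, feasible only on toys."""
    Q = None
    for k in range(limit + 1):
        if Q == A:
            return k
        Q = curve.add(Q, G)
    return None


# secp256k1 (y^2 = x^3 + 7), the curve named in the text, with its standard base point G
# and the prime order n of G.
SECP256K1 = Curve(2 ** 256 - 2 ** 32 - 977, 0, 7)
SECP256K1_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
               0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

if __name__ == "__main__":
    toy, G = Curve(97, 2, 3), (3, 6)
    print("2G =", toy.add(G, G), " order of G =", point_order(toy, G))
    A, B, S = ecdh(toy, G, 2, 3)
    print("toy ECDH: A =", A, "B =", B, "S =", S, " attacker finds a =", brute_force_ecdlp(toy, G, A, 5))
    a, b = 0x1234567890ABCDEF1234567890ABCDEF, 0xFEDCBA0987654321FEDCBA0987654321
    _, _, S = ecdh(SECP256K1, SECP256K1_G, a, b)
    print("secp256k1 shared x:", hex(S[0]))
    print("n*G is O:", SECP256K1.mul(SECP256K1_N, SECP256K1_G) is None)
```

The toy base point of order 5 illustrates the Pohlig-Hellman caveat from section 6.3 in miniature: the brute-force solver needs at most five steps whatever the secret is, which is why standard curves publish a base point of large prime order and why implementations check received points lie on the curve before multiplying them.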
7 Comparing Cryptosystems
7.1 Security
As shown in the previous sections, the RSA cryptosystem is vulnerable to many attacks when used carelessly. This makes RSA very difficult to implement well; even major libraries such as OpenSSL (the most commonly used cryptographic library) have failed to do so correctly.

For example, in 1998 Daniel Bleichenbacher discovered a chosen-ciphertext attack on the PKCS #1 v1.5 padding used for RSA key exchange in SSL [3]. SSL stands for Secure Sockets Layer and was the main protocol for establishing encrypted channels between computers on a network before it was succeeded by TLS (Transport Layer Security) in 1999. Bleichenbacher's attack sends around a million adaptively crafted ciphertexts to the server and uses its error responses as a padding oracle to decrypt a captured session key. Variants of the attack have been refined repeatedly, most recently as the ROBOT attack (2017), which showed that large sites including Facebook were still vulnerable.

In contrast, the Diffie-Hellman Key Exchange and Elliptic Curve Cryptography are vulnerable to far fewer attacks, and the known mathematical attacks are easy to prevent. To prevent the Pohlig-Hellman attack, the public prime p is chosen as a safe prime, p = 2q + 1 with q also prime, or the generator is chosen in a subgroup of large prime order. (Implementations must still validate received public values, since an invalid or small-order A or B is the analogous pitfall on the DH and ECC side.)
7.2 Efficiency
Encrypting a message (the plaintext) uses a key of some number of bits, and the resulting scheme provides some number of bits of security. Bit security represents the amount of computational work, such as time, needed to break the scheme [17]: if a scheme has n bits of security, then about 2^n operations are needed to break it.

The number of bits in the key is the key size (for block ciphers there is also a block size). For example, RSA-2048 has a 2048-bit modulus. This is different from the bit security: RSA-2048 provides only about 112 bits of security despite its 2048-bit key. The difference comes from progress in attacking the mathematics behind the primitive: factoring a 2048-bit modulus with the number field sieve is far cheaper than 2^2048 operations. As more efficient attack algorithms are developed, a cryptosystem's bit security decreases; improvements to prime factorisation algorithms have repeatedly eroded RSA's.
Why does key size matter?
In general, the longer the key for a given cryptosystem, the higher the bit security, but the relationship depends on the type of cryptographic primitive, because the best attack on each primitive has a different time complexity.

A longer key also costs more: encryption and decryption take more computation (for RSA, roughly cubically in the key size), and longer keys and ciphertexts mean more data over the network, which may increase transfer times. Modern implementations therefore choose a key size that delivers the desired security level; increasing it further is unnecessary [5].
How many bits of security do we need?
The predecessor of AES (a symmetric cryptosystem) was DES, which used a 56-bit key. 56-bit security is not sufficient for modern computing: exhausting the key space takes at most 2^56 ≈ 7.2 × 10^16 trial decryptions. If we had 1000 processors each performing 2 × 10^9 operations per second (2 GHz, optimistically counting one trial per clock cycle), that is 2 × 10^12 trials per second, so DES could be cracked in at most about 3.6 × 10^4 seconds, or 10 hours. (A real DES trial takes many cycles, but purpose-built hardware was already recovering DES keys within days in 1998.)

The general consensus among cryptographers is that 112-bit security is sufficient until 2030, and 128-bit security is sufficient until a major breakthrough in mathematics or computing. For this reason NIST (the National Institute of Standards and Technology) regards RSA-2048 (112-bit security) as adequate through 2030 and RSA-3072 (128-bit security) beyond that; going further is unnecessary for most purposes.
How is efficiency measured?
One useful measure is how large a key a cryptosystem needs to reach a given bit security: the smaller the key for the same security level, the more efficient the system in storage, bandwidth and (usually) computation. In this regard RSA falls behind ECC. The following table lists NIST's recommended key sizes in bits [2]:

Bit security | RSA modulus | ECC key size | DHKE (finite field) modulus
80           | 1024        | 160          | 1024
112          | 2048        | 224          | 2048
128          | 3072        | 256          | 3072
192          | 7680        | 384          | 7680
256          | 15360       | 521          | 15360

The ECC column grows linearly with the security level (about twice it, because the best generic attacks take √n steps), whereas the RSA and DHKE columns grow much faster, because sub-exponential factoring and index-calculus algorithms apply to them.
7.3 Effect of Large Adversaries
Many large adversaries such as the NSA (National Security Agency) and GCHQ (Government Communications Headquarters) are suspected of holding knowledge that allows them to break encryption algorithms. For example, the RSA and DHKE algorithms were developed at GCHQ in secret years before they were discovered by the open cryptography community.

Elliptic Curve Cryptography is a comparatively new cryptosystem, and some cryptographers are sceptical about its robustness against unknown attacks. Cryptographic primitives are difficult to implement well and so may be vulnerable to implementation attacks, as shown with RSA. In addition, many cryptographers are concerned that the NSA inserted a kleptographic backdoor into an elliptic-curve-based pseudorandom number generator, a suspicion strengthened by the internal NSA documents leaked by Edward Snowden [11].
For this reason, many cryptographers prefer to minimise the risk of this and
use RSA, even if it has a higher key size. During my interview with cryp-
tography researcher Dr Daniel Gardham (at University of Surrey), he stated
that he prefers to use RSA-2048, and sometimes even RSA-4096 when he is
feeling paranoid. This is because RSA is a well documented and researched
cryptosystem, so he is certain that breaking RSA-4096 is unfeasible, at least
for the next 30 years. On the other hand, although ECC is theoretically
very secure, he has concerns that it could be broken by large adversaries.
8 Conclusion
In conclusion, RSA is an outdated cryptosystem. It suffers from poor
performance and is very difficult to implement correctly. Protocols such as
TLS have already recognised this and begun to phase out RSA in favour of
better alternatives, such as ECC.
However, ECC protocols are relatively new to market, and their attacks and
weaknesses have not been researched and exploited to the same extent as
those of RSA protocols. In addition, there are concerns that the NSA has
implemented kleptographic backdoors into implementations of the ECC
cryptosystem, which means that cryptographers do not know its real
practical security.
It may take several decades for the attacks and weaknesses of ECC to be
fully discovered. But with the advent of quantum computing, it will be
feasible to solve the DLP and the ECDLP in polynomial time using Shor's
Algorithm. Therefore, currently existing cryptosystems will have to be
replaced by new cryptosystems. Research should be directed towards
developing a new mathematical primitive that resists quantum attacks (a
post-quantum cryptosystem). This should be the top priority, as such a
cryptosystem needs to exist before quantum computing becomes usable.
For now, using RSA is still the safest choice, as it is the most widely
researched algorithm. Although it is not the most efficient algorithm,
cryptographers still use it for its safety against large adversaries. In
the near future, RSA will continue to be used, until a cryptosystem
resistant to quantum attacks is found.
References
[1] Diaa Salama Abd Elminaam, Hatem Mohamed Abdual-Kader, and Mohiy Mohamed Hadhoud. Evaluating the performance of symmetric encryption algorithms. Int. J. Netw. Secur., 10(3):216–222, 2010.
[2] Elaine Barker and Quynh Dang. NIST Special Publication 800-57 Part 1, Revision 4. NIST, Tech. Rep, 16, 2016.
[3] Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In Annual International Cryptology Conference, pages 1–12. Springer, 1998.
[4] Dan Boneh. The decision Diffie-Hellman problem. In International Algorithmic Number Theory Symposium, pages 48–63. Springer, 1998.
[5] Joppe Bos, Marcelo Kaihara, Thorsten Kleinjung, Arjen K Lenstra, and Peter L Montgomery. On the security of 1024-bit RSA and 160-bit elliptic curve cryptography. Technical report, 2009.
[6] Anne Brown, Karen Thomas, and Georgia Tolias. Conceptions of divisibility: Success and understanding. Learning and Teaching Number Theory: Research in Cognition and Instruction, pages 41–82, 2002.
[7] Michael Calderbank. The RSA cryptosystem: history, algorithm, primes. math.uchicago.edu, 2007.
[8] Paul Moritz Cohn. Basic Algebra: Groups, Rings and Fields. Springer Science & Business Media, 2012.
[9] John D Dixon. The number of steps in the Euclidean algorithm. Journal of Number Theory, 2(4):414–422, 1970.
[10] Larry J Goldstein. A history of the prime number theorem. The American Mathematical Monthly, 80(6):599–615, 1973.
[11] Thomas C Hales. The NSA back door to NIST. Notices of the AMS, 61(2):190–192, 2013.
[12] Darrel Hankerson, Alfred J Menezes, and Scott Vanstone. Guide to Elliptic Curve Cryptography. Springer Science & Business Media, 2006.
[13] Martin E Hellman. The mathematics of public-key cryptography. Scientific American, 241(2):146–157, 1979.
[14] DH Lehmer. On Euler's totient function. Bulletin of the American Mathematical Society, 38(10):745–751, 1932.
[15] Prerna Mahajan and Abhishek Sachdeva. A study of encryption algorithms AES, DES and RSA for security. Global Journal of Computer Science and Technology, 2013.
[16] Ueli M Maurer and Stefan Wolf. The Diffie–Hellman protocol. Designs, Codes and Cryptography, 19(2):147–171, 2000.
[17] Daniele Micciancio and Michael Walter. On the bit security of cryptographic primitives. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 3–28. Springer, 2018.
[18] Matthew Morgado. Modular arithmetic. [Online]. Available: http://math.uchicago.edu/~may/REU2014/REUPapers/Morgado.pdf [Accessed 10 Sep. 2015].
[19] Paul C van Oorschot and Michael J Wiener. On Diffie-Hellman key agreement with short exponents. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 332–343. Springer, 1996.
[20] Dingyi Pei, Arto Salomaa, and Cunsheng Ding. Chinese Remainder Theorem: Applications in Computing, Coding, Cryptography. World Scientific, 1996.
[21] Joseph H Silverman. The Arithmetic of Elliptic Curves, volume 106. Springer, 2009.
[22] Gustavus J Simmons. Symmetric and asymmetric encryption. ACM Computing Surveys (CSUR), 11(4):305–330, 1979.
[23] Martin Lysoe Sommerseth and Haakon Hoeiland. Pohlig-Hellman applied in elliptic curve cryptography. Technical report, University of California Santa Barbara, 2015. Available . . .

More Related Content

Similar to Alex WANG - What is the most effective cryptosystem for public-key encryption?

A survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic EncryptionA survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic Encryptioniosrjce
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network securitypatisa
 
Renas Rajab Asaad
Renas Rajab Asaad Renas Rajab Asaad
Renas Rajab Asaad Renas Rekany
 
Seminar report on symmetric key
Seminar report on symmetric keySeminar report on symmetric key
Seminar report on symmetric keyRajat Tripathi
 
Secure Encyrption Systems Chapter 2
Secure Encyrption Systems Chapter 2Secure Encyrption Systems Chapter 2
Secure Encyrption Systems Chapter 2AfiqEfendy Zaen
 
Cryptography using rsa cryptosystem
Cryptography using rsa cryptosystemCryptography using rsa cryptosystem
Cryptography using rsa cryptosystemSamdish Arora
 
IRJET- Secure Data on Multi-Cloud using Homomorphic Encryption
IRJET- Secure Data on Multi-Cloud using Homomorphic EncryptionIRJET- Secure Data on Multi-Cloud using Homomorphic Encryption
IRJET- Secure Data on Multi-Cloud using Homomorphic EncryptionIRJET Journal
 
Implementation of bpsc stegnography ( synopsis)
Implementation of bpsc stegnography ( synopsis)Implementation of bpsc stegnography ( synopsis)
Implementation of bpsc stegnography ( synopsis)Mumbai Academisc
 
Why Should You Pay Attention To Quantum Computing?
Why Should You Pay Attention To Quantum Computing?Why Should You Pay Attention To Quantum Computing?
Why Should You Pay Attention To Quantum Computing?Milos Dunjic
 
Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...
Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...
Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...IOSR Journals
 
Hunting primes (a caccia di primi) 27 ott 2014
Hunting primes (a caccia di primi)   27 ott 2014Hunting primes (a caccia di primi)   27 ott 2014
Hunting primes (a caccia di primi) 27 ott 2014Vincenzo Sambito
 
NeuroCrypto: C++ Implementation of Neural Cryptography with Rijndael Cipher
NeuroCrypto: C++ Implementation of Neural Cryptography with Rijndael CipherNeuroCrypto: C++ Implementation of Neural Cryptography with Rijndael Cipher
NeuroCrypto: C++ Implementation of Neural Cryptography with Rijndael CipherSagun Man Singh Shrestha
 
Number Theory In Cryptography
Number Theory In CryptographyNumber Theory In Cryptography
Number Theory In CryptographyAadya Vatsa
 
ANALYSIS OF RSA ALGORITHM USING GPU PROGRAMMING
ANALYSIS OF RSA ALGORITHM USING GPU PROGRAMMINGANALYSIS OF RSA ALGORITHM USING GPU PROGRAMMING
ANALYSIS OF RSA ALGORITHM USING GPU PROGRAMMINGIJNSA Journal
 

Similar to Alex WANG - What is the most effective cryptosystem for public-key encryption? (20)

A survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic EncryptionA survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic Encryption
 
B017631014
B017631014B017631014
B017631014
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
 
Renas Rajab Asaad
Renas Rajab Asaad Renas Rajab Asaad
Renas Rajab Asaad
 
Seminar report on symmetric key
Seminar report on symmetric keySeminar report on symmetric key
Seminar report on symmetric key
 
Secure Encyrption Systems Chapter 2
Secure Encyrption Systems Chapter 2Secure Encyrption Systems Chapter 2
Secure Encyrption Systems Chapter 2
 
Cryptography using rsa cryptosystem
Cryptography using rsa cryptosystemCryptography using rsa cryptosystem
Cryptography using rsa cryptosystem
 
Introduction to cryptography
Introduction to cryptographyIntroduction to cryptography
Introduction to cryptography
 
IRJET- Secure Data on Multi-Cloud using Homomorphic Encryption
IRJET- Secure Data on Multi-Cloud using Homomorphic EncryptionIRJET- Secure Data on Multi-Cloud using Homomorphic Encryption
IRJET- Secure Data on Multi-Cloud using Homomorphic Encryption
 
Implementation of bpsc stegnography ( synopsis)
Implementation of bpsc stegnography ( synopsis)Implementation of bpsc stegnography ( synopsis)
Implementation of bpsc stegnography ( synopsis)
 
Why Should You Pay Attention To Quantum Computing?
Why Should You Pay Attention To Quantum Computing?Why Should You Pay Attention To Quantum Computing?
Why Should You Pay Attention To Quantum Computing?
 
50620130101002
5062013010100250620130101002
50620130101002
 
Ch09
Ch09Ch09
Ch09
 
Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...
Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...
Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...
 
I1803014852
I1803014852I1803014852
I1803014852
 
Rsa
RsaRsa
Rsa
 
Hunting primes (a caccia di primi) 27 ott 2014
Hunting primes (a caccia di primi)   27 ott 2014Hunting primes (a caccia di primi)   27 ott 2014
Hunting primes (a caccia di primi) 27 ott 2014
 
NeuroCrypto: C++ Implementation of Neural Cryptography with Rijndael Cipher
NeuroCrypto: C++ Implementation of Neural Cryptography with Rijndael CipherNeuroCrypto: C++ Implementation of Neural Cryptography with Rijndael Cipher
NeuroCrypto: C++ Implementation of Neural Cryptography with Rijndael Cipher
 
Number Theory In Cryptography
Number Theory In CryptographyNumber Theory In Cryptography
Number Theory In Cryptography
 
ANALYSIS OF RSA ALGORITHM USING GPU PROGRAMMING
ANALYSIS OF RSA ALGORITHM USING GPU PROGRAMMINGANALYSIS OF RSA ALGORITHM USING GPU PROGRAMMING
ANALYSIS OF RSA ALGORITHM USING GPU PROGRAMMING
 

Recently uploaded

Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxHistory Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxsocialsciencegdgrohi
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfadityarao40181
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxAvyJaneVismanos
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,Virag Sontakke
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 

Recently uploaded (20)

Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxHistory Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdf
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application )
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 

Alex WANG - What is the most effective cryptosystem for public-key encryption?

  • 1. TEMPLETON SCHOLARSHIP PROJECT What is the most effective cryptosystem for public-key encryption? Author Alex Wang Institution Wilson’s School July 2022
  • 2. Contents 1 Introduction to cryptography 3 1.1 Symmetric Encryption . . . . . . . . . . . . . . . . . . . . . 3 1.2 Asymmetric Encryption . . . . . . . . . . . . . . . . . . . . 3 1.3 Trapdoor Functions: P vs NP . . . . . . . . . . . . . . . . . 4 2 Divisibility and Primes 5 2.1 Divisibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2 The Euclidean Algorithm . . . . . . . . . . . . . . . . . . . . 6 2.3 Primes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3 Modular Arithmetic 8 3.1 Congruences . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.2 The Chinese Remainder Theorem . . . . . . . . . . . . . . . 9 3.3 Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 3.4 Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 4 RSA 11 4.1 A history of RSA . . . . . . . . . . . . . . . . . . . . . . . . 12 4.2 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 4.3 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 4.4 Prime Factorisation . . . . . . . . . . . . . . . . . . . . . . . 13 4.5 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 5 The Diffie-Hellman Key Exchange 14 5.1 A history of the Diffie-Hellman Key Exchange . . . . . . . . 14 1
  • 3. 5.2 The Key Exchange Protocol . . . . . . . . . . . . . . . . . . 14 5.3 The Discrete Logarithm Problem . . . . . . . . . . . . . . . 15 5.4 Attacks - The Pohlig-Hellman Algorithm . . . . . . . . . . . 15 6 Elliptic Curve Cryptography 16 6.1 What is an Elliptic Curve? . . . . . . . . . . . . . . . . . . . 16 6.2 The Key Exchange Protocol . . . . . . . . . . . . . . . . . . 19 6.3 The Elliptic Curve Discrete Logarithm Problem . . . . . . . 19 7 Comparing Cryptosystems 20 7.1 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 7.2 Efficiency . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 7.3 Effect of Large Adversaries . . . . . . . . . . . . . . . . . . . 22 8 Conclusion 22 2
  • 4. 1 Introduction to cryptography Cryptography is the study of the methods used to allow secure communica- tion between 2 parties on a network. Typically we refer to these 2 parties as Alice and Bob. The original data is called the plaintext and the encrypted data is called the ciphertext. 1.1 Symmetric Encryption Symmetric encryption is a data encryption method where the same key is used to encrypt and decrypt messages. Before the 1970s, it was the only form of encryption that existed and was widely used. Due to the same key being used for encryption and decryption, everyone involved in the data transfer process must know (or agree upon) the key. For this reason, symmetric encryption is generally used for so data at rest. This is when data is stored and encrypted locally, with no need to be sent across a network. Examples of this include confidential business data stored on a local server [22]. There are 2 main types of symmetric encryption: block ciphers and stream ciphers [1]. Block ciphers encrypts data in fixed length blocks, such as 64 bit or 128 bit. the most widely used block cipher is the AES (Advanced Encryption Standard). Stream ciphers use an additive cipher where each bit is replaced by another bit from a secret keystream. As a result, the ciphertext would be the same length as the plaintext. Stream ciphers are implemented in the RC4 ND HC-256 protocols. 1.2 Asymmetric Encryption Modern symmetric encryption is very secure: data encrypted with cryp- tosystems such as the AES have a 256-bit key. However, there remains a problem for sending data over the internet: how can 2 parties (who have never met before) agree on a key? Consider 2 parties called Alice and Bob. Alice wants to send a message to Bob. Internet transmission is public channel, so Alice cannot send Bob her key over the internet without others in the middle intercepting internet traffic. 
The only way for Alice and Bob to agree on a symmetric key is to use a private channel of communication – to meet up in person to exchange the key. If Alice and Bob can only communicate over a public channel, they 3
  • 5. never have an opportunity to agree on a secret key without others listening in. If the key is publicly visible, then the symmetric encryption used would be useless [22]. Therefore, we need another way to send encrypted data over the internet. Before the 1960s, asymmetric encryption was thought to be impossible. All cryptographic transmission was by symmetric encryption. Any two parties who wanted to communicate secretly must have exchanged keys privately, perhaps through a courier. However, in the 1970s, several cryptosystems were developed independent of each other to deal with this problem. To develop an asymmetric cryptosystem, we need two keys: a public key and a private key. In general, the key used to encrypt the message is public, and the key used to decrypt the message is private. The encryption algorithms use one-way functions (also known as trapdoor functions) which only remain one-way if the decryption key is kept private. The encryption function can be computationally easily applied to cipher-text, but its inverse function (used for decryption) cannot be easily computed, without the decryption key. 1.3 Trapdoor Functions: P vs NP A trapdoor function is a function that is difficult to compute in the opposite direction (by finding the inverse function), without specific information such as the decryption key. The analogy to a ”trapdoor” comes from the fact that it is easy to fall through a trapdoor, but it is difficult to climb back out, unless you have a ladder (which represents the decryption key). A trapdoor function a problem is in the class NP (nondeterministic, poly- nomial time). These problems are characterised by the fact that it is easy to check the solution to an NP problem, but it is difficult to compute the problem. 
For an asymmetric encryption algorithm, it is easy to decrypt the algorithm if you have the decryption key (checking the answer to an NP problem), but it is difficult to solve the inverse function by brute force search [13]. As the size n of an NP problem increases, the computational resources re- quired to check the solution increases in proportion to a polynomial function of n, such as n2 . However, the computational resources required to compute the answer increases in proportion to an exponential function of n: typically 4
  • 6. 2n . Exponential functions increase much more rapidly than polynomial func- tions and so NP problems can become unsolvable when n is sufficiently large. Figure 1: 2n function (red) vs n2 function (black) 2 Divisibility and Primes 2.1 Divisibility We can say that an integer b is divisible by an integer a if there is an integer n such that b = an. We can write ”a divides b” as a|b. Properties of divisibility: [6] 1. a|b → a|bc c ∈ Z 2. a|b & b|c → a|c 3. a|b & a|c → a|(bx + cy) x, y ∈ Z 4. a|b & b|a → a = ±b 5. a|b, a > 0, b > 0 → a ≤ b 6. m ̸= 0, a|b ↔ ma|mb 5
  • 7. The Division Algorithm: The division algorithm divides one integer b by another integer a which produces a quotient q and remainder r Let a, b ∈ N There exists q, r ∈ N such that b = qa + r, 0 ≤ r < a. Greatest Common Divisor: A common divisor of a and b is an integer n such that n|a and n|b. The greatest of the common divisors is called the greatest common divisor of a and b. This is often written as gcd(a, b). 2.2 The Euclidean Algorithm The Euclidean Algorithm is an algorithm used to efficiently compute the greatest common divisor of 2 integers, without factoring them. It is used in many applications such as breaking the RSA cryptosystem. [9] Prime factorisation of numbers is an computationally inefficient process. A computer must try to divide an integer by prime numbers until it finds a prime divisor. Therefore, finding the greatest common divisor of 2 integers using prime factorisation is inefficient and so we use the Euclidean Algorithm instead. The Euclidean Algorithm applies the division algorithm in a recursive pro- cess. Given a, b ∈ Z, b > 0 find d = gcd(a, b). Euclidean Algorithm Pseudocode: a = x b = y while y ̸= 0 x = yq + r, 0 ≤ r < y x = y y = r return x 6
  • 8. Euclidean Algorithm Logic: a = bq1 + r1 0 < r1 < b (1) b = r1q2 + r2 0 < r2 < r1 (2) r1 = r2q3 + r3 0 < r3 < r2 (3) ... (4) rj = rj+1qj + rj 0 < rj < rj−1 (5) rj−1 = rjqj+1 + 0 (6) The greatest common divisor of a and b is rj, the last nonzero remainder in the division algorithm. Example gcd(745, 214) 745 = 214 × 3 + 103 214 = 103 × 2 + 8 103 = 8 × 12 + 7 8 = 7 × 1 + 1 7 = 1 × 7 + 0 (7) Hence gcd(745, 214) = 1, which means that they are coprime. 2.3 Primes Prime numbers are the building blocks of all natural numbers. Every integer can be expressed as a product of primes, in a unique way. Prime numbers have a special property called a trap-door function. It is very easy to find a number, given its prime factors, however, it is much more difficult to find all the prime factors of a given number. This principle is used in cryptosystems to create a locking mechanism, allowing a message to be easily decrypted with a key, but very difficult to decrypt by a brute force attack. An integer p ∈ N is a prime number if there is no divisor d ∈ N of p where 1 < d < p. If an integer is not a prime, then it is a composite number. The list of prime numbers seems to behave like a random list of numbers. It is very difficult to say when the next prime will be, or whether a given number is prime. There are models, however, to predict the behaviour and density of primes. For example, one model is that the approximate density of primes near any number is inversely proportional to how many digits the number has. 7
  • 9. Fundamental Theorem of Arithmetic: The Fundamental Theorem of Arithmetic states that every integer n ∈ N can be expressed uniquely as a product of primes. Given an integer n, we can write n as a product of its prime factors: n = pa1 1 pa2 2 ...par r where p1, p2, ..., pr are distinct primes and a1, a2, ..., ar > 0 Infinitude of Primes The number of primes is infinite. This has been proven by many mathe- maticians such as Euclid, Furstenberg and Goldbach [10]. Euclid’s theorem is one of the more famous proofs for the infinitude of primes. It was proven by Euclid in his work ”Elements”. Euclid’s Theorem: 1. Assume the number of primes is finite. We have a finite list of primes: p1, p2, ..., pn 2. Consider the product P of all the primes: P = p1p2...pn 3. Now consider the number P + 1. P + 1 must be either a prime number or a composite number. 4. If P + 1 is prime, then we have another prime not in the finite list. 5. If P +1 is composite, then it must be divisible by some prime p. However, P and P +1 are coprime, so they do not share any prime factors. Therefore, the prime p cannot be in the finite list. 6. Both these options lead to a contradiction, proving that the number of primes is not finite. 3 Modular Arithmetic Modular arithmetic is a system of integer arithmetic, which considers the remainder of a number after division by another number. A common use of modular arithmetic is in a 24 hour clock system. If it is 15:00 now, then after 25 hours the time will be 16:00, but not 40:00. We can write this as 40 ≡ 16 (mod 24). 8
  • 10. 3.1 Congruences If we have m ∈ N, m ̸= 0 such that m|(a−b), we say that a is congruent to b modulo m. This means that they leave the same remainder upon division by m [18]. We can write this as a ≡ b (mod m) Properties of Congruences: 1. If a ≡ b (mod m) and c ≡ d (mod m), then a + c ≡ b + d (mod m) 2. If a ≡ b (mod m) and c ≡ d (mod m), then ac ≡ bd (mod m) 3. If a ≡ b (mod m) and d|m, d > 0, then a ≡ b (mod d) 4. If a ≡ b (mod m) then ac ≡ bc (mod mc) for c > 0 3.2 The Chinese Remainder Theorem The Chinese Remainder Theorem is used to solve simultaneous congruences, where the moduli are coprime: Find x that satisfies: x ≡ a1 (mod m1) x ≡ a2 (mod m2) ... x ≡ ar (mod mr) (8) Let m1, ..., mr represent r positive integers (moduli) that are coprime, and let a1, ..., ar ∈ Z. Then the congruences have common solutions. If x0 is one solution, then an integer x satisfies the congruences if and only if x = x0+km for some integer k and where m = m1m2...mr [20]. For any j between 1 and r, we see that m mj ∈ Z and that ( m mj , mj) = 1 as the moduli are coprime. Therefore, for each j there is an integer bj such that ( m mj , mj)bj ≡ 1 (mod mj), and so ( m mj , mj)bj ≡ 0 (mod mi) if i ̸≡ j. Then: x0 = r X j=1 m mj bjaj 9
  • 11. We can consider this number in modulo m. x0 ≡ m mi biai ≡ ai (mod mi) Therefore, x0 is a solution of the system (8). If x0 and x1 are two solutions of the system (8), then x0 ≡ x1 (mod mi) for all the moduli and so x0 ≡ x1 (mod m) [20]. 3.3 Rings In modular arithmetic we work modulo some modulus m, and we can think of all the possible remainders as a complete residue system: Z/mZ = {0, 1, ..., m − 1} (9) The ring Z/mZ is the ring of integers modulo m. We can to add and multiply elements of this ring, then consider the result modulo m to obtain an element in Z/mZ. This satisfies the closure condition for a group under an addition or multiplication binary operation in modulo m [8]. Units of a Ring: An element a ∈ Z/mZ has a a modular multiplicative inverse if and only if gcd(a, m) = 1. The set of all numbers with modular inverses are denoted as (Z/mZ)∗. This is called the group of units modulo m; numbers which have inverses are called units. A unit must be coprime with the modulus m [8]. This is also sometimes called a reduced residue set modulo m. For example: (Z/15Z)∗ = {1, 2, 3, 4, 7, 8, 11, 13, 14} (10) 3.4 Fields If every element in Z/mZ has a modular inverse, then it is classed as a field [8]. A field is a ring in which division is possible and is usually denoted as Fp. p represents the modulus as the only possible values for the modulus of a field are prime numbers. A finite field (also known as a Galois field) is a field with finite elements, such as those used in modular arithmetic. 10
Euler's totient function: Euler's totient function returns the number of elements in the group of units modulo m [14]. This can also be thought of as the number of natural numbers smaller than m that are coprime to m. Typically the symbol "phi" (ϕ) is used to denote the function:

$\phi(m) = \#(\mathbb{Z}/m\mathbb{Z})^* = \#\{0 < a < m : \gcd(a, m) = 1\}$ (11)

To compute the totient function of an integer n, it must first be decomposed into its prime factors:

$n = p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r}$ (12)

where p_1, p_2, ..., p_r are distinct primes and a_1, a_2, ..., a_r > 0. The following formula is then used to compute the totient function:

$\phi(n) = n \prod_{p \mid n} \left(1 - \frac{1}{p}\right)$ (13)

Euler's formula: If gcd(a, p) = 1 then:

$a^{\phi(p)} \equiv 1 \pmod{p}$ (14)

Fermat's Little Theorem:

$a^{p-1} \equiv 1 \pmod{p}$ (15)

Euler's formula is a special case of Fermat's Little Theorem as ϕ(p) = p − 1.

4 RSA

RSA is the most widely used cryptosystem to this day, and it makes use of some elementary principles in number theory, including Fermat's Little Theorem.
4.1 A history of RSA

The RSA cryptosystem was invented by MIT colleagues Ron Rivest, Adi Shamir and Leonard Adleman in 1977. Clifford Cocks had already invented the same system for GCHQ in 1973, but this remained secret until 1997. Rivest and Shamir are computer scientists, who generated ideas for the one-way function. Adleman is a rigorous mathematician and spotted the flaws in the ideas from Rivest and Shamir. They spent a year coming up with ideas, with Adleman dismissing many of them. In April 1977, Rivest was returning to his house after spending Passover with Shamir and Adleman. He couldn't sleep, so he lay in bed with a maths textbook, thinking about the one-way function he had been trying to find. In the middle of the night he had a breakthrough and spent the rest of the night writing up a paper. Although the breakthrough came from Rivest, he could not have done it without the help of Shamir and Adleman [7].

4.2 Encryption

Suppose Bob wants to send Alice a message. Alice generates two very large primes p and q and multiplies them together, giving N = pq. Alice then chooses the public exponent e, which should be coprime to ϕ(N) (i.e. gcd(ϕ(N), e) = 1). The two values N and e are then made public, as they are sent along a public channel to Bob [15]. Bob then encrypts his message with RSA using N and e:

$c \equiv m^e \pmod{N}$ (16)

where c is the ciphertext and m is the plaintext.

4.3 Decryption

Once Bob's encrypted message has arrived, Alice must decrypt it. First, Alice calculates the totient function of N: ϕ(N) = (p − 1)(q − 1). Then Alice calculates the modular multiplicative inverse of e (mod ϕ(N)),
denoted by d:

$de \equiv 1 \pmod{\phi(N)}$ (17)

d can be efficiently calculated using the Extended Euclidean Algorithm. Now Alice can decrypt the ciphertext (denoted by c) into plaintext (denoted by m):

$m \equiv c^d \pmod{N}$ (18)

4.4 Prime Factorisation

The trapdoor function of RSA comes from the fact that prime factorisation is very computationally difficult. To find the prime factors of a composite number, a computer must brute-force search through all the primes below it, to see if any of those divide the original number. Attackers would need to find the two prime factors p and q of N to compute ϕ(N).

4.5 Attacks

Since RSA's first publication in 1977 it has undergone extensive study, and innumerable attacks have been created that jeopardise its security [3]. The RSA algorithm can be implemented incorrectly in a variety of ways, including picking a public exponent that is too small, too large, or too close to p and q numerically. These implementation flaws are not uncommon even in large cryptography libraries (such as OpenSSL) used in the most important systems in the world.

Hastad's Broadcast Attack: Hastad's Broadcast Attack applies when the public exponent is too small. Sometimes a user sends the same message to multiple people. In this case the public exponent stays the same (it is often standardised) but the public modulus N may vary. The attack can be used when the same message m is sent to at least e people with public moduli N_1, N_2, ..., N_e. This gives a system of linear congruences.
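Before the broadcast example that follows, here are key generation, encryption (16) and decryption (17)-(18) from Sections 4.2 and 4.3, plus the totient formula (13) and the Euler check (14), as an added Python example (not the report's own code). The primes 61 and 53 and exponent 17 are constructed toy values, far too small for real use.

```python
from math import gcd

def phi_from_factors(n, distinct_primes):
    """Euler's totient by formula (13), phi(n) = n * prod_{p | n} (1 - 1/p), in integer arithmetic."""
    result = n
    for p in distinct_primes:
        if n % p:
            raise ValueError(f"{p} does not divide {n}")
        result = result // p * (p - 1)
    return result

def rsa_keygen(p, q, e):
    """Public key (N, e) and private key (N, d) from two distinct primes p and q (assumed prime here)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)            # phi(N) for N = pq, Section 4.3
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(N) and gcd(e, phi(N)) = 1")
    d = pow(e, -1, phi)                # d*e ≡ 1 (mod phi(N)), equation (17); Python computes
    return (n, e), (n, d)              # this inverse with the extended Euclidean algorithm

def rsa_encrypt(public_key, m):
    """c ≡ m^e (mod N), equation (16); the plaintext must be a non-negative integer below N."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer in [0, N)")
    return pow(m, e, n)

def rsa_decrypt(private_key, c):
    """m ≡ c^d (mod N), equation (18)."""
    n, d = private_key
    return pow(c, d, n)

def euler_holds(a, n, phi_n):
    """a^phi(n) ≡ 1 (mod n) for gcd(a, n) = 1, equation (14): the reason c^d recovers m."""
    return gcd(a, n) == 1 and pow(a, phi_n, n) == 1

if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, 17)   # constructed toy parameters
    c = rsa_encrypt(public, 65)
    print(public, private, c, rsa_decrypt(private, c))   # (3233, 17) (3233, 2753) 2790 65
```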
For example, if e = 3, then we have the following three congruences:

$m^e \equiv c_1 \pmod{N_1}$ (19)
$m^e \equiv c_2 \pmod{N_2}$ (20)
$m^e \equiv c_3 \pmod{N_3}$ (21)

The Chinese Remainder Theorem is used for solving a set of simultaneous linear congruences where the moduli are coprime; in this example, it is a way of finding m^e (mod N_1 N_2 N_3) [3]. Note that m is less than the smallest N_x we have, therefore m^e < N_1 N_2 ... N_e. This means we can simply take the regular e-th root of m^e rather than the modular root, as it cannot be greater than the modulus.

5 The Diffie-Hellman Key Exchange

The Diffie-Hellman Key Exchange (DHKE) is a protocol which allows two parties to privately agree on a symmetric key over a public channel such as the internet. This means that files can be transferred over a public channel using secure symmetric encryption methods such as AES, the foremost symmetric cryptosystem. As the DHKE uses both asymmetric and symmetric encryption, it is considered a hybrid cryptosystem [16].

5.1 A history of the Diffie-Hellman Key Exchange

The Diffie-Hellman Key Exchange was developed in 1976 as a result of Whitfield Diffie and Martin Hellman's collaboration. It was the first functional protocol for creating a shared secret across an open communication channel. The public key distribution work of Ralph Merkle had a large impact on its discovery [16]. John Gill suggested the application of the discrete logarithm problem as a trapdoor function. An equivalent algorithm was initially developed by Malcolm Williamson of GCHQ in the UK several years prior, but GCHQ decided to keep it secret until 1997, by which time it had no impact on academic study.

5.2 The Key Exchange Protocol

A large prime p and a generator g ∈ F_p, g ≠ 0, are made publicly known. Alice and Bob choose their secret integers a and b respectively [4]. They
then compute the following integers A and B:

$A = g^a \pmod{p}$ (22)
$B = g^b \pmod{p}$ (23)

The integers A and B are exchanged between Alice and Bob over a public channel, e.g. the internet. Once they receive each other's integers, they raise them to the power of their own secret integers: Alice computes B^a and Bob computes A^b, both modulo p.

$A^b = (g^a)^b = g^{ab} = (g^b)^a = B^a \pmod{p}$ (24)

This means that they hold the same number (the key) once the protocol terminates, without the secret key itself ever being transmitted.

5.3 The Discrete Logarithm Problem

The security of the Diffie-Hellman Key Exchange protocol comes from its trapdoor function [4], called the discrete logarithm problem (DLP): the difficulty of computing x from

$g^x \equiv a \pmod{p}$ (25)

In the DHKE protocol, the values g^a (mod p) and g^b (mod p) are sent over a public channel, but an attacker is unable to solve for a or b due to the difficulty of solving the DLP.

5.4 Attacks - The Pohlig-Hellman Algorithm

Attacks on Diffie-Hellman rely on situations in which the discrete logarithm can be computed efficiently. One such case is in the finite field F_p where p − 1 is a smooth number, meaning it has many small factors. The Pohlig-Hellman Algorithm can be used to efficiently solve the discrete logarithm when such a prime is used [19].

Euler's Theorem states that a^{ϕ(n)} ≡ 1 (mod n). Let ϕ(n) = pq, where gcd(p, q) = 1. We can now attempt to solve the DLP a^x ≡ b (mod n).
Let x = a_0 + a_1 p:

$a^x \equiv b \pmod{n}$ (26)
$a^{qx} \equiv b^q \pmod{n}$ (27)
$a^{q a_0 + pq a_1} \equiv b^q \pmod{n}$ (28)
$a^{q a_0} \cdot a^{pq a_1} \equiv b^q \pmod{n}$ (29)
$(a^{a_0})^q \cdot (a^{pq})^{a_1} \equiv b^q \pmod{n}$ (30)

By Euler's Theorem:

$a^{pq} \equiv 1 \pmod{n}$ (31)
$(a^{a_0})^q \cdot 1^{a_1} \equiv b^q \pmod{n}$ (32)
$(a^q)^{a_0} \equiv b^q \pmod{n}$ (33)

Now we can brute-force search for a_0, since we already know a^q and b^q. Once we find a_0, since x = a_0 + a_1 p we know that x ≡ a_0 (mod p), which gives one congruence. Repeating this the other way, raising both sides to the power p, gives a second congruence modulo q. The system of linear congruences can then be solved for x using the Chinese Remainder Theorem. The smoother a prime is, the smaller the factors of p − 1. The Pohlig-Hellman Algorithm is more efficient for solving the DLP in this case: the smaller the prime factors of ϕ(n), the faster the calculations can be made.

6 Elliptic Curve Cryptography

6.1 What is an Elliptic Curve?

An elliptic curve is a smooth, projective, algebraic curve of genus one. It is of the form

$y^2 = x^3 + ax + b$ (34)

where a and b are integers. On an elliptic curve, all of the points with rational x and y values are considered rational points. An interesting property of these curves is that their rational points form a group, which means they are all connected by an operation.
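Looking back at Sections 5.2 and 5.4: the exchange (22)-(24) together with a parameter check that rejects a prime whose p − 1 is smooth, the situation Pohlig-Hellman exploits, and accepts a safe prime p = 2q + 1, as an added Python example (not the report's own code). The primes 23 and 241 and the exponents 6 and 15 are constructed toy values; the trial-division helpers are only adequate for such sizes.

```python
def is_prime(n):
    """Deterministic trial division; fine for the small demonstration values used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True

def prime_factors(n):
    """Prime factors of n with multiplicity, by trial division (demonstration sizes only)."""
    factors, f = [], 2
    while f * f <= n:
        while n % f == 0:
            factors.append(f)
            n //= f
        f += 1
    if n > 1:
        factors.append(n)
    return factors

def is_safe_prime(p):
    """p = 2q + 1 with q prime: then p - 1 = 2q has no small factor besides 2 (Section 7.1)."""
    return is_prime(p) and is_prime((p - 1) // 2)

def check_group(p, g):
    """Reasons the public parameters (p, g) of Section 5.2 are weak; an empty list means they pass."""
    if not is_prime(p):
        return ["p is not prime"]
    problems = []
    if not is_safe_prime(p):
        factors = "*".join(map(str, prime_factors(p - 1)))
        problems.append(f"p-1 = {factors} is smooth, so Pohlig-Hellman applies")
    if g % p in (0, 1, p - 1):
        problems.append("g has order at most 2, so the key takes at most two values")
    return problems

def dh_exchange(p, g, a, b):
    """Run (22)-(24): returns the public values A, B and the key as each party computes it."""
    A = pow(g, a, p)        # (22), sent by Alice
    B = pow(g, b, p)        # (23), sent by Bob
    key_alice = pow(B, a, p)   # B^a
    key_bob = pow(A, b, p)     # A^b, equal to B^a by (24)
    return A, B, key_alice, key_bob

if __name__ == "__main__":
    for p, g in ((23, 5), (241, 7)):          # constructed toy parameters
        print(p, g, check_group(p, g) or "ok")
    print(dh_exchange(23, 5, 6, 15))          # (8, 19, 2, 2)
```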
[Figure 2: an example of the elliptic curve y² = x³ − 5x + 10]
If we choose any two rational points, P and Q, the line between them intersects the curve at a third point R. If we reflect R in the x-axis we get the point R′, and we say this point R′ is the result of the point addition of P and Q [21]. Point addition is the binary operation of the group; it is not the same as regular addition.

[Figure 3: Point addition of P + Q (image courtesy of Joseph Silverman)]

If we wish to compute P + P, instead of drawing a line between two points we draw the tangent to the curve at P [21], which also intersects the curve at a third point. We then reflect this in the x-axis to obtain P + P.

[Figure 4: Point addition of P + P (image courtesy of Joseph Silverman)]

The numbers in the rational group can get infinitely large, and so taking square roots of these numbers would be computationally infeasible. In practice, we
use modular arithmetic with ECC. We work over a finite field F_p, reducing the x and y coordinates of the points modulo p. The operation of point addition and the structure of the group still hold for elliptic curves over a finite field (or Galois field), which is denoted E(F_p).

6.2 The Key Exchange Protocol

If Alice and Bob wish to generate a shared secret, they first choose an elliptic curve E(F_p). The curve used is often a standard curve known to the public. For example, the elliptic curve used by Bitcoin, Ethereum and most other cryptocurrencies is called secp256k1; its equation is y² = x³ + 7. Making the curve public does not compromise the security of the exchange. They choose a rational point (called the generator point) G ∈ E(F_p), which is made public. Now Alice and Bob each generate a private number, denoted a and b respectively. Alice then calculates the rational point A by adding the generator G to itself a times, i.e. A = aG. Bob does the same with his private number to calculate B = bG. Once this is done, Alice sends A to Bob and Bob sends B back [12]. Note that the notation bG does not denote multiplication; it denotes a series of b point additions (not regular additions) of G to itself.

Once Alice receives B from Bob, she computes a point additions of G and adds that to B: S_a = B + aG = bG + aG = (b + a)G. Bob also computes S_b = A + bG = aG + bG = (a + b)G. This means that S_a = S_b, so Alice and Bob end up with the same point, which is a shared secret. The x coordinate of the point S can be used as a secret key. Then, the Elliptic Curve Cryptosystem can be used as a hybrid cryptosystem by using this secret key as a private key for a symmetric cryptosystem such as AES [12].

6.3 The Elliptic Curve Discrete Logarithm Problem

The Elliptic Curve Discrete Logarithm Problem is defined as follows: given G, A ∈ E(F_p) with A = aG, calculate a.
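The point addition of Section 6.1 (chord, tangent, reflection, all modulo p) and the exchange of Section 6.2, as an added Python example that is not code from the report. It uses the textbook toy curve y² = x³ + 2x + 2 over F_17 with generator G = (5, 1) rather than secp256k1, and forms the shared point by scalar multiplication, S = a·B = b·A, the standard ECDH computation, so that only a holder of a or b can reach it.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17 with G = (5, 1): constructed demonstration
# parameters, far too small for real use (the group generated by G has only 19 points).
P_MOD = 17
A_COEF, B_COEF = 2, 2
G = (5, 1)
INF = None  # the point at infinity, identity element of the group E(F_p)

def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + ax + b modulo p (the identity counts as on the curve)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0

def point_add(p1, p2):
    """Group law of Section 6.1: line through P and Q (tangent when P = Q), third
    intersection point reflected in the x-axis, every coordinate reduced modulo p."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # P + (-P): the vertical line meets the curve again only at infinity
    if p1 == p2:
        slope = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)            # tangent, Figure 4
    else:
        slope = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)             # chord, Figure 3
    slope %= P_MOD
    x3 = (slope * slope - x1 - x2) % P_MOD
    y3 = (slope * (x1 - x3) - y1) % P_MOD   # reflection of the third intersection in the x-axis
    return (x3, y3)

def scalar_mult(k, pt):
    """kP: k successive point additions of P to itself, done by double-and-add."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def point_order(pt):
    """Smallest n > 0 with nP = INF, by repeated addition (fine for a toy curve)."""
    n, acc = 1, pt
    while acc is not INF:
        acc = point_add(acc, pt)
        n += 1
    return n

def ecdh(a, b):
    """Section 6.2: A = aG and B = bG are exchanged; each side multiplies the other's
    point by its own private scalar, giving abG on both sides."""
    A_pub = scalar_mult(a, G)
    B_pub = scalar_mult(b, G)
    s_alice = scalar_mult(a, B_pub)   # a(bG)
    s_bob = scalar_mult(b, A_pub)     # b(aG)
    if s_alice != s_bob or s_alice is INF:
        raise RuntimeError("shared point mismatch or degenerate")
    return s_alice

def shared_key_x(a, b):
    """The x coordinate of the shared point, the value Section 6.2 uses as the symmetric key."""
    return ecdh(a, b)[0]

if __name__ == "__main__":
    print(point_order(G), ecdh(3, 5), shared_key_x(3, 5))   # 19 (3, 16) 3
```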
This problem is harder to solve than it seems, as it uses point addition instead of multiplication. This is essentially the same problem as the DLP from the DHKE, just with a different operation, point addition rather than multiplication [23]. The problem is abstracted into the group, and the generic Pohlig-Hellman algorithm can also be used on the curve if its order is smooth.

7 Comparing Cryptosystems

7.1 Security

As shown in previous sections, the RSA cryptosystem is vulnerable to many attacks. This makes RSA very difficult to implement well; even major libraries such as OpenSSL (the most commonly used cryptographic library) can fail to do it correctly. For example, in 1998 Daniel Bleichenbacher discovered a vulnerability in the implementation of RSA in SSL. SSL stands for Secure Sockets Layer and was the main protocol for establishing encrypted channels between computers on a network before it was succeeded by TLS (Transport Layer Security) in 1999. Bleichenbacher's attack crafted around 1 million messages and analysed the error codes returned. This variant of attack has since been refined and is now called the ROBOT attack. Large websites such as Facebook have been shown to be vulnerable to this type of attack as recently as 2017.

In contrast, protocols such as the Diffie-Hellman Key Exchange and Elliptic Curve Cryptography are vulnerable to far fewer attacks. Mathematical attacks on the protocols are easy to prevent: to prevent the Pohlig-Hellman attack, the public prime p is chosen to be a safe prime, a prime of the form p = 2q + 1 where q is also prime.

7.2 Efficiency

To encrypt a message (called plaintext), a number of bits of data are used. This produces a number of bits of security. Bit security represents the amount of computational resources, such as time, required to break an algorithm's security [17]. If an algorithm has bit security of n, then it would take a maximum of 2^n operations to break the security.
The number of bits of data used in encryption is often called the key/block size. For example, RSA-2048 has a key size of 2048 bits. This is different from the bit security: RSA-2048 only has 112 bits of security, despite having a key size of 2048. This difference comes from the progress made in attacking the maths behind the cryptographic primitives. As more efficient algorithms are developed to attack a cryptosystem, its bit security decreases. For example, improvements to prime factorisation algorithms undermine the bit security of the RSA cryptosystem.

Why does key size matter? In general, the longer the key for a given cryptosystem, the higher the bit security. The time complexity of breaking a cryptosystem varies with the type of cryptographic primitive used. However, a longer key requires more computational resources to encrypt and decrypt. In addition, a longer key requires more data to be transferred over a network, which may increase data transfer times. Modern implementations of cryptographic primitives typically use enough bits of key size for a high level of security, and increasing the number of bits further would be unnecessary [5].

How many bits of security do we need? The predecessor of AES (a symmetric cryptosystem) was DES, which used 56 bits. 56-bit security is not sufficiently secure for modern computing. It requires 2^56 operations, which is approximately 7.2e16. If we use 1000 processors with a clock speed (number of operations per second) of 2 GHz, then DES can be cracked in a maximum of 7.2e4 seconds, or 20 hours.

The general consensus among cryptographers is that 112-bit security is sufficient until 2030, and 128-bit security is sufficient until a major breakthrough in maths or computing. For this reason, NIST (National Institute of Standards and Technology) recommends that more than 2048 bits for RSA is unnecessary.

How is efficiency measured?
Adversary defence efficiency is a measure of the ratio between key size and bit security. In this regard, RSA falls behind other cryptosystems such as ECC. Here is a table of recommended key sizes (in bits) according to NIST [2]:

Bit security   RSA key size   ECC key size   DHKE key size
80             1024           160            1024
112            2048           224            2048
128            3072           256            3072
192            7680           384            7680
256            15360          521            15360
(35)

7.3 Effect of Large Adversaries

Many large adversaries such as the NSA (National Security Agency) and GCHQ (Government Communications Headquarters) are suspected to have intellectual property that allows them to break encryption algorithms. For example, the RSA and DHKE algorithms were developed at GCHQ in secret years before they were discovered by the outside cryptography community.

Elliptic Curve Cryptography is a relatively new cryptosystem, and many cryptographers are sceptical of its robustness against unknown attacks. Cryptographic primitives are difficult to implement well and so may be vulnerable to attacks, as shown with RSA implementations. In addition, many cryptographers are concerned that the NSA has inserted a kleptographic backdoor into one or more elliptic curve pseudo-random generators, after Edward Snowden leaked internal memos from the NSA [11].

For this reason, many cryptographers prefer to minimise this risk and use RSA, even though it has a larger key size. During my interview with cryptography researcher Dr Daniel Gardham (at the University of Surrey), he stated that he prefers to use RSA-2048, and sometimes even RSA-4096 when he is feeling paranoid. This is because RSA is a well-documented and well-researched cryptosystem, so he is certain that breaking RSA-4096 is infeasible, at least for the next 30 years. On the other hand, although ECC is theoretically very secure, he has concerns that it could be broken by large adversaries.

8 Conclusion

In conclusion, RSA is an outdated cryptosystem. It suffers from problems such as its performance inefficiency, as well as being very difficult to implement correctly. Protocols such as TLS have already recognised this and begun to phase out RSA in favour of better alternatives, such as ECC.
However, ECC protocols are relatively new to market, and their attacks and weaknesses have not been researched and exploited to the same extent as they have been for RSA protocols. In addition, there are concerns that the NSA has implemented kleptographic backdoors into implementations of the ECC cryptosystem, which means that cryptographers are unaware of its real practical security. It may take several decades for the attacks and weaknesses of ECC to be fully discovered.

But with the advent of quantum computing, it will be feasible to solve the DLP and the ECDLP in polynomial time using Shor's Algorithm. Therefore, current cryptosystems will have to be replaced by new ones. Research should be directed towards developing a new mathematical primitive resistant to post-quantum attacks. This should be the top priority, as such a cryptosystem needs to exist before quantum computing becomes usable.

For now, using RSA is still the safest choice, as it is the most widely researched algorithm. Although it is not the most efficient algorithm, cryptographers still use it for its safety against large adversaries. In the near future, RSA will continue to be used, until a cryptosystem resistant to post-quantum attacks is found.

References

[1] Diaa Salama Abd Elminaam, Hatem Mohamed Abdual-Kader, and Mohiy Mohamed Hadhoud. Evaluating the performance of symmetric encryption algorithms. Int. J. Netw. Secur., 10(3):216–222, 2010.
[2] Elaine Barker and Quynh Dang. NIST Special Publication 800-57 Part 1, Revision 4. NIST, Tech. Rep, 16, 2016.
[3] Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In Annual International Cryptology Conference, pages 1–12. Springer, 1998.
[4] Dan Boneh. The decision Diffie-Hellman problem. In International Algorithmic Number Theory Symposium, pages 48–63. Springer, 1998.
[5] Joppe Bos, Marcelo Kaihara, Thorsten Kleinjung, Arjen K. Lenstra, and Peter L. Montgomery. On the security of 1024-bit RSA and 160-bit elliptic curve cryptography. Technical report, 2009.
[6] Anne Brown, Karen Thomas, and Georgia Tolias. Conceptions of divisibility: Success and understanding. Learning and Teaching Number Theory: Research in Cognition and Instruction, pages 41–82, 2002.
[7] Michael Calderbank. The RSA cryptosystem: history, algorithm, primes. Chicago: math.uchicago.edu, 2007.
[8] Paul Moritz Cohn. Basic Algebra: Groups, Rings and Fields. Springer Science & Business Media, 2012.
[9] John D. Dixon. The number of steps in the Euclidean algorithm. Journal of Number Theory, 2(4):414–422, 1970.
[10] Larry J. Goldstein. A history of the prime number theorem. The American Mathematical Monthly, 80(6):599–615, 1973.
[11] Thomas C. Hales. The NSA back door to NIST. Notices of the AMS, 61(2):190–192, 2013.
[12] Darrel Hankerson, Alfred J. Menezes, and Scott Vanstone. Guide to Elliptic Curve Cryptography. Springer Science & Business Media, 2006.
[13] Martin E. Hellman. The mathematics of public-key cryptography. Scientific American, 241(2):146–157, 1979.
[14] D. H. Lehmer. On Euler's totient function. Bulletin of the American Mathematical Society, 38(10):745–751, 1932.
[15] Prerna Mahajan and Abhishek Sachdeva. A study of encryption algorithms AES, DES and RSA for security. Global Journal of Computer Science and Technology, 2013.
[16] Ueli M. Maurer and Stefan Wolf. The Diffie–Hellman protocol. Designs, Codes and Cryptography, 19(2):147–171, 2000.
[17] Daniele Micciancio and Michael Walter. On the bit security of cryptographic primitives. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 3–28. Springer, 2018.
[18] Matthew Morgado. Modular arithmetic. Online. Available: http://math.uchicago.edu/~may/REU2014/REUPapers/Morgado.pdf [Accessed 10 Sep. 2015].
[19] Paul C. van Oorschot and Michael J. Wiener. On Diffie-Hellman key agreement with short exponents. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 332–343. Springer, 1996.
[20] Dingyi Pei, Arto Salomaa, and Cunsheng Ding. Chinese Remainder Theorem: Applications in Computing, Coding, Cryptography. World Scientific, 1996.
[21] Joseph H. Silverman. The Arithmetic of Elliptic Curves, volume 106. Springer, 2009.
[22] Gustavus J. Simmons. Symmetric and asymmetric encryption. ACM Computing Surveys (CSUR), 11(4):305–330, 1979.
[23] Martin Lysoe Sommerseth and Haakon Hoeiland. Pohlig-Hellman applied in elliptic curve cryptography. Technical report, University of California Santa Barbara, 2015.