This document provides an overview of asymmetric cryptography and discusses one-way functions. It begins with an outline that covers basic mathematical concepts, public key cryptography, one-way functions, RSA, and ElGamal. It then discusses modular arithmetic and exponentiation. One-way functions like multiplying primes and modular exponentiation are presented as the basis for public key cryptography systems like RSA. Confidentiality is achieved by encrypting messages with the recipient's public key that can only be decrypted with their private key.
2. 22
referencesreferences
[1] K. Martin’s Lecture (www.rhul.ac.uk).
[2] Cryptography and Network Security, By W. Stallings.
Prentice Hall, 2003.
[3] Handbook of applied Cryptography by A. Menezes, P.
Van Oorschot and S. Vanstone. 5th
printing, 2001
http://www.cacr.math.uwaterloo.ca/hac
[4] Cryptography: A Very Short Introduction (Very Short
Introduction S.), by Fred Piper and Sean Murphy, Oxford
University Press, 2002.
4. 44
1. The modulo operation1. The modulo operation
DefinitionDefinition
– LetLet aa,, rr,, nn be integers and letbe integers and let mm > 0> 0
– We writeWe write aa ≡≡ rr modmod nn ifif nn dividesdivides aa –– rr (or(or rr –– aa) and 0) and 0 ≤≤ rr << nn
– nn is called theis called the modulusmodulus
– rr is called theis called the remainderremainder
Note thatNote that rr is positive or zerois positive or zero
– Note thatNote that aa == nn..qq ++ rr wherewhere qq is another integer (is another integer (quotientquotient))
Example: 42Example: 42 ≡≡ 6 mod 96 mod 9
– 9 divides 42 - 6 = 369 divides 42 - 6 = 36
– 9 also divides 6 - 42 = -369 also divides 6 - 42 = -36
– Note that 42= 9x4 + 6Note that 42= 9x4 + 6
((qq = 4)= 4)
5. 55
Number TheoryNumber Theory
Natural numbersNatural numbers N = {1,2,3,…}N = {1,2,3,…}
Whole numbersWhole numbers W = {0,1,2,3, …}W = {0,1,2,3, …}
IntegersIntegers Z = {…,-2,-1,0,1,2,3, …}Z = {…,-2,-1,0,1,2,3, …}
DivisorsDivisors
– A numberA number bb is said to divideis said to divide aa ifif aa == mbmb for somefor some mm wherewhere aa,,bb,,mm ∈∈ ZZ
– We write this asWe write this as bb||aa
Read as “Read as “bb dividesdivides a”a”
6. 66
DivisorsDivisors
Some common propertiesSome common properties
– IfIf aa|1|1,, aa = +1 or –1= +1 or –1
– IfIf aa||bb andand bb||aa thenthen aa = += +bb or –or –bb
– AnyAny bb ∈∈ ZZ divides 0 ifdivides 0 if bb ≠≠ 00
– IfIf bb||gg andand bb||hh thenthen bb|(|(mg + nhmg + nh) where) where bb,,m,n,g,hm,n,g,h ∈∈ ZZ
Examples:Examples:
– The positive divisors of 42 are 1,2,3,6,7,14,21,42The positive divisors of 42 are 1,2,3,6,7,14,21,42
– 3|6 and 3|21 => 3|213|6 and 3|21 => 3|21mm+6+6nn forfor m,nm,n ∈∈ ZZ
7. 77
Prime NumbersPrime Numbers
An integerAn integer pp is said to be a prime number if its only positiveis said to be a prime number if its only positive
divisors are 1 and itselfdivisors are 1 and itself
– Examples 1, 3, 7, 11, ..Examples 1, 3, 7, 11, ..
Any integer can be expressed as aAny integer can be expressed as a uniqueunique product of primeproduct of prime
numbers raised to positive integral powersnumbers raised to positive integral powers
– n=pn=p11
ee
11 pp22
ee
2…2…ppkk
ee
kk //// n: ingterger, pn: ingterger, pii:prime, e:prime, e,,: positive integer: positive integer
ExamplesExamples
– 7569 = 3 x 3 x 29 x 29 = 37569 = 3 x 3 x 29 x 29 = 322
x 29x 2922
– 5886 = 2 x 27 x 109 = 2 x 35886 = 2 x 27 x 109 = 2 x 333
x 109x 109
This process is calledThis process is called Prime FactorizationPrime Factorization
8. 88
Greatest common divisorGreatest common divisor
(GCD)(GCD)
Definition: Greatest Common DivisorDefinition: Greatest Common Divisor
– This is the largest divisor ofThis is the largest divisor of bothboth aa andand bb
Given two integersGiven two integers aa andand bb, the positive integer, the positive integer cc is called theiris called their
GCD or greatest common divisor if and only ifGCD or greatest common divisor if and only if
– cc || aa andand cc || bb
– Any divisor of bothAny divisor of both aa andand bb also dividesalso divides cc
Notation:Notation: gcd(a, b) = cgcd(a, b) = c
Example:Example: gcd(49,63)gcd(49,63) = ?= ?
gcd(a,b)=gcd(b, a mod b)gcd(a,b)=gcd(b, a mod b)
Exception:Exception: gcd(0,0)=0gcd(0,0)=0
9. 99
Relatively Prime NumbersRelatively Prime Numbers
Two numbers are said to be relatively prime if theirTwo numbers are said to be relatively prime if their gcdgcd is 1is 1
– Example: 63 and 22 are relatively primeExample: 63 and 22 are relatively prime
How do you determine if two numbers are relatively prime?How do you determine if two numbers are relatively prime?
– Find theirFind their gcdgcd oror
– Find their prime factorsFind their prime factors
If they do not have a common prime factor other than 1, they are relatively primeIf they do not have a common prime factor other than 1, they are relatively prime
– Example: 63 = 9 x 7 = 3Example: 63 = 9 x 7 = 322
x 7 and 22 = 11 x 2x 7 and 22 = 11 x 2
10. 1010
Modular Arithmetic AgainModular Arithmetic Again
We say thatWe say that aa ≡≡ bb modmod mm ifif mm || aa –– bb
– Read as:Read as: aa isis congruentcongruent toto bb modulomodulo mm
– mm is called theis called the modulusmodulus
– Example: 27Example: 27 ≡≡ 2 mod 52 mod 5
Note thatNote that bb is theis the remainderremainder after dividingafter dividing aa byby mm
– Example: 27Example: 27 ≡≡ 7 mod 5 and 77 mod 5 and 7 ≡≡ 2 mod 52 mod 5
aa ≡≡ bb modmod m => bm => b ≡≡ aa modmod mm
– Example: 2Example: 2 ≡≡ 27 mod 527 mod 5
We usually consider theWe usually consider the smallest positive remaindersmallest positive remainder which iswhich is
sometimes called thesometimes called the residueresidue
11. 1111
Modulo OperationModulo Operation
The modulo operation “reduces” the infinite set of integers to aThe modulo operation “reduces” the infinite set of integers to a
finite setfinite set
Example: modulo 5 operationExample: modulo 5 operation
– We have five setsWe have five sets
{…,-10, -5, 0, 5, 10, …} =>{…,-10, -5, 0, 5, 10, …} => aa ≡≡ 0 mod 50 mod 5
{…,-9, -4, 1, 6, 11,…} =>{…,-9, -4, 1, 6, 11,…} => aa ≡≡ 1 mod 51 mod 5
{…,-8, -3, 2, 7, 12,…} =>{…,-8, -3, 2, 7, 12,…} => aa ≡≡ 2 mod 52 mod 5
{…,-7, -2, 3, 8, 13,…} =>{…,-7, -2, 3, 8, 13,…} => aa ≡≡ 3 mod 53 mod 5
{…,-6, -1, 4, 9, 14…} =>{…,-6, -1, 4, 9, 14…} => aa ≡≡ 4 mod 54 mod 5
– The set of residues of integers modulo 5 has five elements {0,1,2,3,4} andThe set of residues of integers modulo 5 has five elements {0,1,2,3,4} and
is denoted Zis denoted Z55..
12. 1212
Euler phi (or totient) functionEuler phi (or totient) function
ForFor nn ≥≥ 1,1, φφ(n)(n) : is the number of integers in [: is the number of integers in [1,n1,n] which are] which are
relatively prime torelatively prime to n //n // φφ(n)(n) is theis the Euler phiEuler phi oror totient functiontotient function
IfIf pp is prime, thenis prime, then φφ(p)=p-1(p)=p-1
IfIf gcd(m,n)=1gcd(m,n)=1, then, then φφ(mn)=(mn)= φφ(m).(m).φφ(n)(n)
Examples:Examples:
φφ(21)=(21)= φφ(3).(3).φφ(7) = (3-1) * (7-1) =12(7) = (3-1) * (7-1) =12
13. 1313
multiplicative groupmultiplicative group ZZnn
**
Definition: theDefinition: the multiplicative groupmultiplicative group ZZnn
**
of Zof Znn
– ZZnn
**
={a={a∈∈ZZnn || gcd(a,n)=1}gcd(a,n)=1}
– IfIf nn is prime thenis prime then ZZnn
**
={a={a∈∈ZZnn || 11 ≤≤ aa ≤≤ n-1}n-1}
φφ(n)=(n)= ||ZZnn
**
||
LetLet nn ≥≥ 2 be an integer2 be an integer
– Euler’s theoremEuler’s theorem:: IfIf gg ∈∈ ZZnn
**
thenthen ggφφ(n)(n)
≡≡ 1 (mod n)1 (mod n)
– IfIf nn is a product of distinct primes, and ifis a product of distinct primes, and if rr ≡≡ s mod (s mod (φφ(n))(n)),,
thenthen ggrr
≡≡ ggss
(mod n)(mod n) for all integersfor all integers gg
– i.e.,i.e., when working modulo anwhen working modulo an n,n, exponents can be reduced moduloexponents can be reduced modulo φφ(n)(n)
LetLet pp be a prime nubmerbe a prime nubmer
– Fermat’s theoremFermat’s theorem:: IfIf gcd(a,p)=1gcd(a,p)=1, then, then ggp-1p-1
≡≡ 1 (mod p)1 (mod p)
– IfIf rr ≡≡ s mod (p-1)s mod (p-1) , then, then ggrr
≡≡ ggss
(mod p)(mod p) for all integersfor all integers gg
i.e.,i.e., when working modulo a primewhen working modulo a prime pp, exponents can be reduced modulo, exponents can be reduced modulo p-1p-1
pp
14. 1414
Generator ofGenerator of ZZnn
**
LetLet gg ∈∈ ZZnn
**
, the, the orderorder ofof gg is the least positive integeris the least positive integer tt such thatsuch that
ggtt
≡≡1 mod n1 mod n
If the order ofIf the order of gg ∈∈ ZZnn
**
isis t,t, andand ggss
≡≡1 (mod n),1 (mod n), thenthen tt dividesdivides ss
– A particular case:A particular case: tt||φφ(n)(n)
LetLet gg ∈∈ ZZnn
**
, if the order of, if the order of gg isis φφ(n),(n), thenthen gg is said to be ais said to be a
generatorgenerator or aor a primitive elementprimitive element ofof ZZnn
**
..
– IfIf gg is a generator ofis a generator of ZZnn
**
, then, then ZZnn
**
={={ggii
mod nmod n || 00 ≤≤ ii ≤≤ φφ(n) -1}(n) -1}
15. 1515
2. Public-key cryptography2. Public-key cryptography
Called alsoCalled also asymmetric cryptographyasymmetric cryptography
The keys used to encrypt and decrypt are different.The keys used to encrypt and decrypt are different.
Anyone who wants to be a receiver needs to “publish” anAnyone who wants to be a receiver needs to “publish” an
encryption key, which is known as theencryption key, which is known as the public key,public key, KUKU..
Anyone who wants to be a receiver needs a unique decryptionAnyone who wants to be a receiver needs a unique decryption
key, which is known as thekey, which is known as the private key,private key, KRKR..
If B wants to send an enciphered text to A, B should knowsIf B wants to send an enciphered text to A, B should knows thethe
encryption algorithmencryption algorithm and A’s public key.and A’s public key.
16. 1616
Confidentiality via Public keyConfidentiality via Public key
cryptographycryptography
Alice wants to send a secret messageAlice wants to send a secret message mm to Bobto Bob
Bob should have 2 keys: publicBob should have 2 keys: public KUKUbb and privateand private KRKRbb
Prior to message encryption, Alice gets by some means anPrior to message encryption, Alice gets by some means an
authentic copy of Bob’s public key (authentic copy of Bob’s public key (i.e.,i.e., the encryption key)the encryption key)
Message
Source
Encryption Message
Source
Decryption
m Ciphertext m
Alice
Key Source
KUKUbb
KRKRbb
Bob
17. 1717
Public-key cryptographyPublic-key cryptography
It should not be possible to deduce the plaintext from knowledgeIt should not be possible to deduce the plaintext from knowledge
of the ciphertext and the public key.of the ciphertext and the public key.
It should not be possible to deduce the private key fromIt should not be possible to deduce the private key from
knowledge of the public key.knowledge of the public key.
Public-key cryptography is based onPublic-key cryptography is based on One-Way FunctionsOne-Way Functions
18. 1818
3. One-Way Functions (OWF)3. One-Way Functions (OWF)
A one-way function is a function that is “easy” to compute and
“difficult” to reverse
Examples of OWF that we’ll use in this lecture to explain
public-key systems:
– Multiplication of two primes
– Modular exponentiation
19. 1919
OWF: Multiplying two primesOWF: Multiplying two primes
Multiplication of two prime numbers is believed to be a one-way
function.
Given two prime numbers p and q
– It’s easy to find n=p.q
– However, starting from n, it’s difficult to find p and q
Is it prime factorization?
20. 2020
OWF: Modular exponentaitionOWF: Modular exponentaition
The process of exponentiation just means raising numbers to a
power.
Raising a to the power b, normally denoted ab
just means
multiplying a by itself b times. In other words:
ab
= a x a x a x … x a
Modular exponentiation means computing ab
modulo some
other number n. We tend to write this as
ab
mod n.
Modular exponentiation is “easy”.
21. 2121
OWF: Modular exponentaitionOWF: Modular exponentaition
However, given a, and ab
mod n (when n is prime), calculating b
is regarded by mathematicians as a hard problem.
This difficult problem is often referred to as the discrete
logarithm problem.
In other words, given a number a and a prime number n, the
function
f(b) = ab
mod n
is believed to be a one-way function.
22. 2222
4. RSA4. RSA
It is named after it inventors Ron Rivest, Adi Shamir and Len
Adleman.
Published in 1978
It is the most widely used public-key encryption algorithm
today.
It provides confidentiality and digital signatures.
Its security is based on the difficulty of integer factorization
23. 2323
RSA algorithmRSA algorithm (key generation for(key generation for
RSA public-key encryption)RSA public-key encryption)
Each entity A creates a public key and a corresponding privateEach entity A creates a public key and a corresponding private
key by doing the followingkey by doing the following
– Generate two large (at least 512 bits) primesGenerate two large (at least 512 bits) primes pp andand qq
– ComputeCompute n=pqn=pq andand φφ(n)=(p-1)(q-1)(n)=(p-1)(q-1) ..
– ChooseChoose ee << φφ relatively prime torelatively prime to φφ (i.e., gcd (e,(i.e., gcd (e, φφ)=1))=1)
– ComputeCompute dd such thatsuch that ed moded mod φφ(n)(n) ≡≡ 11
A’s Public key: (A’s Public key: (ee,, nn) // to be published.) // to be published.
A’s private key:A’s private key: dd ((oror ((dd,, nn)) // to be kept secretly by A)) // to be kept secretly by A
Who is capable of computingWho is capable of computing dd??
24. 2424
RSA Encryption/decryptionRSA Encryption/decryption
Summary: B encrypts a messageSummary: B encrypts a message mm for A. Upon reception, Afor A. Upon reception, A
decrypts it using its private key.decrypts it using its private key.
Encryption: B should do the followingEncryption: B should do the following
– Obtain A’s authentic public keyObtain A’s authentic public key (n,e).(n,e).
– Represent the message as an integer in the interval [Represent the message as an integer in the interval [0,n-10,n-1]]
– ComputeCompute cc == mmee
modmod nn //// EncryptionEncryption
– Send the ciphertext c to ASend the ciphertext c to A
Decryption:Decryption: to recover plaintextto recover plaintext mm fromfrom cc, A does the following, A does the following
– Use the private keyUse the private key dd to recoverto recover mm == ccdd
modmod nn //// DecryptionDecryption
How does B obtain A’s authentic key?How does B obtain A’s authentic key?
25. 2525
Example: confidentialityExample: confidentiality
TakeTake pp = 7,= 7, qq = 11, so= 11, so nn = 77 and= 77 and φφ(n)(n) = 60= 60
Say Bob chooses (Say Bob chooses (KUKUbb)) ee = 17= 17, making (, making (KRKRbb)) dd = 53= 53
– 17 x 53 mod 60 = ?17 x 53 mod 60 = ?
Alice wants to secretly send Bob the message HELLO [07 04 11Alice wants to secretly send Bob the message HELLO [07 04 11
11 14]11 14]
– 07071717
mod 77 = 28mod 77 = 28
– 04041717
mod 77 = 16mod 77 = 16
– 11111717
mod 77 = 44mod 77 = 44
– 11111717
mod 77 = 44mod 77 = 44
– 14141717
mod 77 = 42mod 77 = 42
Alice sends ciphertext [28 16 44 44 42]Alice sends ciphertext [28 16 44 44 42]
26. 2626
Example: confidentialityExample: confidentiality
Bob receives [28 16 44 44 42]Bob receives [28 16 44 44 42]
Bob uses private key (Bob uses private key (KRKRbb),), dd = 53= 53, to decrypt the message:, to decrypt the message:
– 28285353
mod 77 = 07mod 77 = 07 HH
– 16165353
mod 77 = 04mod 77 = 04 EE
– 44445353
mod 77 = 11mod 77 = 11 LL
– 44445353
mod 77 = 11mod 77 = 11 LL
– 42425353
mod 77 = 14mod 77 = 14 OO
No one else could read it, as only Bob knows his private key andNo one else could read it, as only Bob knows his private key and
that is needed for decryptionthat is needed for decryption
27. 2727
Attacking RSAAttacking RSA
1.1. Trying to decrypt a ciphertext without knowledge of the privateTrying to decrypt a ciphertext without knowledge of the private
keykey
– The encryption process in RSA involves computing the function c =
me
mod n, which is regarded as being easy
– An attacker who observes this ciphertext c, and has knowledge of e and
n, needs to try to work out what m is.
– i.e., find m such that mmee
= c mod n
– In other words, find the eth
root of c mod n
Computing m from c, e and n is regarded as a hard problem and
known as RSA problem.
28. 2828
Attacking RSAAttacking RSA
2. If the attacker knows the public key of a user (e,n), what would
she/he need to do in order to obtain the corresponding private
key?
He/she needs to find d such that ed moded mod φφ(n) = 1(n) = 1
i.e., needs to know p and q
In other words, he/she must factor n (problem of prime factorization)
Recommended size of n:
– 768-bit is recommended
– 1024-bit or larger is required for long term security
– it is believed that factoring a 512 bit number is about as hard as
searching for a 56 bit symmetric key.
29. 2929
5. El Gamal5. El Gamal
ElGamal is another public-key encryption
We will also take a look at the ElGamal public key cipher
system for a number of reasons:
– To show that RSA is not the only public key systemTo show that RSA is not the only public key system
– To exhibit a public key system based on a different one way functionTo exhibit a public key system based on a different one way function
– ElGamal is the basis for several well-known cryptosystemsElGamal is the basis for several well-known cryptosystems
30. 3030
ElGamal algorithmElGamal algorithm (key generation)(key generation)
Key generation for ElGamal public-key encryptionKey generation for ElGamal public-key encryption
Each entityEach entity AA creates a public key and a corresponding privatecreates a public key and a corresponding private
key.key.
– Generate a large prime numberGenerate a large prime number pp (1024 bits)(1024 bits)
– Generate a generatorGenerate a generator gg of the multiplicative groupof the multiplicative group ZZpp
**
of the integersof the integers
modulomodulo pp
– Select a random integerSelect a random integer x, 1x, 1 ≤≤ xx ≤≤ p-2p-2
– ComputeCompute y = gy = gxx
mod pmod p
– A’s public key isA’s public key is (p, g, y)(p, g, y)
To be publishedTo be published
– A’s private key isA’s private key is xx
To be kept secret by ATo be kept secret by A
31. 3131
ElGamal algorithmElGamal algorithm (key generation)(key generation)
ExampleExample
Step 1: Let p = 2357
Step 2: Select a generator g = 2 of Z2357
*
Step 3: Choose a private key x = 1751
Step 4: Compute y = 21751
(mod 2357)
= 1185
Public key is (2357,2,1185)
Private key is 1751
32. 3232
ElGamal algorithmElGamal algorithm (Encryption/decryption)(Encryption/decryption)
Summary: B encrypts a messageSummary: B encrypts a message mm for A, which A decryptsfor A, which A decrypts
Encryption: B should de the followingEncryption: B should de the following
– Obtain A’s authentic public keyObtain A’s authentic public key (p, g, y).(p, g, y).
– Represent the message as an integer in the interval [Represent the message as an integer in the interval [0,p-10,p-1]]
– Select an integerSelect an integer k, 1k, 1 ≤≤ kk ≤≤ p-2p-2
– ComputeCompute γγ=g=gkk
mod pmod p andand δδ=m.(y)=m.(y)kk
mod pmod p
– Send the ciphertext c = (Send the ciphertext c = (γγ,, δδ) to) to AA
DecryptionDecryption
– A uses the private keyA uses the private key xx to computeto compute z=z= γγp-1-xp-1-x
mod pmod p
– A computesA computes z.z.δδ modmodp (=m)p (=m)
33. 3333
ElGamal algorithmElGamal algorithm (Encryption/decryption)(Encryption/decryption)
Encryption
– To encrypt m = 2035 using Public key (2357,2,1185)
– Generate a random number k = 1520
– Compute γγ = 21520
mod 2357 = 1430
δδ = 2035 x 11851520
mod 2357 =697
– Ciphertext c = (1430 , 697)
DecryptionDecryption
– zz== γγp-1-xp-1-x
modmod pp = 1430= 1430605605
mod 2357 =872mod 2357 =872
– 872x697 mod 2357 = 2035872x697 mod 2357 = 2035
34. 3434
ElGamal PropertiesElGamal Properties
There is aThere is a message expansionmessage expansion by a factor of 2by a factor of 2
– i.e.,i.e., the ciphertext is twice as long as the corresponding plaintextthe ciphertext is twice as long as the corresponding plaintext
Requires a random number generator (k)Requires a random number generator (k)
Relies on discrete algorithm problem,Relies on discrete algorithm problem, i.e.i.e., having, having y= gy= gxx
mod pmod p it’s hard to findit’s hard to find xx (the private key)(the private key)
ElGamal encryption is randomized (coming from the randomElGamal encryption is randomized (coming from the random
numbernumber kk), RSA encryption is deterministic.), RSA encryption is deterministic.
ElGamal is the basis of many other algorithms (ElGamal is the basis of many other algorithms (e.g.e.g., DSA), DSA)
35. 3535
SummarySummary
RSA is a public key encryption algorithm whose security isRSA is a public key encryption algorithm whose security is
believed to be based on the problem of factoring large numbers.believed to be based on the problem of factoring large numbers.
ElGamal is a public key encryption algorithm whose security isElGamal is a public key encryption algorithm whose security is
believed to be based on the discrete logarithm problem.believed to be based on the discrete logarithm problem.
RSA is generally favoured over ElGamal for practical ratherRSA is generally favoured over ElGamal for practical rather
than security reasons.than security reasons.
RSA and ElGamal areRSA and ElGamal are less efficient and fastless efficient and fast to operate than mostto operate than most
symmetric encryption algorithms because they involve modularsymmetric encryption algorithms because they involve modular
exponentiation.exponentiation.
– Public key cryptography confined to key management and signaturePublic key cryptography confined to key management and signature
applications.applications.
Editor's Notes
Pp. 287 for why the choice of these number in this way