SlideShare a Scribd company logo
1 of 35
Download to read offline
January 31, 2012 1
Cryptography and Network Security
Lecture 7: Public-key cryptography and RSA
Ion Petre
Department of IT, Åbo Akademi University
Spring 2012
http://users.abo.fi/ipetre/crypto/
http://users.abo.fi/ipetre/crypto/
January 31, 2012 2
Some unanswered questions on symmetric
cryptosystems
 Key management: changing the secret key or establishing one is
nontrivial
 Change the keys two users share (should be done reasonably often)
 Establish a secret key with somebody you do not know and cannot meet
in person: (e.g., visiting secure websites such as e-shops)
 This could be done via a trusted Key Distribution Center (details in a
future lecture)
 Can (or should) we really trust the KDC?
 “What good would it do after all to develop impenetrable cryptosystems, if
their users were forced to share their keys with a KDC that could be
compromised by either burglary or subpoena?” – Diffie, 1988
 Digital signatures
http://users.abo.fi/ipetre/crypto/
January 31, 2012 3
A breakthrough idea
 Rather than having a secret key that the two users must share, each
users has two keys
 One key is secret and he is the only one who knows it
 The other key is public and anyone who wishes to send him a
message uses that key to encrypt the message
 Diffie and Hellman first (publicly) introduced the idea in 1976 – this was
radically different than all previous efforts
 NSA claims to have known it since mid-1960s!
 Communications-Electronic Security Group (the British counterpart of
NSA) documented the idea in a classified report in 1970
http://users.abo.fi/ipetre/crypto/
January 31, 2012 4
A word of warning
 Public-key cryptography complements rather than replaces
symmetric cryptography
 There is nothing in principle to make public-key crypto more secure than
symmetric crypto
 Public-key crypto does not make symmetric crypto obsolete: it has its
advantages but also its (major) drawbacks such as speed
 Due to its low speed, it is mostly confined to key management and
digital signatures
http://users.abo.fi/ipetre/crypto/
January 31, 2012 5
The idea of public-key cryptography
 The concept was proposed in 1976 by Diffie and Hellman although
no practical way to design such a system was suggested
 Each user has two keys: one encryption key that he makes public
and one decryption key that he keeps secret
 Clearly, it should be computationally infeasible to determine the
decryption key given only the encryption key and the cryptographic
algorithm
 Some algorithms (such as RSA) satisfy also the following useful
characteristic:
 Either one of the two keys can be used for encryption – the other one
should then be used to decrypt the message
 First we will investigate the concept with no reference yet to practical
design of a public-key system
http://users.abo.fi/ipetre/crypto/
January 31, 2012 6
Essential steps in public-key encryption
 Each user generates a pair of keys to be used for encryption and
decryption
 Each user places one of the two keys in a public register and the
other key is kept private
 If B wants to send a confidential message to A, B encrypts the
message using A’s public key
 When A receives the message, she decrypts it using her private key
 Nobody else can decrypt the message because that can only be done
using A’s private key
 Deducing a private key should be infeasible
 If a user wishes to change his keys – generate another pair of keys
and publish the public one: no interaction with other users is needed
http://users.abo.fi/ipetre/crypto/
January 31, 2012 7
Bob sends an encrypted message to Alice
http://users.abo.fi/ipetre/crypto/
January 31, 2012 8
Some notation
 The public key of user A will be denoted KUA
 The private key of user A will be denoted KRA
 Encryption method will be a function E
 Decryption method will be a function D
 If B wishes to send a plain message X to A, then he sends the
cryptotext Y=E(KUA,X)
 The intended receiver A will decrypt the message: D(KRA,Y)=X
http://users.abo.fi/ipetre/crypto/
January 31, 2012 9
A first attack on the public-key scheme –
authenticity
 Immediate attack on this scheme:
 An attacker may impersonate user B: he sends a message E(KUA,X)
and claims in the message to be B – A has no guarantee this is so
 This was guaranteed in classical cryptosystems simply through knowing
the key (only A and B are supposed to know the symmetric key)
 The authenticity of user B can be established as follows:
 B will encrypt the message using his private key: Y=E(KRB,X)
 This shows the authenticity of the sender because (supposedly) he is the
only one who knows the private key
 The entire encrypted message serves as a digital signature
 Note: this may not be the best possible solution: ideally, digital signatures
should be rather small so that one can preserve many of them over a
long period of time
 Better schemes will be presented a couple of lectures on
http://users.abo.fi/ipetre/crypto/
January 31, 2012 10
A scheme to authenticate the sender of the message
http://users.abo.fi/ipetre/crypto/
January 31, 2012 11
Encryption and authenticity
 Still a drawback: the scheme on the previous slide authenticate but
does not ensure security: anybody can decrypt the message using
B’s public key
 One can provide both authentication and confidentiality using the
public-key scheme twice:
 B encrypts X with his private key: Y=E(KRB,X)
 B encrypts Y with A’s public key: Z=E(KUA,Y)
 A will decrypt Z (and she is the only one capable of doing it):
Y=D(KRA,Z)
 A can now get the plaintext and ensure that it comes from B (he is the
only one who knows his private key): decrypt Y using B’s public key:
X=E(KUB,Y)
http://users.abo.fi/ipetre/crypto/
January 31, 2012 12
Secrecy and authentication using public-key schemes
http://users.abo.fi/ipetre/crypto/
January 31, 2012 13
Applications for public-key cryptosystems
1. Encryption/decryption: sender encrypts the message with the
receiver’s public key
2. Digital signature: sender “signs” the message (or a representative
part of the message) using his private key
3. Key exchange: two sides cooperate to exchange a secret key for
later use in a secret-key cryptosystem
http://users.abo.fi/ipetre/crypto/
January 31, 2012 14
Requirements for public-key cryptosystems
 Generating a key pair (public key, private key) is computationally
easy
 Encrypting a message using a known key (his own private or
somebody else’s public) is computationally easy
 Decrypting a message using a known key (his own private or
somebody else’s public) is computationally easy
 Knowing the public key, it is computationally infeasible for an
opponent to deduce the private key
 Knowing the public key and a ciphertext, it is computationally
infeasible for an opponent to deduce the private key
 Useful extra feature: encryption and decryption can be applied in
any order:
E( KUA, D(KRA,X) ) =D(KRA, E( KUA, X) )
http://users.abo.fi/ipetre/crypto/
January 31, 2012 15
Designing a public-key cryptosystem
 Computationally easy usually means polynomial-time algorithm
 Computationally infeasible more difficult to define
 Usually means super-polynomial-time algorithms, e.g., exponential-time algorithms
 Classical complexity analysis (worst-case complexity or average-case complexity) are
worthless in cryptography – one should make sure a problem is difficult for virtually all
inputs and not just in the worse or in the average case
 Public-key cryptosystems usually rely on difficult math functions rather than S-P
networks as classical cryptosystems
 One-way function: easy to calculate in one direction, infeasible to calculate in the
other direction (i.e., the inverse is infeasible to compute)
 Trap-door function: difficult function that becomes easy if some extra information is
known
 Aim: find a trap-door one-way function for encryption – decryption will be the inverse
http://users.abo.fi/ipetre/crypto/
January 31, 2012 16
RSA
 One of the first proposals on implementing the concept of public-key
cryptography was that of Rivest, Shamir, Adleman – 1977: RSA
 The RSA scheme is a block cipher in which the plaintext and the ciphertext
are integers between 0 and n-1 for some fixed n
 Typical size for n is 1024 bits (or 309 decimal digits)
 To be secure with today’s technology size should between 1024 and 2048 bits
 Idea of RSA: it is a difficult math problem to factorize (large) integers
 Choose p and q odd primes, n=pq
 Choose integers d,e such that Med=M mod n, for all M<n
 Plaintext: block of k bits, where 2k<n≤2k+1 – can be considered a number M with
M<n
 Encryption: C=Me mod n
 Decryption: Cd mod n = Mde mod n = M
 Public key: KU={e,n}
 Private key: KR={d,n}
 Questions: How do we find d,e? How do we find large primes?
 Answer: Number Theory!
http://users.abo.fi/ipetre/crypto/
January 31, 2012 17
Motto for our introduction to Number Theory
The Devil said to Daniel Webster: "Set me a task I can't carry out, and I'll give you anything
in the world you ask for."
Daniel Webster: "Fair enough. Prove that for n greater than 2, the equation an + bn = cn has
no non-trivial solution in the integers."
They agreed on a three-day period for the labour, and the Devil disappeared.
At the end of three days, the Devil presented himself, haggard, jumpy, biting his lip. Daniel
Webster said to him, "Well, how did you do at my task? Did you prove the theorem?'
"Eh? No . . . no, I haven't proved it."
"Then I can have whatever I ask for? Money? The Presidency?'
"What? Oh, that—of course. But listen! If we could just prove the following two lemmas—"
—The Mathematical Magpie, Clifton Fadiman
http://users.abo.fi/ipetre/crypto/
January 31, 2012 18
Notions of number theory
 Fermat’s little theorem: if p is prime and a is positive integer not divisible
by p, then ap-1 ≡ 1 mod p
 Corollary: For any positive integer a and prime p, ap ≡ a mod p
 Comments:
 This is a first step in our quest to find Med=M mod n – not quite enough though
 Fermat’s little theorem provides a necessary condition for an integer p to be
prime – the condition is not sufficient
 We will turn this theorem into a (probabilistic) test for primality
 Example:
 p=5, a=3, 35=243=3 mod 5
 p=5, a=10, 105=100000=10 mod 5 = 0 mod 5
 Fermat’s theorem, as useful as it will turn out to be, it does not provide us
with integers d,e we are looking for – Euler’s theorem (a refinement of
Fermat’s) does
http://users.abo.fi/ipetre/crypto/
January 31, 2012 19
Euler’s totient function
 Euler’s function associates to any positive integer n a number φ(n): the
number of positive integers smaller than n and relatively prime to n
 Example:
 φ(37)=36
 φ(p)=p-1, for any prime p
 φ(35)=24: {1,2,3,4,6,8,9,11,12,13,16,17,18,19,22,23,24,26,27,29,31,32,33,34}
 Easy to see that for any two distinct primes p,q, φ(pq)=(p-1)(q-1)
 All numbers smaller than pq are relatively primes with pq except for multiples of
p (q-1 of them) and multiples of q (p-1 of them): pq-(q-1)-(p-1)=(p-1)(q-1)
 Euler’s theorem: for any relatively prime integers a,n we have
aφ(n)≡1 mod n
 Corollary: For any integers a,n we have aφ(n)+1≡ a mod n
 Corollary: Let p,q be two odd primes and n=pq. Then:
 φ(n)=(p-1)(q-1)
 For any integer m with 0<m<n, m(p-1)(q-1)+1≡m mod n
 For any integers k,m with 0<m<n, mk(p-1)(q-1)+1≡m mod n
http://users.abo.fi/ipetre/crypto/
January 31, 2012 20
Back to RSA
 Euler’s theorem provides us the numbers d,e such that Med=M mod n
 We have to choose d,e such that ed=kφ(n)+1 for some k
 Equivalently, d≡e-1 mod φ(n)
 To calculate the modular inverse of an interger: the extended Euclid’s algorithm!
 see Lecture 5
 The RSA scheme
 Key generation
 Choose two odd primes p,q – keep private. Compute n=pq – make public
 Choose e, 1<e<φ(n) with gcd(φ(n),e)=1 – make public
 Compute d≡e-1 mod φ(n) – keep private
 Private key is {d,n}
 Public key is {e,n}
 Encryption
 Plaintext: block of k bits, where 2k<n≤2k+1 – can be considered a number M with M<n
 Ciphertext: C=Me mod n
 Decryption:
 Ciphertext: C
 Plaintext: Cd mod n = Mde mod n = M
http://users.abo.fi/ipetre/crypto/
January 31, 2012 21
Example
 Key generation
 Select primes p=17, q=11
 Compute n=pq=187
 Compute φ(n)=(p-1)(q-1)=160
 Select e=7
 Compute d: d=23 (use the extended
Euclid’s algorithm)
 KU={7,187}
 KR={23,187}
 Encrypt M=88: 887 mod 187
 887 mod 187 = [ (884 mod 187)(882 mod
187) (88 mod 187) ] = 11
 Decrypt C=11: 1123 mod 187
 M=1123 mod 187= [ (1116 mod 187)(114
mod 187) (112 mod 187)(11 mod 187)]
 112 mod 187 =121
 114 mod 187= 1212 mod 187=55
 118 mod 187=552 mod 187= 33
 1116 mod 187=332 mod 187=154
 M=154 x 55 x 121 x 11 mod 187 = 88
RSA scheme
–Key generation
•Choose primes p,q
•Compute n=pq
•Choose e, 1<e<φ(n) with gcd(φ(n),e)=1
•Compute d≡e-1 mod φ(n)
•Private key is {d,n}
•Public key is {e,n}
–Encryption
•C=Me mod n
–Decryption:
•Cd mod n = Mde mod n = M
http://users.abo.fi/ipetre/crypto/
January 31, 2012 22
Computational aspects – RSA implementation
Fast modular exponentiation
 Take each step in turn and discuss how
can it be implemented efficiently
 For encryption and decryption we must be
able to do quick modular exponentiations
– two ideas are useful:
 (ab mod n) = [(a mod n)(b mod n)] (mod n)
 To compute x16 mod n we do not have to
do 15 multiplication but only 4: compute x2
mod n, x4 mod n, x8 mod n, x16 mod n
 Apply this to compute quickly any
exponent, not just powers of 2
RSA scheme
–Key generation
•Choose primes p,q
•Compute n=pq
•Choose e, 1<e<φ(n) with gcd(φ(n),e)=1
•Compute d≡e-1 mod φ(n)
•Private key is {d,n}
•Public key is {e,n}
–Encryption
•C=Me mod n
–Decryption:
•Cd mod n = Mde mod n = M
http://users.abo.fi/ipetre/crypto/
January 31, 2012 23
Fast modular exponentiation
 Square-and-multiply algorithm
 Input: n,x,b (b is in base 2 (bk-1,…,b1,b0), b≠0
 Output: xb mod n
1. z=1
2. for i=k-1 downto 0
3. z=z2 mod n
4. if bi=1 then z=zx mod n
 Complexity O(r3), where r=[log2n]
 Example: encrypt 9726 with
KU={3533,11413}: 97263533mod 11413
 3533=(1,1,0,1,1,1,0,0,1,1,0,1)
 Ciphertext: 5761
RSA scheme
–Key generation
•Choose primes p,q
•Compute n=pq
•Choose e, 1<e<φ(n) with gcd(φ(n),e)=1
•Compute d≡e-1 mod φ(n)
•Private key is {d,n}
•Public key is {e,n}
–Encryption
•C=Me mod n
–Decryption:
•Cd mod n = Mde mod n = M
i bi z
11 1 9726
10 1 97262x9726=2659
9 0 26592=5634
8 1 56342x9726=9167
7 1 91672x9726=4958
6 1 49582x9726=7783
i bi z
5 0 77832=6298
4 0 62982=4629
3 1 46292x9726=10185
2 1 101852x9726=105
1 0 1052=11025
0 1 110252x9726=5761
http://users.abo.fi/ipetre/crypto/
January 31, 2012 24
Computational aspects – RSA implementation
Key generation
 The highlighted part in the algorithm is
easy to implement
 Generate a series of random numbers
and test each against φ(n) for relative
primality
 Testing whether or not two integers
are relatively prime and finding a
modular inverse can be done with the
extended Euclid’s algorithm
 Very few tests are needed before a
usable e is found: the probability that
two random numbers are relatively
prime is 0.6
RSA scheme
–Key generation
•Choose primes p,q
•Compute n=pq
•Choose e, 1<e<φ(n) with gcd(φ(n),e)=1
•Compute d≡e-1 mod φ(n)
•Private key is {d,n}
•Public key is {e,n}
–Encryption
•C=Me mod n
–Decryption:
•Cd mod n = Mde mod n = M
http://users.abo.fi/ipetre/crypto/
January 31, 2012 25
Computational aspects – RSA implementation
Key generation
 No practical techniques to yield large
prime numbers
 Procedure: generate random odd
numbers and test whether that integer is
prime
 Testing whether or not an integer n is a
prime is a difficult problem (“primality is
difficult”)
 There has been a long standing question
in math whether or not primality can be
tested in polynomial deterministic time
 Answer (2002): YES!
 Manindra Agrawal, Neeraj Kayal and Nitin
Saxena, “PRIMES is in P”, Ann. of Math.
(2), 160:2 (2004) 781--793.
 Drawback: high complexity – O(log12n
f(log log n)), where f is a polynomial
RSA scheme
–Key generation
•Choose primes p,q
•Compute n=pq
•Choose e, 1<e<φ(n) with gcd(φ(n),e)=1
•Compute d≡e-1 mod φ(n)
•Private key is {d,n}
•Public key is {e,n}
–Encryption
•C=Me mod n
–Decryption:
•Cd mod n = Mde mod n = M
http://users.abo.fi/ipetre/crypto/
January 31, 2012 26
Miller-Rabin primality test
 Faster methods of testing primality exist – they are all probabilistic
 Such an algorithm can give two answers to the question “Is n prime?”
1. No, it is not
2. n is probably prime
 The probability can be made arbitrarily large
 Other algorithms may give precise answer but with low probability they
may take a long time to finish
 Most popular primality test: Miller- Rabin, based on Fermat’s little
theorem
http://users.abo.fi/ipetre/crypto/
January 31, 2012 27
Miller-Rabin primality test
 Fermat’s little theorem: if p is prime and a is positive integer not divisible by p, then ap-1 ≡ 1 mod p
 Idea of the Miller-Rabin test:
 We need to test if the odd integer n is prime: test the equality in Fermat’s little theorem
for n and a random a
 A speedup may be done so that we do not have to compute all powers of a – details bellow
 n-1 is even, i.e., of the form n-1=2kq, with k>0, q odd: k and q easy to find
 Choose an integer a such that 1<a<n-1
 Compute modulo n the values a2jq, 0≤j≤q: aq, a2q,…, a2k-1q, a2kq
 By Fermat’s theorem, if n is prime, then the last value in the sequence is 1 – the
sequence may have some other 1s, consider the first 1 in the sequence
 Case 1: the first number in the sequence is 1 – then all other powers are also 1
 Case 2: some number a2jq in the sequence is 1 – in this case a2j-1q = n-1 mod n
 0 = (a2jq -1) mod n = (a2j-1q – 1) (a2j-1q + 1) mod n, i.e., n divides (a2j-1q – 1) or (a2j-1q + 1)
 Since we took the first 1 in the sequence, it follows that n divides (a2j-1q + 1): a2j-1q = n-1 mod n
 The test: if either the first element in the sequence is 1, or some other element is n-1,
then n could be prime. Otherwise n is certainly not prime
http://users.abo.fi/ipetre/crypto/
January 31, 2012 28
Miller-Rabin primality test
TEST(n)
1. n-1=2kq: compute k and q
2. Select a random integer a,
1<a<n-1
3. If aqmod n=1 then return
“probably prime”
4. For j=0 to k-1 do
5. If a2jq mod n = n-1, then return
“probably prime”
6. Return “not a prime”
•Question: for how many integers a does the test fail?
•Failure: n is not prime but the algorithm return
“probably prime”
•Answer: for at most (n-1)/4 integers a with 1≤a≤n-1
•Thus, the probability of failure is at most ¼
•Practical implementation:
•Repeatedly invoke TEST(n) using random
choices for a
•If TEST(n) return at least once “not a prime”,
then n is not a prime
•If t executions of TEST(n) return “probably
prime”, then the probability that n is indeed a
prime is larger than 1-4-t
•t=10 gives probability larger than 0.999999
http://users.abo.fi/ipetre/crypto/
January 31, 2012 29
Computational aspects – RSA implementation
Key generation
 To choose primes p,q we generate random
numbers p,q on the desired scale of magnitude
and test the primality with Miller-Rabin
 Question: How many trials should we expect to
do before we find a prime?
 Distribution of primes
 Prime number theorem: for any integer x, the
primes near x are spaced in average one every
log(x) integers
 On average we have to test log(x) integers before
we find a prime – reject immediately even integers
and integers ending in 5
 Correct rate: we need to test in average 0.4 log(x)
integers before we find a prime of the order of x
 Example: if we look for a prime on the order of
magnitude 2200 we need to do in average 55 trials,
order of magnitude 21024: in average 284 trials
RSA scheme
–Key generation
•Choose primes p,q
•Compute n=pq
•Choose e, 1<e<φ(n) with
gcd(φ(n),e)=1
•Compute d≡e-1 mod φ(n)
•Private key is {d,n}
•Public key is {e,n}
–Encryption
•C=Me mod n
–Decryption:
•Cd mod n = Mde mod n = M
http://users.abo.fi/ipetre/crypto/
January 31, 2012 30
Attacking RSA
 Brute force attacks: try all possible private keys
 As in the other cases defend using large keys:
nowadays integers between 1024 and 2048 bits
 Mathematical attacks
 Factor n into its two primes p,q: this is a hard problem
for large n
 Challenges by RSA Labs to factorize large integers
 Last solved challenge: 768 bits (2009)
 Determine φ(n) directly without first determining p,q:
this math problem is equivalent to factoring
 Determine d directly, without first determining φ(n): this
is believed to be at least as difficult as factoring
 Suggestions for design
 The larger the keys, the better but also the slower the
algorithm
 Choosing p,q badly may weaken the algorithm
 p,q should differ in length by only a few bits: for a 1024-bit
key, p,q should be on the order of magnitude 1075 to 10100
 p-1 and q-1 should both contain a large prime factor
 gcd(p-1,q-1) should be small
 d should be larger than n1/4
RSA scheme
–Key generation
•Choose primes p,q
•Compute n=pq
•Choose e with gcd(φ(n),e)=1
•Compute d≡e-1 mod φ(n)
•Private key is {d,n}
•Public key is {e,n}
–Encryption
•C=Me mod n
–Decryption:
•Cd mod n = Mde mod n = M
http://users.abo.fi/ipetre/crypto/
January 31, 2012 31
Attacks on RSA
 Timing attacks: determine a private key by keeping track
of how long a computer takes to decipher a message
(ciphertext-only attack) – this is essentially an attack on the
fast exponentiation algorithm but can be adapted for any
other algorithm
 Whenever a bit is 1 the algorithm has more computations to
do and takes more time
 Countermeasures:
 Ensure that all exponentiations take the same time before
returning a result: degrade performance of the algorithm
 Add some random delay: if there is not enough noise the
attack succeeds
 Blinding: multiply the ciphertext by a random number before
performing exponentiation – in this way the attacker does not
know the input to the exponentiation algorithm. (implemented
in the commercial products from RSA Data Security Inc.)
 Decryption M=Cd mod n is modified as follows:
 Generate a secret random number r between 0 and n-1
 Compute C’=C(re) mod n where e is the public exponent
 Compute M’=(C’d) mod n with the ordinary exponentiation
 Compute M=M’r-1 mod n
 Reported performance penalty: 2 to 10%
Square-and-multiply algorithm
– Input: n,x,b
(b is in base 2 (bk-1 ,…,b1,b0)
– Output: xb mod n
1. z=1
2. for i=k-1 downto 0
3. z=z2 mod n
4. if bi=1 then z=zx mod n
http://users.abo.fi/ipetre/crypto/
January 31, 2012 32
Pseudo-random number generators
 Essential in RSA (and elsewhere) to be able to generate pseudo-
random numbers
 A sequence of numbers is random if they have uniform distribution and
are independent (no value can be deduced from the others)
 We generally use algorithmic techniques to generate such numbers –
they will not be independent and thus not random
 The whole point is to make them “look” random, i.e., make them pass many
test of randomness
 Three tests to be used in evaluating a pseudo-random number
generator
 The function should be full-period generating function: generate all numbers
in its range before repeating
 The generated sequence should appear random: pass many statistical tests
 The function should implement efficiently with 32-bit arithmetic
http://users.abo.fi/ipetre/crypto/
January 31, 2012 33
Pseudo-random number generators
 The most widely used technique is the linear congruential method (Lehmer
1951)
Xn+1=(aXn+c) mod m
 One should be very careful in choosing constants a, c, m: a=c=1 is bad
choice!
 Value of m should be as large as possible: usually close to 231, very often
chosen to be the prime number 231-1; in this case one can take c=0
 There are very few good choices for a: for m= 231-1 only a handful of choices
are advisable – very often used is a=75=16807
Xn+1=16807 Xn mod (231-1)
 Using this in cryptography needs extra care:
 If the attacker finds one single value, then he will be able to compute all
subsequent values
 Idea: restart the sequence often, using the clock as seed (initial value)
http://users.abo.fi/ipetre/crypto/
January 31, 2012 34
Cryptographically generated pseudo-random numbers
 Idea: use cryptographic primitives to generate
pseudo-random numbers
 One possibility: Use a counter and encrypt each
value for the counter, e.g., with DES – the
cryptotext will be the key
 Stronger version: instead of a counter use a
PRNG (pseudo-random number generator)
 Technique can be made stronger using a more
sophisticated scheme and 3DES, see ANSI
X9.17 PRNG
http://users.abo.fi/ipetre/crypto/
January 31, 2012 35
Another speed-up in RSA implementation
 Operations modulo big integers become more time-consuming as
the integers grows bigger
 Efficient implementation: use Chinese Remainder Theorem (CRT)
 In its simplest formulation, CRT essentially says that if n=pq, then
instead of addition/difference/multiplication modulo n one can perform
the same modulo p and modulo q and then compute the result mod n
 Big advantage because the modules are much smaller
http://users.abo.fi/ipetre/crypto/

More Related Content

Similar to paper1.pdf

Security Issues related with cloud computing
Security Issues related with cloud computingSecurity Issues related with cloud computing
Security Issues related with cloud computingIJERA Editor
 
Dr Petar Radanliev, PhD Thesis Department of Computer Sciences, University of...
Dr Petar Radanliev, PhD Thesis Department of Computer Sciences, University of...Dr Petar Radanliev, PhD Thesis Department of Computer Sciences, University of...
Dr Petar Radanliev, PhD Thesis Department of Computer Sciences, University of...Petar Radanliev
 
Cryptography based chat system
Cryptography based chat systemCryptography based chat system
Cryptography based chat systemJagsir Singh
 
Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...
Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...
Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...IOSR Journals
 
Lightweight Cryptography for Distributed PKI Based MANETS
Lightweight Cryptography for Distributed PKI Based MANETSLightweight Cryptography for Distributed PKI Based MANETS
Lightweight Cryptography for Distributed PKI Based MANETSIJCNCJournal
 
DATA SECURITY ANALYSIS AND SECURITY EXTENSION FOR SMART CARDS USING JAVA CARD
DATA SECURITY ANALYSIS AND SECURITY EXTENSION FOR SMART CARDS USING JAVA CARDDATA SECURITY ANALYSIS AND SECURITY EXTENSION FOR SMART CARDS USING JAVA CARD
DATA SECURITY ANALYSIS AND SECURITY EXTENSION FOR SMART CARDS USING JAVA CARDijait
 
A Novel Key Distribution Scheme f or a Visual Crypto System
A Novel Key Distribution Scheme f or a Visual Crypto SystemA Novel Key Distribution Scheme f or a Visual Crypto System
A Novel Key Distribution Scheme f or a Visual Crypto SystemIRJET Journal
 
Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman | Turing10...
Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman | Turing10...Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman | Turing10...
Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman | Turing10...Persistent Systems Ltd.
 
Turing100@Persistent | Life and Work of Ronald L. Rivest, Adi Shamir & Leonar...
Turing100@Persistent | Life and Work of Ronald L. Rivest, Adi Shamir & Leonar...Turing100@Persistent | Life and Work of Ronald L. Rivest, Adi Shamir & Leonar...
Turing100@Persistent | Life and Work of Ronald L. Rivest, Adi Shamir & Leonar...Pratyush Rao
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONraf_slide
 

Similar to paper1.pdf (20)

Unit - 3.ppt
Unit - 3.pptUnit - 3.ppt
Unit - 3.ppt
 
Security Issues related with cloud computing
Security Issues related with cloud computingSecurity Issues related with cloud computing
Security Issues related with cloud computing
 
Module2.pptx
Module2.pptxModule2.pptx
Module2.pptx
 
Dr Petar Radanliev, PhD Thesis Department of Computer Sciences, University of...
Dr Petar Radanliev, PhD Thesis Department of Computer Sciences, University of...Dr Petar Radanliev, PhD Thesis Department of Computer Sciences, University of...
Dr Petar Radanliev, PhD Thesis Department of Computer Sciences, University of...
 
Cryptography based chat system
Cryptography based chat systemCryptography based chat system
Cryptography based chat system
 
KEY MGMT.ppt
KEY MGMT.pptKEY MGMT.ppt
KEY MGMT.ppt
 
Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...
Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...
Generate an Encryption Key by using Biometric Cryptosystems to secure transfe...
 
Lightweight Cryptography for Distributed PKI Based MANETS
Lightweight Cryptography for Distributed PKI Based MANETSLightweight Cryptography for Distributed PKI Based MANETS
Lightweight Cryptography for Distributed PKI Based MANETS
 
DATA SECURITY ANALYSIS AND SECURITY EXTENSION FOR SMART CARDS USING JAVA CARD
DATA SECURITY ANALYSIS AND SECURITY EXTENSION FOR SMART CARDS USING JAVA CARDDATA SECURITY ANALYSIS AND SECURITY EXTENSION FOR SMART CARDS USING JAVA CARD
DATA SECURITY ANALYSIS AND SECURITY EXTENSION FOR SMART CARDS USING JAVA CARD
 
A Novel Key Distribution Scheme f or a Visual Crypto System
A Novel Key Distribution Scheme f or a Visual Crypto SystemA Novel Key Distribution Scheme f or a Visual Crypto System
A Novel Key Distribution Scheme f or a Visual Crypto System
 
Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman | Turing10...
Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman | Turing10...Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman | Turing10...
Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman | Turing10...
 
Turing100@Persistent | Life and Work of Ronald L. Rivest, Adi Shamir & Leonar...
Turing100@Persistent | Life and Work of Ronald L. Rivest, Adi Shamir & Leonar...Turing100@Persistent | Life and Work of Ronald L. Rivest, Adi Shamir & Leonar...
Turing100@Persistent | Life and Work of Ronald L. Rivest, Adi Shamir & Leonar...
 
Network security
Network securityNetwork security
Network security
 
Nt1330 Unit 4 Dthm Paper
Nt1330 Unit 4 Dthm PaperNt1330 Unit 4 Dthm Paper
Nt1330 Unit 4 Dthm Paper
 
paper9.pdf
paper9.pdfpaper9.pdf
paper9.pdf
 
sheet2.pdf
sheet2.pdfsheet2.pdf
sheet2.pdf
 
doc2.pdf
doc2.pdfdoc2.pdf
doc2.pdf
 
paper2.pdf
paper2.pdfpaper2.pdf
paper2.pdf
 
lecture1.pdf
lecture1.pdflecture1.pdf
lecture1.pdf
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTION
 

More from aminasouyah (20)

paper10.pdf
paper10.pdfpaper10.pdf
paper10.pdf
 
paper8.pdf
paper8.pdfpaper8.pdf
paper8.pdf
 
paper7.pdf
paper7.pdfpaper7.pdf
paper7.pdf
 
paper6.pdf
paper6.pdfpaper6.pdf
paper6.pdf
 
paper5.pdf
paper5.pdfpaper5.pdf
paper5.pdf
 
paper4.pdf
paper4.pdfpaper4.pdf
paper4.pdf
 
paper3.pdf
paper3.pdfpaper3.pdf
paper3.pdf
 
sheet7.pdf
sheet7.pdfsheet7.pdf
sheet7.pdf
 
sheet6.pdf
sheet6.pdfsheet6.pdf
sheet6.pdf
 
sheet5.pdf
sheet5.pdfsheet5.pdf
sheet5.pdf
 
sheet4.pdf
sheet4.pdfsheet4.pdf
sheet4.pdf
 
sheet3.pdf
sheet3.pdfsheet3.pdf
sheet3.pdf
 
sheet1.pdf
sheet1.pdfsheet1.pdf
sheet1.pdf
 
doc4.pdf
doc4.pdfdoc4.pdf
doc4.pdf
 
doc7.pdf
doc7.pdfdoc7.pdf
doc7.pdf
 
doc6.pdf
doc6.pdfdoc6.pdf
doc6.pdf
 
doc5.pdf
doc5.pdfdoc5.pdf
doc5.pdf
 
doc5.pdf
doc5.pdfdoc5.pdf
doc5.pdf
 
doc4.pdf
doc4.pdfdoc4.pdf
doc4.pdf
 
doc3.pdf
doc3.pdfdoc3.pdf
doc3.pdf
 

Recently uploaded

VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLDeelipZope
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerAnamika Sarkar
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
Artificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxArtificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxbritheesh05
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionDr.Costas Sachpazis
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Introduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxIntroduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxvipinkmenon1
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxDeepakSakkari2
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx959SahilShah
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...srsj9000
 
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2RajaP95
 

Recently uploaded (20)

VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCL
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
Artificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxArtificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptx
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
Introduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxIntroduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptx
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptx
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
 
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
 

paper1.pdf

  • 1. January 31, 2012 1 Cryptography and Network Security Lecture 7: Public-key cryptography and RSA Ion Petre Department of IT, Åbo Akademi University Spring 2012 http://users.abo.fi/ipetre/crypto/ http://users.abo.fi/ipetre/crypto/
  • 2. January 31, 2012 2 Some unanswered questions on symmetric cryptosystems  Key management: changing the secret key or establishing one is nontrivial  Change the keys two users share (should be done reasonably often)  Establish a secret key with somebody you do not know and cannot meet in person: (e.g., visiting secure websites such as e-shops)  This could be done via a trusted Key Distribution Center (details in a future lecture)  Can (or should) we really trust the KDC?  “What good would it do after all to develop impenetrable cryptosystems, if their users were forced to share their keys with a KDC that could be compromised by either burglary or subpoena?” – Diffie, 1988  Digital signatures http://users.abo.fi/ipetre/crypto/
  • 3. January 31, 2012 3 A breakthrough idea  Rather than having a secret key that the two users must share, each users has two keys  One key is secret and he is the only one who knows it  The other key is public and anyone who wishes to send him a message uses that key to encrypt the message  Diffie and Hellman first (publicly) introduced the idea in 1976 – this was radically different than all previous efforts  NSA claims to have known it since mid-1960s!  Communications-Electronic Security Group (the British counterpart of NSA) documented the idea in a classified report in 1970 http://users.abo.fi/ipetre/crypto/
  • 4. January 31, 2012 4 A word of warning  Public-key cryptography complements rather than replaces symmetric cryptography  There is nothing in principle to make public-key crypto more secure than symmetric crypto  Public-key crypto does not make symmetric crypto obsolete: it has its advantages but also its (major) drawbacks such as speed  Due to its low speed, it is mostly confined to key management and digital signatures http://users.abo.fi/ipetre/crypto/
  • 5. January 31, 2012 5 The idea of public-key cryptography  The concept was proposed in 1976 by Diffie and Hellman although no practical way to design such a system was suggested  Each user has two keys: one encryption key that he makes public and one decryption key that he keeps secret  Clearly, it should be computationally infeasible to determine the decryption key given only the encryption key and the cryptographic algorithm  Some algorithms (such as RSA) satisfy also the following useful characteristic:  Either one of the two keys can be used for encryption – the other one should then be used to decrypt the message  First we will investigate the concept with no reference yet to practical design of a public-key system http://users.abo.fi/ipetre/crypto/
  • 6. January 31, 2012 6 Essential steps in public-key encryption  Each user generates a pair of keys to be used for encryption and decryption  Each user places one of the two keys in a public register and the other key is kept private  If B wants to send a confidential message to A, B encrypts the message using A’s public key  When A receives the message, she decrypts it using her private key  Nobody else can decrypt the message because that can only be done using A’s private key  Deducing a private key should be infeasible  If a user wishes to change his keys – generate another pair of keys and publish the public one: no interaction with other users is needed http://users.abo.fi/ipetre/crypto/
  • 7. January 31, 2012 7 Bob sends an encrypted message to Alice http://users.abo.fi/ipetre/crypto/
  • 8. January 31, 2012 8 Some notation  The public key of user A will be denoted KUA  The private key of user A will be denoted KRA  Encryption method will be a function E  Decryption method will be a function D  If B wishes to send a plain message X to A, then he sends the cryptotext Y=E(KUA,X)  The intended receiver A will decrypt the message: D(KRA,Y)=X http://users.abo.fi/ipetre/crypto/
  • 9. January 31, 2012 9 A first attack on the public-key scheme – authenticity  Immediate attack on this scheme:  An attacker may impersonate user B: he sends a message E(KUA,X) and claims in the message to be B – A has no guarantee this is so  This was guaranteed in classical cryptosystems simply through knowing the key (only A and B are supposed to know the symmetric key)  The authenticity of user B can be established as follows:  B will encrypt the message using his private key: Y=E(KRB,X)  This shows the authenticity of the sender because (supposedly) he is the only one who knows the private key  The entire encrypted message serves as a digital signature  Note: this may not be the best possible solution: ideally, digital signatures should be rather small so that one can preserve many of them over a long period of time  Better schemes will be presented a couple of lectures on http://users.abo.fi/ipetre/crypto/
  • 10. January 31, 2012 10 A scheme to authenticate the sender of the message http://users.abo.fi/ipetre/crypto/
  • 11. January 31, 2012 11 Encryption and authenticity  Still a drawback: the scheme on the previous slide authenticate but does not ensure security: anybody can decrypt the message using B’s public key  One can provide both authentication and confidentiality using the public-key scheme twice:  B encrypts X with his private key: Y=E(KRB,X)  B encrypts Y with A’s public key: Z=E(KUA,Y)  A will decrypt Z (and she is the only one capable of doing it): Y=D(KRA,Z)  A can now get the plaintext and ensure that it comes from B (he is the only one who knows his private key): decrypt Y using B’s public key: X=E(KUB,Y) http://users.abo.fi/ipetre/crypto/
  • 12. January 31, 2012 12 Secrecy and authentication using public-key schemes http://users.abo.fi/ipetre/crypto/
  • 13. January 31, 2012 13 Applications for public-key cryptosystems 1. Encryption/decryption: sender encrypts the message with the receiver’s public key 2. Digital signature: sender “signs” the message (or a representative part of the message) using his private key 3. Key exchange: two sides cooperate to exchange a secret key for later use in a secret-key cryptosystem http://users.abo.fi/ipetre/crypto/
  • 14. January 31, 2012 14 Requirements for public-key cryptosystems  Generating a key pair (public key, private key) is computationally easy  Encrypting a message using a known key (his own private or somebody else’s public) is computationally easy  Decrypting a message using a known key (his own private or somebody else’s public) is computationally easy  Knowing the public key, it is computationally infeasible for an opponent to deduce the private key  Knowing the public key and a ciphertext, it is computationally infeasible for an opponent to deduce the private key  Useful extra feature: encryption and decryption can be applied in any order: E( KUA, D(KRA,X) ) =D(KRA, E( KUA, X) ) http://users.abo.fi/ipetre/crypto/
  • 15. January 31, 2012 15 Designing a public-key cryptosystem  Computationally easy usually means polynomial-time algorithm  Computationally infeasible more difficult to define  Usually means super-polynomial-time algorithms, e.g., exponential-time algorithms  Classical complexity analysis (worst-case complexity or average-case complexity) are worthless in cryptography – one should make sure a problem is difficult for virtually all inputs and not just in the worse or in the average case  Public-key cryptosystems usually rely on difficult math functions rather than S-P networks as classical cryptosystems  One-way function: easy to calculate in one direction, infeasible to calculate in the other direction (i.e., the inverse is infeasible to compute)  Trap-door function: difficult function that becomes easy if some extra information is known  Aim: find a trap-door one-way function for encryption – decryption will be the inverse http://users.abo.fi/ipetre/crypto/
  • 16. January 31, 2012 16 RSA  One of the first proposals on implementing the concept of public-key cryptography was that of Rivest, Shamir, Adleman – 1977: RSA  The RSA scheme is a block cipher in which the plaintext and the ciphertext are integers between 0 and n-1 for some fixed n  Typical size for n is 1024 bits (or 309 decimal digits)  To be secure with today’s technology size should between 1024 and 2048 bits  Idea of RSA: it is a difficult math problem to factorize (large) integers  Choose p and q odd primes, n=pq  Choose integers d,e such that Med=M mod n, for all M<n  Plaintext: block of k bits, where 2k<n≤2k+1 – can be considered a number M with M<n  Encryption: C=Me mod n  Decryption: Cd mod n = Mde mod n = M  Public key: KU={e,n}  Private key: KR={d,n}  Questions: How do we find d,e? How do we find large primes?  Answer: Number Theory! http://users.abo.fi/ipetre/crypto/
  • 17. January 31, 2012 17 Motto for our introduction to Number Theory The Devil said to Daniel Webster: "Set me a task I can't carry out, and I'll give you anything in the world you ask for." Daniel Webster: "Fair enough. Prove that for n greater than 2, the equation an + bn = cn has no non-trivial solution in the integers." They agreed on a three-day period for the labour, and the Devil disappeared. At the end of three days, the Devil presented himself, haggard, jumpy, biting his lip. Daniel Webster said to him, "Well, how did you do at my task? Did you prove the theorem?' "Eh? No . . . no, I haven't proved it." "Then I can have whatever I ask for? Money? The Presidency?' "What? Oh, that—of course. But listen! If we could just prove the following two lemmas—" —The Mathematical Magpie, Clifton Fadiman http://users.abo.fi/ipetre/crypto/
  • 18. January 31, 2012 18 Notions of number theory  Fermat’s little theorem: if p is prime and a is positive integer not divisible by p, then ap-1 ≡ 1 mod p  Corollary: For any positive integer a and prime p, ap ≡ a mod p  Comments:  This is a first step in our quest to find Med=M mod n – not quite enough though  Fermat’s little theorem provides a necessary condition for an integer p to be prime – the condition is not sufficient  We will turn this theorem into a (probabilistic) test for primality  Example:  p=5, a=3, 35=243=3 mod 5  p=5, a=10, 105=100000=10 mod 5 = 0 mod 5  Fermat’s theorem, as useful as it will turn out to be, it does not provide us with integers d,e we are looking for – Euler’s theorem (a refinement of Fermat’s) does http://users.abo.fi/ipetre/crypto/
  • 19. January 31, 2012 19 Euler’s totient function  Euler’s function associates to any positive integer n a number φ(n): the number of positive integers smaller than n and relatively prime to n  Example:  φ(37)=36  φ(p)=p-1, for any prime p  φ(35)=24: {1,2,3,4,6,8,9,11,12,13,16,17,18,19,22,23,24,26,27,29,31,32,33,34}  Easy to see that for any two distinct primes p,q, φ(pq)=(p-1)(q-1)  All numbers smaller than pq are relatively primes with pq except for multiples of p (q-1 of them) and multiples of q (p-1 of them): pq-(q-1)-(p-1)=(p-1)(q-1)  Euler’s theorem: for any relatively prime integers a,n we have aφ(n)≡1 mod n  Corollary: For any integers a,n we have aφ(n)+1≡ a mod n  Corollary: Let p,q be two odd primes and n=pq. Then:  φ(n)=(p-1)(q-1)  For any integer m with 0<m<n, m(p-1)(q-1)+1≡m mod n  For any integers k,m with 0<m<n, mk(p-1)(q-1)+1≡m mod n http://users.abo.fi/ipetre/crypto/
  • 20. January 31, 2012 20 Back to RSA  Euler’s theorem provides us the numbers d,e such that Med=M mod n  We have to choose d,e such that ed=kφ(n)+1 for some k  Equivalently, d≡e-1 mod φ(n)  To calculate the modular inverse of an interger: the extended Euclid’s algorithm!  see Lecture 5  The RSA scheme  Key generation  Choose two odd primes p,q – keep private. Compute n=pq – make public  Choose e, 1<e<φ(n) with gcd(φ(n),e)=1 – make public  Compute d≡e-1 mod φ(n) – keep private  Private key is {d,n}  Public key is {e,n}  Encryption  Plaintext: block of k bits, where 2k<n≤2k+1 – can be considered a number M with M<n  Ciphertext: C=Me mod n  Decryption:  Ciphertext: C  Plaintext: Cd mod n = Mde mod n = M http://users.abo.fi/ipetre/crypto/
  • 21. January 31, 2012 21 Example  Key generation  Select primes p=17, q=11  Compute n=pq=187  Compute φ(n)=(p-1)(q-1)=160  Select e=7  Compute d: d=23 (use the extended Euclid’s algorithm)  KU={7,187}  KR={23,187}  Encrypt M=88: 887 mod 187  887 mod 187 = [ (884 mod 187)(882 mod 187) (88 mod 187) ] = 11  Decrypt C=11: 1123 mod 187  M=1123 mod 187= [ (1116 mod 187)(114 mod 187) (112 mod 187)(11 mod 187)]  112 mod 187 =121  114 mod 187= 1212 mod 187=55  118 mod 187=552 mod 187= 33  1116 mod 187=332 mod 187=154  M=154 x 55 x 121 x 11 mod 187 = 88 RSA scheme –Key generation •Choose primes p,q •Compute n=pq •Choose e, 1<e<φ(n) with gcd(φ(n),e)=1 •Compute d≡e-1 mod φ(n) •Private key is {d,n} •Public key is {e,n} –Encryption •C=Me mod n –Decryption: •Cd mod n = Mde mod n = M http://users.abo.fi/ipetre/crypto/
  • 22. January 31, 2012 22 Computational aspects – RSA implementation Fast modular exponentiation  Take each step in turn and discuss how can it be implemented efficiently  For encryption and decryption we must be able to do quick modular exponentiations – two ideas are useful:  (ab mod n) = [(a mod n)(b mod n)] (mod n)  To compute x16 mod n we do not have to do 15 multiplication but only 4: compute x2 mod n, x4 mod n, x8 mod n, x16 mod n  Apply this to compute quickly any exponent, not just powers of 2 RSA scheme –Key generation •Choose primes p,q •Compute n=pq •Choose e, 1<e<φ(n) with gcd(φ(n),e)=1 •Compute d≡e-1 mod φ(n) •Private key is {d,n} •Public key is {e,n} –Encryption •C=Me mod n –Decryption: •Cd mod n = Mde mod n = M http://users.abo.fi/ipetre/crypto/
  • 23. January 31, 2012 23 Fast modular exponentiation  Square-and-multiply algorithm  Input: n,x,b (b is in base 2 (bk-1,…,b1,b0), b≠0  Output: xb mod n 1. z=1 2. for i=k-1 downto 0 3. z=z2 mod n 4. if bi=1 then z=zx mod n  Complexity O(r3), where r=[log2n]  Example: encrypt 9726 with KU={3533,11413}: 97263533mod 11413  3533=(1,1,0,1,1,1,0,0,1,1,0,1)  Ciphertext: 5761 RSA scheme –Key generation •Choose primes p,q •Compute n=pq •Choose e, 1<e<φ(n) with gcd(φ(n),e)=1 •Compute d≡e-1 mod φ(n) •Private key is {d,n} •Public key is {e,n} –Encryption •C=Me mod n –Decryption: •Cd mod n = Mde mod n = M i bi z 11 1 9726 10 1 97262x9726=2659 9 0 26592=5634 8 1 56342x9726=9167 7 1 91672x9726=4958 6 1 49582x9726=7783 i bi z 5 0 77832=6298 4 0 62982=4629 3 1 46292x9726=10185 2 1 101852x9726=105 1 0 1052=11025 0 1 110252x9726=5761 http://users.abo.fi/ipetre/crypto/
  • 24. January 31, 2012 24 Computational aspects – RSA implementation Key generation  The highlighted part in the algorithm is easy to implement  Generate a series of random numbers and test each against φ(n) for relative primality  Testing whether or not two integers are relatively prime and finding a modular inverse can be done with the extended Euclid’s algorithm  Very few tests are needed before a usable e is found: the probability that two random numbers are relatively prime is 0.6 RSA scheme –Key generation •Choose primes p,q •Compute n=pq •Choose e, 1<e<φ(n) with gcd(φ(n),e)=1 •Compute d≡e-1 mod φ(n) •Private key is {d,n} •Public key is {e,n} –Encryption •C=Me mod n –Decryption: •Cd mod n = Mde mod n = M http://users.abo.fi/ipetre/crypto/
  • 25. January 31, 2012 25 Computational aspects – RSA implementation Key generation  No practical techniques to yield large prime numbers  Procedure: generate random odd numbers and test whether that integer is prime  Testing whether or not an integer n is a prime is a difficult problem (“primality is difficult”)  There has been a long standing question in math whether or not primality can be tested in polynomial deterministic time  Answer (2002): YES!  Manindra Agrawal, Neeraj Kayal and Nitin Saxena, “PRIMES is in P”, Ann. of Math. (2), 160:2 (2004) 781--793.  Drawback: high complexity – O(log12n f(log log n)), where f is a polynomial RSA scheme –Key generation •Choose primes p,q •Compute n=pq •Choose e, 1<e<φ(n) with gcd(φ(n),e)=1 •Compute d≡e-1 mod φ(n) •Private key is {d,n} •Public key is {e,n} –Encryption •C=Me mod n –Decryption: •Cd mod n = Mde mod n = M http://users.abo.fi/ipetre/crypto/
  • 26. January 31, 2012 26 Miller-Rabin primality test  Faster methods of testing primality exist – they are all probabilistic  Such an algorithm can give two answers to the question “Is n prime?” 1. No, it is not 2. n is probably prime  The probability can be made arbitrarily large  Other algorithms may give precise answer but with low probability they may take a long time to finish  Most popular primality test: Miller- Rabin, based on Fermat’s little theorem http://users.abo.fi/ipetre/crypto/
  • 27. January 31, 2012 27 Miller-Rabin primality test  Fermat’s little theorem: if p is prime and a is positive integer not divisible by p, then ap-1 ≡ 1 mod p  Idea of the Miller-Rabin test:  We need to test if the odd integer n is prime: test the equality in Fermat’s little theorem for n and a random a  A speedup may be done so that we do not have to compute all powers of a – details bellow  n-1 is even, i.e., of the form n-1=2kq, with k>0, q odd: k and q easy to find  Choose an integer a such that 1<a<n-1  Compute modulo n the values a2jq, 0≤j≤q: aq, a2q,…, a2k-1q, a2kq  By Fermat’s theorem, if n is prime, then the last value in the sequence is 1 – the sequence may have some other 1s, consider the first 1 in the sequence  Case 1: the first number in the sequence is 1 – then all other powers are also 1  Case 2: some number a2jq in the sequence is 1 – in this case a2j-1q = n-1 mod n  0 = (a2jq -1) mod n = (a2j-1q – 1) (a2j-1q + 1) mod n, i.e., n divides (a2j-1q – 1) or (a2j-1q + 1)  Since we took the first 1 in the sequence, it follows that n divides (a2j-1q + 1): a2j-1q = n-1 mod n  The test: if either the first element in the sequence is 1, or some other element is n-1, then n could be prime. Otherwise n is certainly not prime http://users.abo.fi/ipetre/crypto/
  • 28. January 31, 2012 28 Miller-Rabin primality test TEST(n) 1. n-1=2kq: compute k and q 2. Select a random integer a, 1<a<n-1 3. If aqmod n=1 then return “probably prime” 4. For j=0 to k-1 do 5. If a2jq mod n = n-1, then return “probably prime” 6. Return “not a prime” •Question: for how many integers a does the test fail? •Failure: n is not prime but the algorithm return “probably prime” •Answer: for at most (n-1)/4 integers a with 1≤a≤n-1 •Thus, the probability of failure is at most ¼ •Practical implementation: •Repeatedly invoke TEST(n) using random choices for a •If TEST(n) return at least once “not a prime”, then n is not a prime •If t executions of TEST(n) return “probably prime”, then the probability that n is indeed a prime is larger than 1-4-t •t=10 gives probability larger than 0.999999 http://users.abo.fi/ipetre/crypto/
  • 29. January 31, 2012 29 Computational aspects – RSA implementation Key generation  To choose primes p,q we generate random numbers p,q on the desired scale of magnitude and test the primality with Miller-Rabin  Question: How many trials should we expect to do before we find a prime?  Distribution of primes  Prime number theorem: for any integer x, the primes near x are spaced in average one every log(x) integers  On average we have to test log(x) integers before we find a prime – reject immediately even integers and integers ending in 5  Correct rate: we need to test in average 0.4 log(x) integers before we find a prime of the order of x  Example: if we look for a prime on the order of magnitude 2200 we need to do in average 55 trials, order of magnitude 21024: in average 284 trials RSA scheme –Key generation •Choose primes p,q •Compute n=pq •Choose e, 1<e<φ(n) with gcd(φ(n),e)=1 •Compute d≡e-1 mod φ(n) •Private key is {d,n} •Public key is {e,n} –Encryption •C=Me mod n –Decryption: •Cd mod n = Mde mod n = M http://users.abo.fi/ipetre/crypto/
  • 30. January 31, 2012 30 Attacking RSA  Brute force attacks: try all possible private keys  As in the other cases defend using large keys: nowadays integers between 1024 and 2048 bits  Mathematical attacks  Factor n into its two primes p,q: this is a hard problem for large n  Challenges by RSA Labs to factorize large integers  Last solved challenge: 768 bits (2009)  Determine φ(n) directly without first determining p,q: this math problem is equivalent to factoring  Determine d directly, without first determining φ(n): this is believed to be at least as difficult as factoring  Suggestions for design  The larger the keys, the better but also the slower the algorithm  Choosing p,q badly may weaken the algorithm  p,q should differ in length by only a few bits: for a 1024-bit key, p,q should be on the order of magnitude 1075 to 10100  p-1 and q-1 should both contain a large prime factor  gcd(p-1,q-1) should be small  d should be larger than n1/4 RSA scheme –Key generation •Choose primes p,q •Compute n=pq •Choose e with gcd(φ(n),e)=1 •Compute d≡e-1 mod φ(n) •Private key is {d,n} •Public key is {e,n} –Encryption •C=Me mod n –Decryption: •Cd mod n = Mde mod n = M http://users.abo.fi/ipetre/crypto/
  • 31. January 31, 2012 31 Attacks on RSA  Timing attacks: determine a private key by keeping track of how long a computer takes to decipher a message (ciphertext-only attack) – this is essentially an attack on the fast exponentiation algorithm but can be adapted for any other algorithm  Whenever a bit is 1 the algorithm has more computations to do and takes more time  Countermeasures:  Ensure that all exponentiations take the same time before returning a result: degrade performance of the algorithm  Add some random delay: if there is not enough noise the attack succeeds  Blinding: multiply the ciphertext by a random number before performing exponentiation – in this way the attacker does not know the input to the exponentiation algorithm. (implemented in the commercial products from RSA Data Security Inc.)  Decryption M=Cd mod n is modified as follows:  Generate a secret random number r between 0 and n-1  Compute C’=C(re) mod n where e is the public exponent  Compute M’=(C’d) mod n with the ordinary exponentiation  Compute M=M’r-1 mod n  Reported performance penalty: 2 to 10% Square-and-multiply algorithm – Input: n,x,b (b is in base 2 (bk-1 ,…,b1,b0) – Output: xb mod n 1. z=1 2. for i=k-1 downto 0 3. z=z2 mod n 4. if bi=1 then z=zx mod n http://users.abo.fi/ipetre/crypto/
  • 32. January 31, 2012 32 Pseudo-random number generators  Essential in RSA (and elsewhere) to be able to generate pseudo- random numbers  A sequence of numbers is random if they have uniform distribution and are independent (no value can be deduced from the others)  We generally use algorithmic techniques to generate such numbers – they will not be independent and thus not random  The whole point is to make them “look” random, i.e., make them pass many test of randomness  Three tests to be used in evaluating a pseudo-random number generator  The function should be full-period generating function: generate all numbers in its range before repeating  The generated sequence should appear random: pass many statistical tests  The function should implement efficiently with 32-bit arithmetic http://users.abo.fi/ipetre/crypto/
  • 33. January 31, 2012 33 Pseudo-random number generators  The most widely used technique is the linear congruential method (Lehmer 1951) Xn+1=(aXn+c) mod m  One should be very careful in choosing constants a, c, m: a=c=1 is bad choice!  Value of m should be as large as possible: usually close to 231, very often chosen to be the prime number 231-1; in this case one can take c=0  There are very few good choices for a: for m= 231-1 only a handful of choices are advisable – very often used is a=75=16807 Xn+1=16807 Xn mod (231-1)  Using this in cryptography needs extra care:  If the attacker finds one single value, then he will be able to compute all subsequent values  Idea: restart the sequence often, using the clock as seed (initial value) http://users.abo.fi/ipetre/crypto/
  • 34. January 31, 2012 34 Cryptographically generated pseudo-random numbers  Idea: use cryptographic primitives to generate pseudo-random numbers  One possibility: Use a counter and encrypt each value for the counter, e.g., with DES – the cryptotext will be the key  Stronger version: instead of a counter use a PRNG (pseudo-random number generator)  Technique can be made stronger using a more sophisticated scheme and 3DES, see ANSI X9.17 PRNG http://users.abo.fi/ipetre/crypto/
  • 35. January 31, 2012 35 Another speed-up in RSA implementation  Operations modulo big integers become more time-consuming as the integers grows bigger  Efficient implementation: use Chinese Remainder Theorem (CRT)  In its simplest formulation, CRT essentially says that if n=pq, then instead of addition/difference/multiplication modulo n one can perform the same modulo p and modulo q and then compute the result mod n  Big advantage because the modules are much smaller http://users.abo.fi/ipetre/crypto/