Information System Information System SecuritySecurity

Lecture 3Lecture 3

Asymmetric cryptographyAsymmetric cryptography

22

referencesreferences

[1] K. Martin’s Lecture (www.rhul.ac.uk).

[2] Cryptography and Network Security, By W. Stallings. Prentice Hall, 2003.

[3] Handbook of applied Cryptography by A. Menezes, P. Van Oorschot and S. Vanstone. 5th printing, 2001http://www.cacr.math.uwaterloo.ca/hac

[4] Cryptography: A Very Short Introduction (Very Short Introduction S.), by Fred Piper and Sean Murphy, Oxford University Press, 2002.

33

OutlineOutline

Basic mathematical conceptsBasic mathematical concepts

Public key cryptographyPublic key cryptography

OWFOWF

RSARSA

ElGamalElGamal

44

1. The modulo operation1. The modulo operation

DefinitionDefinition– Let Let aa, , rr, , nn be integers and let be integers and let mm > 0 > 0

– We write We write aa rr mod mod nn if if nn divides divides aa – – r r (or (or rr – – aa) and 0 ) and 0 rr < < nn

– nn is called the is called the modulusmodulus

– r r is called the is called the remainderremainder Note that Note that rr is positive or zero is positive or zero

– Note that Note that aa = = nn..qq + + r r where where qq is another integer ( is another integer (quotientquotient))

Example: 42 Example: 42 6 mod 9 6 mod 9– 9 divides 42 - 6 = 369 divides 42 - 6 = 36

– 9 also divides 6 - 42 = -369 also divides 6 - 42 = -36

– Note that 42= 9x4 + 6 Note that 42= 9x4 + 6 ((qq = 4) = 4)

55

Number TheoryNumber Theory

Natural numbers Natural numbers N = {1,2,3,…}N = {1,2,3,…} Whole numbers Whole numbers W = {0,1,2,3, …}W = {0,1,2,3, …} Integers Integers Z = {…,-2,-1,0,1,2,3, …}Z = {…,-2,-1,0,1,2,3, …}

DivisorsDivisors– A number A number bb is said to divide is said to divide aa if if aa = = mbmb for some for some m m where where aa,,bb,,mm Z Z

– We write this as We write this as bb||aa Read as “Read as “bb divides divides a”a”

66

DivisorsDivisors

Some common propertiesSome common properties– If If aa|1|1, , aa = +1 or –1 = +1 or –1

– If If aa||bb and and bb||aa then then aa = + = +b b or –or –bb

– Any Any bb Z Z divides 0 if divides 0 if b b 0 0

– If If bb||gg and and bb||hh then then bb|(|(mg + nhmg + nh) where ) where bb,,m,n,g,hm,n,g,h Z Z

Examples:Examples: – The positive divisors of 42 are 1,2,3,6,7,14,21,42The positive divisors of 42 are 1,2,3,6,7,14,21,42

– 3|6 and 3|21 => 3|213|6 and 3|21 => 3|21mm+6+6nn for for m,n m,n ZZ

77

Prime NumbersPrime Numbers

An integer An integer pp is said to be a prime number if its only positive is said to be a prime number if its only positive divisors are 1 and itselfdivisors are 1 and itself

– Examples 1, 3, 7, 11, ..Examples 1, 3, 7, 11, .. Any integer can be expressed as a Any integer can be expressed as a uniqueunique product of prime product of prime

numbers raised to positive integral powersnumbers raised to positive integral powers– n=pn=p11

ee1 1 pp22

ee2 …2 …ppkk

eekk // // n: ingterger, p n: ingterger, pii:prime, e:prime, e,,: positive integer: positive integer

ExamplesExamples– 7569 = 3 x 3 x 29 x 29 = 37569 = 3 x 3 x 29 x 29 = 322 x 29 x 2922

– 5886 = 2 x 27 x 109 = 2 x 35886 = 2 x 27 x 109 = 2 x 333 x 109 x 109

This process is called This process is called Prime FactorizationPrime Factorization

88

Greatest common divisor Greatest common divisor (GCD)(GCD)

Definition: Greatest Common DivisorDefinition: Greatest Common Divisor– This is the largest divisor of This is the largest divisor of bothboth aa and and bb

Given two integers Given two integers aa and and bb, the positive integer , the positive integer cc is called their is called their GCD or greatest common divisor if and only ifGCD or greatest common divisor if and only if– cc | | aa and and cc | | bb

– Any divisor of both Any divisor of both aa and and bb also divides also divides cc

Notation: Notation: gcd(a, b) = cgcd(a, b) = c Example: Example: gcd(49,63)gcd(49,63) = ? = ?

gcd(a,b)=gcd(b, a mod b)gcd(a,b)=gcd(b, a mod b) Exception:Exception: gcd(0,0)=0 gcd(0,0)=0

99

Relatively Prime NumbersRelatively Prime Numbers

Two numbers are said to be relatively prime if their Two numbers are said to be relatively prime if their gcdgcd is 1 is 1– Example: 63 and 22 are relatively primeExample: 63 and 22 are relatively prime

How do you determine if two numbers are relatively prime?How do you determine if two numbers are relatively prime?– Find their Find their gcdgcd or or

– Find their prime factorsFind their prime factors If they do not have a common prime factor other than 1, they are relatively primeIf they do not have a common prime factor other than 1, they are relatively prime

– Example: 63 = 9 x 7 = 3Example: 63 = 9 x 7 = 322 x 7 and 22 = 11 x 2 x 7 and 22 = 11 x 2

1010

Modular Arithmetic AgainModular Arithmetic Again

We say that We say that a a bb mod mod mm if if mm | | aa – – bb– Read as: Read as: aa is is congruentcongruent to to bb modulo modulo mm

– m m is called the is called the modulusmodulus

– Example: 27 Example: 27 2 mod 5 2 mod 5

Note that Note that bb is the is the remainderremainder after dividing after dividing aa by by mm– Example: 27 Example: 27 7 mod 5 and 7 7 mod 5 and 7 2 mod 5 2 mod 5

a a bb mod mod m => b m => b aa mod mod mm – Example: 2 Example: 2 27 mod 5 27 mod 5

We usually consider the We usually consider the smallest positive remainder smallest positive remainder which is which is sometimes called the sometimes called the residueresidue

1111

Modulo OperationModulo Operation

The modulo operation “reduces” the infinite set of integers to a The modulo operation “reduces” the infinite set of integers to a finite setfinite set

Example: modulo 5 operationExample: modulo 5 operation– We have five sets We have five sets

{…,-10, -5, 0, 5, 10, …} => {…,-10, -5, 0, 5, 10, …} => aa 0 mod 5 0 mod 5 {…,-9, -4, 1, 6, 11,…} => {…,-9, -4, 1, 6, 11,…} => aa 1 mod 5 1 mod 5 {…,-8, -3, 2, 7, 12,…} => {…,-8, -3, 2, 7, 12,…} => aa 2 mod 5 2 mod 5 {…,-7, -2, 3, 8, 13,…} => {…,-7, -2, 3, 8, 13,…} => aa 3 mod 5 3 mod 5 {…,-6, -1, 4, 9, 14…} => {…,-6, -1, 4, 9, 14…} => aa 4 mod 5 4 mod 5

– The set of residues of integers modulo 5 has five elements {0,1,2,3,4} and The set of residues of integers modulo 5 has five elements {0,1,2,3,4} and is denoted Zis denoted Z55..

1212

Euler phi (or totient) Euler phi (or totient) function function

For For n n ≥≥ 1, 1, (n)(n) : is the number of integers in [ : is the number of integers in [1,n1,n] which are ] which are relatively prime to relatively prime to n // n // (n)(n) is the is the Euler phiEuler phi or or totient functiontotient function

If If pp is prime, then is prime, then (p)=p-1(p)=p-1

If If gcd(m,n)=1gcd(m,n)=1, then , then (mn)= (mn)= (m).(m).(n)(n)

Examples: Examples: (21)= (21)= (3).(3).(7) = (3-1) * (7-1) =12(7) = (3-1) * (7-1) =12

1313

multiplicative group multiplicative group ZZnn**

Definition: the Definition: the multiplicative group multiplicative group ZZnn* * of Zof Znn

– ZZnn**={a={aZZnn || gcd(a,n)=1} gcd(a,n)=1}

– If If nn is prime then is prime then ZZnn**={a={aZZnn || 1 1 ≤≤ a a ≤≤ n-1} n-1}

(n)=(n)= ||ZZnn**||

Let Let n n ≥≥ 2 be an integer 2 be an integer– Euler’s theoremEuler’s theorem: : If If g g Z Znn

* * then then gg(n) (n) 1 (mod n) 1 (mod n)

– If If nn is a product of distinct primes, and if is a product of distinct primes, and if r r s mod ( s mod ((n))(n)), , then then ggrr g gss (mod n) (mod n) for all integers for all integers gg

– i.e.,i.e., when working modulo an when working modulo an n,n, exponents can be reduced modulo exponents can be reduced modulo (n)(n)

Let Let pp be a prime nubmer be a prime nubmer – Fermat’s theoremFermat’s theorem: : If If gcd(a,p)=1gcd(a,p)=1, then , then ggp-1p-1 1 (mod p) 1 (mod p)

– IfIf r r s mod (p-1) s mod (p-1) , then , then ggrr g gss (mod p) (mod p) for all integers for all integers gg i.e., i.e., when working modulo a prime when working modulo a prime pp, exponents can be reduced modulo , exponents can be reduced modulo p-1p-1

– Particular case: Particular case: ggpp g (mod p) g (mod p) for all integers for all integers gg

1414

Generator ofGenerator of ZZnn**

Let Let g g Z Znn**, the , the orderorder of of gg is the least positive integer is the least positive integer tt such that such that

ggtt1 mod n1 mod n

If the order of If the order of g g Z Znn** is is t, t, and and ggss1 (mod n), 1 (mod n), thenthen t t dividesdivides s s

– A particular case: A particular case: tt||(n)(n)

Let Let g g Z Znn**, if the order of , if the order of gg is is (n), (n), thenthen g g is said to be a is said to be a

generatorgenerator or aor a primitive elementprimitive element of of ZZnn**..

– IfIf g g is a generator ofis a generator of ZZnn**, then , then ZZnn

**={={ggii mod n mod n || 0 0 ≤≤ i i ≤≤ (n) -1} (n) -1}

1515

2. Public-key cryptography2. Public-key cryptography

Called also Called also asymmetric cryptographyasymmetric cryptography

The keys used to encrypt and decrypt are different.The keys used to encrypt and decrypt are different.

Anyone who wants to be a receiver needs to “publish” an Anyone who wants to be a receiver needs to “publish” an encryption key, which is known as the encryption key, which is known as the public key, public key, KUKU. .

Anyone who wants to be a receiver needs a unique decryption Anyone who wants to be a receiver needs a unique decryption key, which is known as thekey, which is known as the private key, private key, KRKR..

If B wants to send an enciphered text to A, B should knows If B wants to send an enciphered text to A, B should knows the the encryption algorithmencryption algorithm and A’s public key. and A’s public key.

1616

Confidentiality via Public Confidentiality via Public key cryptographykey cryptography

Alice wants to send a secret message Alice wants to send a secret message mm to Bob to Bob Bob should have 2 keys: publicBob should have 2 keys: public KUKUbb and privateand private KRKRbb

Prior to message encryption, Alice gets by some means an Prior to message encryption, Alice gets by some means an authentic copy of Bob’s public key (authentic copy of Bob’s public key (i.e.,i.e., the encryption key) the encryption key)

MessageSource

Encryption MessageSource

Decryptionm Ciphertext m

Alice

Key SourceKUKUbb

KRKRbb

Bob

1717

Public-key cryptographyPublic-key cryptography

It should not be possible to deduce the plaintext from knowledge It should not be possible to deduce the plaintext from knowledge of the ciphertext and the public key.of the ciphertext and the public key.

It should not be possible to deduce the private key from It should not be possible to deduce the private key from knowledge of the public key.knowledge of the public key.

Public-key cryptography is based onPublic-key cryptography is based on One-Way Functions One-Way Functions

1818

3. One-Way Functions 3. One-Way Functions (OWF)(OWF)

A one-way function is a function that is “easy” to compute and “difficult” to reverse

Examples of OWF that we’ll use in this lecture to explain public-key systems:– Multiplication of two primes

– Modular exponentiation

1919

OWF: Multiplying two OWF: Multiplying two primesprimes

Multiplication of two prime numbers is believed to be a one-way function.

Given two prime numbers p and q– It’s easy to find n=p.q

– However, starting from n, it’s difficult to find p and q

Is it prime factorization?

2020

OWF: Modular OWF: Modular exponentaitionexponentaition

The process of exponentiation just means raising numbers to a power.

Raising a to the power b, normally denoted ab just means multiplying a by itself b times. In other words: ab = a x a x a x … x a  

Modular exponentiation means computing ab modulo some other number n. We tend to write this as

ab mod n.

Modular exponentiation is “easy”.

2121

OWF: Modular OWF: Modular exponentaitionexponentaition

However, given a, and ab mod n (when n is prime), calculating b is regarded by mathematicians as a hard problem.

This difficult problem is often referred to as the discrete logarithm problem.

In other words, given a number a and a prime number n, the function

f(b) = ab mod n

  is believed to be a one-way function.

2222

4. RSA4. RSA

It is named after it inventors Ron Rivest, Adi Shamir and Len Adleman.

Published in 1978

It is the most widely used public-key encryption algorithm today.

It provides confidentiality and digital signatures.

Its security is based on the difficulty of integer factorization

2323

RSA algorithm RSA algorithm (key generation (key generation for RSA public-key encryption)for RSA public-key encryption)

Each entity A creates a public key and a corresponding private Each entity A creates a public key and a corresponding private key by doing the followingkey by doing the following

– Generate two large (at least 512 bits) primes Generate two large (at least 512 bits) primes pp and and qq– Compute Compute n=pqn=pq and and (n)=(p-1)(q-1)(n)=(p-1)(q-1) . .– Choose Choose ee < < relatively prime to relatively prime to (i.e., gcd (e, (i.e., gcd (e, )=1))=1)– Compute Compute dd such that such that ed mod ed mod (n) (n) 1 1

A’s Public key: (A’s Public key: (ee, , nn) // to be published.) // to be published.

A’s private key: A’s private key: d d ((or or ((dd, , nn)) // to be kept secretly by A)) // to be kept secretly by A

Who is capable of computing Who is capable of computing dd??

2424

RSA Encryption/decryptionRSA Encryption/decryption

Summary: B encrypts a message Summary: B encrypts a message mm for A. Upon reception, A for A. Upon reception, A decrypts it using its private key.decrypts it using its private key.

Encryption: B should do the followingEncryption: B should do the following– Obtain A’s authentic public key Obtain A’s authentic public key (n,e).(n,e).

– Represent the message as an integer in the interval [Represent the message as an integer in the interval [0,n-10,n-1]]

– Compute Compute cc = = mmee mod mod n n // // EncryptionEncryption

– Send the ciphertext c to ASend the ciphertext c to A

Decryption: Decryption: to recover plaintext to recover plaintext mm from from cc, A does the following, A does the following– Use the private key Use the private key dd to recover to recover mm = = ccdd mod mod n n // // DecryptionDecryption

How does B obtain A’s authentic key? How does B obtain A’s authentic key?

2525

Example: confidentialityExample: confidentiality

Take Take pp = 7, = 7, qq = 11, so = 11, so nn = 77 and = 77 and (n)(n) = 60 = 60 Say Bob chooses (Say Bob chooses (KUKUbb) ) ee = 17 = 17, making (, making (KRKRbb) ) dd = 53 = 53

– 17 x 53 mod 60 = ? 17 x 53 mod 60 = ?

Alice wants to secretly send Bob the message HELLO [07 04 11 Alice wants to secretly send Bob the message HELLO [07 04 11 11 14]11 14]– 07071717 mod 77 = 28 mod 77 = 28

– 04041717 mod 77 = 16 mod 77 = 16

– 11111717 mod 77 = 44 mod 77 = 44

– 11111717 mod 77 = 44 mod 77 = 44

– 14141717 mod 77 = 42 mod 77 = 42

Alice sends ciphertext [28 16 44 44 42]Alice sends ciphertext [28 16 44 44 42]

2626

Example: confidentialityExample: confidentiality

Bob receives [28 16 44 44 42]Bob receives [28 16 44 44 42]

Bob uses private key (Bob uses private key (KRKRbb), ), dd = 53 = 53, to decrypt the message:, to decrypt the message:– 28285353 mod 77 = 07 mod 77 = 07 HH

– 16165353 mod 77 = 04 mod 77 = 04 EE

– 44445353 mod 77 = 11 mod 77 = 11 LL

– 44445353 mod 77 = 11 mod 77 = 11 LL

– 42425353 mod 77 = 14 mod 77 = 14 OO

No one else could read it, as only Bob knows his private key and No one else could read it, as only Bob knows his private key and that is needed for decryptionthat is needed for decryption

2727

Attacking RSAAttacking RSA

1.1. Trying to decrypt a ciphertext without knowledge of the private Trying to decrypt a ciphertext without knowledge of the private keykey– The encryption process in RSA involves computing the function c =

me mod n, which is regarded as being easy

– An attacker who observes this ciphertext c, and has knowledge of e and n, needs to try to work out what m is.

– i.e., find m such that mmee = c mod n

– In other words, find the eth root of c mod n

Computing m from c, e and n is regarded as a hard problem and known as RSA problem.

2828

Attacking RSAAttacking RSA

2. If the attacker knows the public key of a user (e,n), what would she/he need to do in order to obtain the corresponding private key? He/she needs to find d such that ed mod ed mod (n) = 1(n) = 1 i.e., needs to know p and q In other words, he/she must factor n (problem of prime factorization)

Recommended size of n:– 768-bit is recommended

– 1024-bit or larger is required for long term security

– it is believed that factoring a 512 bit number is about as hard as searching for a 56 bit symmetric key.

2929

5. El Gamal5. El Gamal

ElGamal is another public-key encryption

We will also take a look at the ElGamal public key cipher system for a number of reasons:– To show that RSA is not the only public key systemTo show that RSA is not the only public key system

– To exhibit a public key system based on a different one way functionTo exhibit a public key system based on a different one way function

– ElGamal is the basis for several well-known cryptosystemsElGamal is the basis for several well-known cryptosystems

3030

ElGamal algorithm ElGamal algorithm (key generation)(key generation)

Key generation for ElGamal public-key encryptionKey generation for ElGamal public-key encryption Each entityEach entity A A creates a public key and a corresponding private creates a public key and a corresponding private

key.key.– Generate a large prime number Generate a large prime number pp (1024 bits) (1024 bits)

– Generate a generator Generate a generator gg of the multiplicative group of the multiplicative group ZZpp** of the integers of the integers

modulo modulo pp

– Select a random integer Select a random integer x, 1 x, 1 ≤≤ x x ≤≤ p-2 p-2

– Compute Compute y = gy = gxx mod p mod p

– A’s public key is A’s public key is (p, g, y)(p, g, y) To be published To be published

– A’s private key is A’s private key is xx To be kept secret by ATo be kept secret by A

3131

ElGamal algorithm ElGamal algorithm (key generation)(key generation)

ExampleExample Step 1: Let p = 2357

Step 2: Select a generator g = 2 of Z2357*

Step 3: Choose a private key x = 1751

Step 4: Compute y = 21751 (mod 2357) = 1185

Public key is (2357,2,1185) Private key is 1751

3232

ElGamal algorithm ElGamal algorithm (Encryption/decryption)(Encryption/decryption)

Summary: B encrypts a message Summary: B encrypts a message mm for A, which A decrypts for A, which A decrypts Encryption: B should de the followingEncryption: B should de the following

– Obtain A’s authentic public key Obtain A’s authentic public key (p, g, y).(p, g, y).

– Represent the message as an integer in the interval [Represent the message as an integer in the interval [0,p-10,p-1]]

– Select an integer Select an integer k, 1 k, 1 ≤≤ k k ≤≤ p-2 p-2

– Compute Compute =g=gk k mod pmod p and and =m.(y)=m.(y)kk mod p mod p

– Send the ciphertext c = (Send the ciphertext c = (, , ) to ) to AA

DecryptionDecryption– A uses the private key A uses the private key xx to compute to compute z= z= p-1-xp-1-x mod pmod p

– A computes A computes z.z. mod mod p (=m)p (=m)

3333

ElGamal algorithm ElGamal algorithm (Encryption/decryption)(Encryption/decryption)

Encryption– To encrypt m = 2035 using Public key (2357,2,1185)

– Generate a random number k = 1520

– Compute = 21520 mod 2357 = 1430

= 2035 x 11851520 mod 2357 =697

– Ciphertext c = (1430 , 697)

DecryptionDecryption– zz= = p-1-xp-1-x mod mod pp = 1430 = 1430605605 mod 2357 =872 mod 2357 =872

– 872x697 mod 2357 = 2035872x697 mod 2357 = 2035

3434

ElGamal PropertiesElGamal Properties

There is a There is a message expansionmessage expansion by a factor of 2 by a factor of 2– i.e.,i.e., the ciphertext is twice as long as the corresponding plaintext the ciphertext is twice as long as the corresponding plaintext

Requires a random number generator (k)Requires a random number generator (k)

Relies on discrete algorithm problem, Relies on discrete algorithm problem, i.e.i.e., having , having y= gy= gx x mod pmod p it’s hard to find it’s hard to find xx (the private key) (the private key)

ElGamal encryption is randomized (coming from the random ElGamal encryption is randomized (coming from the random number number kk), RSA encryption is deterministic.), RSA encryption is deterministic.

ElGamal is the basis of many other algorithms (ElGamal is the basis of many other algorithms (e.g.e.g., DSA), DSA)

3535

SummarySummary

RSA is a public key encryption algorithm whose security is RSA is a public key encryption algorithm whose security is believed to be based on the problem of factoring large numbers.believed to be based on the problem of factoring large numbers.

ElGamal is a public key encryption algorithm whose security is ElGamal is a public key encryption algorithm whose security is believed to be based on the discrete logarithm problem.believed to be based on the discrete logarithm problem.

RSA is generally favoured over ElGamal for practical rather RSA is generally favoured over ElGamal for practical rather than security reasons.than security reasons.

RSA and ElGamal are RSA and ElGamal are less efficient and fastless efficient and fast to operate than most to operate than most symmetric encryption algorithms because they involve modular symmetric encryption algorithms because they involve modular exponentiation.exponentiation.– Public key cryptography confined to key management and signature Public key cryptography confined to key management and signature

applications.applications.