1
Public Key Algorithms
2
Public Key Algorithms• It is necessary to know some number theory to really
understand how and why public key algorithms work
– Most of the public key algorithms are based on modular arithmetic
3
Use of Public Key Cryptosystems
• Encryption/decryption– Sender encrypts a message with the receiver’s public key– Only the receiver can decrypt the message
• Digital signature– The sender signs a message with its private key– Authentication and non-repudiation
• Key exchange– Two sides cooperate to exchange a session key– Secret key cryptosystems are often used with the session
key
4
Modular Arithmetic
• Modular Addition– Addition modulo (mod) n
• x mod n: the remainder of x when divided by n
– mod 10 addition• 5+5 = 0• 2+2 = 4
– An additive inverse of x is the number that adds to x to get 0
• 4’s inverse (mod 10) is 6• Decrypt by adding inverse
5
Addition Modulo 10
6
Modular Multiplication• Mod 10 multiplication table
• Multiplication by 1, 3, 7, 9 works as cipher
• Multiplicative inverse x-1: y * x = 1
• Use Euclid’s Algorithm to find inverse
7
Totient Function
• x, m relative prime (rp) = no other common factor than 1
• relatively prime ≠ prime (9 rp 10)
• totient function Φ(n): number of numbers less than n rp to n– if n prime: {1, 2, …, n-1}. Φ(n) = n-1
– if n=p * q, p, q distinct prime => Φ(n) = (p-1)(q-1)
8
Modular Exponentiation (Exponentiation Modulo 10)
9
Modular Exponentiation
• Encryption: x3 works, x2 does not
• Exponential inverse y of x: (ax)y = a
• Columns: 1=5, 2=6, 3=7…
• xy mod n = x(y mod Φ(n)) mod n: the ith column is the same as the i+4th column– rp to 10 are {1, 3, 7, 9}
• Totient function Φ(n): number of numbers less than n relatively prime to n
10
RSA (Rivest, Shamir, Adleman)
• A very popular public key cryptographic algorithm
• Support public key encryption and digital signature
• Variable key length – 512 bits, 1024 bits
• Variable plaintext block size– Plaintext block must be smaller than the key length
– Ciphertext block size is the length of the key
• Ciphertext length = key length
• Much slower to compute than DES/IDEA
• Assumption/theoretical basis:– Factoring a large number is practically impossible
11
RSA Algorithm
• To generate a public key and a corresponding private key– Pick large primes p and q (around 256 bits)– Let n=p*q (512 bits), factors p and q remain secret– Public key: choose e that is relatively prime to ø(n) =(p-
1)(q-1), let pub = <e,n>– Private key: find the number d that is the multiplicative
inverse of e mod ø(n), i.e., e*d = 1 mod ø(n), let priv = <d,n>
– Encryption: of m < n, c = me mod n– Decryption: m = cd mod n– Verification
• Sign: s = md mod n• Verify: m = se mod n
12
RSA Example
Bob chooses p=7, q=11. Then n=77, z= ø(n) =60.e=7 (so e, z relatively prime).d=43 (so ed-1 exactly divisible by z).
m me c = m mod ne
9 97 37
c m = c mod nd37 3743 9
cd
encrypt:
decrypt:
13
Why Does RSA Work?
(m mod n)e mod n = m mod nd ed
Useful number theory result: If p,q prime and n = pq, then:
x mod n = x mod ny y mod (p-1)(q-1)
= m mod ned mod (p-1)(q-1)
= m mod n1
= m
(using number theory result above)
(since we chose ed to be divisible by(p-1)(q-1) with remainder 1 )
• Will decrypting an encrypted message get the original message back?
14
Why Does RSA Work?
• That is: will decrypting an encrypted message get the original message back?
• Given pub = <e, n> and priv = <d, n>– n =p*q, ø(n) =(p-1)(q-1)
– de = 1 mod ø(n)
– For any x, xde = x mod n
– encryption: c = me mod n
– decryption: m = cd mod n = me∗d mod n = m mod n = m(since m < n)
– digital signature (similar)
15
Why is RSA Secure?
• Based on the Fundamental Tenet of Cryptography
• Factoring 512-bit number is very hard!– If you can factor quickly, you can break RSA!
• But if you can factor big number n then given public key <e,n>, you can find d, hence the private key by:– Knowing factors p, q, such that, n = p*q
– Then ø(n) =(p-1)(q-1)
– Then d such that e*d = 1 mod ø(n)
16
Diffie-Hellman
• Allows two individuals to agree on a shared key, public communication
• No authentication of partners– Alice might be establishing a secret key with a bad guy
• What is involved?– A large prime p, and g < p
– p and g are publicly known
– Alice and Bob choose random SA and SB, kept secret
– next slide..
17
Diffie-Hellman Key Exchange
• Procedure
Alice Bob
pick secret SA randomly pick secret SB randomly
compute TA=gSA mod p compute TB=gSB mod p
send TA to Bob send TB to Alice
compute TBSA mod p compute TASB mod p
Alice and Bob reached the same secret gSASB mod p, which is then used as the shared key.
not secure against bucket-brigade/man-in-the-middle attacks.
18
DH Security – Discrete Logarithm is Hard
• T = gs mod p
• Given T, g, and p, it is computationally infeasible to compute the value of s (discrete logarithm)
19
The Bucket Brigade/Man-in-the-Middle Attack
• Mr. X plays Alice to Bob and Bob to Alice
20
Defense against Man-in-the-Middle Attack• Diffie-Hellman in Phone Book Mode
– Have a somewhat permanent public and secret number– Everyone has to agree on a common p and g– Everyone generates the public key components and publish them
through other reliable means, e.g., <Tb> for Bob– Essential Requirement: authenticity of public key
• Authenticated Diffie-Hellman– Alice and Bob know some sort of secret
• Use this secret to prove they generate their DH value• Following DH exchange, transmit a hash of the agreed-upon shared
DH value, name, and the pre-shared secret• Following DH exchange, transmit a hash of the pre-shared secret
and the DH value• …
21
Encryption with Diffie-Hellman• To avoid the active exchange• Everyone computes and publishes a public key <p, g, T> for
the private key s– T=gS mod p
• Alice communicates with Bob:– Bob has published <pb, gb, Tb>– Alice
• Picks a random secret Sa• Computes gb
Sa mod pb
• Use Kab = TbSa mod pb (the encryption key) to encrypt message
• Send encrypted message along with gbSa mod pb
– Bob• (gb
Sa)Sb mod pb = (gbSb)Sa mod pb = Tb
Sa mod pb = Kab
• Use Kab to decrypt
• Essentially key distribution + encryption
22
Digital Signature Standard (DSS)
• By NIST
• Based on ElGamal
• Speeded up for signer rather than verifier: smart cards
• Use SHA-1 to generate the hash value and Digital Signature Algorithm (DSA) to generate the digital signature
23
DSS Algorithm
24
DSS Algorithm
Calculate X-1 and dm
25
Why is DSA Secure?• No revealing of the private key S• Nobody should be able to generate a signature for a
given message without knowing S• Nobody should be able to generate a message that
matches a given signature• Nobody should be able to modify a signed message in
a way that keeps the same signature valid• Need a per-message secret number Sm
– If Sm is known, the private key S can be computed• (XmSm – dm)Tm
-1 mod q = S mod q (refer to step 6): the attacker can forge DSS signature
– If two messages share the same Sm, the private key S can be revealed
• (Xm – Xm’)-1(dm-dm’) mod q = Sm mod q (refer to step 6 ) => Sm