Week6.

Public Key Cryptography

and RSA
Lecture slides by Zhanbolat Seitkulov

February IITU, Information Security 1

Outline
•  We will consider:
–  Principles of public-key cryptography
–  RSA algorithm
•  Implementation and security

February IITU, Information Security 2

Private-Key Cryptography
•  Traditional private/secret/single key
cryptography uses one key
•  shared by both sender and receiver
•  If this key is disclosed, communications are
compromised
•  Also is symmetric, parties are equal
•  Hence does not protect receiver from sender
imitating a message and claiming it’s sent by
sender (repudiation problem)
February IITU, Information Security 3
Public-Key Cryptography
•  Probably the most significant advance in the
3000 year history of cryptography
•  Uses two keys – a public & a private key
•  Asymmetric since parties are not equal
•  Uses clever application of number theoretic
concepts to function
•  Complements rather than replaces private key
cryptography (efficiency reasons)
February IITU, Information Security 4
Why Public-Key Cryptography
•  Developed to address two key issues:
–  Key distribution – how to have secure
communications in general without having to
trust KDC with your key
–  Digital signatures – how to verify a message
comes intact from the claimed sender
•  Public invention is due to Whitfield Diffie &
Martin Hellman at Stanford University in 1976
–  Known earlier in classified community (NSA (60’s
(claimed)), CESG (1970 (documented)))
February IITU, Information Security 5
Public-Key Cryptography
•  Public-key/two-key/asymmetric cryptography
involves the use of two keys:
–  a public-key, which may be known by anybody, and can be
used to encrypt messages, and verify signatures
–  a related private-key, known only to the recipient, used to
decrypt messages, and sign (create) signatures
•  Infeasible to determine private key from public
(requires solving a hard problem)
•  Is asymmetric because
–  Those who encrypt messages or verify signatures cannot
decrypt messages or create signatures

February IITU, Information Security 6

Public-Key Cryptography

February IITU, Information Security 7

Public-Key Cryptography

February IITU, Information Security 8

Symmetric vs. Public-Key

February IITU, Information Security 9

Public-Key Cryptosystems: Secrecy

February IITU, Information Security 10

Public-Key Cryptosystems: Authentication

February IITU, Information Security 11

Public-Key Cryptosystems:
Combining Secrecy and Authentication

February IITU, Information Security 12

Public-Key Applications
•  Can classify uses into 3 categories:
–  Encryption/decryption (provide secrecy)
–  Digital signatures (provide authentication)
–  Key exchange (of session keys)
•  Some algorithms are suitable for all uses, others are
specific to one

February IITU, Information Security 13

Public-Key Requirements
•  Public-Key algorithms rely on two keys where:
–  It is computationally infeasible to find decryption key
knowing only algorithm and encryption key
–  It is computationally easy to encrypt/decrypt
messages when the relevant (encrypt/decrypt) key is
known
–  Either of the two related keys can be used for
encryption, with the other used for decryption (for
some algorithms)
•  Only a few algorithms have satisfied these
requirements
February IITU, Information Security 14
Security of Public Key Schemes
•  Like private key schemes brute force exhaustive
search attack is always theoretically possible
•  But keys used are too large … > 512bits
•  Security relies on a large enough difference in
difficulty between easy (encryption/decryption)
and hard (cryptanalyse) problems
•  More generally the hard problem is “known”, but
is made hard enough to be impractical to break
•  Requires the use of very large numbers
•  Hence is slow compared to private key schemes

February IITU, Information Security 15

RSA
•  By Rivest, Shamir and Adleman of MIT in 1977
•  Best known & widely used public-key scheme
•  Based on exponentiation in a finite (Galois)
field over integers modulo a prime
•  Uses large integers (e.g. 1024 bits)
•  Security due to cost of factoring large
numbers
–  Factorization takes O(elog n log log n) operations
(hard)
February IITU, Information Security 16
RSA Encryption/Decryption
•  To encrypt a message M the sender:
–  Obtains public key of recipient PU = {e, n}
–  Computes: C = Me mod n, where 0 ≤ M < n
•  To decrypt the ciphertext C the owner:
–  Uses their private key PR = {d, n}
–  Computes: M = Cd mod n
•  Note that the message M must be smaller
than the modulus n (block if needed)

February IITU, Information Security 17

RSA Key Setup
Each user generates a public/private key pair by:
•  Selecting two large primes at random: p, q
•  Computing their system modulus: n = p * q
–  Note ø(n) = (p - 1) (q - 1)
•  Selecting at random the encryption key e
–  where 1 < e < ø(n), gcd(e, ø(n)) = 1
•  Solve following equation to find decryption key d
–  e*d = 1 mod ø(n) and 0 ≤ d ≤ n
•  Publish their public encryption key: PU = {e, n}
•  Keep secret private decryption key: PR = {d, n}
February IITU, Information Security 18
February IITU, Information Security 19
Why RSA Works
•  Because of Euler’s Theorem:
–  aø(n) mod n = 1 where GCD(a, n) = 1
•  In RSA have:
–  n = p*q
–  ø(n) = (p - 1) (q - 1)
–  Carefully chose e and d to be inverses mod ø(n)
–  Hence e*d = 1 + k*ø(n) for some k
•  Hence:
–  Cd = Me*d = M1+k*ø(n) = M1 * (Mø(n))k = M1 * (1)k = M1 =
M mod n (provided M and n coprime)
February IITU, Information Security 20
RSA Example: Key Setup
1.  Select primes: p = 17, q = 11;
2.  Calculate n = pq = 17*11 = 187
3.  Calculate ø(n) = (p - 1) (q - 1) = 16*10 = 160
4.  Select e: GCD(e, 160) = 1; chose e = 7
5.  Derive d: de = 1 mod 160 and d < 160;
Get d = 23 since 23*7 = 161 = 10*160 + 1
6.  Publish public key: PU = {7, 187}
7.  Keep private key secret: PR = {23, 187}

February IITU, Information Security 21

RSA Example: Encryption/Decryption
•  Sample RSA encryption/decryption is:
•  Given message M = 88 (88 < 187)
•  Encryption:
–  C = 887 mod 187 = 11
•  Decryption:
–  M = 1123 mod 187 = 88

February IITU, Information Security 22

Exponentiation
•  Can use the Square and Multiply Algorithm
•  a fast and efficient algorithm for exponentiation
•  Concept is based on repeatedly squaring base
•  and multiplying in the ones that are needed to
compute the result
•  Look at binary representation of exponent
•  only takes O(log2n) multiplies for number n
–  E.g. 75 = 74 * 71 = 3*7 = 10 mod 11
–  E.g. 3129 = 3128 * 31 = 5*3 = 4 mod 11

February IITU, Information Security 23

Efficient Encryption
•  Encryption uses exponentiation to power e
•  Hence if e small, this will be faster
–  Often choose e = 65537 (216 - 1)
–  Also see choices e = 3 or e = 17
•  But if e too small (e.g. e = 3) can attack
•  If e fixed must ensure GCD(e, ø(n)) = 1
–  i.e. reject any p and q where p – 1 and q – 1 are
not relatively prime to e

February IITU, Information Security 24

Efficient Decryption
•  Decryption uses exponentiation to power d
–  This is likely large, insecure if not
•  Can compute mod p and mod q separately;
then combine to get answer
–  Approx. 4 times faster than doing directly
•  Only owner of private key who knows the
values p and q can use this techniques

February IITU, Information Security 25

RSA Key Generation
•  Users of RSA must:
–  Determine two primes at random p, q
–  Select either e or d and compute the other
•  Primes p, q must not be easily derived from
modulus n = p*q
–  Means must be sufficiently large
–  Typically guess and use probabilistic test
•  Exponents e, d are inverses, so use Inverse
algorithm to compute the other
February IITU, Information Security 26
RSA Security
•  Possible approaches to attacking RSA are:
–  Brute force key search – infeasible given size of
numbers
–  Mathematical attacks – based on difficulty of
computing ø(n), by factoring modulus n
–  Timing attacks – on running of decryption
–  Chosen ciphertext attacks – given properties of
RSA

February IITU, Information Security 27

Factoring Problem
•  Mathematical approach takes 3 forms:
–  Factor n = p*q, hence compute ø(n) and d
–  Determine ø(n) directly and compute d
–  Find d directly
•  Currently believe all equivalent to factoring
–  have seen slow improvements over the years
–  Biggest improvement comes from improved algorithm
–  Currently assume 1024-2048 bit RSA is secure
•  Ensure p, q of similar size and matching other constraints

February IITU, Information Security 28

Timing Attacks
•  Developed by Paul Kocher in mid-1990’s
•  Uses timing variations in operations
–  E.g. multiplying by small vs. large numbers
•  Suppose operand size based on time taken
•  RSA uses time taken in exponentiation
•  Countermeasures:
–  Use constant exponentiation time
–  Add random delays
–  Blind values used in calculations

February IITU, Information Security 29

Summary
•  Private-Key Cryptography vs. Public-Key
Cryptography
•  Public-Key Cryptosystem principles and uses
•  RSA Public-Key algorithm
–  Implementation and security

February IITU, Information Security 30

Questions?

February IITU, Information Security 31

Reading
•  Cryptography and Network Security by
Stallings
–  Chapter 9

February IITU, Information Security 32

 Public Key Cryptography and RSA

Lecture slides by Zhanbolat Seitkulov

February IITU, Information Security 33