ISS and Cryptography

Public-Key Cryptography
and

RSA
Department of Computer Science & Engineering
NIT Jalandhar
 Private-Key Cryptography

 Traditional private / secret / single key

cryptography uses one key shared by both
sender and receiver
 if this key is disclosed communications are
compromised
 also is symmetric, parties are equal
 hence does not protect sender from
receiver forging a message & claiming is
sent by sender
 Public-Key Cryptography

Probably most significant advance in the

3000 year history of cryptography
uses two keys – a public & a private key
asymmetric since parties are not equal
uses clever application of number theoretic
concepts to function
complements rather than replaces private
key cryptography
Both also have issues with key distribution,
requiring the use of some suitable protocol.
 Why Public-Key Cryptography?

developed to address two key issues:

» key distribution – how to have secure
communications in general without having to
trust a KDC with your key
» digital signatures – how to verify a message
comes intact from the claimed sender
public invention due to Whitfield Diffie &
Martin Hellman at Stanford University in
1976
» known earlier in classified community
 Public-Key Cryptography
Public-key/two-key / Asymmetric cryptography
involves the use of two keys:
» A public-key, which may be known by
anybody, and can be used to encrypt
messages, and verify signatures
» a related Private-key, known only to the
recipient, used to decrypt messages, and
sign (create) signatures
infeasible to determine private key from public
is Asymmetric because
» those who encrypt messages or verify
signatures cannot decrypt messages or
create signatures
Public-Key Cryptography
Public Key Cryptography and RSA

Every Egyptian received two names, which

were known respectively as the true name
and the good name, or the great name and
the little name; and while the good or little
name was made public, the true or great
name appears to have been carefully
concealed.
—The Golden Bough, Sir James George
Frazer
 Symmetric vs Public-Key

In Symmetric Cryptography Symbols are permuted /

Substituted
In Asymmetric Cryptography Numbers are Manipulated
 Public-Key Applications
can classify uses into 3 categories:
» Encryption / decryption (provide secrecy)
» digital signatures (provide authentication)
» key exchange (of session keys)

some algorithms are suitable for all uses,

others are specific to one
 Public-Key Requirements
Public-Key algorithms rely on two keys
where:
» it is computationally infeasible to find decryption
key knowing only algorithm & encryption key
» it is computationally easy to En / decrypt
messages when the relevant (En / decrypt) key is
known
» either of the two related keys can be used for
encryption, with the other used for decryption
(for some algorithms)
these are formidable requirements which
only a few algorithms have satisfied
 Public-Key Requirements
Need a trapdoor one-way function
one-way function has
» Y = f(X) easy
» X = f –1 (Y) infeasible
a trap-door one-way function has
» Y = fk (X) easy, if k and X are known
» X = fk–1 (Y) easy, if k and Y are known
» X = fk–1 (Y) infeasible, if Y known but k not known
a practical public-key scheme depends on a
suitable trap-door one-way function
 Security of Public Key Schemes

Four possible approaches to attacking RSA :

 like private key schemes brute force exhaustive
search attack is always theoretically possible
but keys used are too large ( > 512bits )
 security relies on a large enough difference in
difficulty between easy (En / Decrypt) and hard
(cryptanalyses) problems
 more generally the hard problem is known, but
is made hard enough to be impractical to break
 requires the use of very large numbers
 hence is slow compared to private key schemes
 RSA

 by Rivest, Shamir & Adleman of MIT in 1977

 best known & widely used public-key scheme
 based on exponentiation in a finite (Galois)
field over integers modulo a prime
 Exponentiation takes O ((log n)3) operations (easy)
 uses large integers (eg. 1024 bits)
 security due to cost of factoring large
numbers
 Factorization takes O(e log n log log n) operations
(hard)
 RSA En / Decryption
to encrypt a message M the sender:
It is a Block Cipher . PT and CT uses integers
between 0 and n-1
» Typical size of n = 1024 bits and n < 21024
» Easy to find and Multiply large Prime
Numbers
» But difficult to factor their product
» Private and public key of ( 100 or more digits
and must be Prime number)
Message M must be smaller than the modulus n
(block if needed)
RSA
 In RSA, e and n
are announced to
the public;
d and F are kept
secret.
 RSA Key Setup

each user generates a public / private key pair

Following are the steps used by RSA:
Select / choose two large primes at random: P,Q
Compute / Calculate their system modulus N = P X Q
Note ø(N)=(P-1)(Q-1)
selecting at random the encryption / Public key E
» where 1<E<ø(N), GCD(E, ø(N)) =1
Such that it is not a factor of (P-1) and (Q-1)
Select Private key D such that solve following equation
to find decryption key D
» (D X E)mod (P-1) X (Q-1) = 1 0 ≤ D ≤ N
Calculate CT from PT as CT = PTD Mod N
Send CT
For Decryption calculate PT from CT as PT = CTD Mod N
 Why RSA Works?
because of Euler's Theorem:
» aø(N) Mod N = 1 where gcd (a,N) =1
in RSA have:
» N = p.q
» ø(N) = (p-1)(q-1)
» carefully chose E & D to be inverses
mod ø(N)
» hence E . D = 1+k.ø(N) for some k
hence :
CD = ME . D = M1+k.ø(N) = M1.(Mø(N))k
= M1.(1)k = M1 = M mod N
 RSA Example - Key Setup
1. Select primes: p = 17 & q =11
2. Calculate N = PQ =17 x 11=187
3. Calculate ø(N) = (P–1)(Q-1)=16x10=160
4. Select E ( such that e is relatively prime to ø(N) which
is 160):
5. GCD (E,160) =1; choose E = 7
6. Determine D: D . E = 1 Mod 160 and D < 160
7. Value is D = 23 (since 23 x 7 = 161= 1 x 160+1)
8. ( D can be calculated using Extended Euclid’s
Algorithm)
9. Publish public key PU = {7,187}
10. Keep secret private key PR = {23,187}
 RSA Example - En/Decryption
 sample RSA encryption / decryption
is:
 given message (PT) M = 88
 (number 88 < 187)
 encryption:
CT = 887 mod 187 = ( 88X77X132)
Mod 187 = 894432 Mod 187 = 11
 decryption:
M (PT) = 1123 mod 187 = 88
 RSA Example - En/Decryption
 Fordecryption:
M (PT) = 1123 mod 187 = 88
1123 mod 187 = [(111 mod 187 ) X (112
mod 187) X (114 mod 187 ) X (118
mod 187 )X (118 mod 187 )] mod 187
(111 mod 187 ) = 1
(112 mod 187 ) = 121
(114 mod 187 ) = 14641 mod 187 = 55
(118 mod 187 )= 214,358,881 mod 187 = 33
1123 mod 187 = ( 11x121x55x33x33) mod 187 =
79,720,245 mod 187 =88
 RSA Another example
1. Let two primes : P = 7 & Q = 17
2. Calculate N = PQ = 7 x 17 = 119
3. Calculate ø(N) = (P–1)(Q-1) = 6x16 = 96
4. Factors of 96 are 2, 2, 2, 2, 2, 3
5. Public key E must not have factors of relative prime
to 96 or <96
6. Select E: Not from the above factors Let it be
chosen as E = 5 or any other Prime
7. Select Pvt key D such that
8. D X E Mod (P-1) (Q-1) = 1
9. Let D = 77 and D< 96 also
10. D X 5 Mod 96 = 1 = (5 X 77) mod 96 = 385 mod 96 = 1
11. Publish public key PU = {5, 96}
12. Keep secret private key PR = {77, 96}
 RSA Another example
1. Let two primes : P = 47 & Q = 71
2. Calculate N = PQ = 47 x 71 = 3337
3. Calculate ø(N) = (P–1)(Q-1) = 46x70 = 3220
4. Factors are 2, 2, 5, 7, 23
5. Select E: Not from the above factors Let it be
choosen E=79 or any other Prime
6. Select Pvt key D such that
7. D X E Mod (P-1) (Q-1) = 1
8. D X 79 Mod 3220 = 1
9. Let D = 1019
10. Publish public key PU = {79,3337}
11. Keep secret private key PR = {1019,3337}
 RSA Another example

 Bob chooses 7 and 11 as p and q and

 calculates n = 7 · 11 = 77.
 The value of F = (7 − 1) (11 − 1) or 60.
 Now he chooses two keys, e and d.
 If he chooses e to be 13, then d is 37.
 Now imagine Alice sends the plaintext 5 to Bob.
 She uses the public key 13 to encrypt 5.
 RSA example continued

Bob receives the cipher text 26

and uses the private key 37 to decipher the cipher text:

The plaintext 5 sent by Alice is received as plaintext 5 by

Bob.
 RSA Example - En/Decryption

 Encryption/decryption is:
 Let given message M or (PT) =
 688 (number 688 < 3337)
 Encryption:
CT = 68879 Mod 3337 = 1570
Send 1570 to Receiver
 Decryption:
M/PT) = 15701019 Mod 3337 =
688 ( Recovered) Back
 Exponentiation

can use the Square and Multiply Algorithm

a fast, efficient algorithm for exponentiation
concept is based on repeatedly squaring base
and multiplying in the ones that are needed to
compute the result
look at binary representation of exponent
only takes O(log2 n) multiples for number n
» eg. 75 = 74.71 = 3.7 = 10 mod 11
» eg. 3129 = 3128.31 = 5.3 = 4 mod 11
 RSA Key Generation
users of RSA must:
» determine two primes at random – P,Q at least 512
bits
» N must be 1024 bits
» select either E or D and compute the other
primes P,Q must not be easily derived from modulus N
= P.Q
» means must be sufficiently large
» typically guess and use probabilistic test
exponents E, D are inverses, so use Inverse algorithm
to compute the other
RSA uses two Algebraic Structures
Public Key Ring R = < Zn ,+, X >
Private Key Group = < Zø(n)* , X >
 RSA Security
possible approaches to attacking RSA are:
» brute force key search - infeasible given size of
numbers
» mathematical attacks - based on difficulty of
computing ø(n), by factoring modulus n
» timing attacks - on running of decryption
» chosen ciphertext attacks - given properties of
RSA
 Factoring Problem
mathematical approach takes 3 forms:
» factor N= P.Q, hence compute ø(N) and then D
» determine ø(N) directly and compute D
» find D directly
currently believe all equivalent to factoring
» have seen slow improvements over the years
• as of May-05 best is 200 decimal digits (663) bit with LS
» biggest improvement comes from improved
algorithm
• cf QS to GHFS to LS
» currently assume 1024-2048 bit RSA is secure
• ensure P, Q of similar size and matching other
constraints
Progress in Factoring
Progress in Factoring
 Timing Attacks

developed by Paul Kocher in mid-1990’s

exploit timing variations in operations
» eg. multiplying by small vs large number
» or IF's varying which instructions executed
infer operand size based on time taken
RSA exploits time taken in exponentiation
countermeasures
» use constant exponentiation time
» add random delays
» blind values used in calculations
 Chosen Ciphertext Attacks

 RSA is vulnerable to a Chosen

Cipher text Attack (CCA)
 attackers chooses cipher texts &
gets decrypted plaintext back
 choose cipher text to exploit
properties of RSA to provide info to
help cryptanalysis can counter with
random pad of plaintext
 or use Optimal Asymmetric
Encryption Padding (OASP)
 Optimal
Asymmetric
Encryption
Padding (OASP)
 Summary

have considered:
» principles of public-key
cryptography
» RSA algorithm,
implementation, security
 Question for assignment to solve

Jennifer creates a pair of keys for herself.

She chooses
p = 397 and q = 401.
She calculates n = 159, 197 and
F = 396 · 400 = 158,400.
She then chooses e = 343 and
d = 12,007.
Show how Ted can send a message to Jennifer if he knows e
and n.