Applications for Public-Key Cryptosystems

Public-Key Requirements
• Conditions that these algorithms must fulfill:
– It is computationally easy for a party B to generate a pair
(public-key PUb, private key PRb)
– It is computationally easy for a sender A, knowing the
public key and the message to be encrypted, to generate
the corresponding ciphertext
– It is computationally easy for the receiver B to decrypt the
resulting ciphertext using the private key to recover the
original message
– It is computationally infeasible for an adversary, knowing
the public key, to determine the private key
– It is computationally infeasible for an adversary, knowing
the public key and a ciphertext, to recover the original
message
– The two keys can be applied in either order
 Public-Key Requirements
• Need a trap-door one-way function
• A trap-door one-way function is a family of
invertible functions fk, such that
– Y = fk(X) easy, if k and X are known
– X = fk–1(Y) easy, if k and Y are known
– X = fk–1(Y) infeasible, if Y known but k not
known
• A practical public-key scheme depends on a
suitable trap-door one-way function
Rivest-Shamir-Adleman (RSA) Scheme

• Developed in 1977 at MIT by Ron Rivest,

Adi Shamir & Len Adleman
• Most widely used general-purpose
approach to public-key encryption
• Is a cipher in which the plaintext and
ciphertext are integers between 0 and n –
1 for some n
– A typical size for n is 1024 bits, or 309 decimal
digits
Example of RSA Algorithm
The Security of RSA
 Factoring Problem
• We can identify three approaches to
attacking RSA mathematically:
– Factor n into its two prime factors. This enables
calculation of ø(n) = (p – 1) x (q – 1), which in
turn enables determination of d = e-1 (mod ø(n))
– Determine ø(n) directly without first determining
p and q. Again this enables determination of d =
e-1 (mod ø(n))
– Determine d directly without first determining
ø(n)
Table 9.5 Progress in RSA Factorization
 Timing Attacks
• Paul Kocher, a cryptographic consultant,
demonstrated that a snooper can determine
a private key by keeping track of how long a
computer takes to decipher messages
• Are applicable not just to RSA but to other
public-key cryptography systems
• Are alarming for two reasons:
– It comes from a completely unexpected direction
– It is a ciphertext-only attack
Countermeasures
 Fault-Based Attack
• An attack on a processor that is generating RSA digital
signatures
– Induces faults in the signature computation by reducing
the power to the processor
– The faults cause the software to produce invalid
signatures which can then be analyzed by the attacker to
recover the private key
• The attack algorithm involves inducing single-bit
errors and observing the results
• While worthy of consideration, this attack does not
appear to be a serious threat to RSA
– It requires that the attacker have physical access to the
target machine and is able to directly control the input
power to the processor
Chosen Ciphertext Attack (CCA)
• The adversary chooses a number of ciphertexts and
is then given the corresponding plaintexts,
decrypted with the target’s private key
– Thus the adversary could select a plaintext, encrypt it
with the target’s public key, and then be able to get
the plaintext back by having it decrypted with the
private key
– The adversary exploits properties of RSA and selects
blocks of data that, when processed using the target’s
private key, yield information needed for cryptanalysis
– To counter such attacks, RSA Security Inc.
recommends modifying the plaintext using a
procedure known as optimal asymmetric encryption
padding (OAEP)
 Diffie-Hellman Key Exchange

• First published public-key algorithm

• A number of commercial products employ
this key exchange technique
• Purpose is to enable two users to securely
exchange a key that can then be used for
subsequent symmetric encryption of
messages
• The algorithm itself is limited to the
exchange of secret values
• Its effectiveness depends on the difficulty of
computing discrete logarithms
 Key Exchange Protocols
• Users could create random private/public
Diffie-Hellman keys each time they
communicate
• Users could create a known private/public
Diffie-Hellman key and publish in a directory,
then consulted and used to securely
communicate with them
• Vulnerable to Man-in-the-Middle-Attack
• Authentication of the keys is needed
ElGamal Cryptography
Elliptic Curve Cryptography (ECC)

• Addition operation in ECC is the

counterpart of modular multiplication in
RSA
• Multiple addition is the counterpart of
modular exponentiation
 ECC Encryption/Decryption
• Several approaches using elliptic curves have been analyzed
• Must first encode any message m as a point on the elliptic curve Pm
• Select suitable curve and point G as in Diffie-Hellman
• Each user chooses a private key nA and generates a public key PA=nA
*G
• To encrypt and send message Pm to B, A chooses a random positive
integer k and produces the ciphertext Cm consisting of the pair of
points:

Cm = {kG, Pm+kPB}
• To decrypt the ciphertext, B multiplies the first point in the pair by
B’s secret key and subtracts the result from the second point:
Pm+kPB–nB(kG) = Pm+k(nBG)–nB(kG) = Pm
Security of Elliptic Curve Cryptography
• Depends on the difficulty of the elliptic curve
logarithm problem
• Fastest known technique is “Pollard rho
method”
• Compared to factoring, can use much smaller
key sizes than with RSA
• For equivalent key lengths computations are
roughly equivalent
• Hence, for similar security ECC offers
significant computational advantages