CS283 PublicKey

The document discusses public key cryptography, introduced by Diffie and Hellman, using analogies and examples to explain how it works, including the Diffie-Hellman key exchange and RSA encryption. It outlines the requirements for a public key scheme, potential vulnerabilities, and the importance of hard problems in cryptography. The document also highlights the process of generating keys and encrypting messages, along with the significance of binding keys to identities.

Public Key Cryptography

CSCI 172/283
Fall 2010
Public Key Cryptography
New paradigm introduced by Diffie and
Hellman
The mailbox analogy:
Bob has a locked mailbox
Alice can insert a letter into the box, but can’t
unlock it to take mail out
Bob has the key and can take mail out

Encrypt messages to Bob with Bob’s public key


Can freely distribute
Bob decrypts his messages with his private key
Only Bob knows this
Requirements
How should a public key scheme work?
Three main conditions
It must be computationally easy to encrypt or
decrypt a message given the appropriate key
It must be computationally infeasible to
derive the private key from the public key
It must be computationally infeasible to
determine the private key from chosen
plaintext attack
 Attacker can pick any message, have it encrypted,
and obtain the ciphertext
Exchanging keys
Alice and Bob want to communicate using a
block cipher to encrypt their messages, but
don’t have shared key
How do Alice and Bob get a shared key?
Solution 1
Alice sends the key along with her
encrypted message

Eve sees encrypted message and key


Uses key to decrypt message

FAIL!
Solution 2
Alice sends the key at some time prior to
sending Bob the encrypted message

Eve has to wait longer


If she saw the key transmission, she has the
key
Uses key to decrypt message

FAIL!
Solution 3 – Use public key crypto
Diffie Hellman Key Exchange
All users share common modulus, p, and element g
g ≠ 0, g ≠ 1, and g ≠ p-1
Alice chooses her private key, k_A
Computes K_A = g^{k_A} mod p and sends it to Bob in the clear
Bob chooses his private key, k_B
Computes K_B = g^{k_B} mod p and sends it to Alice in the clear
When Alice and Bob want to agree on a shared key, they compute a shared secret S
S_{A,B} = K_B^{k_A} mod p
S_{B,A} = K_A^{k_B} mod p
Why does DH work?
S_{A,B} = S_{B,A}
(g^{k_A})^{k_B} mod p = (g^{k_B})^{k_A} mod p
Eve knows
g and p
K_A and K_B
Why can’t Eve compute the secret?
S_{A,B} = K_B^{k_A} mod p
S_{B,A} = K_A^{k_B} mod p
This was the first public key cryptography scheme
Hard problems
 Public key cryptosystems are based on hard
problems
 DH is based on the Discrete Logarithm Problem
(DLP)

 Given:
Multiplicative group G
Element a in G
Output b
 Find:
Unique solution to a^x = b in G
 x is log_a b

 No polynomial time algorithm exists to solve this*


*On classical computers
Could it fail?
Eve could fool Alice and Bob
Man in the middle / bucket brigade

[Figure: Alice, Eve and Bob in a row. Alice: "My key is K_A". Eve: "My key is K'_B". Eve: "My key is K'_A". Bob: "My key is K_B".]

Alice has no guarantee that the person she’s establishing a key with is actually Bob
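The exchange from the Diffie Hellman slides and the bucket-brigade failure above, as an added example that is not part of the original slides. The function names and the toy parameters p = 2^31 - 1, g = 7 are assumptions chosen for illustration and are far too small for real use.

```python
import secrets

# Constructed toy parameters (assumptions): p = 2^31 - 1 is prime,
# g = 7 is a primitive root modulo p. Real deployments use far larger groups.
P = 2_147_483_647
G = 7

def check_generator(g, p=P):
    """The slide's condition: g != 0, g != 1 and g != p-1 (mod p)."""
    return g % p not in (0, 1, p - 1)

def keypair(p=P, g=G):
    """Return (private k, public K = g^k mod p)."""
    k = secrets.randbelow(p - 3) + 2          # 2 <= k <= p-2
    return k, pow(g, k, p)

def shared(their_public, my_private, p=P):
    """S = K_other^{k_mine} mod p."""
    return pow(their_public, my_private, p)

def honest_exchange():
    """Public values arrive unmodified: both sides derive the same S."""
    kA, KA = keypair()
    kB, KB = keypair()
    return shared(KB, kA), shared(KA, kB)     # S_{A,B}, S_{B,A}

def intercepted_exchange():
    """Eve swaps K_A and K_B in transit for her own K'_A and K'_B."""
    kA, KA = keypair()
    kB, KB = keypair()
    eA, KA_fake = keypair()                   # K'_A, delivered to Bob
    eB, KB_fake = keypair()                   # K'_B, delivered to Alice
    alice_secret = shared(KB_fake, kA)        # Alice believes this is shared with Bob
    bob_secret = shared(KA_fake, kB)          # Bob believes this is shared with Alice
    eve_with_alice = shared(KA, eB)           # Eve derives Alice's secret
    eve_with_bob = shared(KB, eA)             # Eve derives Bob's secret
    return alice_secret, bob_secret, eve_with_alice, eve_with_bob

if __name__ == "__main__":
    print("honest:", honest_exchange())
    print("intercepted:", intercepted_exchange())
```

Nothing in the exchange itself tells Alice whose public value she received, which is why the public values have to be bound to an identity.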
RSA
Rivest-Shamir-Adleman
Probably the most well-known public key
scheme
First, some background
Euler’s Totient
Totient function (n)
Number of positive numbers less than n that
are relatively prime to n
 Two numbers are relatively prime when their
greatest common divisor is 1

Example: (10) = 4
1, 3, 7, 9

Example: (7) = 6
1, 2, 3, 4, 5, 6
If n is prime, (n) = n-1
RSA keys
Choose 2 large primes, p and q
N = pq
(N) = (p-1)(q-1)
Choose e < N such that gcd(e, (N))=1
d such that ed = 1 mod (N)

Public key: {N, e}


Private key: {d}
p and q must also be kept secret
RSA encryption/decryption
Alice wants to send Bob message m
She knows his public key, {N,e}

Alice: c = m^e mod N
Bob: m = c^d mod N
Toy example
p=7, q=11
N=77
(N) = (6)(10) = 60
Bob chooses e=17
Uses extended Euclidean algorithm to find
inverse of e mod 60
Finds d=53

Bob makes {N, e} public


Toy example (continued)
Alice wants to send Bob “HELLO WORLD”
Represent each letter as a number 00(A) to
25(Z)
26 is a space
Calculates:
07^17 mod 77 = 28, 04^17 mod 77 = 16, …, 03^17 mod 77 = 75
Sends Bob 28 16 44 44 42 38 22 42 19 44 75
He decrypts each number with his private
key and gets “HELLO WORLD”
What could go wrong?
What was wrong with the toy example?
Eve can easily find the encryption of each
letter and use that as a key to Alice’s
message
Even without knowing the public key, can use
statistics to find likely messages
 Like cryptogram puzzles
How it should really happen
p and q should be at least 512 bits each
N at least 1024 bits
The message “HELLO WORLD” would be
converted into one very large integer
That integer would be raised to the
public/private exponent
For short messages, pad them with a random string
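The toy example and its weakness, worked through as an added example that is not part of the original slides. It uses the slides' values p=7, q=11, e=17 and letter coding; the function names are assumptions.

```python
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ "   # 00(A) .. 25(Z), 26 is a space

def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def make_keys(p, q, e):
    """Return ((N, e), d) following the 'RSA keys' slide."""
    n, totient = p * q, (p - 1) * (q - 1)
    if gcd(e, totient) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = egcd(e, totient)[1] % totient       # inverse of e mod (p-1)(q-1)
    return (n, e), d

def encrypt(text, pub):
    """Letter-by-letter encryption, exactly as in the toy example."""
    n, e = pub
    return [pow(ALPHABET.index(ch), e, n) for ch in text]

def decrypt(blocks, pub, d):
    n, _ = pub
    return "".join(ALPHABET[pow(c, d, n)] for c in blocks)

def codebook_decrypt(blocks, pub):
    """The weakness: with only 27 possible plaintexts per block and no random
    padding, anyone holding the public key can tabulate every ciphertext."""
    n, e = pub
    table = {pow(i, e, n): ch for i, ch in enumerate(ALPHABET)}
    return "".join(table[c] for c in blocks)

PUB, D = make_keys(7, 11, 17)
CIPHERTEXT = encrypt("HELLO WORLD", PUB)

if __name__ == "__main__":
    print("d =", D)
    print("ciphertext:", CIPHERTEXT)
    print("with private key:   ", decrypt(CIPHERTEXT, PUB, D))
    print("with public key only:", codebook_decrypt(CIPHERTEXT, PUB))
```

The lookup table recovers the message without d, and the letter W (22) even encrypts to itself; encoding the whole message as one large integer with random padding removes both the small codebook and the repeated blocks.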
Is this key yours?
How to bind a key to an identity?
PK Paradigm
Genkey(some info)
Creates Kpub and Kpriv

Encrypt with Kpub


Decrypt with Kpriv

Certificate binds key to individual


IBE
Identity-Based Encryption
Kpub is well-known
Known to be bound to owner
Name, email, SSN, etc.

Owner requests a private key from CA

No certificates required


Conclusion by xkcd

http://xkcd.com/538/
