CMSC 414
Computer and Network Security
Lecture 7
Jonathan Katz
Public-key cryptography
The public-key setting
 A party (Alice) generates a public key along with
a matching secret key (aka private key)
 The public key is widely distributed, and is
assumed to be known to anyone (Bob) who wants
to communicate with Alice
– We will discuss later how this can be ensured
 Alice’s public key is also known to the attacker!
 Alice’s secret key remains secret
 Bob may or may not have a public key of his own
The public-key setting
pk
c = Encpk(m)
pk
c = Encpk(m)
Private- vs. public-key I
 Disadvantages of private-key cryptography
– Need to securely share keys
• What if this is not possible?
• Difficult to distribute/manage keys in a large organization
• Private-key crypto requires private+authenticated channel to
share keys; public-key crypto requires authenticated channel
– Consider communication in an n-party network: each
party must store n-1 secret keys
– Inapplicable in open systems (i.e., e-commerce)
• Need to know in advance the parties with whom you will
communicate
• Not suited for “many-to-one” communication
Private- vs. public-key II
 Why study private-key setting at all?
– Private-key is orders of magnitude more efficient
– Private-key still has domains of applicability
• Military settings, disk encryption, …
• Bidirectional, “one-to-one” authenticated communication
– Public-key crypto is “harder” to get right
• Need stronger assumptions, easier to attack
– Can combine private-key primitives with public-key
techniques to get the best of both (for encryption)
• So still need to understand the private-key setting!
– Can distribute keys using trusted entities (KDCs)
Private- vs. public-key III
 Public-key cryptography is not a cure-all
– Still requires authenticated distribution of public keys
• May (sometimes) be just as hard as sharing a key
• Technically speaking, requires only an authenticated channel
instead of an authenticated + private channel
– Not clear with whom you are communicating (unless
the sender has a public key)
– Can be too inefficient for certain applications
Cryptographic primitives
Private-key setting
Public-key setting
Confidentiality
Private-key
encryption
Public-key
encryption
Integrity
Message
authentication codes
Digital signature
schemes
Public-key encryption
 Key-generation algorithm: randomized algorithm
that outputs (pk, sk)
 Encryption algorithm:
– Takes a public key and a message (plaintext), and
outputs a ciphertext; c  Epk(m)
 Decryption algorithm:
– Takes a private key and a ciphertext, and outputs a
message (or perhaps an error); m = Dsk(c)
 Correctness: for all (pk, sk), Dsk(Epk(m)) = m
Security?
 Just as in the case of private-key encryption, but
the attacker gets to see the public key pk
– For all m0, m1, no adversary running in time T, given pk
and an encryption of m0 or m1, can determine the
encrypted message with probability better than 1/2 + 
 Public-key encryption must be randomized (even
to achieve security against ciphertext-only attacks)
 In the public-key setting, security against
ciphertext-only attacks implies security against
chosen-plaintext attacks
– And security for encryption of multiple messages
El Gamal encryption
 We have already (essentially) seen one encryption
scheme:
Receiver
p, g
Sender
p, g, hA = gx
hA = g.x mod p
c = (KBA m) mod p
hB, c
hB = gy mod p
KAB = (hB)x
KBA = (hA)y
El Gamal encryption
 (Some aspects of the actual scheme are simplified)
 Key generation
– Choose a large prime p, and an element g  Zp*
– Choose random x  {0, …, p-2}, set h=gx
– The public key is (p, g, h), and the private key is x
 Encryption
– View the message m as an element of Zp*
– Choose random r  {0, …, p-2}
– The ciphertext is (gr, hr m)
 To decrypt ciphertext (c1, c2) output c2/c1x
Security?
 Security of El Gamal encryption is equivalent to
the decisional Diffie-Hellman assumption
 Best known algorithm for decisional Diffie-
Hellman in Zp* runs in time ≈ exp(log p1/3)
– So if p is a 1024-bit prime, best current attack on El
Gamal encryption requires time ≈ 260
 In other groups, the Diffie-Hellman problem is
currently ‘harder’
– E.g., for elliptic curve groups, best current algorithms
require time exp(log |G|/2)
– Can use ~120-bit group elements to get 260 security
RSA background
 N=pq, p and q distinct, odd primes
 (N) = (p-1)(q-1)
– Easy to compute (N) given the factorization of N
– Hard to compute (N) without the factorization of N
 Fact: for all x  ZN*, it holds that x(N) = 1 mod N
– Proof: take CMSC 456!
 If ed=1 mod (N), then for all x it holds that
(xe)d = x mod N
I.e., given d, we can compute eth roots
We have an asymmetry!
 Let e be relatively prime to (N)
– Needed so that ed=1 mod (N) has a solution
 Given e and the factors of N, can compute d and
hence compute eth roots
 Without the factorization of N, no apparent way to
compute eth roots
 Let’s use this to encrypt…
Hardness of computing eth roots?
 The RSA problem:
– Given N, e, and c, compute c1/e mod N
 If factoring is easy, then the RSA problem is easy
 We know of no other way to solve the RSA
problem besides factoring N
– But we do not know how to prove that the RSA
problem is as hard as factoring
 The upshot: we believe factoring is hard, and we
believe the RSA problem is hard
How hard is factoring?
 Best current algorithms for factoring N=pq a
product of two equal-length primes, run in time
≈ exp(log N1/3)
 So need |N| ≈ 1024 for reasonable security
 Currently |N| ≈ 2048 recommended for good
security margins
RSA key generation
 Generate random primes p, q of sufficient length
 Compute N=pq and (N) = (p-1)(q-1)
 Compute e and d such that ed = 1 mod (N)
– e must be relatively prime to (N)
– Typical choice: e = 3; other choices possible
 Public key = (N, e); private key = (N, d)
“Textbook RSA” encryption
 Public key (N, e); private key (N, d)
 To encrypt a message m  ZN*, compute
c = me mod N
 To decrypt a ciphertext c, compute m = cd mod N
 Correctness clearly holds…
 …what about security?
Textbook RSA is insecure!
 It is deterministic!
 Furthermore, it can be shown that the ciphertext
leaks specific information about the plaintext
Padded RSA
 Introduce randomization…
 Public key (N, e); private key (N, d)
– Say |N| = 1024 bits
 To encrypt m  {0,1}895,
– Choose random r  {0,1}128
– Compute c = (r | m)e mod N
 Decryption done in the natural way…
 Essentially this is standardized as PKCS #1 v1.5
(since superseded)