3/27/2020
Public-Key Cryptography
“asymmetric cryptography”
Dr.Khaled Tarmissi
1
“It is insufficient to protect ourselves with laws; we need to
protect ourselves with mathematics.”
“Bruce Schneier “
2
1
3/27/2020
Public-Key Cryptography
probably most significant advance in the 3000 year history of
cryptography
❑ uses two keys – a public & a private key
❑ asymmetric since parties are not equal
❑ uses clever application of number theoretic concepts to
function
❑ complements rather than replaces private key crypto
❑
3
Symmetric Key Cryptosystem
✓ Encryption and decryption rely on having a key (a word, number,
or phrase to encrypt and decrypt) .
✓ Encryption and decryption use the same key
✓ Problem is difficulty of secure key distribution. !!!
4
4
2
3/27/2020
Diffie-Hellman by Analogy: Paint
Alice
“Let’s use yellow”
Bart
“OK, yellow.”
1. Alice & Bart decide on a public color, and mix one
liter of that color.
2. They each choose a random secret color, and mix two
liters of their secret color.
3. They keep one liter of their secret color, and mix the
other with the public color.
5
5
Diffie-Hellman by Analogy: Paint
Bart
Alice
4. They exchange the mixtures over the public channel.
5. When they get the other person’s mixture, they
combine it with their retained secret color.
6. The secret is the resulting color: Public + Alice’s + Bart’s
6
6
3
3/27/2020
Asymmetric Cryptography
Encryption key
Plaintext
Bob
Decryption key
Ciphertext
Encryption
Original plaintext
Decryption
Alice
The big idea is to use a pair of keys for encryption: a public
key, which encrypts data, and a corresponding private key
for decryption.
7
7
Public-key Encryption
• Involves 2 distinct keys – public, private.
• The private key is kept secret and never
be divulged, and it is password protected
(Passphase).
• The public key is not secret and can be
freely distributed, shared with anyone.
• It is also called “asymmetric
cryptography”.
• Two keys are mathematically related,
it is infeasible to derive the private key
from the public key.
8
8
4
3/27/2020
Public key cryptography
+ Bob’s public
B key
K
K
plaintext
message, m
encryption
algorithm
ciphertext
+
K (m)
B
- Bob’s private
B key
decryption plaintext
algorithm message
+
m = K B(K (m))
B
9
9
How to use 2 different keys?
• Just an example:
– Public Key = 4, Private Key = 1/4, message M = 5
– Encryption:
• Ciphertext C = M * Public Key
• 5 * 4 = 20
– Decryption:
• Plaintext M = C * Private Key
• 20 * ¼ = 5
10
10
5
3/27/2020
Requirements
1.
It must be computationally easy to encipher or
decipher a message given the appropriate key.
2.
It must be computationally infeasible to derive
the private key from the public key.
3.
It must be computationally infeasible to
determine the private key from a chosen
plaintext attack.
11
Trapdoor One-Way Function
The main idea behind asymmetric-key cryptography is the
concept of the trapdoor one-way function.
A function as rule mapping a domain to a range
12
6
3/27/2020
Trapdoor One-Way Function
One-Way Function (OWF)
1. f is easy to compute.
2. f −1 is difficult to compute.
Trapdoor One-Way Function (TOWF)
3. Given y and a trapdoor, x can be
computed easily.
13
One-Way Trapdoor Functions
➢ “One way” means easy to compute in one direction,
but hard to compute in other direction. In other word
“One-way function whose inverse is easy to calculate
only if given a special piece of information”
➢ Example: Given p and q, product N = pq easy to
compute, but … given N, it’s hard to find p and q
➢ “Trap door” used to create key pairs
14
7
3/27/2020
OWF: Multiplying two primes
• It is easy to take two prime numbers and multiply them together.
• If they are fairly small we can do this in our heads, on a piece of paper, or on a calculator.
• As they get bigger and bigger it is fairly easy to write a computer program to compute the
product.
• Multiplication runs in polynomial time.
• Multiplication of two primes is easy.
15
3*5
143
11*13
6887
?
31897
?
200 digit
??
600 digit
???
15
15
OWF: Modular exponentiation
• The process of exponentiation just means raising numbers to a power.
• Raising a to the power b, normally denoted ab just means multiplying
a by itself b times. In other words:
ab = a x a x a x … x a
• Modular exponentiation means computing ab modulo some other
number n. We tend to write this as
ab mod n.
• Modular exponentiation is “easy”.
16
16
8
3/27/2020
OWF: Modular exponentiation
However, given a, b, and ab mod n (when n is prime), calculating b is
regarded by mathematicians as a hard problem.
This difficult problem is often referred to as the discrete logarithm
problem.
In other words, given a number a and a prime number n, the function
f(b) = ab mod n
is believed to be a one-way function.
17
17
Modular exponentiation
let's explore the exponentiation property:
A^B mod C = ( (A mod C)^B ) mod C
Often we want to calculate A^B mod C for large values of B.
❑ For Example:
❑ 2^90 = 1237940039285380274899124224
❑ 7^256 =
2213595400046048155450188615474945937162517050260073069916366390524704974
00798999684800343383794038078279445526231260759886736342594056001485602
786638194645895120583737911647366324673350968721264246243189632348313601
These huge values cause our calculators and computers to return overflow errors.
18
9
!!! ???
3/27/2020
Modular exponentiation:repeated squaring
Modular exponentiation example (520 mod 35 )
❑
520 = 95367431640625 = 25 mod 35
•
❑
A better way: repeated squaring
•
•
•
•
•
•
•
•
❑
20 = 10100 base 2
(1, 10, 101, 1010, 10100) = (1, 2, 5, 10, 20)
Note that 2 = 1 2, 5 = 2  2 + 1, 10 = 2  5, 20 = 2  10
51= 5 mod 35
52= (51)2 = 52 = 25 mod 35
55= (52)2  51 = 252  5 = 3125 = 10 mod 35
510 = (55)2 = 102 = 100 = 30 mod 35
520 = (510)2 = 302 = 900 = 25 mod 35
Never have to deal with huge numbers!
19
Relative Primality
❑x
and y are relatively prime if they have no common
factor other than 1
❑ x-1 mod y exists only when x and y are relatively prime
❑ If it exists, x-1 mod y is easy to compute using Euclidean
Algorithm
▪ We won’t do the computation here
20
10
3/27/2020
Euler Totient Function ø(n)
(n) is “the number of numbers less than n that are relatively
prime to n”
❑ in general need prime factorization, but
❑
• for p (p prime)
• for p.q (p,q prime)
❑
ø(p) = p-1
ø(p.q) = (p-1)(q-1)
eg.
• ø(37) = 36
• ø(21) = (3–1)×(7–1) = 2×6 = 12
21
21
22
From Lec 2 ..
Example 22
Find the multiplicative inverse of 8 in Z10.
Solution
There is no multiplicative inverse because gcd (10, 8) = 2
≠ 1. In other words, we cannot find any number between
0 and 9 such that when multiplied by 8, the result is
congruent to 1.
Example 23
Find all multiplicative inverses in Z10.
Solution
There are only three pairs: (1, 1), (3, 7) and (9, 9). The
numbers 0, 2, 4, 5, 6, and 8 do not have a multiplicative
inverse.
22
11
3/27/2020
23
From Lec 2 ..
Example 24
Find all multiplicative inverse pairs in Z11.
Solution
We have seven pairs: (1, 1), (2, 6), (3, 4), (5, 9), (7, 8),
(9, 9), and (10, 10).
23
Euler's Theorem
❑a
generalisation of Fermat's Theorem
❑ aø(n)mod N = 1
• where gcd(a,N)=1
❑
Examples:
• a=3 ; n=10 ; ø(10) = 4;
• hence 34 = 81 = 1 mod 10
• a=2 ; n=11 ; ø(11)=10;
• hence 210 = 1024 = 1 mod 11
24
24
12
3/27/2020
Diffie - Hellman public key crypto.
❑
Discovered by Whitfield Diffie and Martin
Hellman
o “New Directions in Cryptography”
❑
Diffie-Hellman key agreement protocol
o Exponential key agreement
o Allows two users to exchange a secret key
o Requires no prior secrets
o Real-time over an untrusted network
25
The briefcase
example
Alice
Bob
1
2
3
4
5
26
26
13
3/27/2020
Diffie-Hellman
❑A
“key exchange” algorithm
o Used to establish a shared symmetric key
❑ Not
for encrypting or signing
❑ Based on discrete log problem:
o Given: g, p, and gk mod p
o Find: exponent k
27
Diffie-Hellman Key Exchange
❑
❑
Choose a prime p (publicly known)
• Should be about 512 bits or more
Pick g < p (also public)
• g must be a primitive root of p.
• A primitive root generates the finite field p.
• Every n in {1, 2, …, p-1} can be written as (gk mod p).
• Example: 2 is a primitive root of 5
• 20 = 1
21 = 2 22 = 4
23 = 4 (mod 5)
• Intuitively means that it’s hard to take logarithms base g because
there are many candidates.
28
28
14
3/27/2020
Diffie-Hellman
“Let’s use (p, g)”
Alice
Bart
“OK”
gA mod p
gB mod p
1. Alice & Bart decide on a public prime p and primitive
root g.
2. Alice chooses secret number A. Bart chooses secret
number B
3. Alice sends Bart gA mod p.
4. The shared secret is gAB mod p.
29
29
Details of Diffie-Hellman
❑ Alice
computes gAB mod p because she knows A:
• gAB mod p = (gB mod p)A mod p
❑ An
eavesdropper gets gA mod p and gB mod p
• They can easily calculate gA+B mod p but that doesn’t help. Way?
• Because … ga gb mod p = (ga+b mod p)  ( gab mod p)
❑
If Trudy can find a or b, she gets key K
❑
If Trudy can solve discrete log problem, she can find a or b
• The problem of computing discrete logarithms (to recover A
from gA mod p is hard.
30
30
15
3/27/2020
Diffie-Hellman Example (1)
users Alice & Bob who wish to swap keys:
❑ agree on prime q=353 and g=3
❑ select random secret keys:
❑
o A chooses xA=97, B chooses xB=233
❑
compute respective public keys:
97
o yA=3 mod 353 = 40 (Alice)
233
o yB=3 mod 353 = 248
(Bob)
❑
compute shared session key as:
x
97
o KAB= yB A mod 353 = 248 = 160
x
233
o KAB= yA B mod 353 = 40 = 160
(Alice)
(Bob)
31
Diffie-Hellman Example (2)
❑ Alice
and Bart agree that q=71 and g=7.
❑ Alice selects a private key A=5 and calculates a public
key gA  75  51 (mod 71). She sends this to Bart.
❑ Bart selects a private key B=12 and calculates a public
key gB  712  4 (mod 71). He sends this to Alice.
❑ Alice calculates the shared secret:
S  (gB)A  45  30 (mod 71)
❑ Bart calculates the shared secret
S  (gA)B  5112  30 (mod 71)
32
16
3/27/2020
Diffie-Hellman
Public: g and p
❑ Private: Alice’s exponent a, Bob’s exponent b
❑
ga mod p
gb mod p
Alice, a
Bob, b
Alice computes (gb)a = gba = gab mod p
❑ Bob computes (ga)b = gab mod p
❑ Use K = gab mod p as symmetric key
❑
33
Applications
❑ Diffie-Hellman
is currently used in
many protocols, namely:
o Secure Sockets Layer (SSL)/Transport
Layer Security (TLS)
o Secure Shell (SSH)
o Internet Protocol Security (IPSec)
o Public Key Infrastructure (PKI)
34
17
3/27/2020
RSA public key cryptography
The RSA Public Key Cryptography was invented in 1978 by three
researchers at MIT named Rivest, Shamir and Adelman. RSA stands
for the first letter in each of its inventors' last names
RSA is an elegant algorithm based on the product of two large
prime numbers that exactly fit the requirement for a practical
public key cryptography implementation.
35
Math Background (RSA)
❑ Factorization
Problem
o How to factorize an integer:
48770428682337401 ?
o Is 223092871 a factor of
48770428682337401?
❑ It
is difficult to factorize N=p*q if both p
and q are large prime numbers
36
18
3/27/2020
RSA – Key Generation
1.
2.
3.
4.
Alice generates two large primes p and q (each
with at least 100 decimal digits).
She computes n = p×q
She computes Phi(n) = (p-1) ×(q-1)
She chooses a random number “e” in which
gcd(e,Phi(n) )= 1
37
5.
6.
7.
She computes the private key “d” by solving the
equation e × d =1 mod Phi(n) .
She can now carefully dispose of the values of p,
q and Phi(n) .
Alice keeps “d” private but publishes the value
of the pair (e,n) ( this is her public key).
38
19
3/27/2020
RSA - Encryption
We distinguish Bob and Alice encryption and decryption
procedures with subscripts:
EA , DA and EB , DB
Bob wishes to send Alice a message M. He takes the
following steps:
1. He looks up Alice’s public key pair (e,n) .
2. He computes the ciphertext C and sends it to
Alice,
C= EA(M) =Me (mod n)
39
RSA - Decryption
Alice receives the value C from Bob. She decrypts it
since she knows the key DA . The decoding M′ is
M′ =DA (EA (M)) = DA (Me )= (Me)d (mod n)
We have to prove that this works! Namely that M′
will be equal to the original M.
40
20
3/27/2020
Complexity of operations in RSA
41
RSA Public Key System
Example
Choose prime numbers p and q.
Choose 11 and 13
Find their product n = pq.
Calculate n = 11*13 = 143
Calculate Phi(n) = (p-1)(q-1).
Calculate Phi(n) = (11-1)*(13-1) = 120.
Let e = 7.
Select an integer e, in which the
gcd( e, Phi(n))= 1.
We want 7*d = 1 mod 120.
Thus d = 103, as 7*103 = 721 = 1 mod 120.
Calculate d such that e*d = 1 mod Phi(n).
The public key is (7, 143).
The public key is (e, n).
The private key is (103, 143).
The private key is (d, n).
Let the numerical representation of M be
M = 5, for example.
Plaintext can be any number M, where
M < n, and neither p nor q divides M
The ciphertext is C=5 7 (mod 143) =47
The ciphertext is C=Me (mod n)
The plaintext is 47103 (mod 143) =5
The plaintext is Med (mod n)
42
21
3/27/2020
Choosing e
Let’s consider p=3 and q=7. What choices of e are acceptable?
In this case (p-1)(q-1) = 2 x 6 = 12. Any suitable choice of e must have the property
that there are no numbers that neatly divide into e and 12 except for 1. Let’s just try
them all out:
e=2: this is no good, since 2 divides both e and 12. In fact this will be true for all
multiples of 2 as well, so e=4, e=6, e=8 and e=10 are also not possible.
e=3: this is no good, since 3 divides both e and 12. In fact this will be true for all
multiples of 3 as well, so e=6 and e=9 are also not possible.
The remaining choices are e=5, e=7 and e=11. Since in each case there is no number
that divides into them and 12 other than 1, all these choices of e are possible.
43
43
Example of RSA (1)
Bob chooses p=5, q=7. Then n=35, Phi(n)=24.
e = 5 (so e, Phi(n) relatively prime).
d = 29 (so ed-1 exactly divisible by Phi(n)).
encrypt:
decrypt:
letter
m
me
l
12
248832
c
17
d
c
c = me mod n
17
m = cd mod n letter
481968572106750915091411825223071697
12
l
44
22
3/27/2020
Why RSA Works
❑
because of Euler's Theorem:
aø(n)mod N = 1
❑
in RSA have:
❑
o where gcd(a,N)=1
o
o
o
o
❑
N=p.q
ø(N)=(p-1)(q-1)
carefully chosen e & d to be inverses mod ø(N)
hence e.d=1+k.ø(N) for some k
hence :
Cd = (Me)d = M1+k.ø(N) = M1.(Mø(N))q = M1.(1)q = M1 = M mod N
45
Example of RSA (2)
Choose p = 7 and q = 17.
Compute n = p*q= 119.
Compute f(n)=(p-1)(q-1)=96.
Select e = 5, (a relatively prime to f(n).)
Compute d = _77_such that e*d=1 mod f(n).
• Public key: <5,119>
• Private key: <77,119>
• Message = 19
• Encryption: 195 mod 119 = 66
• Decryption: 6677 mod 119 = 19
46
23
3/27/2020
Example of RSA (3)
p = 7, q = 11, n = 77
Alice chooses e = 17, making d = 53
Bob wants to send Alice secret message
HELLO (07 04 11 11 14)
– 0717 mod 77 = 28; 0417 mod 77 = 16
– 1117 mod 77 = 44; – 1117 mod 77 = 44
– 1417 mod 77 = 42
• Bob sends 28 16 44 44 42
47
Example of RSA (4)
Alice receives 28 16 44 44 42
Alice uses private key, d = 53, to decrypt message:
– 2853 mod 77 = 07; 1653 mod 77 = 04
– 4453 mod 77 = 11; 4453 mod 77 = 11
– 4253 mod 77 = 14
• Alice translates 07 04 11 11 14 to HELLO
No one else could read it, as only Alice knows her
private key (needed for decryption)
48
24
3/27/2020
Is RSA secure?
The security of the RSA cryptosystem depends on
the difficulty of factoring n. It is currently difficult to
obtain the private key d from the public key (n, e).
However if one could factor n into p and q, then one
could obtain the private key d. Thus the security of
the RSA system is based on the assumption that
factoring is difficult. The discovery of an easy
method of factoring would "break" RSA .
49
49
Is RSA Secure? (Cont.)

How might we “break” RSA?
➔Factoring n
➔Computing Phi(n)
➔Compute d given e and n
➔Still need to know n or Phi(n)
➔Computing
(C=
Me
e-th roots modulo n
(mod n); then M= C1/e (mod n))
➔It is computationally intractable
50
25
3/27/2020
Idea: if we had a fast algorithm which
can factor large numbers in a reasonable
amount of time, we could break RSA!!!
51
On May 9th 2005 a team at the German Federal Agency for Information
Technology Security announced the factorization of the 200-digit
number known as RSA-200 by General Number Field Sieve algorithm
(GNFS).
RSA-200 is:
27,997,833,911,221,327,870,829,467,638,722,601,621,070,446,786,
955,428,537,560,009,929,326,128,400,107,609,345,671,052,955,360,
856,061,822,351,910,951,365,788,637,105,954,482,006,576,775,098,
580,557,613,579,098,734,950,144,178,863,178,946,295,187,237,869,
221,823,983
The two 100-digits factors are:
3,532,461,934,402,770,121,272,604,978,198,464,368,671,197,400,
197,625,023,649,303,468,776,121,253,679,423,200,058,547,956,528,
088,349
and
7,925,869,954,478,333,033,347,085,841,480,059,687,737,975,857,
364,219,960,734,330,341,455,767,872,818,152,135,381,409,304,740,
185,467
The effort took approximately 80 2.2GHz Opteron CPU over 3 months
of calendar time. The same team latter announced factorization of
RSA-640, a smaller number containing 193 decimal digits (640 bits) on
November 4th 2005.
52
26
3/27/2020
The following table gives the number of operations needed to factor n with
GNFS method, and the time required if each operation uses one
microsecond, for various lengths of the number n (in decimal digits)
Digits
Number of operations
Time
100
9.6× 108
16 minutes
200
3.3 × 1012
38 days
300
1.3 × 1015
41 years
400
1.7 × 1017
5313 years
500
1.1 × 1019
3.5 × 105 years
1024
1.3 × 1026
4.2 × 1012 years
2048
1.5 × 1035
4.9 × 1021 years
53
❑
❑
❑
❑
❑
RSA-2048
Prize: $200,000
Status: Not Factored
Decimal Digits: 617
25195908475657893494027183240048398571429282126204
03202777713783604366202070759555626401852588078440
69182906412495150821892985591491761845028084891200
72844992687392807287776735971418347270261896375014
97182469116507761337985909570009733045974880842840
17974291006424586918171951187461215151726546322822
16869987549182422433637259085141865462043576798423
38718477444792073993423658482382428119816381501067
48104516603773060562016196762561338441436038339044
14952634432190114657544454178424020924616515723350
77870774981712577246796292638635637328991215483143
81678998850404453640235273819513786365643912120103
97122822120720357
Decimal Digit Sum: 2738
54
27
3/27/2020
More Public Key Crypto
❑ RABIN
CRYPTOSYSTEM.
❑ ELGAMAL CRYPTOSYSTEM.
❑ ELLIPTIC CURVE CRYPTOSYSTEMS.
❑…
55
Hybrid Encryption Systems
❑ All
known public key encryption algorithms are much
slower than the fastest secret-key algorithms.
❑ In a hybrid system, Alice uses Bob’s public key to send
him a secret shared session key.
❑ Alice and Bob use the session key to exchange
information.
56
28
3/27/2020
Symmetric and asymmetric-key
❑ Symmetric
and asymmetric-key cryptography
will exist in parallel and continue to serve the
community. We actually believe that they are
complements of each other; the advantages of
one can compensate for the disadvantages of
the other.
57
Uses for Public Key Crypto
❑ Confidentiality
o Transmitting data over insecure channel
o Secure storage on insecure media
❑ Authentication
(later)
❑ Digital signature provides integrity and
non-repudiation
o No non-repudiation with symmetric keys
58
29