SS4

Public Key Algorithms
4/13/2015
M. Chatterjee
1
Modular Arithmetic




Public key algorithms are based on
modular arithmetic.
Modular addition.
Modular multiplication.
Modular exponentiation.
Modular Addition

Addition modulo (mod) K



Poor cipher with (dk+dm) mod K, e.g., if
K=10 and dk is the key.
Additive inverse: addition mod K yields
0.
“Decrypt” by adding inverse.
Modular Multiplication




Multiplication modulo K
Multiplicative inverse: multiplication
mod K yields 1
Only some numbers have inverse
Use Euclid’s algorithm to find inverse


Given x, n, it finds y such that x*y mod n = 1
All numbers relatively prime to n have a
multiplicative inverse mod n
Totient Function


x, m relatively prime: no common factor
other than 1
Totient function ø(n): number of
integers less than n relatively prime to n


if n is prime, ø(n) = n-1
if n = pq, and p, q are primes, ø(n) = (p-1)(q-1)
Modular Exponentiation


x^y mod n = x^(y mod ø(n)) mod n
if y = 1 mod ø(n) then x^y mod n = x mod n
RSA (Rivest, Shamir, Adleman)



The most popular one.
Supports both public key encryption and digital
signature.
Assumption/theoretical basis:



Factoring a big number is hard.
Variable key length (usually 512 bits).
Variable plaintext block size.


Plaintext must be “smaller” than the key.
Ciphertext block size is the same as the key
length.
What Is RSA?

To generate key pair:

Pick large primes (>= 256 bits each) p and
q



Let n = p*q, keep your p and q to yourself!
For public key, choose e that is relatively
prime to ø(n) =(p-1)(q-1), let pub =
<e,n>
For private key, find d that is the
multiplicative inverse of e mod ø(n), i.e.,
e*d = 1 mod ø(n), let priv = <d,n>
How Does RSA Work?

Given pub = <e, n> and priv = <d, n>




encryption: c = m^e mod n, m < n
decryption: m = c^d mod n
signature: s = m^d mod n, m < n
verification: m = s^e mod n
Why Does RSA Work?

Given pub = <e, n> and priv = <d, n>





n =p*q, ø(n) =(p-1)(q-1)
e*d = 1 mod ø(n)
xed = x mod n
encryption: c = me mod n
decryption: m = cd mod n = med mod n =
m mod n = m Why????????


e*d = 1 mod ø(n)
So e*d = 1 + kø(n)
… m^(ed) mod n = m^(1 + kø(n)) mod n
= m * (m^(kø(n)) mod n) mod n = m ?
What is Fermat’s theorem?
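The key-generation, "how" and "why" slides above, worked through with toy numbers. This is an added example, not part of the original slides; the primes 61 and 53, the exponent 17 and all function names are constructed for illustration and are far too small for real use.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def mod_inverse(x, n):
    """Return y with x*y mod n == 1; it exists only when gcd(x, n) == 1."""
    g, y, _ = egcd(x % n, n)
    if g != 1:
        raise ValueError(f"{x} has no inverse mod {n}")
    return y % n

def keygen(p, q, e):
    """Build pub = <e, n> and priv = <d, n> from primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = mod_inverse(e, phi)              # e*d = 1 mod phi(n)
    return (e, n), (d, n)

def apply_key(key, value):
    """Public key: encrypt or verify. Private key: decrypt or sign."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than n")
    return pow(value, exponent, n)

def roundtrip_holds_for_all(pub, priv):
    """Check x^(ed) = x mod n for every x in [0, n)."""
    n = pub[1]
    return all(apply_key(priv, apply_key(pub, x)) == x for x in range(n))

PUB, PRIV = keygen(p=61, q=53, e=17)     # constructed toy parameters

if __name__ == "__main__":
    c = apply_key(PUB, 65)               # encryption: c = m^e mod n
    print("pub", PUB, "priv", PRIV)
    print("c =", c, "m =", apply_key(PRIV, c))
    s = apply_key(PRIV, 65)              # signature: s = m^d mod n
    print("signature verifies:", apply_key(PUB, s) == 65)
    print("x^(ed) = x for all x:", roundtrip_holds_for_all(PUB, PRIV))
```
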
Why Is RSA Secure?


Factoring a 512-bit number is very hard!
But if you can factor the big number n, then
given the public key <e,n>, you can find d,
and hence the private key, by:



Knowing factors p, q, such that, n = p*q
Then ø(n) =(p-1)(q-1)
Then d such that e*d = 1 mod ø(n)
Attacks on RSA
• Brute force key search
• Mathematical attacks
• Timing attacks
Math-Based Attacks







Three possible approaches:
– Factor n = pq
– Determine ø(n)
– Find the private key d directly
• All the above are equivalent to
factoring n
Brute Force
An adversary just tries all possible
keys and keeps his fingers crossed that
the right key is not the last key he will
try!

Timing Attacks



By measuring the time required to perform
decryption (exponentiation with the private
key as exponent), an attacker can figure out
the private key
Possible countermeasures:



– use constant exponentiation time
– add random delays
– blind values used in calculations
Other Attacks on RSA
Small encryption exponent e
• e=3, Alice sends the message m to three people
(public keys (e, n1), (e, n2), (e, n3))
• An attacker can compute a solution to the following
system
  x = c1 mod n1
  x = c2 mod n2
  x = c3 mod n3
• Then, compute m from x = m^3
• Countermeasure: padding required
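Why the slide's countermeasure matters, as an added example that is not part of the original slides: with the same unpadded m sent under three moduli, the solution of the congruence system is exactly m^3, while per-recipient padding makes it a non-cube. The moduli, the message 42 and `toy_pad` are constructed for illustration; `toy_pad` is not a real padding scheme (real systems use OAEP).

```python
E = 3
# Constructed toy moduli; every prime factor is 2 mod 3, so e = 3 is a valid exponent.
MODULI = [101 * 107, 113 * 131, 137 * 149]

def crt(residues, moduli):
    """Solve x = r_i mod n_i for pairwise coprime moduli; return x mod prod(n_i)."""
    total = 1
    for n in moduli:
        total *= n
    x = 0
    for r, n in zip(residues, moduli):
        partial = total // n
        x += r * partial * pow(partial, -1, n)
    return x % total

def icbrt(x):
    """Integer cube root by binary search: floor of the real cube root of x."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def recover_if_same_plaintext(ciphertexts, moduli):
    """Return m when all ciphertexts hide the same m under e = 3, else None."""
    x = crt(ciphertexts, moduli)
    root = icbrt(x)
    return root if root ** 3 == x else None

def encrypt_for_all(plaintexts):
    """Textbook RSA encryption of one plaintext per recipient modulus."""
    return [pow(m, E, n) for m, n in zip(plaintexts, MODULI)]

def toy_pad(m, r):
    """Hypothetical padding: prepend a per-recipient value r to an 8-bit m."""
    return (r << 8) | m

# Same unpadded message to everyone: the cube root of x is the message.
UNPADDED = recover_if_same_plaintext(encrypt_for_all([42] * 3), MODULI)
# Different pad per recipient (constructed values): x is no longer a cube.
PADDED = recover_if_same_plaintext(
    encrypt_for_all([toy_pad(42, r) for r in (3, 17, 29)]), MODULI)

if __name__ == "__main__":
    print("unpadded:", UNPADDED, "padded:", PADDED)
```
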

Forward Search Attack
If message space is small, the attacker can
create a dictionary of encrypted messages
(public key known, encrypt all possible
messages and store them)
• When the attacker ‘sees’ a message on the
network, he compares it with the encrypted messages, so
he finds out what particular message was
encrypted

Small decryption exponent d



Choosing a small exponent helps
efficiency BUT
If size of d is 1/4 size of n (in bits) and
gcd(p-1,q-1) is small, there is a way to
compute d only from e and n.
Countermeasure: d should be about the
same size as n.
Common modulus attack





Each entity must choose its own modulus
Assume Alice and Bob generated keys using
the same modulus n, ((e1, n), d1) and ((e2, n), d2)
C1 = M^e1 mod n,
C2 = M^e2 mod n
e1*a + e2*b = 1 if gcd(e1,e2)=1
M = C1^a * C2^b mod n
Cycling attack






Intercepted ciphertext: C
C1 = C^e mod n
C2 = C1^e mod n
C3 = C2^e mod n
Ck = C(k-1)^e mod n
If Ck = C then stop; P = C(k-1)
Attacker Goals
Total break: the attacker finds the key (the
symmetric key for ciphers or the private key for public
key cryptosystems); after that all ciphertexts can be
decrypted.

Partial break: with some probability, the adversary
is able to decrypt previously unseen ciphertexts,
without knowing the key. Or the adversary can find
out info about the plaintext, just by looking at the
ciphertext.

Distinguishability: with probability > 0.5, the
adversary can distinguish between encryption of two
different plaintexts, or between an encryption and a
random string.

Diffie-Hellman Key Exchange



Shared key, public communication
No authentication of partners
What’s involved?


p is a prime (about 512 bits), and g < p
p and g are publicly known
Diffie-Hellman Key Exchange Procedure

Alice                        Bob
pick secret Sa randomly      pick secret Sb randomly
compute TA = g^Sa mod p      compute TB = g^Sb mod p
send TA to Bob               send TB to Alice
compute TB^Sa mod p          compute TA^Sb mod p

Alice and Bob reached the same secret g^(Sa*Sb)
mod p, which is then used as the shared

DH Security - Discrete Logarithm Is Hard


T = g^s mod p
Conjecture: given T, g, p, it is
extremely hard to compute the value of
s (discrete logarithm)
Diffie-Hellman Scheme

Security factors


Discrete logarithm very difficult.
Shared key (the secret) itself never
transmitted.

Disadvantages:

Expensive exponential operation



DoS possible.
The scheme itself cannot be used to
encrypt anything – it is for secret key
establishment.
No authentication, so you can not sign
anything …
Bucket Brigade Attack... Man In The Middle

Alice                 Trudy                 Bob
g^Sa = 123            g^Sx = 654            g^Sb = 255
         123 -->               654 -->
         <-- 654               <-- 255
    654^Sa = 123^Sx       255^Sx = 654^Sb

Trudy plays Bob to Alice and Alice to Bob
Diffie-Hellman in Phone Book Mode



DH was subject to an active man-in-the-middle
attack because the public key component
was intercepted and substituted
Phone book mode allows everyone to
generate the public key component in
advance and publish it through other
reliable means, e.g. <TB> for Bob
All communicating parties agree on their
common <g, p>
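The exchange, the bucket brigade substitution and the phone book check from the slides above, run with toy numbers. This is an added example, not part of the original slides; p = 23, g = 5, the secrets 4, 3 and 7 and all function names are constructed for illustration.

```python
P, G = 23, 5          # constructed toy public parameters <g, p>

def public_value(secret):
    """T = g^S mod p, the value sent (or published) by each party."""
    return pow(G, secret, P)

def shared_key(peer_public, secret):
    """Key derived from the peer's public value and one's own secret."""
    return pow(peer_public, secret, P)

def honest_channel(value):
    """The network delivers what was sent."""
    return value

def substituting_channel(sx):
    """Model of Trudy: every value in transit is replaced by g^Sx mod p."""
    tx = public_value(sx)
    return lambda value: tx

def exchange(sa, sb, channel):
    """Return (Alice's key, Bob's key) after an unauthenticated exchange."""
    ta, tb = public_value(sa), public_value(sb)
    return shared_key(channel(tb), sa), shared_key(channel(ta), sb)

def phone_book_key(directory, peer, received, secret):
    """Phone book mode: accept only the value published for peer in advance."""
    if directory[peer] != received:
        raise ValueError(f"value {received} does not match directory entry for {peer}")
    return shared_key(directory[peer], secret)

SA, SB, SX = 4, 3, 7  # constructed secrets for Alice, Bob, Trudy
DIRECTORY = {"alice": public_value(SA), "bob": public_value(SB)}

if __name__ == "__main__":
    print("honest:", exchange(SA, SB, honest_channel))
    alice_key, bob_key = exchange(SA, SB, substituting_channel(SX))
    # The two ends now hold different keys, each shared with Trudy instead.
    print("substituted:", alice_key, bob_key)
    print("Trudy holds:", shared_key(DIRECTORY["alice"], SX),
          shared_key(DIRECTORY["bob"], SX))
    try:
        phone_book_key(DIRECTORY, "bob", public_value(SX), SA)
    except ValueError as err:
        print("phone book mode rejects:", err)
```
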
Encryption With Diffie-Hellman

Everyone computes and publishes <p, g, T>


T = g^S mod p
Alice communicates with Bob:

Alice




Picks a random secret Sa
Computes gb^Sa mod pb
Use Kab = Tb^Sa mod pb to encrypt message
Send encrypted message along with gb^Sa mod pb

Bob


(gb^Sa)^Sb mod pb = (gb^Sb)^Sa mod pb = Tb^Sa mod pb
= Kab
Use Kab to decrypt