Public-Key Cryptography
Luca Viganò
Dipartimento di InformaticaUniversità di Verona
Sicurezza delle RetiA.A. 12/13Lecture 3
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 1 / 86
1 Introduction to Public-Key Cryptography2 Number Theory3 The RSA Algorithm4 Asymmetric algorithms for secret key distribution
Secret key distribution with RSADiffie-Hellman key exchangeElGamal variant of Diffie-Hellman key exchangeMassey-Omura scheme
5 Message integrity and cryptographic hashes6 Message authentication
Message authentication codesDigital signatures
7 Conclusions8 Appendix on number theory
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 2 / 86
Introduction to Public-Key Cryptography
Outline1 Introduction to Public-Key Cryptography2 Number Theory3 The RSA Algorithm4 Asymmetric algorithms for secret key distribution
Secret key distribution with RSADiffie-Hellman key exchangeElGamal variant of Diffie-Hellman key exchangeMassey-Omura scheme
5 Message integrity and cryptographic hashes6 Message authentication
Message authentication codesDigital signatures
7 Conclusions8 Appendix on number theory
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 3 / 86
Introduction to Public-Key Cryptography
Motivation
Public key cryptography was born in May 1975, the child of twoproblems: the key distribution problem and the problem of signa-tures. The discovery consisted not of a solution, but of the recog-nition that the two problems, each of which seemed unsolvableby definition, could be solved at all and that the solutions to bothcame in one package.
Whitfield Diffie, The first-ten years of public key cryptography ,1988
Let’s consider to what extent these problems are “solved”.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 4 / 86
Introduction to Public-Key Cryptography
Public-key cryptography
Let {Ee | e 2 K} and {De | e 2 K} form an encryption schema.Consider transformation pairs (Ee, Dd) where knowing Ee it isinfeasible, given c 2 C to find an m 2M where Ee(m) = c. Thisimplies it is infeasible to determine d from e.) Ee constitutes a trap-door one-way function with trapdoor d .Public key as e can be public information:
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 5 / 86
Introduction to Public-Key Cryptography
Public-key cryptography: encryption/authentication
Plaintextinput
Bobs'spublic key
ring
Transmittedciphertext
PlaintextoutputEncryption algorithm
(e.g., RSA)Decryption algorithm(reverse of encryption
algorithm)
Figure 9.1 Public-Key Cryptography
Joy
Mike
Mike Bob
TedAlice
Alice's publickey
Alice 's privatekey
(a) Encryption
Plaintextinput
Transmittedciphertext
PlaintextoutputEncryption algorithm
(e.g., RSA)Decryption algorithm(reverse of encryption
algorithm)
Bob's privatekey
Bob's publickey
Alice'spublic key
ring
Joy Ted
(b) Authentication
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 6 / 86
Introduction to Public-Key Cryptography
Symmetric vs. Asymmetric (Public-Key) Encryption
Table 9.1 CONVENTIONAL AND PUBLIC-KEY ENCRYPTION
Conventional Encryption Public-Key Encryption
Needed to Work:
1. The same algorithm with the same key is used forencryption and decryption.
2. The sender and receiver must share the algorithm and thekey.
Needed for Security:
1. The key must be kept secret.
2. It must be impossible or at least impractical to decipher amessage if no other information is available.
3. Knowledge of the algorithm plus samples of ciphertext mustbe insufficient to determine the key.
Needed to Work:
1. One algorithm is used for encryption and decryption with apair of keys, one for encryption and one for decryption.
2. The sender and receiver must each have one of the matchedpair of keys (not the same one).
Needed for Security:
1. One of the two keys must be kept secret.
2. It must be impossible or at least impractical to decipher amessage if no other information is available.
3. Knowledge of the algorithm plus one of the keys plussamples of ciphertext must be insufficient to determine theother key.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 7 / 86
Introduction to Public-Key Cryptography
Encryption using public-key cryptography
BobAlice
PassiveAdversary
mm
d
encryptionE (m) = ce D (c) = m
decryptiond
destinationplaintextsource
cunsecured channel
unsecured channele key
source
When Alice can determine the message authentity of e, public-keycryptography provides her a confidential (secret) channel to Bob.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 8 / 86
Introduction to Public-Key Cryptography
Public-Key Cryptosystem: Secrecy
MessageSource
Cryptanalyst
Key PairSource
DestinationX X
^
Y
PRb
PUb
Figure 9.2 Public-Key Cryptosystem: Secrecy
EncryptionAlgorithm
DecryptionAlgorithm
PRb
X̂
Source A Destination B
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 9 / 86
Introduction to Public-Key Cryptography
Public-Key Cryptosystem: Authentication
MessageSource
Cryptanalyst
Key PairSource
DestinationX X
^
Y
PRa
PRa
PUa
Figure 9.3 Public-Key Cryptosystem: Authentication
EncryptionAlgorithm
DecryptionAlgorithm
Source A Destination B
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 10 / 86
Introduction to Public-Key Cryptography
Public-Key Cryptosystem: Secrecy and Authentication
MessageSource
MessageDest.
X
Figure 9.4 Public-Key Cryptosystem: Authentication and Secrecy
EncryptionAlgorithm
Key PairSource
PUb PRb
Source A Destination B
Key PairSource
PRa PUa
Y EncryptionAlgorithm
Z DecryptionAlgorithm
Y DecryptionAlgorithm
X
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 11 / 86
Introduction to Public-Key Cryptography
Requirements for Public-Key Cryptography
1 It is computationally easy for B to generate a pair (public key PUb,private key PRb).
2 It is computationally easy for sender A, knowing PUb and M, togenerate
C = E(PUb, M) .
3 It is computationally easy for receiver B to decrypt C using PRb torecover M:
M = D(PRb, C) = D(PRb, E(PUb, M)) .
4 It is computationally infeasible for an adversaryknowing PUb to determine PRb,knowing PUb and C to recover M.
5 (Useful, but not always necessary) The two keys can be applied ineither order:
M = D(PUb, E(PRb, M)) = D(PRb, E(PUb, M)) .
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 12 / 86
Introduction to Public-Key Cryptography
Requirements for Public-Key Cryptography (cont.)
These are difficult requirements.As a matter of facts only a few algorithms enjoying the aboverequirements have received widespread acceptance so far:
Encryption/
Algorithm Decryption Digital Signature Key Exchange
RSA Yes Yes YesElliptic Curve Yes Yes YesDiffie-Hellman No No YesDSS No Yes No
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 13 / 86
Introduction to Public-Key Cryptography
Trapdoor one-way functions
A function f : X ! Y is a one-way function, if f is “easy” tocompute for all x 2 X , but f�1 is “hard” to compute.
Example: Problem of modular cube roots.Select primes p = 48611 and q = 53993.Let n = pq = 2624653723 and X = {1, 2, . . . , n � 1}.Define f : X ! N by f (x) = x3 mod n.Example: f (2489991) = 1981394214. Computing f is easy.Inverting f is hard: find x which is cubed and yields remainder!
A trapdoor one-way function is a one-way function fk : X ! Ywhere, given extra information k (the trapdoor information) it isfeasible to find, for y 2 Im(f ), an x 2 X where fk (x) = y .
Example: Computing modular cube roots (above) is easy when pand q are known (basic number theory).
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 14 / 86
Introduction to Public-Key Cryptography
Public-key Cryptoanalysis
Brute-force attacks.
Countermeasure: use large keys!But tradeoff is necessary as complexity of encryption/decryptionmay not scale linerarly with the length of the key.In practice: public-key encryption is confined to key managementand digital signature.
Computing private key from public key.
No proof that this attack is unfeasible! (Even for RSA)Probable-message attack.
Suppose a short message M (e.g. a 56-bit DES key) is sentencrypted with PUa, i.e. C = E(PUa, M). The attacker computesall Yi = E(PUa, Xi) for all possible plaintext Xi for i = 1, . . . , 256
and stops as soon as Yi = C concluding that M = Xi (themessage sent).Solution: append some random bits to M.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 15 / 86
Number Theory
Outline1 Introduction to Public-Key Cryptography2 Number Theory3 The RSA Algorithm4 Asymmetric algorithms for secret key distribution
Secret key distribution with RSADiffie-Hellman key exchangeElGamal variant of Diffie-Hellman key exchangeMassey-Omura scheme
5 Message integrity and cryptographic hashes6 Message authentication
Message authentication codesDigital signatures
7 Conclusions8 Appendix on number theory
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 16 / 86
Number Theory
Prime Factorization
Numbers: naturals N = {0, 1, 2, . . .}, integers Z = {0, 1,�1, . . .},primes = {2, 3, 5, 7, ...}.To factor a number n is to write it as a product of other numbers,e.g. n = a ⇤ b ⇤ c.Multiplying numbers is easy, factoring numbers appears hard.We cannot factor most numbers with more than 1024 bits.The prime factorization of a number a amounts to writing it as aproduct of powers of primes:
a = ⇧p2P pap = 2a2 ⇤ 3a3 ⇤ 5a5 ⇤ 7a7 ⇤ 11a11 ⇤ · · ·
where P is the set of prime numbers and ap 2 N.For example:
91 = 7 ⇤ 133600 = 24 ⇤ 32 ⇤ 52
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 17 / 86
Number Theory
Relatively prime numbers & gcd
Divisors: a 6= 0 divides b (written a |b ) if 9m. ma = b.Examples: 3 |6, 36 |7, 36 |10.Two numbers a, b are relatively prime if they have no commondivisors/factors apart from 1, i.e. if gcd(a, b) = 1.For instance, 8 and 15 are relatively prime since
factors of 8 are 1,2,4,8,factors of 15 are 1,3,5,15,and 1 is the only common factor.
Conversely we can determine the greatest common divisor bycomparing their prime factorizations and using least powers.For example, 150 = 21 ⇤ 31 ⇤ 52, 18 = 21 ⇤ 32 hencegcd(18, 150) = 21 ⇤ 31 ⇤ 50 = 6.
See appendix for more on number theory.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 18 / 86
Number Theory
Modular Arithmetics
8a n.9q r . (a = q ⇤ n + r) where 0 r < n.
Here r is the remainder , which we write as r = a mod n .
a, b 2 Z are congruent modulo n, if a mod n = b mod n.
We write this as a =n b .
Properties:
(a • b) =n (a mod n) • (b mod n) for • 2 {+,�, ⇤}i.e., (a • b) mod n = [(a mod n) • (b mod n)] mod n
If a ⇤ b =n a ⇤ c and a relatively prime to n, then b =n c.
Modulo operator has following properties (of congruences):1 a =n a2 a =n b ) b =n a3 (a =n b ^ b =n c)) a =n c
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 19 / 86
Number Theory
Modular Arithmetics (cont.)
Examples:
2 = (5 ⇤ 6) mod 4= [(5 mod 4) ⇤ (6 mod 4)] mod 4= (1 ⇤ 2) mod 4
8 ⇤ 4 =3 8 ⇤ 1 ) 4 =3 1
Additional property of modulo: if a1 =n b1 and a2 =n b2, then
(a1 + a2) =n (b1 + b2) and (a1 ⇤ a2) =n (b1 ⇤ b2)
This can also be expressed as
[(a1 mod n) + (a2 mod n)] mod n = (a1 + a2) mod n
and
[(a1 mod n) ⇤ (a2 mod n)] mod n = (a1 ⇤ a2) mod n
Also: if a ⇤ b =n a ⇤ c and a relatively prime to n, then b =n c.Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 20 / 86
Number Theory
Modular Arithmetics (cont.)
Theorem
Suppose that a, b 2 Z are relatively prime. There is a c 2 Z satisfyingbc mod a = 1, i.e., we can compute b�1 mod a.
Proof: From Extended Euclidean Algorithm, there exist x , y 2 Z where
1 = ax + by
Since a|ax , we have by mod a = 1. Assertion follows with c := y .
Fermat’s little theorem
For a and n relatively prime and n prime
an�1 =n 1
Example: 46 mod 7 = 16 ⇤ 16 ⇤ 16 mod 7 = 2 ⇤ 2 ⇤ 2 mod 7 = 1.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 22 / 86
Number Theory
Euler Totient Function
When doing arithmetic modulo n.Complete set of residues is 0, . . . , n � 1.Reduced set of residues consists of those numbers (residues)which are relatively prime to n.For instance, for n = 10:
complete set of residues is {0, 1, 2, 3, 4, 5, 6, 7, 8, 9},reduced set of residues is {1, 3, 7, 9}.
Number of elements in reduced set of residues is called the EulerTotient Function �(n).
In other words, �(n) is the number of positive integers less than nwhich are relatively prime to n.�(n) is the number of a 2 {1, 2, . . . , n � 1} with gcd(a, n) = 1.
n 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15�(n) 1 1 2 2 4 2 6 4 6 4 10 4 12 6 8
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 24 / 86
Number Theory
Euler’s Totient Function and Euler’s Theorem
Properties:
�(1) = 1.�(p) = p � 1 if p is prime.
�(p ⇤ q) = �(p) ⇤ �(q) = (p � 1) ⇤ (q � 1) if p and q are prime(p 6= q).
So that Fermat’s little theorem (for a and n relatively prime and nprime) can be rewritten to
Euler’s Theorem
a�(n) =n 1 for all a, n such that gcd(a, n) = 1.
Examples:
If a = 3 and n = 10, then �(10) = 4 and 34 = 81 =10 1If a = 2 and n = 11, then �(11) = 10 and 210 = 1024 =11 1
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 25 / 86
The RSA Algorithm
Outline1 Introduction to Public-Key Cryptography2 Number Theory3 The RSA Algorithm4 Asymmetric algorithms for secret key distribution
Secret key distribution with RSADiffie-Hellman key exchangeElGamal variant of Diffie-Hellman key exchangeMassey-Omura scheme
5 Message integrity and cryptographic hashes6 Message authentication
Message authentication codesDigital signatures
7 Conclusions8 Appendix on number theory
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 26 / 86
The RSA Algorithm
The RSA Algorithm
Named after inventors: Rivest, Shamir, Adleman, 1978.
Published after 1976 challenge by Diffie and Hellman.
Security comes from difficulty of factoring large numbers.Keys are functions of a pairs of large, � 100 digits, primenumbers.
Most popular public-key algorithm.Used in many applications, e.g., PGP, PEM, SSL, ...
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 27 / 86
The RSA Algorithm
The RSA Algorithm
Let n be a number known by sender and receiver.Plaintext split in blocks of dlog2(n)e bits.Thus each block represents a number M such that M < n.Encryption and decryption are defined as follows:
C = Me mod nM = Cd mod n = (Me)d mod n = Med mod n
for some (properly chosen) values of e and d .It is a public-key encryption algorithm with
public key PU = {e, n} andprivate key PR = {d , n}.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 28 / 86
The RSA Algorithm
The RSA Algorithm (cont.)
For the RSA algorithm to work, the following requirements must bemet:
1 It is possible to find values of e, d , and n such thatMed mod n = M for all M < n.
2 It is relatively easy to calculate Me mod n and Cd mod n for allvalues of M < n.
3 It is unfeasible to determine d given e and n.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 29 / 86
The RSA Algorithm
Correctness of RSA
We must show that there exist e, d , and n such that
Med mod n = M
for all M < n.It can be shown that the above equation holds if e and d aremultiplicative inverses mod �(n), i.e. if
d =�(n) e�1
iffde =�(n) 1 iffed mod �(n) = 1
But this is true only if d (and hence e) is relatively prime to �(n), i.e. ifgcd(�(n), d) = 1.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 30 / 86
The RSA Algorithm
Correctness of RSA
We must show that there exist e, d , and n such that
Med mod n = M
for all M < n.It can be shown that the above equation holds if e and d aremultiplicative inverses mod �(n), i.e. if
d =�(n) e�1 iffde =�(n) 1
iffed mod �(n) = 1
But this is true only if d (and hence e) is relatively prime to �(n), i.e. ifgcd(�(n), d) = 1.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 30 / 86
The RSA Algorithm
Correctness of RSA
We must show that there exist e, d , and n such that
Med mod n = M
for all M < n.It can be shown that the above equation holds if e and d aremultiplicative inverses mod �(n), i.e. if
d =�(n) e�1 iffde =�(n) 1 iffed mod �(n) = 1
But this is true only if d (and hence e) is relatively prime to �(n), i.e. ifgcd(�(n), d) = 1.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 30 / 86
The RSA Algorithm
RSA algorithms
Generate a public/private key pair:1 Generate two (large) distinct primes p and q.2 Compute n = pq and � = (p � 1)(q � 1).3 Select an e, 1 < e < �, relatively prime to �.4 Compute d = e�1 mod �.5 Publish (e, n), keep (d , n) private, discard p and q.
Encryption with key (e, n)1 Break message M into blocks M1M2 · · · with Mi < n
2 Compute Ci = Mei mod n.
Decryption with key (d , n):1 Compute Mi = Cd
i mod n.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 31 / 86
The RSA Algorithm
RSA algorithms: Example
Generate a public/private key pair:1 Generate two (large) distinct primes p and q.2 Compute n = pq and � = (p � 1)(q � 1).3 Select an e, 1 < e < �, relatively prime to �.4 Compute d = e�1 mod �.5 Publish (e, n), keep (d , n) private, discard p and q.
Encryption with key (e, n)1 Break message M into blocks M1M2 · · · with Mi < n
2 Compute Ci = Mei mod n.
Decryption with key (d , n) :1 Compute Mi = Cd
i mod n
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 32 / 86
The RSA Algorithm
RSA algorithms: Example
Generate a public/private key pair:1 Generate p = 47, q = 712 Compute n = pq and � = (p � 1)(q � 1).3 Select an e, 1 < e < �, relatively prime to �.4 Compute d = e�1 mod �.5 Publish (e, n), keep (d , n) private, discard p and q.
Encryption with key (e, n)1 Break message M into blocks M1M2 · · · with Mi < n
2 Compute Ci = Mei mod n.
Decryption with key (d , n) :1 Compute Mi = Cd
i mod n
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 32 / 86
The RSA Algorithm
RSA algorithms: Example
Generate a public/private key pair:1 Generate p = 47, q = 712 Compute n = pq = 3337 and � = (p � 1)(q � 1) = 46 ⇤ 70 = 32203 Select an e, 1 < e < �, relatively prime to �.4 Compute d = e�1 mod �.5 Publish (e, n), keep (d , n) private, discard p and q.
Encryption with key (e, n)1 Break message M into blocks M1M2 · · · with Mi < n
2 Compute Ci = Mei mod n.
Decryption with key (d , n) :1 Compute Mi = Cd
i mod n
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 32 / 86
The RSA Algorithm
RSA algorithms: Example
Generate a public/private key pair:1 Generate p = 47, q = 712 Compute n = pq = 3337 and � = (p � 1)(q � 1) = 46 ⇤ 70 = 32203 Choose e = 79 (randomly in the interval [1..3220])4 Compute d = e�1 mod �.5 Publish (e, n), keep (d , n) private, discard p and q.
Encryption with key (e, n)1 Break message M into blocks M1M2 · · · with Mi < n
2 Compute Ci = Mei mod n.
Decryption with key (d , n) :1 Compute Mi = Cd
i mod n
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 32 / 86
The RSA Algorithm
RSA algorithms: Example
Generate a public/private key pair:1 Generate p = 47, q = 712 Compute n = pq = 3337 and � = (p � 1)(q � 1) = 46 ⇤ 70 = 32203 Choose e = 79 (randomly in the interval [1..3220])4 Compute d = 79�1 mod 3220 = 10195 Publish (e, n), keep (d , n) private, discard p and q.
Encryption with key (e, n)1 Break message M into blocks M1M2 · · · with Mi < n
2 Compute Ci = Mei mod n.
Decryption with key (d , n) :1 Compute Mi = Cd
i mod n
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 32 / 86
The RSA Algorithm
RSA algorithms: Example
Generate a public/private key pair:1 Generate p = 47, q = 712 Compute n = pq = 3337 and � = (p � 1)(q � 1) = 46 ⇤ 70 = 32203 Choose e = 79 (randomly in the interval [1..3220])4 Compute d = 79�1 mod 3220 = 10195 Public key (e, n) = (79, 3337), private key (d , n) = (1019, 3337)
Encryption with key (e, n)1 Break message M into blocks M1M2 · · · with Mi < n
2 Compute Ci = Mei mod n.
Decryption with key (d , n) :1 Compute Mi = Cd
i mod n
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 32 / 86
The RSA Algorithm
RSA algorithms: Example
Generate a public/private key pair:1 Generate p = 47, q = 712 Compute n = pq = 3337 and � = (p � 1)(q � 1) = 46 ⇤ 70 = 32203 Choose e = 79 (randomly in the interval [1..3220])4 Compute d = 79�1 mod 3220 = 10195 Public key (e, n) = (79, 3337), private key (d , n) = (1019, 3337)
Encryption with key (e, n) = (79, 3337)1 Break message M into blocks M1M2 · · · with Mi < n
2 Compute Ci = Mei mod n.
Decryption with key (d , n) :1 Compute Mi = Cd
i mod n
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 32 / 86
The RSA Algorithm
RSA algorithms: Example
Generate a public/private key pair:1 Generate p = 47, q = 712 Compute n = pq = 3337 and � = (p � 1)(q � 1) = 46 ⇤ 70 = 32203 Choose e = 79 (randomly in the interval [1..3220])4 Compute d = 79�1 mod 3220 = 10195 Public key (e, n) = (79, 3337), private key (d , n) = (1019, 3337)
Encryption with key (e, n) = (79, 3337)1 Break message M into blocks, e.g. 688 232 687 966 668 · · ·2 Compute Ci = Me
i mod n.
Decryption with key (d , n) :1 Compute Mi = Cd
i mod n
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 32 / 86
The RSA Algorithm
RSA algorithms: Example
Generate a public/private key pair:1 Generate p = 47, q = 712 Compute n = pq = 3337 and � = (p � 1)(q � 1) = 46 ⇤ 70 = 32203 Choose e = 79 (randomly in the interval [1..3220])4 Compute d = 79�1 mod 3220 = 10195 Public key (e, n) = (79, 3337), private key (d , n) = (1019, 3337)
Encryption with key (e, n) = (79, 3337)1 Break message M into blocks, e.g. 688 232 687 966 668 · · ·2 Compute C1 = 68879 mod 3337 = 1570, C2 = ...
Decryption with key (d , n) :1 Compute Mi = Cd
i mod n
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 32 / 86
The RSA Algorithm
RSA algorithms: Example
Generate a public/private key pair:1 Generate p = 47, q = 712 Compute n = pq = 3337 and � = (p � 1)(q � 1) = 46 ⇤ 70 = 32203 Choose e = 79 (randomly in the interval [1..3220])4 Compute d = 79�1 mod 3220 = 10195 Public key (e, n) = (79, 3337), private key (d , n) = (1019, 3337)
Encryption with key (e, n) = (79, 3337)1 Break message M into blocks, e.g. 688 232 687 966 668 · · ·2 Compute C1 = 68879 mod 3337 = 1570, C2 = ...
Decryption with key (d , n) = (1019, 3337):1 Compute Mi = Cd
i mod n
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 32 / 86
The RSA Algorithm
RSA algorithms: Example
Generate a public/private key pair:1 Generate p = 47, q = 712 Compute n = pq = 3337 and � = (p � 1)(q � 1) = 46 ⇤ 70 = 32203 Choose e = 79 (randomly in the interval [1..3220])4 Compute d = 79�1 mod 3220 = 10195 Public key (e, n) = (79, 3337), private key (d , n) = (1019, 3337)
Encryption with key (e, n) = (79, 3337)1 Break message M into blocks, e.g. 688 232 687 966 668 · · ·2 Compute C1 = 68879 mod 3337 = 1570, C2 = ...
Decryption with key (d , n) = (1019, 3337):1 Compute M1 = 15701019 mod 3337 = 688, M2 = ...
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 32 / 86
The RSA Algorithm
RSA Security
Computation of secret d given (e, n).As difficult as factorization. If we can factor n = pq then we cancompute � = (p � 1)(q � 1) and hence d = e�1 mod �.
No known polynomial time algorithm.But given progress in factoring, n should have at least 1024 bits.
Computation of Mi , given Ci , and (e, n).Unclear (= no proof) whether it is necessary to compute d , i.e., tofactorize n.
) Progress in number theory could make RSA insecure.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 33 / 86
Asymmetric algorithms for secret key distribution
Outline1 Introduction to Public-Key Cryptography2 Number Theory3 The RSA Algorithm4 Asymmetric algorithms for secret key distribution
Secret key distribution with RSADiffie-Hellman key exchangeElGamal variant of Diffie-Hellman key exchangeMassey-Omura scheme
5 Message integrity and cryptographic hashes6 Message authentication
Message authentication codesDigital signatures
7 Conclusions8 Appendix on number theory
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 34 / 86
Asymmetric algorithms for secret key distribution
The key distribution problem
K1
K2K3
K4
K5
For n = 1000, we need 499,500 symmetric versus 2000asymmetric keys.Trust:What good would it do after all to develop impenetrablecryptosystems, if their users were forced to share their keyswith a key distribution center that could be compromised byeither burglary or subpoena?”
Whitfield Diffie, The first-ten years of public key cryptography, 1988Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 35 / 86
Asymmetric algorithms for secret key distribution
Asymmetric algorithms for secret key distribution
Use public key encryption algorithms to support (faster) symmetriccryptography.
We will see two approaches:Secret key distribution with RSA.Diffie-Hellman key exchange.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 36 / 86
Asymmetric algorithms for secret key distribution Secret key distribution with RSA
Outline1 Introduction to Public-Key Cryptography2 Number Theory3 The RSA Algorithm4 Asymmetric algorithms for secret key distribution
Secret key distribution with RSADiffie-Hellman key exchangeElGamal variant of Diffie-Hellman key exchangeMassey-Omura scheme
5 Message integrity and cryptographic hashes6 Message authentication
Message authentication codesDigital signatures
7 Conclusions8 Appendix on number theory
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 37 / 86
Asymmetric algorithms for secret key distribution Secret key distribution with RSA
Secret key distribution with RSA
Encryption of m (with public key (e, n)):choose k randomly
c = (ke mod n, Ek (m))
Decryption (with private key (d , n))Split c into (c1, c2)
k = cd1 mod n m = Dk (c2)
Example: SSLAlice chooses a secret, encrypts it with Bob’s PK and rest of thesession is protected based on that secret.
Problem: if the private key (d , n) gets compromised, then k canbe recovered by an intruder from previously observed traffic.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 38 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Outline1 Introduction to Public-Key Cryptography2 Number Theory3 The RSA Algorithm4 Asymmetric algorithms for secret key distribution
Secret key distribution with RSADiffie-Hellman key exchangeElGamal variant of Diffie-Hellman key exchangeMassey-Omura scheme
5 Message integrity and cryptographic hashes6 Message authentication
Message authentication codesDigital signatures
7 Conclusions8 Appendix on number theory
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 39 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Background on discrete logarithms
A primitive root s of a prime number p is a number whose powersgenerate 1, . . . , p � 1.So s mod p, s2 mod p, . . ., sp�1 mod p are distinct, i.e., apermutation of 1 through p � 1. Hence:
8b 2 Z.9i 2 {0, . . . , p � 1}. b = si mod p
Given b 2 Z, exponent i above is the discrete logarithm of b forbase s, mod p.Computing discrete logs appears infeasible.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 40 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Diffie-Hellman key exchange
1 Principals share prime q and primitive root ↵. Both may be public.2 A and B generate random numbers XA and XB (respectively) both
less than q.3 A computes YA = ↵XA mod q, B computes YB = ↵XB mod q.4 A and B exchange results.5 A computes KA = Y XA
B mod q, B computes KB = Y XBA mod q.
Keys are equal, i.e. KA = KB:
KA = Y XAB mod q
= (↵XB)XA mod q= (↵XA)XB mod q
= Y XBA mod q = KB
Security depends on difficulty of computing discrete logs.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 41 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Diffie-Hellman key exchange
1 Principals share prime q and primitive root ↵. Both may be public.2 A and B generate random numbers XA and XB (respectively) both
less than q.3 A computes YA = ↵XA mod q, B computes YB = ↵XB mod q.4 A and B exchange results.5 A computes KA = Y XA
B mod q, B computes KB = Y XBA mod q.
Keys are equal, i.e. KA = KB:
KA = Y XAB mod q
= (↵XB)XA mod q= (↵XA)XB mod q
= Y XBA mod q = KB
Security depends on difficulty of computing discrete logs.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 41 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Diffie-Hellman key exchange
1 Principals share prime q and primitive root ↵. Both may be public.2 A and B generate random numbers XA and XB (respectively) both
less than q.3 A computes YA = ↵XA mod q, B computes YB = ↵XB mod q.4 A and B exchange results.5 A computes KA = Y XA
B mod q, B computes KB = Y XBA mod q.
Keys are equal, i.e. KA = KB:
KA = Y XAB mod q
= (↵XB)XA mod q
= (↵XA)XB mod q
= Y XBA mod q = KB
Security depends on difficulty of computing discrete logs.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 41 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Diffie-Hellman key exchange
1 Principals share prime q and primitive root ↵. Both may be public.2 A and B generate random numbers XA and XB (respectively) both
less than q.3 A computes YA = ↵XA mod q, B computes YB = ↵XB mod q.4 A and B exchange results.5 A computes KA = Y XA
B mod q, B computes KB = Y XBA mod q.
Keys are equal, i.e. KA = KB:
KA = Y XAB mod q
= (↵XB)XA mod q= (↵XA)XB mod q
= Y XBA mod q = KB
Security depends on difficulty of computing discrete logs.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 41 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Diffie-Hellman key exchange
1 Principals share prime q and primitive root ↵. Both may be public.2 A and B generate random numbers XA and XB (respectively) both
less than q.3 A computes YA = ↵XA mod q, B computes YB = ↵XB mod q.4 A and B exchange results.5 A computes KA = Y XA
B mod q, B computes KB = Y XBA mod q.
Keys are equal, i.e. KA = KB:
KA = Y XAB mod q
= (↵XB)XA mod q= (↵XA)XB mod q
= Y XBA mod q = KB
Security depends on difficulty of computing discrete logs.Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 41 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Diffie-Hellman key exchange (cont.)
YA
YB
Figure 10.8 Diffie-Hellman Key Exchange
User A User B
Generate random XA < q;Calculate YA = aXA mod q Generate
random XB < q;Calculate YB = aXB mod q;Calculate K = (YA)XB mod q Calculate
K = (YB)XA mod q
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 42 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Diffie-Hellman: strengths
The shared secret key is created out of nothing!
The shared secret key is at least as strong as the strongesthalf-key: neither A nor B can completely sabotage the resultingkey.
The shared secret key is never transmitted (not even in encryptedform).
) Perfect Forward Secrecy (PFS): a session key derived from aset of long-term public and private keys will not be compromised ifone of the (long-term) private keys is compromised in the future.
That is, if someone records the entire conversation and laterdiscovers Alice’s or Bob’s private keys, he/she won’t be able todecrypt anything (except for the data explicitly encrypted with thatprivate key)!
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 43 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Diffie-Hellman: weaknesses
Keys are unauthenticated and thus it is vulnerable to the followingMan-in-the-middle Attack :
1 A transmits YA to B.
2 Z intercepts YA and transmits YZ to B.Z also calculates K1 = (YA)XZ mod q.
3 B receives YZ and calculates K2 = (YZ )XB mod q.4 B transmits YB to A.5 Z intercepts YB and transmits YZ to A.
Z calculates K2 = (YB)XZ mod q.6 A receives YZ and calculates K1 = (YZ )XA mod q.
Now A and B think that they share a secret key, but instead A sharessecret key K1 with Z and B shares secret key K2 with Z .Solution: sign the exponents. But this requires shared keys!
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 44 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Diffie-Hellman: weaknesses
Keys are unauthenticated and thus it is vulnerable to the followingMan-in-the-middle Attack :
1 A transmits YA to B.2 Z intercepts YA and transmits YZ to B.
Z also calculates K1 = (YA)XZ mod q.
3 B receives YZ and calculates K2 = (YZ )XB mod q.4 B transmits YB to A.5 Z intercepts YB and transmits YZ to A.
Z calculates K2 = (YB)XZ mod q.6 A receives YZ and calculates K1 = (YZ )XA mod q.
Now A and B think that they share a secret key, but instead A sharessecret key K1 with Z and B shares secret key K2 with Z .Solution: sign the exponents. But this requires shared keys!
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 44 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Diffie-Hellman: weaknesses
Keys are unauthenticated and thus it is vulnerable to the followingMan-in-the-middle Attack :
1 A transmits YA to B.2 Z intercepts YA and transmits YZ to B.
Z also calculates K1 = (YA)XZ mod q.3 B receives YZ and calculates K2 = (YZ )XB mod q.
4 B transmits YB to A.5 Z intercepts YB and transmits YZ to A.
Z calculates K2 = (YB)XZ mod q.6 A receives YZ and calculates K1 = (YZ )XA mod q.
Now A and B think that they share a secret key, but instead A sharessecret key K1 with Z and B shares secret key K2 with Z .Solution: sign the exponents. But this requires shared keys!
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 44 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Diffie-Hellman: weaknesses
Keys are unauthenticated and thus it is vulnerable to the followingMan-in-the-middle Attack :
1 A transmits YA to B.2 Z intercepts YA and transmits YZ to B.
Z also calculates K1 = (YA)XZ mod q.3 B receives YZ and calculates K2 = (YZ )XB mod q.4 B transmits YB to A.
5 Z intercepts YB and transmits YZ to A.Z calculates K2 = (YB)XZ mod q.
6 A receives YZ and calculates K1 = (YZ )XA mod q.Now A and B think that they share a secret key, but instead A sharessecret key K1 with Z and B shares secret key K2 with Z .Solution: sign the exponents. But this requires shared keys!
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 44 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Diffie-Hellman: weaknesses
Keys are unauthenticated and thus it is vulnerable to the followingMan-in-the-middle Attack :
1 A transmits YA to B.2 Z intercepts YA and transmits YZ to B.
Z also calculates K1 = (YA)XZ mod q.3 B receives YZ and calculates K2 = (YZ )XB mod q.4 B transmits YB to A.5 Z intercepts YB and transmits YZ to A.
Z calculates K2 = (YB)XZ mod q.
6 A receives YZ and calculates K1 = (YZ )XA mod q.Now A and B think that they share a secret key, but instead A sharessecret key K1 with Z and B shares secret key K2 with Z .Solution: sign the exponents. But this requires shared keys!
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 44 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Diffie-Hellman: weaknesses
Keys are unauthenticated and thus it is vulnerable to the followingMan-in-the-middle Attack :
1 A transmits YA to B.2 Z intercepts YA and transmits YZ to B.
Z also calculates K1 = (YA)XZ mod q.3 B receives YZ and calculates K2 = (YZ )XB mod q.4 B transmits YB to A.5 Z intercepts YB and transmits YZ to A.
Z calculates K2 = (YB)XZ mod q.6 A receives YZ and calculates K1 = (YZ )XA mod q.
Now A and B think that they share a secret key, but instead A sharessecret key K1 with Z and B shares secret key K2 with Z .Solution: sign the exponents. But this requires shared keys!
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 44 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Diffie-Hellman: weaknesses
Keys are unauthenticated and thus it is vulnerable to the followingMan-in-the-middle Attack :
1 A transmits YA to B.2 Z intercepts YA and transmits YZ to B.
Z also calculates K1 = (YA)XZ mod q.3 B receives YZ and calculates K2 = (YZ )XB mod q.4 B transmits YB to A.5 Z intercepts YB and transmits YZ to A.
Z calculates K2 = (YB)XZ mod q.6 A receives YZ and calculates K1 = (YZ )XA mod q.
Now A and B think that they share a secret key,
but instead A sharessecret key K1 with Z and B shares secret key K2 with Z .Solution: sign the exponents. But this requires shared keys!
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 44 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Diffie-Hellman: weaknesses
Keys are unauthenticated and thus it is vulnerable to the followingMan-in-the-middle Attack :
1 A transmits YA to B.2 Z intercepts YA and transmits YZ to B.
Z also calculates K1 = (YA)XZ mod q.3 B receives YZ and calculates K2 = (YZ )XB mod q.4 B transmits YB to A.5 Z intercepts YB and transmits YZ to A.
Z calculates K2 = (YB)XZ mod q.6 A receives YZ and calculates K1 = (YZ )XA mod q.
Now A and B think that they share a secret key, but instead A sharessecret key K1 with Z and B shares secret key K2 with Z .
Solution: sign the exponents. But this requires shared keys!
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 44 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Diffie-Hellman: weaknesses
Keys are unauthenticated and thus it is vulnerable to the followingMan-in-the-middle Attack :
1 A transmits YA to B.2 Z intercepts YA and transmits YZ to B.
Z also calculates K1 = (YA)XZ mod q.3 B receives YZ and calculates K2 = (YZ )XB mod q.4 B transmits YB to A.5 Z intercepts YB and transmits YZ to A.
Z calculates K2 = (YB)XZ mod q.6 A receives YZ and calculates K1 = (YZ )XA mod q.
Now A and B think that they share a secret key, but instead A sharessecret key K1 with Z and B shares secret key K2 with Z .Solution: sign the exponents. But this requires shared keys!
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 44 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Diffie-Hellman: man-in-the-middle attack
A Z B
A “believes” that she shares key K1 = ↵XAXZ mod q with B.B “believes” that he shares key K2 = ↵XBXZ mod q with A.Z can use these two keys to read and relay “confidential” communicationsbetween A and B, or to impersonate one of them to the other.Can be prevented by mutual authentication between A and B.Typically: add an exchange of digitally signed identification (ID) tokens.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 45 / 86
Asymmetric algorithms for secret key distribution Diffie-Hellman key exchange
Group Diffie-Hellman (for three or more parties)
Given a Diffie-Hellman group (↵, q), three parties Alice, Bob and Carol cangenerate together a secret key K = ↵XAXBXC mod q by:
1 Alice chooses a random large integer XA and sends to Bob: YA = ↵XA mod q
2 Bob chooses a random large integer XB and sends to Carol YB = ↵XB mod q
3 Carol chooses a random large integer XC and sends to Alice: YC = ↵XC mod q
4 Alice sends to Bob Y 0C = Y XA
C mod q
5 Bob sends to Carol Y 0A = Y XB
A mod q
6 Carol sends to Alice Y 0B = Y XC
B mod q
7 Alice computes: K = Y 0B
XA mod q
8 Bob computes: K = Y 0C
XB mod q
9 Carol computes: K = Y 0A
XC mod q
Can be extended to more parties by adding more rounds of computations.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 46 / 86
Asymmetric algorithms for secret key distribution ElGamal variant of Diffie-Hellman key exchange
Outline1 Introduction to Public-Key Cryptography2 Number Theory3 The RSA Algorithm4 Asymmetric algorithms for secret key distribution
Secret key distribution with RSADiffie-Hellman key exchangeElGamal variant of Diffie-Hellman key exchangeMassey-Omura scheme
5 Message integrity and cryptographic hashes6 Message authentication
Message authentication codesDigital signatures
7 Conclusions8 Appendix on number theory
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 47 / 86
Asymmetric algorithms for secret key distribution ElGamal variant of Diffie-Hellman key exchange
ElGamal variant
Setup: same as Diffie-Hellman. Public prime q and generator ↵.Moreover, let E be any symmetric encryption function.SchemaStep 1 B chooses XB and computes YB = ↵XB mod q.
B ! A: YB.Step 2 A chooses integer XA, computes YA = ↵XA mod q, and
computes key K = Y XAB mod q.
A! B: (E(M, K ), YA)
Step 3 B computes K = Y XBA mod q and uses K to decrypt
E(M, K ).Red parts are Diffie-Hellman.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 48 / 86
Asymmetric algorithms for secret key distribution Massey-Omura scheme
Outline1 Introduction to Public-Key Cryptography2 Number Theory3 The RSA Algorithm4 Asymmetric algorithms for secret key distribution
Secret key distribution with RSADiffie-Hellman key exchangeElGamal variant of Diffie-Hellman key exchangeMassey-Omura scheme
5 Message integrity and cryptographic hashes6 Message authentication
Message authentication codesDigital signatures
7 Conclusions8 Appendix on number theory
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 49 / 86
Asymmetric algorithms for secret key distribution Massey-Omura scheme
Massey-Omura scheme
Encryption without shared keys based on discrete log problem.Principals share (public) prime p.u 2 {A, B} chooses (private) eu, du 2 Z such that
eudu mod (p � 1) = 1 .
So (p � 1)|(eudu � 1). So there is a k where eudu = k(p � 1) + 1.Hence, by Euler’s theorem, for all m 2 {1, . . . p � 1}
meudu mod p = mk(p�1)m mod p = m mod p = m
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 50 / 86
Asymmetric algorithms for secret key distribution Massey-Omura scheme
Massey-Omura Protocol
Step 1 A! B: meA mod p
Step 2 B ! A: meAeB mod p
Step 3 A! B: meAeBdA mod p (= meB )
Step 4 A! B: meAeBdAdB mod p (= m)
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 51 / 86
Message integrity and cryptographic hashes
Outline1 Introduction to Public-Key Cryptography2 Number Theory3 The RSA Algorithm4 Asymmetric algorithms for secret key distribution
Secret key distribution with RSADiffie-Hellman key exchangeElGamal variant of Diffie-Hellman key exchangeMassey-Omura scheme
5 Message integrity and cryptographic hashes6 Message authentication
Message authentication codesDigital signatures
7 Conclusions8 Appendix on number theory
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 52 / 86
Message integrity and cryptographic hashes
Message Integrity
Sorry nottonight
Tonight atmy place
Message or data integrity is the property that data has not beenaltered in an unauthorized manner since the time it was created,transmitted, or stored by an authorized source.In operating systems, access control can be used to ensure dataintegrity. In open networks, one uses cryptographic means.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 53 / 86
Message integrity and cryptographic hashes
Cryptographic hash requirements
Motivation: create a data “fingerprint".A hash function h(x) (in the general sense) has the properties:
1 Compression: h maps an input x of arbitrary bit length to an outputh(x) of fixed bit length n.
2 Polynomial time computable.
Example (longitudinal redundancy check):Given m blocks of n-bit input b1, . . . , bm, form the n-bit checksum cfrom the bitwise xor of every block. I.e., (for 1 i n)
ci = bi1 � bi2 � . . .� bim
Cryptographic techniques can be seen as a refinement ofchecksum techniques to handle active forger.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 54 / 86
Message integrity and cryptographic hashes
Cryptographic hash requirements (cont.)
h(x) is a cryptographic hash function if it is additionally:One-way (or pre-image resistant).Given y , it is hard to compute an x where h(x) = y .And usually either2nd-preimage resistance: It is computationally infeasible to find a
second input that has the same output as any specified input,i.e., given x to find an x 0 6= x such that h(x) = h(x 0).
Collision resistance: It is difficult to find two distinct inputs x , x 0
where h(x) = h(x 0).
Hash value also called message digest or modification detectioncode.An application: password files.
For password p, store h(p) in password file.Requires only pre-image resistance. Why?Often combined with salt s, i.e., store pair (s, h(s, p)).
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 55 / 86
Message integrity and cryptographic hashes
Message or data integrity is the property that data has not beenaltered in an unauthorized manner since the time it was created,transmitted, or stored by an authorized source.
Sorry nottonight
Tonight atmy place
Message integrity: modification detection code providescheckable fingerprint.
computesMDC = h(M’)MDC = h(M)
M M’
MDC(Authenticated)
verifies if
Requires 2nd-preimage resistance and authenticated MDC.Typical application: signed hashes.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 56 / 86
Message integrity and cryptographic hashes
Collision resistance and the birthday paradox
When attacker controls input to hash function, collision resistanceis important.Unimportant for password hashing. What about signing contracts?Birthday paradox
How many people must be in a room such that the probability p thatone has your birthday is p > .5?
The probability that one of n people has your birthday is n/365, sofor n = 183, p > 0.5.How many people must be in a room such that the probability p thatany two share the same birthday is p > .5? 23 persons!Generalization: Let h have 2m possible outputs. h must be appliedto 2m/2 inputs so that the probability of a collision is greater than0.5.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 57 / 86
Message integrity and cryptographic hashes
Collision resistance and the birthday paradox
When attacker controls input to hash function, collision resistanceis important.Unimportant for password hashing. What about signing contracts?Birthday paradox
How many people must be in a room such that the probability p thatone has your birthday is p > .5?The probability that one of n people has your birthday is n/365, sofor n = 183, p > 0.5.
How many people must be in a room such that the probability p thatany two share the same birthday is p > .5? 23 persons!Generalization: Let h have 2m possible outputs. h must be appliedto 2m/2 inputs so that the probability of a collision is greater than0.5.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 57 / 86
Message integrity and cryptographic hashes
Collision resistance and the birthday paradox
When attacker controls input to hash function, collision resistanceis important.Unimportant for password hashing. What about signing contracts?Birthday paradox
How many people must be in a room such that the probability p thatone has your birthday is p > .5?The probability that one of n people has your birthday is n/365, sofor n = 183, p > 0.5.How many people must be in a room such that the probability p thatany two share the same birthday is p > .5?
23 persons!Generalization: Let h have 2m possible outputs. h must be appliedto 2m/2 inputs so that the probability of a collision is greater than0.5.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 57 / 86
Message integrity and cryptographic hashes
Collision resistance and the birthday paradox
When attacker controls input to hash function, collision resistanceis important.Unimportant for password hashing. What about signing contracts?Birthday paradox
How many people must be in a room such that the probability p thatone has your birthday is p > .5?The probability that one of n people has your birthday is n/365, sofor n = 183, p > 0.5.How many people must be in a room such that the probability p thatany two share the same birthday is p > .5? 23 persons!
Generalization: Let h have 2m possible outputs. h must be appliedto 2m/2 inputs so that the probability of a collision is greater than0.5.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 57 / 86
Message integrity and cryptographic hashes
Collision resistance and the birthday paradox
When attacker controls input to hash function, collision resistanceis important.Unimportant for password hashing. What about signing contracts?Birthday paradox
How many people must be in a room such that the probability p thatone has your birthday is p > .5?The probability that one of n people has your birthday is n/365, sofor n = 183, p > 0.5.How many people must be in a room such that the probability p thatany two share the same birthday is p > .5? 23 persons!Generalization: Let h have 2m possible outputs. h must be appliedto 2m/2 inputs so that the probability of a collision is greater than0.5.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 57 / 86
Message integrity and cryptographic hashes
A birthday attack
One might think a 64 bit hash code is secure. Preimageresistance means, on average 263 messages must be tried.
Birthday attack for finding collisionsSuppose A is willing to sign a contract with B. Then B preparesversion x , good for A, and version y , which bankrupts her.
B generates “good” messages x1, . . ..Similarly he dovetails the generation of the “bad” y1, . . ..He stops when h(xi) = h(yj).
A signs h(xi). Later B uses signature for yj .
On average, work required is order of 232.So double your hash size if collision avoidance important!
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 58 / 86
Message integrity and cryptographic hashes
A letter in 237 variations
Dear Anthony,⇢
This letter isI am writing
�to introduce
⇢you toto you
� ⇢Mr.
�Alfred
⇢P.
�
Barton, the⇢
newnewly appointed
� ⇢chief
senior
�jewellery buyer for
⇢ourthe
�Northern
⇢EuropeanEurope
� ⇢area
division
�. He
⇢will take
has taken
�
over⇢
the�
responsibility for⇢
allthe whole of
�our interests in
⇢watches and jewelleryjewellery and watches
�in the
⇢area
region
�. . . .
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 59 / 86
Message integrity and cryptographic hashes
Constructing a cryptographic hash function
Simplest constructions use block chaining techniques (Rabin1978):
Divide message M into fixed size blocks b1, . . . bn.
Use symmetric encryption algorithm, e.g., DES
h0 = IV (initial value) and hi = Ebi (hi�1)
...b1 b2 bn
IV hnh1 h2Eb1
Eb2
Ebn
Similar to Cipher Block Chaining, but no secret key.
Modern algorithms are considerably more complex.MD5 (Rivest): 128 bit hashes. Known weakness.SHA (US Standard): 160 bit hashes. Assumed secure.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 60 / 86
Message authentication
Outline1 Introduction to Public-Key Cryptography2 Number Theory3 The RSA Algorithm4 Asymmetric algorithms for secret key distribution
Secret key distribution with RSADiffie-Hellman key exchangeElGamal variant of Diffie-Hellman key exchangeMassey-Omura scheme
5 Message integrity and cryptographic hashes6 Message authentication
Message authentication codesDigital signatures
7 Conclusions8 Appendix on number theory
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 61 / 86
Message authentication Message authentication codes
Outline1 Introduction to Public-Key Cryptography2 Number Theory3 The RSA Algorithm4 Asymmetric algorithms for secret key distribution
Secret key distribution with RSADiffie-Hellman key exchangeElGamal variant of Diffie-Hellman key exchangeMassey-Omura scheme
5 Message integrity and cryptographic hashes6 Message authentication
Message authentication codesDigital signatures
7 Conclusions8 Appendix on number theory
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 62 / 86
Message authentication Message authentication codes
Message authentication codes
Message authentication also called data-origin authentication.
Alice
Tonight atmy place,
Annmy place,Tonight at
Observe that message authentication implies message integrity.Contrast to entity (or user) authentication
Yes.
Is it you, Alice?
Message Authentication Codes (MACs) and digital signatures aretwo main techniques for establishing message authentication.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 63 / 86
Message authentication Message authentication codes
MACs
A MAC algorithm is a family of hash functions hk parameterized bya secret key k . The hk must be computation-resistant: given zeroor more MAC pairs (xi , hk (xi)), it is infeasible to compute(x , hk (x)) for any new input x 6= xi .Message authentication with MACs
M’, MAC’M, MAC
altersM and MAC
computesMAC = h (M) MAC’ = h (M’)K K
verifies if
hk any enciphering algorithm that returns fixed length output.Message authentication?
Yes, for verified messages.Non-repudiation? Not with symmetric cipher.Freshness? No detection of message replay.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 64 / 86
Message authentication Message authentication codes
MACs
A MAC algorithm is a family of hash functions hk parameterized bya secret key k . The hk must be computation-resistant: given zeroor more MAC pairs (xi , hk (xi)), it is infeasible to compute(x , hk (x)) for any new input x 6= xi .Message authentication with MACs
M’, MAC’M, MAC
altersM and MAC
computesMAC = h (M) MAC’ = h (M’)K K
verifies if
hk any enciphering algorithm that returns fixed length output.Message authentication? Yes, for verified messages.Non-repudiation?
Not with symmetric cipher.Freshness? No detection of message replay.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 64 / 86
Message authentication Message authentication codes
MACs
A MAC algorithm is a family of hash functions hk parameterized bya secret key k . The hk must be computation-resistant: given zeroor more MAC pairs (xi , hk (xi)), it is infeasible to compute(x , hk (x)) for any new input x 6= xi .Message authentication with MACs
M’, MAC’M, MAC
altersM and MAC
computesMAC = h (M) MAC’ = h (M’)K K
verifies if
hk any enciphering algorithm that returns fixed length output.Message authentication? Yes, for verified messages.Non-repudiation? Not with symmetric cipher.Freshness?
No detection of message replay.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 64 / 86
Message authentication Message authentication codes
MACs
A MAC algorithm is a family of hash functions hk parameterized bya secret key k . The hk must be computation-resistant: given zeroor more MAC pairs (xi , hk (xi)), it is infeasible to compute(x , hk (x)) for any new input x 6= xi .Message authentication with MACs
M’, MAC’M, MAC
altersM and MAC
computesMAC = h (M) MAC’ = h (M’)K K
verifies if
hk any enciphering algorithm that returns fixed length output.Message authentication? Yes, for verified messages.Non-repudiation? Not with symmetric cipher.Freshness? No detection of message replay.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 64 / 86
Message authentication Message authentication codes
Constructing MACs (I)
Simplest realization based on cipher-block chaining.
K
Block cBlock m Block m Block m4 3 2 1f
c1 = EK (m1 � 0)
ci = EK (ci�1 �mi)
E is a block cipher, e.g., DES.cn is MAC. Alternatively i left-most bits can be used.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 65 / 86
Message authentication Digital signatures
Outline1 Introduction to Public-Key Cryptography2 Number Theory3 The RSA Algorithm4 Asymmetric algorithms for secret key distribution
Secret key distribution with RSADiffie-Hellman key exchangeElGamal variant of Diffie-Hellman key exchangeMassey-Omura scheme
5 Message integrity and cryptographic hashes6 Message authentication
Message authentication codesDigital signatures
7 Conclusions8 Appendix on number theory
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 67 / 86
Message authentication Digital signatures
The digital signature problem
Alice
Tonight atmy place,
Annmy place,Tonight at
Problem of proof of data origin.How do we know, or prove, that a message originated from aparticular person?Public key cryptography supports both knowing and proving toothers (non-repudiation).Would this be possible using a shared key?
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 68 / 86
Message authentication Digital signatures
Digital signature requirements
Signature is fundamental in authentication and nonrepudiation.
Nomenclature and set-upM is set of messages that can be signed.
S is set of elements called signatures, e.g., n-bit strings.
SA : M! S, is a signing transformation for entity A, and keptsecret by A.
VA : M⇥ S ! {true, false} is a verification transformation for A’ssignature and is publicly known.
SA and VA provide digital signature scheme for A.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 69 / 86
Message authentication Digital signatures
Signature schema (cont.)
Example
m1
m2
m3
s1
s2
s3
(m , s )1 1(m , s )1 2
(m , s )1 3(m , s )12(m , s )2 2
(m , s )2 3
(m , s )13
(m , s )3 3
(m , s )23
SA
VA
False
True
Signing procedure: A creates a signature for m 2M by:Compute s = SA(m) and transmit pair (m, s).Verification procedure. B verifies A’s signature of (m, s) by:Compute u = VA(m, s). Accept signature only if u = true.Secrecy requires:
it is hard for any entity other than A to find, forany m 2M, an s 2 S, where VA(m, s) = true.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 70 / 86
Message authentication Digital signatures
Signature schema (cont.)
Example
m1
m2
m3
s1
s2
s3
(m , s )1 1(m , s )1 2
(m , s )1 3(m , s )12(m , s )2 2
(m , s )2 3
(m , s )13
(m , s )3 3
(m , s )23
SA
VA
False
True
Signing procedure: A creates a signature for m 2M by:Compute s = SA(m) and transmit pair (m, s).Verification procedure. B verifies A’s signature of (m, s) by:Compute u = VA(m, s). Accept signature only if u = true.Secrecy requires: it is hard for any entity other than A to find, forany m 2M, an s 2 S, where VA(m, s) = true.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 70 / 86
Message authentication Digital signatures
Implementing digital signatures
Can be based on (reversible) public-key encryption systems.Consider Ee : M! C is a public-key transformation. Moreover,suppose that M = C. If Dd is the decryption transformationcorresponding to Ee, then since both are permutations
Dd(Ee(m)) = Ee(Dd(m)) = m for all m 2M.
A public-key encryption scheme of this type is called reversible.Construction for a digital signature schema
1 Let M and C be message and signature space, with M = C.2 Let (e,d) be a key pair for the public-key encryption scheme.3 Define signing function SA to be Dd . I.e., s = Dd (m).4 Define VA by
VA(m, s) =
⇢true, if Ee(s) = m,false, otherwise
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 71 / 86
Message authentication Digital signatures
Implementation (cont.)
Previous schema admits a forgery attack:1 Attacker B selects a random s 2 S and computes m = Ee(s).2 Since S = M, he can submit (m, s) as message with signature.3 Verification returns true even though A did not sign m!
Solution: let some subset M0 ⇢M constitute the signablemessages.Redefine verifier VA : S ! {true, false} as:
VA(s) =
⇢true, if Ee(s) 2M0
false, otherwise
Messages can be recovered since m = Ee(s).Secure when M0 is a sufficiently small subset of M.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 72 / 86
Message authentication Digital signatures
Implementation (cont.)
RSA provides a realization of digital signatures:
Dd(Ee(m)) = Ee(Dd(m)) = m
Forgery prevented by signing messages with fixed structure, e.g.,Message names its sender, or (more typically).Cryptographic hash signed, sent with the message.
m’, D (h(m))m, D (h(m))d d
verifies ifh(m’) = E (D (h(m))de
Pair can additionally be encrypted for confidentiality.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 73 / 86
Conclusions
Outline1 Introduction to Public-Key Cryptography2 Number Theory3 The RSA Algorithm4 Asymmetric algorithms for secret key distribution
Secret key distribution with RSADiffie-Hellman key exchangeElGamal variant of Diffie-Hellman key exchangeMassey-Omura scheme
5 Message integrity and cryptographic hashes6 Message authentication
Message authentication codesDigital signatures
7 Conclusions8 Appendix on number theory
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 74 / 86
Conclusions
Conclusions
Symmetric/asymmetric cryptography ensure confidentiality.Assuming (un)conditional security and properly distributed keys.
Asymmetric cryptography simplifies key distribution.Simplifies logistics, due to substantially reduced number of keys.But still need an authenticated channel to distribute keys.
Implements message authentication, once keys distributed.Public Key Infrastructures are clearly important.Information security as an art: designing mechanisms andinfrastructures appropriate for application/environment.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 75 / 86
Appendix on number theory
Outline1 Introduction to Public-Key Cryptography2 Number Theory3 The RSA Algorithm4 Asymmetric algorithms for secret key distribution
Secret key distribution with RSADiffie-Hellman key exchangeElGamal variant of Diffie-Hellman key exchangeMassey-Omura scheme
5 Message integrity and cryptographic hashes6 Message authentication
Message authentication codesDigital signatures
7 Conclusions8 Appendix on number theory
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 76 / 86
Appendix on number theory
Greatest Common Divisor
For a, b 2 N, gcd(a, b) denotes greatest common divisor.Example 60 = 22 ⇤ 3 ⇤ 5, 14 = 2 ⇤ 7, gcd(60, 14) = 2gcd can be computed quickly using Euclid’s algorithm.
gcd(60, 14) : 60 = 4 ⇤ 14 + 4gcd(14, 4) : 14 = 3 ⇤ 4 + 2gcd(4, 2) : 4 = 2 ⇤ 2
Extended Euclid’s algorithm computes x , y 2 Z such that
gcd(a, b) = xa + yb
Here 2 = 14� 3(60� 4 ⇤ 14) = �3 ⇤ 60 + 13 ⇤ 14a, b 2 N are relatively prime if gcd(a, b) = 1.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 77 / 86
Appendix on number theory
Euclid’s Algorithm
Euclid’s algorithm is based on the theoremgcd(a, b) = gcd(b, a mod b) for any nonnegative integer a andany positive integer b.
For example, gcd(55, 22) = gcd(22, 55 mod 22) = gcd(22, 11) = 11.The algorithm is
Euclid(a, b)1 if b = 02 then return a3 else return Euclid(b, a mod b)
Euclid(30, 21) = Euclid(21, 9) = Euclid(9, 3) = Euclid(3, 0) = 3.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 78 / 86
Appendix on number theory
Extended Euclid’s Algorithm
Extend the algorithm to compute the integer coefficients x and y suchthat
d = gcd(a, b) = ax + by
The algorithm is
Extended-Euclid(a, b)1 if b = 02 then return (a, 1, 0)3 (d 0, x 0, y 0) Extended-Euclid(b, a mod b)4 (d , x , y) (d 0, y 0, x 0 � ba/bcy 0)5 return (d , x , y)
where q = ba/bc is the quotient of the division (for a = qb + r ).
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 79 / 86
Appendix on number theory
Extended Euclid’s Algorithm — ExampleExtended-Euclid(99, 78) = 3 = 99 ⇤ (�11) + 78 ⇤ 14
Extended-Euclid(a, b)1 if b = 02 then return (a, 1, 0)3 (d 0, x 0, y 0) Extended-Euclid(b, a mod b)4 (d , x , y) (d 0, y 0, x 0 � ba/bcy 0)5 return (d , x , y)
a b ba/bc d x y99 78 1 3 �11 1478 21 3 3 3 �1121 15 1 3 �2 315 6 2 3 1 �26 3 2 3 0 13 0 � 3 1 0
Each line shows one level of the recursion.Exercise: Use both Euclid’s algorithm and Extended Euclid’s algorithmto compute gcd(1970, 1066), showing all steps of the computations.Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 80 / 86
Appendix on number theory
Fast Exponentiation
There is an efficient algorithm (cf. the literature!) for computingpowers modulo n in a monoid G = (H, �, e) (where H is a set, � isan associative operation on H, and e 2 H is a neutral elementsuch that e � a = a � e = a for all a 2 H).Let g 2 G and e be a positive integer with binary expansion
e =kX
i=0
ei2i (observe that the coefficients ei are either 0 or 1)
Then
ge = gPk
i=0 ei 2i=
kY
i=0
(g2i)ei =
Y
0ik , ei=1
g2i
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 81 / 86
Appendix on number theory
Fast Exponentiation (cont.)
ge = gPk
i=0 ei 2i=
Qki=0(g
2i)ei =
Q0ik , ei=1 g2i yields the following
idea:1 Compute the successive squares g2i
for 0 i k .2 Determine ge as the product of those g2i
for which ei = 1.N.B.: we can compute g2i+1
= (g2i)2 from g2i by one squaring.
An example: 673 mod 100.Binary expansion of exponent: 73 = 1 + 23 + 26.Determine successive squares of 6:
62 = 36 622= 362 = �4 mod 100
623= 16 mod 100 624
= 162 = 56 mod 100625
= 562 = 36 mod 100 626= �4 mod 100
673 = 6 ⇤ 623 ⇤ 626= 6 ⇤ 16 ⇤ (�4) mod 100 = 16 mod 100.
Hence, 6 squares and 2 products instead of 72 multiplications modulo100.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 82 / 86
Appendix on number theory
Fermat Test
It is expensive to prove that a given positive integer is prime, but thereare efficient algorithms (primality tests) that prove the primality of apositive integer with high probability.The Fermat Test is a primality test based on Fermat’s theorem in thefollowing version:
if n is a prime number, then an�1 =n 1 for all positive integersa such that a and n are relatively prime (gcd(a, n) = 1).
Choose a positive integer a 2 {1, 2, . . . , n � 1}.Compute y = an�1 mod n (e.g. using fast exponentiation).If y 6= 1, then n is composite (by the above theorem).If y = 1, then we do not know whether n is prime or composite, asthe following example shows.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 83 / 86
Appendix on number theory
Fermat Test (cont.)
Consider n = 341 = 11 ⇤ 31. Although n is composite we have
2340 =341 1
Therefore, if we use Fermat Test with n = 341 and a = 2, then weobtain y = 1, which proves nothing.On the other hand, if we use Fermat Test with n = 341 and a = 3, thenn is proven composite as
3340 =341 56
N.B.: if the Fermat Test proves that n is composite, it does not find a divisorof n. It only shows that n lacks a property that all prime numbers have.Therefore, the Fermat Test cannot be used as a factoring algorithm.Exercise: Use Fermat Test to show that 1111 is not a prime number.Homework: Look up Miller-Rabin’s Test.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 84 / 86
Appendix on number theory
Correctness of RSA: more detailsSince ed mod � = 1, there exists k 2 N where ed = 1 + k�.Now consider whether or not gcd(m, p) = 1, i.e., whether p|m.Case 1: If gcd(m, p) = 1 then by Fermat’s theorem
mp�1 =p 1
Raising both sides to power k(q � 1) and multiplying by m yields
m1+k(p�1)(q�1) =p m
Case 2: If gcd(m, p) = p then last congruence is trivially valid sinceeach side is congruent to 0 mod p.Hence in both cases
med =p m
By the same argument med =q m and since p and q are distinctprimes, it follows that med =n m and hence
cd =n (me)d =n m.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 85 / 86
Appendix on number theory
Bibliography
William Stallings. Cryptography and Network Security . FourthEdition, Prentice Hall, 2006.
Dieter Gollmann. Computer Security . Wiley, 2000.
Bruce Schneier. Applied Cryptography. John Wiley & Sons, NewYork, 1996.
Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone.Handbook of Applied Cryptography . CRC Press, 1996. Availableonline.
Arthur E. Hutt, Seymour Bosworth, Douglas B. Hoyt. ComputerSecurity Handbook . John Wiley & Sons, 1995.
Luca Viganò (Università di Verona) Public-Key Cryptography SdR A.A. 12/13, Lecture 3 86 / 86