Public Key Algorithms · galaxy.cs.lamar.edu/~bsun/security/lecture_notes/lecture6.pdf

Post on 28-Oct-2020



Public Key Algorithms


Public Key Algorithms

• It is necessary to know some number theory to really understand how and why public key algorithms work
  – Most of the public key algorithms are based on modular arithmetic


Use of Public Key Cryptosystems

• Encryption/decryption
  – Sender encrypts a message with the receiver’s public key
  – Only the receiver can decrypt the message
• Digital signature
  – The sender signs a message with its private key
  – Authentication and non-repudiation
• Key exchange
  – Two sides cooperate to exchange a session key
  – Secret key cryptosystems are often used with the session key


Modular Arithmetic

• Modular Addition
  – Addition modulo (mod) n
    • x mod n: the remainder of x when divided by n
  – mod 10 addition
    • 5+5 = 0
    • 2+2 = 4
  – An additive inverse of x is the number that adds to x to get 0
    • 4’s inverse (mod 10) is 6
    • Decrypt by adding inverse


Addition Modulo 10


Modular Multiplication

• Mod 10 multiplication table
• Multiplication by 1, 3, 7, 9 works as cipher
• Multiplicative inverse $x^{-1}$: y * x = 1
• Use Euclid’s Algorithm to find inverse


Totient Function

• x, m relatively prime (rp) = no common factor other than 1
• relatively prime ≠ prime (9 rp 10)
• totient function Φ(n): number of numbers less than n rp to n
  – if n prime: {1, 2, …, n-1}. Φ(n) = n-1
  – if n = p * q, p, q distinct primes => Φ(n) = (p-1)(q-1)


Modular Exponentiation (Exponentiation Modulo 10)


Modular Exponentiation

• Encryption: $x^3$ works, $x^2$ does not
• Exponential inverse y of x: $(a^x)^y = a$
• Columns: 1=5, 2=6, 3=7…
• $x^y \bmod n = x^{(y \bmod \Phi(n))} \bmod n$: the i-th column is the same as the (i+4)-th column
  – rp to 10 are {1, 3, 7, 9}
• Totient function Φ(n): number of numbers less than n relatively prime to n


RSA (Rivest, Shamir, Adleman)

• A very popular public key cryptographic algorithm

• Supports public key encryption and digital signature
• Variable key length – 512 bits, 1024 bits
• Variable plaintext block size
  – Plaintext block must be smaller than the key length
  – Ciphertext block size is the length of the key
• Ciphertext length = key length
• Much slower to compute than DES/IDEA
• Assumption/theoretical basis:
  – Factoring a large number is practically impossible


RSA Algorithm

• To generate a public key and a corresponding private key
  – Pick large primes p and q (around 256 bits)
  – Let n = p*q (512 bits), factors p and q remain secret
  – Public key: choose e that is relatively prime to ø(n) = (p-1)(q-1), let pub = <e,n>
  – Private key: find the number d that is the multiplicative inverse of e mod ø(n), i.e., e*d = 1 mod ø(n), let priv = <d,n>
  – Encryption: of m < n, $c = m^e \bmod n$
  – Decryption: $m = c^d \bmod n$
  – Verification
    • Sign: $s = m^d \bmod n$
    • Verify: $m = s^e \bmod n$


RSA Example

Bob chooses p=7, q=11. Then n=77, z=ø(n)=60.
e=7 (so e, z relatively prime).
d=43 (so ed-1 exactly divisible by z).

encrypt: $m = 9$, $m^e = 9^7$, $c = m^e \bmod n = 37$

decrypt: $c = 37$, $c^d = 37^{43}$, $m = c^d \bmod n = 9$


Why Does RSA Work?

• Will decrypting an encrypted message get the original message back?

Useful number theory result: If p, q prime and n = pq, then:

$x^y \bmod n = x^{y \bmod (p-1)(q-1)} \bmod n$

$(m^e \bmod n)^d \bmod n = m^{ed} \bmod n$

$= m^{ed \bmod (p-1)(q-1)} \bmod n$ (using number theory result above)

$= m^1 \bmod n$ (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)

$= m$


Why Does RSA Work?

• That is: will decrypting an encrypted message get the original message back?

• Given pub = <e, n> and priv = <d, n>
  – n = p*q, ø(n) = (p-1)(q-1)
  – de = 1 mod ø(n)
  – For any x, $x^{de} = x \bmod n$
  – encryption: $c = m^e \bmod n$
  – decryption: $m = c^d \bmod n = m^{e \cdot d} \bmod n = m \bmod n = m$ (since m < n)
  – digital signature (similar)


Why is RSA Secure?

• Based on the Fundamental Tenet of Cryptography

• Factoring 512-bit number is very hard!
  – If you can factor quickly, you can break RSA!
• But if you can factor big number n then given public key <e,n>, you can find d, hence the private key by:
  – Knowing factors p, q, such that, n = p*q
  – Then ø(n) = (p-1)(q-1)
  – Then d such that e*d = 1 mod ø(n)
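The RSA Algorithm, RSA Example and Why is RSA Secure? slides above, worked through in Python as an added example that is not part of the original lecture notes. Function names are illustrative assumptions; this is textbook RSA with the slide's toy numbers (p=7, q=11, e=7), without the padding that deployed RSA requires.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(e, phi):
    """Multiplicative inverse of e mod phi, i.e. d with e*d = 1 mod phi."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e is not relatively prime to phi(n)")
    return x % phi

def make_keys(p, q, e):
    """Return (pub, priv) = (<e, n>, <d, n>) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (modinv(e, phi), n)

def apply_key(key, block):
    """Textbook RSA (no padding): block^exponent mod n, for 0 <= block < n."""
    exponent, n = key
    if not 0 <= block < n:
        raise ValueError("block must be smaller than n")
    return pow(block, exponent, n)

def private_from_factoring(pub):
    """Factoring n gives p and q, then phi(n), then d.
    Trial division only finishes for toy moduli such as n = 77."""
    e, n = pub
    p = next(f for f in range(2, n) if n % f == 0)
    return make_keys(p, n // p, e)[1]

if __name__ == "__main__":
    pub, priv = make_keys(7, 11, 7)        # the slide's p, q, e
    c = apply_key(pub, 9)                  # encrypt m = 9
    print(pub, priv, c, apply_key(priv, c))
    print(private_from_factoring(pub) == priv)
```

Signing uses the same function with the keys swapped: `apply_key(priv, m)` signs and `apply_key(pub, s)` verifies.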


Diffie-Hellman

• Allows two individuals to agree on a shared key using only public communication
• No authentication of partners
  – Alice might be establishing a secret key with a bad guy
• What is involved?
  – A large prime p, and g < p
  – p and g are publicly known
  – Alice and Bob choose random $S_A$ and $S_B$, kept secret
  – next slide..


Diffie-Hellman Key Exchange

• Procedure

Alice                                   Bob
pick secret $S_A$ randomly              pick secret $S_B$ randomly
compute $T_A = g^{S_A} \bmod p$         compute $T_B = g^{S_B} \bmod p$
send $T_A$ to Bob                       send $T_B$ to Alice
compute $T_B^{S_A} \bmod p$             compute $T_A^{S_B} \bmod p$

Alice and Bob reached the same secret $g^{S_A S_B} \bmod p$, which is then used as the shared key.

Not secure against bucket-brigade/man-in-the-middle attacks.


DH Security – Discrete Logarithm is Hard

• $T = g^s \bmod p$

• Given T, g, and p, it is computationally infeasible to compute the value of s (discrete logarithm)


The Bucket Brigade/Man-in-the-Middle Attack

• Mr. X plays Alice to Bob and Bob to Alice


Defense against Man-in-the-Middle Attack

• Diffie-Hellman in Phone Book Mode
  – Have a somewhat permanent public and secret number
  – Everyone has to agree on a common p and g
  – Everyone generates the public key components and publishes them through other reliable means, e.g., <$T_b$> for Bob
  – Essential Requirement: authenticity of public key
• Authenticated Diffie-Hellman
  – Alice and Bob know some sort of secret
    • Use this secret to prove they generate their DH value
    • Following DH exchange, transmit a hash of the agreed-upon shared DH value, name, and the pre-shared secret
    • Following DH exchange, transmit a hash of the pre-shared secret and the DH value
    • …
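The exchange from the Diffie-Hellman Key Exchange slide followed by the confirmation step described above (a hash over the agreed-upon DH value, name, and pre-shared secret), as an added Python example that is not part of the original lecture notes. The toy prime 2^127 - 1, g = 3, the use of HMAC-SHA-256 as the hash, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy public parameters (assumption): 2**127 - 1 is a Mersenne prime, g = 3.
# Real deployments use standardized groups of at least 2048 bits.
P = 2**127 - 1
G = 3

def keypair():
    """Pick a random secret S and compute T = g^S mod p."""
    s = secrets.randbelow(P - 3) + 2
    return s, pow(G, s, P)

def confirm_tag(name, psk, dh_value):
    """Keyed hash over the sender's name and the agreed-upon DH value."""
    msg = name.encode() + b"|" + dh_value.to_bytes(16, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()

def run_exchange(psk_alice, psk_bob, in_the_middle=False):
    """Run one exchange; return (alice_accepts, bob_accepts)."""
    s_a, t_a = keypair()
    s_b, t_b = keypair()
    seen_by_bob, seen_by_alice = t_a, t_b
    if in_the_middle:
        # Constructed scenario: Mr. X swaps in his own public value both ways
        # and can only forward the tags, since he lacks the pre-shared secret.
        _, t_x = keypair()
        seen_by_bob = seen_by_alice = t_x
    k_alice = pow(seen_by_alice, s_a, P)   # T_B^{S_A} mod p
    k_bob = pow(seen_by_bob, s_b, P)       # T_A^{S_B} mod p
    tag_from_alice = confirm_tag("Alice", psk_alice, k_alice)
    tag_from_bob = confirm_tag("Bob", psk_bob, k_bob)
    bob_ok = hmac.compare_digest(
        tag_from_alice, confirm_tag("Alice", psk_bob, k_bob))
    alice_ok = hmac.compare_digest(
        tag_from_bob, confirm_tag("Bob", psk_alice, k_alice))
    return alice_ok, bob_ok
```

With a substituted public value the two sides derive different DH values, so neither forwarded tag verifies and both sides reject the session.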


Encryption with Diffie-Hellman

• To avoid the active exchange
• Everyone computes and publishes a public key <p, g, T> for the private key s
  – $T = g^s \bmod p$
• Alice communicates with Bob:
  – Bob has published <$p_b$, $g_b$, $T_b$>
  – Alice
    • Picks a random secret $S_a$
    • Computes $g_b^{S_a} \bmod p_b$
    • Use $K_{ab} = T_b^{S_a} \bmod p_b$ (the encryption key) to encrypt message
    • Send encrypted message along with $g_b^{S_a} \bmod p_b$
  – Bob
    • $(g_b^{S_a})^{S_b} \bmod p_b = (g_b^{S_b})^{S_a} \bmod p_b = T_b^{S_a} \bmod p_b = K_{ab}$
    • Use $K_{ab}$ to decrypt
• Essentially key distribution + encryption


Digital Signature Standard (DSS)

• By NIST

• Based on ElGamal

• Speeded up for signer rather than verifier: smart cards

• Use SHA-1 to generate the hash value and Digital Signature Algorithm (DSA) to generate the digital signature


DSS Algorithm


DSS Algorithm

Calculate $X^{-1}$ and $d_m$


Why is DSA Secure?

• No revealing of the private key S
• Nobody should be able to generate a signature for a given message without knowing S
• Nobody should be able to generate a message that matches a given signature
• Nobody should be able to modify a signed message in a way that keeps the same signature valid
• Need a per-message secret number $S_m$
  – If $S_m$ is known, the private key S can be computed
    • $(X_m S_m - d_m) T_m^{-1} \bmod q = S \bmod q$ (refer to step 6): the attacker can forge DSS signature
  – If two messages share the same $S_m$, the private key S can be revealed
    • $(X_m - X_{m'})^{-1} (d_m - d_{m'}) \bmod q = S_m \bmod q$ (refer to step 6) => $S_m$
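Why the per-message secret must stay private and never repeat: the two identities above checked on toy numbers, plus an audit that flags signatures sharing the same $T_m$. This is an added Python example, not part of the original lecture notes. Because the DSS Algorithm slides did not survive in this transcript, the signing step uses the standard DSA equation written in the slide's symbols; the parameters p = 23, q = 11, g = 4, the digests and all function names are constructed for illustration.

```python
# Toy DSA domain parameters (constructed): q divides p - 1, g has order q mod p.
P, Q, G = 23, 11, 4

def sign(S, Sm, dm):
    """Standard DSA signing equation in the slide's symbols.
    S: private key, Sm: per-message secret, dm: digest as an integer.
    Returns (Tm, Xm)."""
    Tm = pow(G, Sm, P) % Q
    Xm = pow(Sm, -1, Q) * (dm + S * Tm) % Q
    return Tm, Xm

def key_from_known_secret(Tm, Xm, dm, Sm):
    """(Xm*Sm - dm) * Tm^-1 mod q = S mod q."""
    return (Xm * Sm - dm) * pow(Tm, -1, Q) % Q

def secret_from_reuse(sig1, sig2):
    """(Xm - Xm')^-1 * (dm - dm') mod q = Sm mod q, for equal Tm."""
    (Tm, Xm, dm), (Tm2, Xm2, dm2) = sig1, sig2
    if Tm != Tm2:
        raise ValueError("signatures do not share a per-message secret")
    return pow((Xm - Xm2) % Q, -1, Q) * (dm - dm2) % Q

def reused_secrets(signatures):
    """Audit check: map each Tm that occurs more than once to its indices."""
    seen = {}
    for i, (Tm, _, _) in enumerate(signatures):
        seen.setdefault(Tm, []).append(i)
    return {t: idx for t, idx in seen.items() if len(idx) > 1}

# Constructed sample: private key S = 5; the first two signatures wrongly
# share Sm = 3, the third uses a fresh Sm = 6. Entries are (Tm, Xm, dm).
SAMPLE = [sign(5, 3, 8) + (8,), sign(5, 3, 2) + (2,), sign(5, 6, 4) + (4,)]
```

Running `reused_secrets` over stored signatures is a cheap way to detect a broken random number generator before the repeated value is noticed by someone else.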