Lecture 6: Overview of Public-Key Cryptography and RSA

Transcription

1 1 Lecture 6: Overview of Public-Key Cryptography and RSA Yuan Xue In this lecture, we give an overview to the public-key cryptography, which is also referred to as asymmetric cryptography. We will first introduce the background of public-key cryptography. Then we will study the model of public-key cryptosystem, and the requirement to design a practical public-key algorithm. Finally, we will study the design of RSA algorithm. I. BACKGROUND The concept of public-key (asymmetric) cryptography evolved from an attempt to address the following two difficult problems associated with the secret-key (symmetric) cryptosystem. Key distribution. Symmetric encryption requires a shared secret key. As we have seen in the previous lecture, this leads to the problem of key distribution, which in turn requires secret sharing either between the communicating parties or between the communicating hosts and the KDC. Non-repudiation. In symmetric encryption, the sending party may deny sending the message, because it is possible for the receiver to forge a message based on the same secret key. Accordingly, the receiving party may claim the receipt of a message from the sender which is actually forged by himself. To address both problems, Diffie and Hellman achieved an important breakthrough in The proposed scheme was radically different from all previous approaches to cryptography. First, it uses a pair of different keys in contrast to one shared key in symmetric encryption. Second, it is based on mathematical functions instead of substitution and permutation. The proposed scheme is called pubic-key (asymmetric) cryptography, which is one of the greatest revolutions in the history of cryptography. Its use of two keys has profound consequences in facilitating key distribution, and providing digital signature. However, the scheme proposed by Diffie and Hellman is not a general-purpose encryption algorithm. It can only provide secure secret key exchange. Thus it presents a challenge for the cryptologists to design a general-purpose encryption algorithm that satisfies the public-key encryption requirements. One of the first responses to the challenge was developed in 1977 by Rivest, Shamir, Adleman at MIT, so called RSA. Since then, the RSA scheme has become the most widely accepted and implemented general-purpose approach to public-key encryption.

2 2 II. PUBLIC-KEY CRYPTOSYSTEM MODEL In this section, we look at the overall framework for public-key cryptography. Public-key cryptosystem uses a pair of different but related keys one for encryption, the other for decryption; one is placed in a pubic register (public key), the other is kept secret (private key). It is required that given only knowledge of the cryptographic algorithm and the public key, it is computationally infeasible to determine the private key. In some algorithms, such as RSA, either public key or private key can be used for encryption, with the other one used for decryption. Fig. 1 illustrates that different security services can be provided with different usages of the keys. In Fig. 1(a), sender A encrypts using B s public key K 1 UB. The ciphertext C = E(K UB, P) is transmitted to B. B, in possession of the matching private key K RB, is able to decrypt the ciphertext C and retrieve the = D(K RB, P). No one else can decrypt the message without B s private key K RB. Thus the confidentiality of incoming communication to B is assured as long as B s private key is kept secret. In Fig. 1(b), A encrypts P with its private key K RA. The ciphertext C = E(K RA, P) received by B can be decrypted using A s public key K UA : P = D(K UA, C). Without A s private key, it is impossible to change the message. Therefore, the public-key encryption provides authentication in terms of both source and data integrity. At the same time, the entire message serves as a digital signature. This is because the message was encrypted using A s private key, and only A could have prepared the message. It is important to emphasize that this encryption process does not provide confidentiality. This is, the message is safe from alteration but not from eavesdropping. This is because any observer can decrypt the message by using A s public key. To provide both authentication and confidentiality for data delivery, a double use of the public-key encryption can be applied as shown in Fig. 1(c). In this scenario, the message is first encrypted by A s private key, which provides authentication. Then B s public key is applied again to provide confidentiality. At the receiver side, B s private key will first be used for decryption, followed by the decryption using A s public key. The essential steps to use public-key encryption are summarized as follows. 1) Generate a pair of keys. For example, A generates the public key K UA, and the private key K RA. 2) Publish the public key e.g., K UA, while keeping the private key secret. Users have the access to a collection of public keys from their communication parties. 1 As a convention, K U is used for public key; K R is used for private key.

3 3 3) Use one of the above models to encrypt the message to achieve different security goals and deliver the message. The received message is decrypted using the corresponding schemes in the models. Based on the public-key encryption framework, the following requirements need to be satisfied to design a public-key encryption algorithm. 1) It is computationally infeasible for an opponent, knowing the public key K U, and the encryption and decryption algorithms E, D, to determine the companion private key K R. 2) It is computationally infeasible for an opponent, knowing the public key K U and the ciphertext C which is encrypted via this key C = E(K U, P), to determine the. For practical use, the following features are also preferred in a public-key encryption algorithm. 1) It is computationally easy to generate a pair of keys (public key and private key). 2) It is computationally easy to encrypt a message using either public or private key, and decrypt it via the companion key. III. RSA As we have mentioned earlier, Diffie and Hellman introduced a new approach to cryptography, and challenged cryptologist to design a general-purpose encryption algorithm that satisfies the public-key encryption requirements. One of the first responses to the challenge was developed in 1977 by Ron Rivest, Adi Shamir, Len Adleman at MIT. Since then, the Rivest-Shamir-Adleman (RSA) scheme has become the most widely accepted and implemented general-purpose approach to public-key encryption 2. Now we will study RSA algorithm. In particular, we shall examine the following topics: 1) Mathematical preliminaries of RSA; 2) RSA algorithm description; 3) Why RSA would work; 4) Why RSA is secure; Students are encouraged to read the textbook [WS] Section 9.2 to understand the computational aspect and the security of RSA. Additional reading materials on threats to RSA, and practical considerations are provided at the discussion board in the blackboard system. A. Mathematical Preliminaries In this section, we will introduce the mathematical background that helps to understand RSA. 2 Recently, a competing system has begun to challenge RSA: elliptic curve cryptography (ECC), which offers equal security for a far smaller key size, thereby reducing processing overhead.

4 4 1) Modular Addition: Let s start with one of the simplest ciphers: general Caesar cipher. Its encryption and decryption operation can be represented using the following mathematical functions. C = (P + K) mod 26 (1) P = (C K) mod 26 (2) P \ K TABLE I ADDITION MODULO 10 For simplicity, we replace 26 with 10, and show the general Caesar cipher, which is also the modular addition operation, in Table I. Note that the decryption operation, which subtracts the secret key K from ciphertext C modulo 10, can also be done by adding K, which is the additive inverse of K modulo 10. An additive modular inverse of K is the number which is added to K to get 0 after modular operation. For example, 4 s inverse (modulo 10) is 6, because (4 + 6) mod 10 = 0. If the secret key were 4, then to encrypt in general Caesar cipher, 4 is added to the plaintext; and to decrypt, 6 is added to the ciphertext. Formally, we have C = (P + K) mod 26 (3) P = (C + K ) mod 26 (4) where K + K mod 10 = 0. (5)

5 5 P \ K TABLE II MULTIPLICATION MODULO 10 2) Modular Multiplication: Now let s look at the mod 10 multiplication operation as shown in Table II. We note that only when K = 1, 3, 7, 9, the modular multiplication operation works as a cipher, because it only performs a one-to-one mapping between the plaintext and the ciphertext in these cases. What is special about the numbers {1, 3, 7, 9}? The answer is that those numbers are all relatively prime to 10. Generally, a number K is relatively prime to n means gcd(k, n) = 1; 1 K < n (6) where gcd denotes the greatest common divisor. For decryption, we can look for multiplicative inverse, and undo the multiplication by multiplying the ciphertext by the multiplicative inverse of the key. Multiplicative inverse of K, denoted by K 1, is the number by which you d multiply K to get 1 in mod n. Formally, the cryptosystem can be represented as follows. C = (P K) mod n (7) P = (C K 1 ) mod n (8) where K K 1 mod n = 1 (9) Note that only those numbers that are relatively prime to n have multiplicative inverses in mod n. It is non-trivial to to find a multiplicative inverse in mod n arithmetic, especially when n is very large. But

6 6 there is an algorithm, known as Euclid s algorithm, which can efficiently find the inverse 3. At this point, we observe that the modular multiplication can also be used as a cipher, if the value of K is chosen appropriately. Moreover, K and K 1 can be used as a pair of keys for encryption and decryption, which is required by public-key encryption model. The problem is, however, there exists an algorithm (Euclid s algorithm) to calculate K 1 based on K, while in public-key encryption model, the private key can not be derived from knowledge of the public key. So let s further explore other mathematical functions. Before that, we d examine the question how many numbers less than n are relatively prime to n? This number is denoted as φ(n), and called totient function. As we will see later, this number is quite important in the design of RSA. It is obvious that, when n is a prime, φ(n) = n 1; when n is the product of two district primes p, q, (i.e., n = p q, p q are primes), φ(n) = (p 1)(q 1). 3) Modular Exponentiation: Now let s proceed to consider encryption and decryption using modular exponentiation operation. C = (P K ) mod n (10) P = (C K ) mod n (11) where K is the exponentiative inverse of K. Just like multiplicative inverse, we may ask what kind of values of K has the exponentiative inverse? and how its inverse can be calculated? The answers to these questions lead to the design of RSA. In what follows, we give a description of RSA algorithm first, then discuss how it is related with modular exponentiation. B. RSA Description The RSA scheme is a block cipher. Each plaintext block is an integer between 0 and n 1 for some n, which leads to a block size log 2 (n). The typical block size for RSA is 1024 bits. The details of the RSA algorithm are described as follows. Key generation 1) Pick two large prime numbers p and q, p q; 3 For details, please refer to algorithm, or step II in the hint.pdf file for homework 1.

7 7 2) Calculate n = p q; 3) Calculate φ(n) = (p 1)(q 1); 4) Pick e, so that gcd(e, φ(n)) = 1, 1 < e < φ(n); 5) Calculate d, so that d e mod φ(n) = 1, i.e., d is the multiplicative inverse of e in mod φ(n); 6) Get public key as K U = {e, n}; 7) Get private key as K R = {d, n}. Encryption For plaintext block P < n, its ciphertext C = P e mod n. Decryption For ciphertext block C, its plaintext is P = C d mod n. C. Why RSA works As we have seen from the RSA design, RSA algorithm uses modular exponentiation operation. For n = p q, e which is relatively prime to φ(n), has exponential inverse in mod n. Its exponential inverse d can be calculated as the multiplicative inverse of e in mod φ(n). The reason is illustrated as follows. Based on Euler s theorem, for y which satisfies y mod φ(n) = 1, the following equation holds. x y mod n = x mod n (12) As d e mod φ(n) = 1, we have that P ed P mod n. So the correctness of RSA cryptosystem is shown as follows. Encryption: C = P e mod n; Decryption: P = C d mod n = (P e ) d mod n = P ed mod n = P mod n = P. D. Why RSA is secure The premise behind RSA s security is the assumption that factoring a big number (n into p, and q) is hard. And thus it is difficult to determine φ(n). Without the knowledge of φ(n), it would be hard to derive d based on the knowledge of e. However factoring n is not the only way to break RSA. Students are encouraged to read the suggested material to find out more threats to RSA.

8 8 A B Encryption Decryption C = E(KUB,P) ciphertext C P = D(KRB,C) Public key KUB Private key KRB key pair source (a) Confidentiality A B Encryption Decryption C = E(KRA,P) ciphertext C P = D(KUA,C) key pair source Private key KRA Public key KUA (b) Authentication A B Encryption Encryption Decryption Decryption C' = E(KRA,P) ciphertext C C = E(KUB,C') C' = D(KRB,C) P = D(KUA,C') Private key KRA Public key KUB key pair source Private key KRB Public key KUA key pair source (c) Confidentiality and Authentication Fig. 1. Asymmetric Cryptosystem Models.