Public Key Algorithms CS 472 Spring 13 Lecture 6 Mohammad Almalag 2/19/2013 Public Key Algorithms - Introduction Public key algorithms are a motley crew, how? All hash algorithms do the same thing: Take the message and perform an irreversible transformation on it. All secret key algorithms do the same thing: Take a block and encrypt it in a reversible way. Chaining methods to convert the block cipher into message cipher. But public key algorithms look very different from each other. 1
Public Key Algorithms - Introduction They are different: In how they perform their functions. What functions they perform. Examples of public key algorithms and their functions: RSA and ECC (encryption and digital signatures) AlGamal and DSS (digital signatures) Diffie-Hellman (establishment of a shared secret) Zero knowledge proof systems (authentication) Public Key Cryptography public-key/two-key/asymmetric cryptography involves the use of two keys: a public-key (e), which may be known by anybody, and can be used to encrypt messages, and verify signatures a private-key (d), known only to the recipient, used to decrypt messages, and sign (create) signatures is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures 2
Public Key Cryptography Public Key Characteristics Public-Key algorithms rely on two keys where: it is computationally infeasible to find decryption key knowing only algorithm & encryption key it is computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known either of the two related keys can be used for encryption, with the other used for decryption (for some algorithms) 3
Public Key Applications Can classify uses into 3 categories: encryption/decryption (provide secrecy) digital signatures (provide authentication) key exchange (of session keys) Some algorithms are suitable for all uses, others are specific to one Security of Public Key Schemes like private key schemes brute force exhaustive search attack is always theoretically possible but keys used are too large (>512bits) security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems more generally the hard problem is known, but is made hard enough to be impractical to break requires the use of very large numbers hence is slow compared to private key schemes 4
Example (Insecure) Public Key Algorithm Multiplication modulo p (where p is a prime) For example, let p=127 Choose e and d so that e*d=1 mod 127 e.g. e=53 and d=12 To encrypt a number, multiply by 53 mod 127 To decrypt a number, multiply by 12 mod 127 Decryption must restore the initial value! Why Isn t This Secure? The number 127 is too small. You could compute d from e by trying all possible values Modular division is possible - the inverse can be computed quickly even when p is large 5
Math-words Factor of an Integer: Any integer which divides evenly into a given integer. For example, 8 is a factor of 24 Greatest Common Factor (gcf): The largest integer that divides evenly into each of a given set of numbers. For example, 6 is the gcf of 30 and 18 Relatively Prime: relatively prime numbers have a (gcf) of 1 For example, 6 and 35 are relatively prime (gcf = 1) Totient function (Φ): The totientφ(n) of a positive integer n greater than 1 is defined to be the number of positive integers less than n that are coprime to n. RSA Named after its inventors: Rivest, Shamir, and Adelman Uses modular exponentiation Choose a modulus n and a public exponent e The key length is variable (e.g., 512 bits) The block size is variable Must be smaller than the key length The ciphertext block will be the length of the key Security due to cost of factoring large numbers 6
RSA If you can find d from e, why can t someone else? Factoring large numbers is hard Finding d from e is easy if you can factor n, but it s hard if you can t Pick two large primes and multiply them together to get n. You can now factor n because you constructed n After computing d from e, you can forget the factors of n What does factoring have to do with it? Define Φ(n) to be the # of integers < n and relatively prime to n If p is a prime, Φ(p) = p-1 Euler proved: x Φ(n) mod n = 1 So x kφ(n) mod n = 1 and x kφ(n)+1 mod n = x If we can find d*e = 1 mod Φ(n), they d be exponentiative inverses If n=p*q (p,q primes), Φ(n)=(p-1)(q-1) (remove multiples of p and multiples of q) 7
RSA Key Setup each user generates a public/private key pair by: selecting two large primes at random -p,q computing their system modulus n=p.q -define Φ (n)=(p-1)(q-1) selecting at random the encryption key e where 1<e<Φ (n), gcd(e, Φ(n))=1 solve following equation to find decryption key d e.d=1 mod Φ (n) and 0 d n publish their public encryption key: PU={e,n} keep secret private decryption key: PR={d,n} How to Find Large Primes If factoring is hard, how do you find large primes? It turns out you can test a number for primality easily even though factoring is hard! Pick random large numbers and test them until you find a prime one http://www.math.utah.edu/~pa/math/largepr ime.html 8
How do you test for primality? Fermat s theorem (note: Fermat was born 100 years earlier than Euler..it s a special case of Euler s theorem) x p 1 mod p = 1 if p prime So to test if n is a prime, pick x and raise x to n-1. If it s not 1, n definitely not prime But can it be 1 even if n not prime? Yes, but probably not. Can use different x s RSA Use to encrypt a message M the sender: obtains public key of recipient PU={e,n} computes: C = M e mod n, where 0 M<n to decrypt the ciphertext C the owner: uses their private key PR={d,n} computes: M = C d mod n note that the message M must be smaller than the modulus n (block if needed) 9
Numerical Example of RSA To generate the encryption and decryption keys, we can proceed as follows: 1. Generate randomly two large primes p and q 2. Compute n = pq and φ = (p 1)(q 1) 3. Choose a number e so that: gcd(e, φ) = 1 4. Find the multiplicative inverse of e modulo φ, i.e., find d so that ed 1 (mod φ) Numerical Example of RSA The encryption public key is KE = (e, n) and the decryption private key is KD = (d, n) The encryption function is: E(M) = mod n The decryption function is: D(M) = mod n These functions satisfy: D(E(M)) = M and E(D(M)) = M for any 0 M < n 10
Numerical Example of RSA Let s look at a numerical example 1. Let p = 7 and q = 13 be the two primes. 2. n = pq = 91 and φ = (p 1)(q 1) = 72 3. Choose e. Let s look among the primes: Try e = 2. gcd(2, 72) = 2 (does not work) Try e = 3. gcd(3, 72) = 3 (does not work) Try e = 5. gcd(5, 72) = 1 (it works) We choose e = 5 Numerical Example of RSA 4. Let s find d. We want to find d such that: ed 1 (mod φ) which is equivalent to find d such that ed + φk = 1 for some integer k. Recall that gcd(e, φ) = 1 We can use the Extended Euclid s Algorithm to find integers x and y such that ex + φy = gcd(e, φ) If e = 5 and φ = 72, we find x = 29 and y = 2. Indeed, 5(29) + 72( 2) = gcd(5, 72) = 1. Then, d = 29 In general, we use d = x mod φ 11
Numerical Example of RSA 5. The encryption and decryption functions are: Encryption: E(M) = mod n = mod 91 Decryption: D(M) = mod n = mod 91 Numerical Example of RSA Suppose the message is M = 10 E(M) = E(10) = 10 mod 91 = 82 D(E(M)) = D(82) = 82 mod 91 = 10 12
Numerical Example of RSA Let s see how to compute efficiently: 82 mod 91 Using the square-and-multiply algorithm: 82 82 (mod 91) 82 81 (mod 91) 82 81 9 (mod 91) 82 9 81 (mod 91) 82 81 9 (mod 91) Numerical Example of RSA Since 29 = 16 + 8 + 4 + 1 (in binary 29 is 11101), we deduce that: 82 81 81 81 81 (mod 91) (9) (81) (9) (82) (mod 91) 10 (mod 91) We conclude that 82 mod 91 = 10 13
Diffie-Hellman Allows two individuals to agree on a secret key, even though they can only communicate in public Alice chooses a private number and from that calculates a public number Bob does the same Each can use the other s public number and their own private number to compute the same secret An eavesdropper can t reproduce it Why is Diffie-Hellman Secure? We assume the following is hard: Given g, p, and g X mod p x < n With the best known mathematical techniques, this is somewhat harder than factoring a composite of the same magnitude as p Subtlety: they haven t proven that the algorithms are as hard to break as the underlying problem 14
Diffie-Hellman Alice choose random A agree on g,p T A =g A mod p Bob choose random B T B =g B mod p compute T BA mod p compute T AB mod p agree on g AB mod p Man-in-the-Middle Attack Alice Trudy Bob T A =g A mod p T T =g T mod p agree on g AT mod p {data}g AT mod p {data}g AT mod p T T =g T mod p T B =g B mod p agree on g TB mod p {data}g TB mod p {data}g TB mod p 15
Signed Diffie-Hellman (Avoiding Man in the Middle) Alice choose random A Bob choose random B [T A =g A mod p] signed with Alice s Private Key [T B =g B mod p] signed with Bob s Private Key verify Bob s signature verify Alice s signature agree on g AB mod p Diffie-Hellman for Encryption Alice Bob choose g, p choose random B choose random A publish g, p, T B =g B mod p compute T A =g A mod p compute T B A encrypt message using g AB mod p send T A, encrypted msg compute T A B decrypt message using g AB mod p 16