
Block 4: Public Key Cryptography

Objectives
You should:
1. Be able to describe how public key systems simplify key distribution.
2. Understand how public key systems use trapdoor functions to realize cryptographic transformations with separate encrypting and decrypting keys.
3. Know how the Diffie-Hellman key exchange algorithm enables the secure exchange of secret keys over a network.
4. Know how to generate keys for the RSA system and how to encipher and decipher messages with this system.
5. Be able to describe how certificate authorities assure the validity of public keys.
6. Be able to describe how public key systems are used for digital signatures and identification.
7. Understand how hash functions are used for digital signatures and be aware of current concerns about the security of SHA-1.

Public Key Cryptosystems

Introduced by Diffie and Hellman in 1976, public key cryptosystems get around the problem of distributing keys.
In a secret key system either the encryption and decryption keys are the same or it is very easy to obtain the decryption key from the encryption key.
In a public key system it is very difficult to obtain the decryption key from the encryption key, so the encryption keys can be made public, avoiding the key distribution problem.
The user has a pair of related keys: a public (encrypting) key, which is available to anyone, and its corresponding private (decrypting) key, which is kept secret.
The security of the system depends on the computational infeasibility of inverting the encrypting transformation without knowledge of the secret key, since the cryptanalyst has all the information needed to attack the system.
The encrypting transformation should be a trapdoor one-way function.
Note: unicity distance is irrelevant to public key systems since the cryptanalyst knows the encryption key. Using the encryption key the cryptanalyst may perform any chosen plaintext attack.

A public key system has separate encrypting (public) and decrypting (secret) keys p and s and possibly different encrypting and decrypting transformations E and D, where
D(s, E(p, m)) = m
but also
E(p, D(s, m)) = m.

A public key cryptosystem must therefore have the following properties:
Generation of "random" pairs of keys p and s must be feasible.
The computation of E(p, m) and D(s, c) must be feasible.
Without knowledge of s it must be infeasible to compute m from E(p, m) and p; also, computing s from p must be infeasible.
This means that we must discover an efficient way to construct a trapdoor one-way function.
Secret key systems provide a degree of message authentication automatically: only someone with knowledge of the secret key may create a message decipherable using that key.

In public key systems anyone with knowledge of Bob's public key may create a message decipherable using Bob's secret key.
If message authentication is required then it must be done in addition to encrypting the message.

Diffie-Hellman Key Exchange algorithm

In their seminal paper Diffie and Hellman proposed a method for the secure exchange of secret keys over a network.
This method was later shown to provide the basis for public key cryptography.
The algorithm works as follows:
Alice and Bob agree on a large prime number n and a generator g mod n, with g < n.
The numbers n and g can be publicly known.
Alice picks an integer x with 0 < x < n at random. Alice computes A = g^x mod n.
Alice sends Bob g, n, A.
Bob picks an integer y with 0 < y < n at random. Bob computes B = g^y mod n.
Bob sends Alice B.
Alice takes Bob's number and calculates B^x mod n.
Bob takes Alice's number and calculates A^y mod n.
Both calculations yield g^xy mod n. This is the secret key.
A cryptanalyst would have to take a discrete logarithm to identify the key. For large n this is considered infeasible.
(Figure: a pictorial representation of this algorithm.)
For an excellent demonstration of this key exchange protocol, from the CrypTool pull-down menu choose:
Indiv.Procedures/Protocols/Diffie-Hellman Demonstration
Diffie-Hellman key exchange is used by WAP Class 1
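The exchange described above, written out as an added example (this code is not part of the lecture notes). The modulus 23 and generator 5 are constructed toy values chosen so the numbers can be followed by hand; real deployments use standardised groups of at least 2048 bits. The last function performs the eavesdropper's discrete logarithm by exhaustive search, which is exactly the step that becomes infeasible once n is large.

```python
# Added example (not from the lecture notes): Diffie-Hellman with both
# parties' steps written out, plus the eavesdropper's task for a toy modulus.
import secrets

N = 23  # constructed toy prime modulus
G = 5   # constructed toy generator mod 23


def is_generator(g, n):
    """True if the powers g^1 .. g^(n-1) mod n produce every non-zero residue."""
    return len({pow(g, k, n) for k in range(1, n)}) == n - 1


def pick_private(n):
    """Random private exponent x with 0 < x < n."""
    return secrets.randbelow(n - 1) + 1


def public_value(g, x, n):
    """A = g^x mod n (Alice) or B = g^y mod n (Bob)."""
    return pow(g, x, n)


def shared_secret(peer_public, x, n):
    """Alice computes B^x mod n; Bob computes A^y mod n."""
    return pow(peer_public, x, n)


def run_exchange(n, g, x, y):
    """One exchange with given private values; returns (A, B, Alice's key, Bob's key)."""
    A = public_value(g, x, n)  # Alice sends g, n, A to Bob
    B = public_value(g, y, n)  # Bob sends B to Alice
    return A, B, shared_secret(B, x, n), shared_secret(A, y, n)


def brute_force_discrete_log(g, A, n):
    """What an eavesdropper holding g, n, A must solve: x with g^x = A (mod n).
    Exhaustive search is fine for n = 23 and hopeless for a 2048-bit n."""
    for x in range(1, n):
        if pow(g, x, n) == A:
            return x
    return None


if __name__ == "__main__":
    assert is_generator(G, N)
    x, y = pick_private(N), pick_private(N)
    A, B, k_alice, k_bob = run_exchange(N, G, x, y)
    print(f"A={A} B={B} shared key={k_alice} (Bob sees {k_bob})")
    print("eavesdropper recovers x =", brute_force_discrete_log(G, A, N))
```

With x = 6 and y = 15 the exchange gives A = 8, B = 19 and the shared key 2, which is also 5^90 mod 23; the brute-force search recovers x = 6 from A in at most 22 steps, a search that grows with n rather than with log n.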

The Discrete Logarithm Problem

The groups formed by the integers mod n contain elements known as generators that produce all the other members when raised to a power contained within the group.
Example: mod 7 has elements 1 to 6 (plus 0).
If we consider the elements raised to powers 1 to 6 we obtain the following table.
(Table: columns x, x^2, x^3, x^4, x^5, x^6 for x = 1 to 6 mod 7, with the rows that are generators marked G.)
For a generator g and any y in the group there is a unique x such that y = g^x (mod n).
Given a number n, its discrete logarithm to the base b, mod m, is a number x such that b^x (mod m) = n.
Finding x is a difficult problem and discrete logarithms exist only for certain b and m.

Examples
In mod 7 arithmetic:
log_3(6) = 3, as 3^3 = 27 ≡ 6 (mod 7);
log_4(5) does not exist; and
log_4(2) = 2, 5, as 4 is not a generator.
The difficulty of computing discrete logarithms is similar to that of factoring. For a large modulus this problem is hard.
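The power table for the integers mod 7 and the three logarithm examples, as an added example (not code from the lecture notes). The functions are general and work for any prime modulus; `discrete_logs` returns every exponent that works, so a non-existent logarithm shows up as an empty list and a non-generator base can show up with several answers.

```python
# Added example (not from the lecture notes): the power table mod 7, its
# generators, and the discrete-logarithm examples by exhaustive search.


def power_table(n):
    """Map each x in 1..n-1 to the list [x^1, x^2, ..., x^(n-1)] mod n."""
    return {x: [pow(x, k, n) for k in range(1, n)] for x in range(1, n)}


def generators(n):
    """Elements whose powers 1..n-1 produce every non-zero residue mod n (the rows marked G)."""
    return [x for x, row in power_table(n).items() if len(set(row)) == n - 1]


def discrete_logs(base, target, modulus):
    """All x in 1..modulus-1 with base^x = target (mod modulus); empty if the log does not exist."""
    return [x for x in range(1, modulus) if pow(base, x, modulus) == target]


if __name__ == "__main__":
    gens = generators(7)
    for x, row in power_table(7).items():
        print(x, row, "G" if x in gens else "")
    print("log_3(6) =", discrete_logs(3, 6, 7))  # [3]
    print("log_4(5) =", discrete_logs(4, 5, 7))  # []      (does not exist)
    print("log_4(2) =", discrete_logs(4, 2, 7))  # [2, 5]  (4 is not a generator)
```

For a generator base every target has exactly one logarithm; for the base 4, whose powers cycle through only 4, 2, 1, the target 5 is never reached and the target 2 is reached twice.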

Digital Signatures

Since any user of a public key system can use Bob's public key to encrypt a message for Bob, he has no way of checking the identity of the sender of a message.
Suppose Alice wants to send a message to Bob and arrange that Bob can verify that it indeed came from her.
She takes the message she wishes to sign and decrypts it using her secret key s_A to obtain a digital signature, which can be attached to the original message.
She then sends both to Bob (MESS_A).
Bob (or anyone else) can reconstitute the original message from the digital signature by encrypting it with Alice's public key (p_A).
He may then check that the original message is equal to the encrypted signature.
Only Alice could have generated the signature, since knowledge of her secret key is necessary to generate it.
Thus Bob can be sure the message came from Alice. He can also prove this to a third party.


So Alice obtains
SIG_A = D_A(s_A, m).
Alice sends
MESS_A = E(p_B, (m, SIG_A)).
Bob obtains
(m, SIG_A) = D_B(s_B, MESS_A)
and checks that
m = E(p_A, SIG_A).
This process is very costly in communication bandwidth, so another option is to compute a one-way hash of the original message to produce a message digest, encrypt the message digest and send that instead.
The digest should be sufficiently long to prevent an exhaustive attack (at least 160 bits, possibly more) and should depend on the entire message.


The Birthday Paradox

When you put 20 people in a room and each of the 20 people asks each of the other 19 people about their birthdays:
Each individual person only has a small (less than 5%) chance of success, but each person is trying it 19 times. That increases the probability dramatically.
If you want to calculate the exact probability, let's say you have a big wall calendar with all 365 days on it.
o You walk in and put a big X on your birthday.
o The next person who walks in has only 364 possible open days available, so the probability of the two dates not colliding is 364/365.
o The next person has only 363 open days, so the probability of not colliding is 363/365.
If you multiply the probabilities for all 20 people not colliding, then you get:
364/365 × 363/365 × ... × (365 − 20 + 1)/365 = chance of no collisions.
The probability of a collision is 1 minus that number (approx. 0.5).

The Birthday Attack

Use at least a 160-bit digest to prevent a birthday attack.
Suppose we are using digital signatures to enforce a contract I do not wish to honour.
I write two versions of the contract, say "I will pay you 1000" and "I will pay you 1".
Suppose the key size is 128 bits.
I generate 2^64 variations of each contract (e.g. by inserting or removing spaces, punctuation, etc.), and compute a digest for each, giving a total of 2^128 pairs of digest values for a total of 2^(64+1) digest computations.
Amongst these 2^128 pairs there is almost certainly one pair for which the digest values are equal (if not, I generate a few more).
I then have two different contracts each with the same digest value.
I give one to you ("I will pay you 1000") and keep the other ("I will pay you 1").
When you try to prove that I have promised you 1000, I produce the other contract and claim that you must have stolen my key.
Thus a digest of length n can be circumvented with 2^(1+n/2) digest computations and 2^(n/2) blocks of memory.
(Figure: "I will pay 1" and "I will pay 1000"; generate many punctuation variations; same hash output.)

This attack is demonstrated to some extent in CrypTool.
From the pull-down menu choose:
Analysis/Hash/Attack on the Hash Value of the Digital Signature
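The birthday-paradox product and the digest-size arithmetic behind the two preceding sections, as an added example (this code is not from the lecture notes). The same no-collision product that the calendar walk-through builds is applied first to 365 days and then to a digest space of 2^n values, and the expected number of matching pairs between two sets of contract variations shows where the 2^(n/2) work factor comes from.

```python
# Added example (not from the lecture notes): birthday-paradox probabilities
# for calendars and for hash digests, and the work factor of a birthday attack.
import math


def prob_no_collision(people, days=365):
    """364/365 * 363/365 * ... * (days - people + 1)/days."""
    p = 1.0
    for i in range(people):
        p *= (days - i) / days
    return p


def prob_collision(people, days=365):
    """Probability that at least two of `people` share a birthday."""
    return 1.0 - prob_no_collision(people, days)


def smallest_group_for(threshold, days=365):
    """Fewest people needed before P(collision) reaches `threshold`."""
    k = 1
    while prob_collision(k, days) < threshold:
        k += 1
    return k


def hash_collision_probability(trials, digest_bits):
    """Same idea for `trials` random digests of 2^digest_bits values, via 1 - exp(-k(k-1)/2N)."""
    exponent = trials * (trials - 1) / (2 * 2.0 ** digest_bits)
    return 1.0 - math.exp(-exponent)


def expected_cross_matches(set_a, set_b, digest_bits):
    """Expected number of equal-digest pairs between two sets of variations (the two contracts)."""
    return set_a * set_b / 2.0 ** digest_bits


def birthday_work_bits(digest_bits):
    """log2 of the digest computations that make a collision likely: n/2."""
    return digest_bits / 2


if __name__ == "__main__":
    print(f"20 people: P(collision) = {prob_collision(20):.3f}")
    print(f"first group size at 50%: {smallest_group_for(0.5)} people")
    print(f"2^64 random 128-bit digests: P(collision) = {hash_collision_probability(2**64, 128):.3f}")
    print(f"two sets of 2^64 contract variations: expected matches = {expected_cross_matches(2**64, 2**64, 128)}")
    print(f"160-bit digest: about 2^{birthday_work_bits(160):.0f} digest computations")
```

Running the exact product shows that 20 people give a collision probability of about 0.41 and that 23 is the first group size to pass one half; for a 128-bit digest the same curve reaches the expected single match at 2^64 variations per contract, which is why the notes ask for at least 160 bits (2^80 work).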


Brief history of the most popular hashing functions

In 1990, Ron Rivest invented the hash function MD4.
In 1992, he improved on MD4 and developed another hash function: MD5.
In 1993, the National Security Agency published a hash function very similar to MD5, called SHA (Secure Hash Algorithm).
Then, in 1995, citing a newly discovered weakness that it refused to elaborate on, the NSA made a change to SHA.
The new algorithm was called SHA-1.
Today, the most popular hash function is SHA-1, with MD5 still being used in older applications.

Typical hash functions are:

Message Digest 5 (MD5): It takes as input a message of arbitrary length and pads the message until it is a multiple of 512 bits long.
The padded input is processed in 512-bit blocks to produce a 128-bit value (the hash code).
As the computer power available to potential attackers has increased, concerns have arisen over the vulnerability of 128-bit hash codes to birthday attack.
Concerns have also arisen about the vulnerability of MD5 to cryptanalysis.

Secure Hash Algorithm (SHA-1): a hash function developed by the US National Institute of Standards and Technology (NIST) and published as a federal standard in 1993.
A revised version was published in 1995 that is generally referred to as SHA-1.
It takes as input a message of less than 2^64 bits and processes it in 512-bit blocks to produce a 160-bit hash code.
SHA-1 has the desired property that every bit of the hash code is a function of every bit of the input.

RIPEMD-160: A hash function developed under the European Union's RACE Integrity Primitives Evaluation project.
Similar in structure to SHA-1, it processes a message of arbitrary length in 512-bit blocks to produce a 160-bit hash code.
Federal Information Processing Standards (FIPS) 180-2, 1 August 2002, included SHA-1 and three new hash functions known as SHA-256, SHA-384 and SHA-512.
The suffixes refer to the sizes of the message digests produced by the hash functions in bits.
The new hash functions have a more complicated description than SHA-1.
On 29 February 2004 the standard was amended to include SHA-224.
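The digest sizes listed above, checked with Python's hashlib, together with a measurement of the property that every bit of the hash code depends on every bit of the input: flipping a single input bit and counting how many digest bits change. This is an added example, not code from the lecture notes; the sample message is constructed for it.

```python
# Added example (not from the lecture notes): digest sizes from hashlib and
# a one-bit avalanche measurement for the hash functions discussed above.
import hashlib


def digest_bits(algorithm, data=b""):
    """Length of the digest in bits for a hashlib algorithm name."""
    return hashlib.new(algorithm, data).digest_size * 8


def flip_bit(data, bit_index):
    """Return a copy of `data` with one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hamming_distance(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_ratio(algorithm, data, bit_index):
    """Fraction of digest bits that change when input bit `bit_index` is flipped.
    A good hash gives about 0.5 whichever bit is flipped."""
    h1 = hashlib.new(algorithm, data).digest()
    h2 = hashlib.new(algorithm, flip_bit(data, bit_index)).digest()
    return hamming_distance(h1, h2) / (len(h1) * 8)


if __name__ == "__main__":
    sample = b"Constructed sample message for the avalanche check."
    for name in ("md5", "sha1", "sha224", "sha256", "sha384", "sha512"):
        print(f"{name:7s} {digest_bits(name):4d} bits  avalanche {avalanche_ratio(name, sample, 0):.2f}")
```

A ratio near 0.5 for every algorithm and every flipped bit is what "depends on the entire message" means in practice; a hash that left part of its output unchanged for some input bits would give an attacker a foothold for the attacks discussed in the following sections.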


An attack on SHA-1

In February 2005, three Chinese cryptographers showed that SHA-1 is not collision-free (Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu, mostly from Shandong University in China).
That is, they developed an algorithm for finding collisions faster than brute force (the birthday attack).
The Chinese researchers' analysis shows that collisions of SHA-1 can be found with complexity less than 2^69 hash operations.
This is the first attack on the full 80-step SHA-1 with complexity less than the 2^80 theoretical bound.
The Chinese researchers expect that real collisions of SHA-1 reduced to 70 steps can be found using today's supercomputers.
For the average Internet user, this news was not a cause for panic.
No one is going to be breaking digital signatures, but it's time to migrate away from SHA-1.
Luckily, there are alternatives.

The National Institute of Standards and Technology already has standards for longer, and harder to break, hash functions: SHA-224, SHA-256, SHA-384, and SHA-512.
These are collectively known as SHA-2.

Current developments in attacking SHA-1

At Crypto 2005 (the 25th Annual International Cryptology Conference, August 14-18, 2005, Santa Barbara, California, USA) Adi Shamir announced new results of Xiaoyun Wang, one of the original team of Chinese researchers who announced an attack on SHA-1, together with Andrew Yao and Frances Yao.
Shamir presented few details but revealed that the time complexity of the new attack is 2^63 and stated that he expected Wang and her students to improve on this result over the next few months.
There is no reason to believe that 2^63 is anything like a lower limit.
An attack that's faster than 2^64 is a significant milestone.
Massive computations have already been done with complexity 2^64. Now that the SHA-1 collision search is clearly feasible, some research group will try to implement it.
Writing working software will both uncover hidden problems with the attack and illuminate hidden improvements.
While a paper describing an attack against SHA-1 is damaging, software that produces actual collisions is even more so.

NIST plans
Although no attacks have been reported on the SHA-2 variants, they are algorithmically similar to SHA-1 and so efforts are under way to develop improved alternative hashing algorithms.
An open competition for a new SHA-3 function was announced in the Federal Register on November 2, 2007.
"NIST is initiating an effort to develop one or more additional hash algorithms through a public competition, similar to the development process for the Advanced Encryption Standard (AES)."
Submissions are due October 31, 2008 and the announcement of a winner and publication of the new standard are scheduled to take place in 2012.

Identification
Cryptographic algorithms have a third basic application in addition to encryption and digital signatures: identification.
The primary use of identification is for access control.
Cryptographic algorithms used for identification are used within identification protocols which enable the prover, Bob, to prove to the verifier, Alice, their identity.
In a challenge-response identification system, if the prover, Bob, wants to identify himself to the verifier, Alice, then Bob must respond correctly to a question, or challenge, from Alice.
o Bob responds to the challenge by computing a response using a secret key and sending it to Alice.
o If the challenge-response system is based on symmetric key cryptography, Alice verifies the response using the same secret key.
o If the system is based on public key cryptography, Alice verifies the response using the public key that corresponds to the secret key Bob used.

Suppose Alice and Bob agree a secret key by which they may identify themselves to each other:
o If Bob wants to identify himself to Alice he asks Alice for a random number; he then encrypts this random number with the secret key and sends the ciphertext to Alice, who decrypts the ciphertext with the secret key and compares the result with the number she sent.
o If there is a match then she accepts this as proof of identity.
Public-key cryptography may be used for identification as follows:
o If Bob wants to identify himself to Alice he asks Alice for a random number; he then encrypts this random number with his private key and sends the ciphertext to Alice, who decrypts the ciphertext using Bob's public key and compares the result with the number she sent.
o If there is a match then she accepts this as proof of identity. For this challenge-response system to work Alice must be sure that she has the authentic public key of Bob.

Public Key Infrastructures

It must not be possible for public keys to be falsified or abused, and the secrecy of private keys must be assured.
This is achieved through public key infrastructures (PKIs).
Personal Security Environments
If Bob wants to use a public key system he needs separate key pairs for each purpose for which he wants to use the system (encryption, digital signature, and identification), or the system is insecure.
If one key pair is used for digital signature and identification an attacker can pretend they want a check on identity.
The attacker can send Bob a "random number" to encrypt with his private key that was in fact generated by computing the hash of a document; when Bob encrypts this with his private key he is in fact signing the document.
Bob must securely store his private keys in a personal security environment (PSE) that the keys must never leave.
Because of this the PSE must do all digital signing, identification and decryption with the private keys.
The PSE may generate the key pairs to be used. However, this requires resources such as, in the case of RSA keys, the facility to generate large prime numbers.


Therefore, it may be more sensible to use a trusted third party to generate the key pairs.
However, the third party will then automatically know the private keys used, which can be considered a drawback.
A software PSE is only as secure as the underlying operating system, and all operating systems are to some extent vulnerable to attack.
Furthermore, a simple software PSE may only be an encrypted file that can be accessed by entering a password that is used to decrypt the file.
In this case, the PSE is only as secure as the password that is used.
Therefore, a hardware PSE should be used for all applications where a high level of security is essential.
A hardware PSE is more formally referred to as a Hardware Storage Module (HSM); for an introduction to the HSM including a list of some of the products on the market see chapter 8 of Austin, T., PKI, Wiley, 2001.
A PSE can be implemented on a smart card, which is just a form of HSM.
It is very difficult to manipulate the software or hardware of a smart card.

However, the processing capabilities of smart cards are very limited, so they cannot be used to encrypt or decrypt documents.
Instead they are used to encrypt or decrypt session keys that are passed to and from a PC via a smart card reader.
These session keys are the secret keys of symmetric key algorithms; encryption or decryption using these keys is done on the PC.
Even when a PSE is implemented on a smart card a severe security problem remains.
When the user wants to sign a document the PC computes the hash of the document and then passes the hash to the smart card for signing.
An attacker can manipulate the software on the PC so that this hash value is replaced with the hash of another document, which is then passed to the smart card for signing.
This is the representation problem for signatures.
This problem must be solved if handwritten signatures are ever to be replaced by digital signatures.
One solution is for the user to see the hash they are signing, but this requires the smart card to have a display; one possibility is to incorporate the smart card into a mobile phone.

Certification Authorities

The users of a public key system must be sure of the validity of the public keys they use.
If an attacker can substitute their public key for that of some other person they can decrypt documents addressed to that person.
This problem is usually solved by associating each user of the system with a trusted third party called a certificate authority (CA).
This requires that each user trusts their CA and knows the public key of their CA.
Each new user of the system must register with a CA.
o On registration the new user provides the CA with their name and other relevant data.
The CA verifies the new user's information before generating a certificate that connects the new user to their public keys and signing the certificate with the private key of the CA.

A certificate will contain the following information:
1. The user name
2. The public keys of the user
3. The algorithms in which the public keys are used
4. The serial number of the certificate
5. The dates of the beginning and end of the validity of the certificate
6. The name of the certificate authority
7. Restrictions that apply to the use of the certificate
The X.509 standard is a scheme for formatting public key certificates that is used in most network security applications including IPSec, SSL, SET and S/MIME.
The CA stores the generated certificate and the corresponding user name in a directory into which only it is allowed to write.
All the registered users of the CA have read-only access to the directory.
Once a user has been registered and their public keys certified, if the CA generated the key pairs of the user, the CA will transmit the private keys to the PSE of the user.

The public key of the CA and the certificate of the user may also be stored in the PSE of the user.
Some public and private keys have to be stored in archives after they have expired.
As long as a signature generated by a private signature key may have to be verified, the CA must store the corresponding public key.
As long as documents encrypted by a public encryption key may have to be read, the corresponding private key must be stored in the PSE of its user.
If the CA generated the key pairs of the user, the user must be provided with new private keys by the CA before the old ones expire; this may be done using variants of the Diffie-Hellman key exchange protocol.
CrypTool provides a demonstration of digital signature generation that requires you to generate a public key certificate that contains the public signature key to be used to check the signature.
From the pull-down menu choose:
Digital Signatures/PKI/Signature Demonstration

Certificates sometimes have to be invalidated before they have expired.
If someone loses a smart card which contains their private signature key, the corresponding public verification key must be invalidated so that if the smart card is discovered by a dishonest person that person cannot use the private signature key.
A CA stores all its invalidated certificates in its certificate revocation list (CRL), which is part of its directory.
o The CRL contains the serial number of the invalidated certificate and the date it was invalidated.
o It may also contain other information such as the reason the certificate was invalidated.
o The CA signs each entry in its CRL with its private signature key.
If the user of a CA wants to know a public key of an individual or organisation registered with the same CA they simply obtain the certificate containing the public key from the directory of the CA and verify the certificate using the public key of the CA.
A user may keep certificates they use regularly in their PSE, keeping a key-ring.

However, if they do this they must regularly check the validity of those certificates.
If the user of a CA wants to know a public key of an individual or organisation that is not registered with the same CA but is registered with another CA, they will be able to get the public key if they can obtain the certificate for the public signature key of the other CA from their own CA and validate it.
The certificate for the public key of the individual or organisation concerned can then be obtained directly from them or from the CA they are registered with.
This certificate can then be validated using the validated public signature key of the CA that issued it.
If the CA of the user does not have the certificate for the public key of the other CA it may be obtained using a certificate chain, that is, indirectly through a succession of certificate authorities.
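A toy model of the CA operations in the three preceding sections, as an added example (not code from the lecture notes): issuing a certificate with the seven listed fields, a CRL whose entries the CA signs, and validation of a chain that runs from the user's own CA through a second CA to the end entity. Signatures are textbook RSA over a SHA-256 digest of the canonical JSON of each record; the key pairs, names, serial numbers and dates are all constructed for this example and the keys are far too small for real use.

```python
# Added example (not from the lecture notes): certificate issue, a signed
# CRL, and certificate-chain validation with constructed toy RSA keys.
import hashlib
import json

# Constructed toy key pairs: name -> (public (n, p), secret (n, s)).
KEYS = {
    "CA-1": ((3233, 17), (3233, 2753)),
    "CA-2": ((11413, 3533), (11413, 6597)),
    "Bob": ((2773, 17), (2773, 157)),
}


def digest_block(payload, n):
    """Canonical JSON of the record, hashed and reduced to a block smaller than n."""
    data = json.dumps(payload, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def ca_sign(payload, secret):
    n, s = secret
    return pow(digest_block(payload, n), s, n)


def signature_ok(payload, signature, public):
    n, p = public
    return pow(signature, p, n) == digest_block(payload, n)


def issue_certificate(issuer, subject, serial, not_before, not_after, restrictions):
    """The CA connects a registered user to their public key and signs the result."""
    body = {
        "subject": subject,                     # 1. user name
        "public_key": list(KEYS[subject][0]),   # 2. public key of the user
        "algorithm": "RSA",                     # 3. algorithm the key is used with
        "serial": serial,                       # 4. serial number
        "not_before": not_before,               # 5. validity period
        "not_after": not_after,
        "issuer": issuer,                       # 6. name of the certificate authority
        "restrictions": restrictions,           # 7. restrictions on use
    }
    return {"body": body, "signature": ca_sign(body, KEYS[issuer][1])}


def revoke(crl, issuer, serial, revoked_on, reason):
    """Append a signed entry (serial, date, reason) to the issuer's CRL."""
    entry = {"serial": serial, "revoked_on": revoked_on, "reason": reason}
    crl.setdefault(issuer, []).append({"entry": entry, "signature": ca_sign(entry, KEYS[issuer][1])})


def is_revoked(crl, issuer, serial, issuer_public):
    """True if the issuer's CRL holds a correctly signed entry for this serial."""
    return any(item["entry"]["serial"] == serial
               and signature_ok(item["entry"], item["signature"], issuer_public)
               for item in crl.get(issuer, []))


def validate_chain(chain, trust_anchor_public, crl, today):
    """chain[0] is signed by the user's own CA, each later certificate by the one before.
    Returns the end entity's public key, or None if any link fails."""
    signer_public = trust_anchor_public
    for cert in chain:
        body = cert["body"]
        if not signature_ok(body, cert["signature"], signer_public):
            return None                                # forged or altered certificate
        if not body["not_before"] <= today <= body["not_after"]:
            return None                                # expired or not yet valid
        if is_revoked(crl, body["issuer"], body["serial"], signer_public):
            return None                                # listed on the issuer's CRL
        signer_public = tuple(body["public_key"])      # this key verifies the next link
    return signer_public


def bob_via_ca2(today="2024-06-01", revoke_bob=False):
    """Alice (registered with CA-1) obtains Bob's key; Bob is registered with CA-2."""
    crl = {}
    ca2_cert = issue_certificate("CA-1", "CA-2", 1001, "2024-01-01", "2025-12-31", "CA")
    bob_cert = issue_certificate("CA-2", "Bob", 7, "2024-03-01", "2025-03-01", "signature")
    if revoke_bob:
        revoke(crl, "CA-2", 7, "2024-05-15", "smart card lost")
    return validate_chain([ca2_cert, bob_cert], KEYS["CA-1"][0], crl, today)


if __name__ == "__main__":
    print("Bob's public key:", bob_via_ca2())
    print("after revocation:", bob_via_ca2(revoke_bob=True))
    print("after expiry:", bob_via_ca2(today="2025-06-01"))
```

Alice only ever trusts CA-1's key directly; CA-2's key is accepted because CA-1 certified it, and Bob's because CA-2 did, which is the chain the notes describe. The CRL check uses the same signer key as the certificate it protects, so a forged revocation entry is rejected just as a forged certificate is, and dates are ISO strings so plain comparison orders them correctly.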


RSA (Rivest, Shamir, and Adleman)

The RSA public key cryptosystem is named after its discoverers.
A user's public and secret keys in RSA are constructed from three positive integers n, p and s where p < n and s < n.
The pair (n, p) is the public key and the pair (n, s) is the secret key.
Messages to be encrypted must be split into blocks, so that no block, when interpreted as a non-negative integer m, could possibly be larger than n.
Each block may be interpreted as a non-negative integer by treating it as the binary expansion of a natural number. To encrypt plaintext m to obtain ciphertext c, we compute

To recover the plaintext m we compute

Of course we cannot use just any values for n, p and s, and we shall see next how to choose them so that RSA is hard to attack and encryption and decryption are mutual inverses.

Generating RSA Keys

1. Randomly select two large primes q and r.
2. Let n = qr.
3. Randomly choose an integer p coprime to φ(n), i.e. p has no common factors with φ(n).
4. Compute s such that ps ≡ 1 (mod φ(n)).
5. Publish (n, p) as your public key.
6. Record (n, s) as your secret key.

Explanation of Step 3
In step 4 we need to compute the multiplicative inverse of p modulo φ(n); this only exists if p is coprime to φ(n).
In the case of RSA, we know that n is the product of two primes q and r, so

Example: RSA Encryption and Decryption

Let , , and . We encrypt and decrypt two ASCII characters: 19 and 91.


A pictorial representation of RSA encryption and decryption is provided below. In the figure a single letter M = 19 is encrypted then decrypted.
(Figure: RSA encryption and decryption of M = 19.)
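The six key-generation steps, encryption and decryption of the blocks 19 and 91, a digest-based signature as in the Digital Signatures section, and the public-key challenge-response identification from the Identification section, as one added example (this is not the lecture notes' code and the notes' own key values are not reproduced). Names follow the notes: public key (n, p), secret key (n, s), primes q and r. The Miller-Rabin primality test, SHA-256 as the digest, and the 64-bit default modulus are my choices for illustration; the `self_check` routine exercises every step with freshly generated keys.

```python
# Added example (not from the lecture notes): RSA key generation, block
# encryption, digest signatures and challenge-response identification.
import hashlib
import math
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin; declares a composite prime with probability at most 4^-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Step 1: a random prime with the top bit set."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def mod_inverse(a, m):
    """Step 4: s with a*s = 1 (mod m), by the extended Euclidean algorithm."""
    old_r, r, old_t, t = a, m, 1, 0
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_t, t = t, old_t - quotient * t
    if old_r != 1:
        raise ValueError("a and m are not coprime, so no inverse exists")
    return old_t % m


def generate_keys(bits=64):
    """Steps 1-6: returns ((n, p), (n, s)) with n of about `bits` bits."""
    q = random_prime(bits // 2)
    r = random_prime(bits // 2)
    while r == q:
        r = random_prime(bits // 2)
    n = q * r                                  # step 2
    phi = (q - 1) * (r - 1)                    # phi(n) for n = q*r (standard RSA)
    while True:                                # step 3: random p coprime to phi(n)
        p = secrets.randbelow(phi - 3) + 3
        if math.gcd(p, phi) == 1:
            break
    return (n, p), (n, mod_inverse(p, phi))    # steps 5 and 6


def encrypt(public, m):
    """c = m^p mod n for a block m smaller than n."""
    n, p = public
    assert 0 <= m < n, "block must be a non-negative integer below n"
    return pow(m, p, n)


def decrypt(secret, c):
    """m = c^s mod n."""
    n, s = secret
    return pow(c, s, n)


def digest_block(message, n):
    """SHA-256 digest reduced to a block below n (the notes' message digest)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(secret, message):
    """SIG = D(s, digest(m)): the digest is 'decrypted' with the secret key."""
    return decrypt(secret, digest_block(message, secret[0]))


def verify(public, message, signature):
    """Accept if digest(m) = E(p, SIG)."""
    return encrypt(public, signature) == digest_block(message, public[0])


def identify(prover_secret, prover_public, challenge):
    """Bob 'encrypts' Alice's random number with his private key; Alice checks it
    with Bob's authentic public key and accepts on a match."""
    return encrypt(prover_public, decrypt(prover_secret, challenge)) == challenge


def self_check(bits=64):
    """Fresh keys: round-trip 19 and 91, sign/verify, identify with a separate pair."""
    public, secret = generate_keys(bits)
    ok = all(decrypt(secret, encrypt(public, m)) == m for m in (19, 91))
    sig = sign(secret, b"I will pay you 1000")
    ok = ok and verify(public, b"I will pay you 1000", sig)
    ok = ok and not verify(public, b"I will pay you 1", sig)
    id_public, id_secret = generate_keys(bits)   # separate pair, as the notes require
    return ok and identify(id_secret, id_public, secrets.randbelow(id_public[0]))
```

The signature and identification routines are the same two operations, D with the secret key and E with the public key, applied to different inputs, which is exactly why the Personal Security Environments section insists on separate key pairs: a challenge that is really a document digest would otherwise turn an identification response into a signature.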

How Secure is RSA?

RSA is known to be no harder than factoring.
An efficient algorithm for factoring would make RSA insecure, since it would then be easy to obtain q and r and to compute s from p.
While factoring is not known to be intractable, there is currently little prospect of an efficient algorithm for factoring, and the problem has been the subject of intensive study for many years.
However, RSA is not known to be as hard as factoring and it is possible there is an attack that does not involve factoring.
This appears less likely as time passes, as RSA has survived intense investigation for 20 years.
In 1994 a 129-digit key, RSA-129, was factorised and groups throughout the world are constantly seeking to extend their success to larger numbers. RSA-140 and RSA-155 were factorised in 1999.
RSA-155 is 512 bits. Standard RSA keys are 1024 bits.
RSA-200 was factorised by the group of Prof. Jens Franke at the University of Bonn in 2005.
The calculations took 17 months.
It has been suggested that 1024-bit RSA keys will be factored by 2022.
The GISA (German Information Security Agency) recommended the usage of 2048-bit keys from 2006 onwards.

How RSA is used

In the late 1970s most common general-purpose computers were too weak to generate good RSA encryption and putting RSA on a chip was too complicated.
The first significant user of RSA cryptography was a small software company called Iris Associates, funded by the spreadsheet company Lotus Development Corp.
Iris's product, Notes, was the first example of groupware, a program meant to be used by many people over a network.
Notes assumed users would exchange all their messages, including the confidential ones, over a network.
This posed the problems of how to prevent someone sending an email pretending to be someone else and how to prevent someone reading the email as it passed through an intermediate machine.
Iris solved these problems through a sophisticated use of RSA: a hybrid system, using the public key method to encrypt the symmetric keys of a conventional cryptosystem.
That is, RSA was used as a key-exchange algorithm and DES was used to encrypt the message content.
In practice, RSA encryption and decryption are too slow to be used to encrypt messages; currently the standard RSA key is 1024 bits long.

Other Public Key Systems

Prior to the mid-1980s it was believed that the Diffie-Hellman key exchange algorithm could only provide a way for two parties to agree upon secret keys.
However, in the mid-1980s a company called Cylink established that clever use of the Diffie-Hellman key exchange algorithm provided for privacy and authentication.
Recently elliptic curve cryptography (ECC) has begun to challenge RSA.
Its prime advantage is that it appears to offer the same level of security for a far smaller key length, reducing the processing overhead.
This is particularly beneficial for applications on devices with comparatively limited processing power such as wireless devices and smartcards.
Currently, most ch 
ips on smart cards cannot process keys exceeding 1024 bits.
A digital signature can be processed 10 times faster with ECC than with RSA.
However, verification of a given signature is still more efficient with RSA than with ECC.
Thin clients like smart cards usually have to store the (long) secret key and have to process a digital signature rather than verify one.
There is a clear advantage in using ECC in terms of efficiency.
RSA public key cryptography is too computationally expensive for mobile phones, so WAP uses Elliptic Curve Cryptography (ECC) by default.
Nowadays, the major problem with ECC implementations is the lack of standardization.
This causes problems in interoperability.
Furthermore, ECC products have only begun to appear recently and therefore only recently has there been sustained interest in trying to find cryptographic weaknesses in ECC.
Consequently, there is less confidence in the security of ECC than in RSA.
ECC is fundamentally more difficult to understand than RSA and beyond the scope of this course.