Vous êtes sur la page 1sur 42

Unit II

Chapter 1: Key Management


 Public-key encryption schemes are secure only if the authenticity of the public key is assured. A
public-key certificate scheme provides the necessary security.
 A simple public-key algorithm is Diffie-Hellman key exchange. This protocol enables two users to
establish a secret key using a public-key scheme based on discrete logarithms. The protocol is secure
only if the authenticity of the two participants can be established.
 Elliptic curve arithmetic can be used to develop a variety of elliptic curve cryptography (ECC)
schemes, including key exchange, encryption, and digital signature.
 For purposes of ECC, elliptic curve arithmetic involves the use of an elliptic curve equation defined
over a finite field. The coefficients and variables in the equation are elements of a finite field.
Schemes using Zp and GF(2m) have been developed.

Key Management

 public-key encryption helps address key distribution problems

 have two aspects of this:

 distribution of public keys

 use of public-key encryption to distribute secret keys

Distribution of Public Keys

 can be considered as using one of:

 public announcement

 publicly available directory

 public-key authority

 public-key certificates
Public Announcement

 users distribute public keys to recipients or broadcast to community at large

 eg. append PGP keys to email messages or post to news groups or email list

 major weakness is forgery

 anyone can create a key claiming to be someone else and broadcast it

 until forgery is discovered can masquerade as claimed user

Publicly Available Directory

A greater degree of security can be achieved by maintaining a publicly available dynamic directory of public
keys. Maintenance and distribution of the public directory would have to be the responsibility of some
trusted entity or organization (Bellow Figure). Such a scheme would include the following elements:

1. The authority maintains a directory with a {name, public key} entry for each participant.
2. Each participant registers a public key with the directory authority. Registration would have to be in
person or by some form of secure authenticated communication.
3. A participant may replace the existing key with a new one at any time, either because of the desire to
replace a public key that has already been used for a large amount of data, or because the
corresponding private key has been compromised in some way.
4. Participants could also access the directory electronically. For this purpose, secure, authenticated
communication from the authority to the participant is mandatory.
Public-Key Authority

 improve security by tightening control over distribution of keys from directory

 has properties of directory

 and requires users to know public key for the directory

 then users interact with directory to obtain any desired public key securely

 does require real-time access to directory when keys are needed

Public-Key Certificates

 certificates allow key exchange without real-time access to public-key authority

 a certificate binds identity to public key

 usually with other info such as period of validity, rights of use etc

 with all contents signed by a trusted Public-Key or Certificate Authority (CA)

 can be verified by anyone who knows the public-key authorities public-key

Public-Key Distribution of Secret Keys

 use previous methods to obtain public-key

 can use for secrecy or authentication

 but public-key algorithms are slow

 so usually want to use private-key encryption to protect message contents

 hence need a session key

 have several alternatives for negotiating a suitable session

Simple Secret Key Distribution

 proposed by Merkle in 1979

 A generates a new temporary public key pair

 A sends B the public key and their identity

 B generates a session key K sends it to A encrypted using the supplied public key

 A decrypts the session key and both use

 problem is that an opponent can intercept and impersonate both halves of protocol

Public-Key Distribution of Secret Keys

 if have securely exchanged public-keys:

Hybrid Key Distribution

 retain use of private-key KDC

 shares secret master key with each user

 distributes session key using master key

 public-key used to distribute master keys

 especially useful with widely distributed users

 rationale

 Performance: There are many applications, especially transaction-oriented applications, in

which the session keys change frequently. Distribution of session keys by public-key
encryption could degrade overall system performance because of the relatively high
computational load of public-key encryption and decryption. With a three-level hierarchy,
public-key encryption is used only occasionally to update the master key between a user and
the KDC.
 Backward compatibility: The hybrid scheme is easily overlaid on an existing KDC scheme,
with minimal disruption or software changes.

Diffie-Hellman Key Exchange

 first public-key type scheme proposed

 by Diffie & Hellman in 1976 along with the exposition of public key concepts

 note: now know that Williamson (UK CESG) secretly proposed the concept in 1970

 is a practical method for public exchange of a secret key

 used in a number of commercial products

 a public-key distribution scheme

 cannot be used to exchange an arbitrary message

 rather it can establish a common key

 known only to the two participants

 value of key depends on the participants (and their private and public key information)

 based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy

 security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard
Diffie-Hellman Setup

 all users agree on global parameters:

 large prime integer or polynomial q

 a being a primitive root mod q

 each user (eg. A) generates their key

 chooses a secret key (number): xA < q

 compute their public key: yA = axA mod q

 each user makes public that key yA

Diffie-Hellman Key Exchange

 shared session key for users A & B is KAB:

KAB = axA.xB mod q

= yAxB mod q (which B can compute)

= yBxA mod q (which A can compute)

 KAB is used as session key in private-key encryption scheme between Alice and Bob

 if Alice and Bob subsequently communicate, they will have the same key as before, unless they
choose new public-keys

 attacker needs an x, must solve discrete log

Diffie-Hellman Example

 users Alice & Bob who wish to swap keys:

 agree on prime q=353 and a=3

 select random secret keys:

 A chooses xA=97, B chooses xB=233

 compute respective public keys:

 yA=397 mod 353 = 40 (Alice)

 yB=3233 mod 353 = 248 (Bob)

 compute shared session key as:

 KAB= yBxA mod 353 = 24897 = 160 (Alice)

 KAB= yAxB mod 353 = 40233 = 160 (Bob)

Key Exchange Protocols

 users could create random private/public D-H keys each time they communicate

 users could create a known private/public D-H key and publish in a directory, then consulted and
used to securely communicate with them
 both of these are vulnerable to a meet-in-the-Middle Attack

 authentication of the keys is needed

Elliptic Curve Cryptography

 majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large

 imposes a significant load in storing and processing keys and messages

 an alternative is to use elliptic curves

 offers same security with smaller bit sizes

 newer, but not as well analysed

Real Elliptic Curves

 an elliptic curve is defined by an equation in two variables x & y, with coefficients

 consider a cubic elliptic curve of form

 y2 = x3 + ax + b

 where x,y,a,b are all real numbers

 also define zero point O

 have addition operation for elliptic curve

 geometrically sum of Q+R is reflection of intersection R

Finite Elliptic Curves

 Elliptic curve cryptography uses curves whose variables & coefficients are finite

 have two families commonly used:

 prime curves Ep(a,b) defined over Zp

• use integers modulo a prime

• best in software
 binary curves E2m(a,b) defined over GF(2n)

• use polynomials with binary coefficients

• best in hardware

Elliptic Curve Cryptography

 ECC addition is analog of modulo multiply

 ECC repeated addition is analog of modulo exponentiation

 need “hard” problem equiv to discrete log

 Q=kP, where Q,P belong to a prime curve

 is “easy” to compute Q given k,P

 but “hard” to find k given Q,P

 known as the elliptic curve logarithm problem

 Certicom example: E23(9,17)

ECC Diffie-Hellman
 can do key exchange analogous to D-H

 users select a suitable curve Ep(a,b)

 select base point G=(x1,y1)

 with large order n s.t. nG=O

 A & B select private keys nA<n, nB<n

 compute public keys: PA=nAG, PB=nBG

 compute shared key: K=nAPB, K=nBPA

 same since K=nAnBG

ECC Encryption/Decryption

 several alternatives, will consider simplest

 must first encode any message M as a point on the elliptic curve Pm

 select suitable curve & point G as in D-H

 each user chooses private key nA<n

 and computes public key PA=nAG

 to encrypt Pm : Cm={kG, Pm+kPb}, k random

 decrypt Cm compute:

Pm+kPb–nB(kG) = Pm+k(nBG)–nB(kG) = Pm

ECC Security

 relies on elliptic curve logarithm problem

 fastest method is “Pollard rho method”

 compared to factoring, can use much smaller key sizes than with RSA etc

 for equivalent key lengths computations are roughly equivalent

 hence for similar security ECC offers significant computational advantages

Comparable Key Sizes for Equivalent Security

Key Terms
abelian group elliptic curve arithmetic prime curve

binary curve elliptic curve cryptography primitive root

cubic equation finite field public-key certificate

Diffie-Hellman key exchange key distribution public-key directory

discrete logarithm key management zero point

elliptic curve man-the-middle attack

Review Questions

1 What are two different uses of public-key cryptography related to key distribution?

2 List four general categories of schemes for the distribution of public keys.

3 What are the essential ingredients of a public-key directory?

4 What is a public-key certificate?

5 What are the requirements for the use of a public-key certificate scheme?

6 Briefly explain Diffie-Hellman key exchange.

7 What is an elliptic curve?

8 What is the zero point of an elliptic curve?

9 What is the sum of three points on an elliptic curve that lie on a straight line?
Chapter2: Introduction to Number Theory


 A prime number is an integer that can only be divided without remainder by positive and negative
values of itself and 1. Prime numbers play a critical role both in number theory and in cryptography.
 Two theorems that play important roles in public-key cryptography are Fermat's theorem and Euler's
 An important requirement in a number of cryptographic algorithms is the ability to choose a large
prime number. An area of ongoing research is the development of efficient algorithms for
determining if a randomly chosen large integer is a prime number.
 Discrete logarithms are fundamental to a number of public-key algorithms. Discrete logarithms are
analogous to ordinary logarithms, but operate over modular arithmetic.

Prime Numbers

 prime numbers only have divisors of 1 and self

 they cannot be written as a product of other numbers

 note: 1 is prime, but is generally not of interest

 eg. 2,3,5,7 are prime, 4,6,8,9,10 are not

 prime numbers are central to number theory

 list of prime number less than 200 is:

2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127

131 137 139 149 151 157 163 167 173 179 181 191 193 197 199

Prime Factorisation

 to factor a number n is to write it as a product of other numbers: n=a x b x c

 note that factoring a number is relatively hard compared to multiplying the factors together to
generate the number

 the prime factorisation of a number n is when its written as a product of primes

 eg. 91=7x13 ; 3600=24x32x52

Relatively Prime Numbers & GCD

 two numbers a, b are relatively prime if have no common divisors apart from 1

 eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the
only common factor

 conversely can determine the greatest common divisor by comparing their prime factorizations and
using least powers

 eg. 300=21x31x52 18=21x32 hence GCD(18,300)=21x31x50=6

Fermat's Theorem

 ap-1 = 1 (mod p)

 where p is prime and gcd(a,p)=1

 also known as Fermat’s Little Theorem

 also ap = p (mod p)

 useful in public key and primality testing

Euler Totient Function ø(n)

 when doing arithmetic modulo n

 complete set of residues is: 0..n-1

 reduced set of residues is those numbers (residues) which are relatively prime to n

 eg for n=10,

 complete set of residues is {0,1,2,3,4,5,6,7,8,9}

 reduced set of residues is {1,3,7,9}

 number of elements in reduced set of residues is called the Euler Totient Function ø(n)
 to compute ø(n) need to count number of residues to be excluded

 in general need prime factorization, but

 for p (p prime) ø(p) = p-1

 for p.q (p,q prime) ø(pq) =(p-1)x(q-1)

 eg.

ø(37) = 36

ø(21) = (3–1)x(7–1) = 2x6 = 12

Euler's Theorem

 a generalisation of Fermat's Theorem

 aø(n) = 1 (mod n)

 for any a,n where gcd(a,n)=1

 eg.

a=3;n=10; ø(10)=4;

hence 34 = 81 = 1 mod 10

a=2;n=11; ø(11)=10;

hence 210 = 1024 = 1 mod 11

Primality Testing

 often need to find large prime numbers

 traditionally sieve using trial division

 ie. divide by all numbers (primes) in turn less than the square root of the number

 only works for small numbers

 alternatively can use statistical primality tests based on properties of primes

 for which all primes numbers satisfy property

 but some composite numbers, called pseudo-primes, also satisfy the property
 can use a slower deterministic primality test

Miller Rabin Algorithm

 a test based on Fermat’s Theorem

 algorithm is:

TEST (n) is:

1. Find integers k, q, k > 0, q odd, so that (n–1)=2kq

2. Select a random integer a, 1<a<n–1

3. if aq mod n = 1 then return (“maybe prime");

4. for j = 0 to k – 1 do

5. if (a2jq mod n = n-1)

then return(" maybe prime ")

6. return ("composite")

Probabilistic Considerations

 if Miller-Rabin returns “composite” the number is definitely not prime

 otherwise is a prime or a pseudo-prime

 chance it detects a pseudo-prime is < 1/4

 hence if repeat test with different random a then chance n is prime after t tests is:

 Pr(n prime after t tests) = 1-4-t

 eg. for t=10 this probability is > 0.99999

Prime Distribution

 prime number theorem states that primes occur roughly every (ln n) integers

 but can immediately ignore evens

 so in practice need only test 0.5 ln(n) numbers of size n to locate a prime

 note this is only the “average”

 sometimes primes are close together

 other times are quite far apart

Chinese Remainder Theorem

 used to speed up modulo computations

 if working modulo a product of numbers

 eg. mod M = m1m2..mk

 Chinese Remainder theorem lets us work in each moduli mi separately

 since computational cost is proportional to size, this is faster than working in the full modulus M

 can implement CRT in several ways

 to compute A(mod M)

 first compute all ai = A mod mi separately

 determine constants ci below, where Mi = M/mi

 then combine results to get answer using:

Primitive Roots

 from Euler’s theorem have aø(n)mod n=1

 consider am=1 (mod n), GCD(a,n)=1

 must exist for m = ø(n) but may be smaller

 once powers reach m, cycle will repeat

 if smallest is m = ø(n) then a is called a primitive root

 if p is prime, then successive powers of a "generate" the group mod p

 these are useful but relatively hard to find

Discrete Logarithms

 the inverse problem to exponentiation is to find the discrete logarithm of a number modulo p

 that is to find x such that y = gx (mod p)

 this is written as x = logg y (mod p)

 if g is a primitive root then it always exists, otherwise it may not, eg.

x = log3 4 mod 13 has no answer

x = log2 3 mod 13 = 4 by trying successive powers

 whilst exponentiation is relatively easy, finding discrete logarithms is generally a hard problem


 have considered:

 prime numbers

 Fermat’s and Euler’s Theorems & ø(n)

 Primality Testing

 Chinese Remainder Theorem

 Discrete Logarithms

Key Terms
bijection Euler's theorem order

composite number Euler's totient function prime number

Chinese remainder theorem Fermat's theorem primitive root

discrete logarithm index

Review Questions

1 What is a prime number?

2 What is the meaning of the expression a divides b?

3 What is Euler's totient function?

4 The Miller-Rabin test can determine if a number is not prime but cannot determine if a number is
prime. How can such an algorithm be used to test for primality?

5 What is a primitive root of a number?

6 What is the difference between an index and a discrete logarithm?

Chapter 3: Confidentiality Using Symmetric Encryption


 In a distributed environment, encryption devices can be placed to support either link encryption or
end-to-end encryption. With link encryption, each vulnerable communications link is equipped on
both ends with an encryption device. With end-to-end encryption, the encryption process is carried
out at the two end systems.
 Even if all traffic between users is encrypted, a traffic analysis may yield information of value to an
opponent. An effective countermeasure is traffic padding, which involves sending random bits during
periods when no encrypted data are available for transmission.
 Key distribution is the function that delivers a key to two parties who wish to exchange secure
encrypted data. Some sort of mechanism or protocol is needed to provide for the secure distribution
of keys.
 Key distribution often involves the use of master keys, which are infrequently used and are long
lasting, and session keys, which are generated and distributed for temporary use between two parties.
 A capability with application to a number of cryptographic functions is random or pseudorandom
number generation. The principle requirement for this capability is that the generated number stream
be unpredictable.

Confidentiality using Symmetric Encryption

 traditionally symmetric encryption is used to provide message confidentiality

Placement of Encryption

 have two major placement alternatives

 link encryption

 encryption occurs independently on every link

 implies must decrypt traffic between links

 requires many devices, but paired keys

 end-to-end encryption

 encryption occurs between original source and final destination

 need devices at each end with shared keys

 when using end-to-end encryption must leave headers in clear

 so network can correctly route information

 hence although contents protected, traffic pattern flows are not

 ideally want both at once

 end-to-end protects data contents over entire path and provides authentication

 link protects traffic flows from monitoring

 can place encryption function at various layers in OSI Reference Model

 link encryption occurs at layers 1 or 2

 end-to-end can occur at layers 3, 4, 6, 7

 as move higher less information is encrypted but it is more secure though more complex with
more entities and keys

Encryption vs Protocol Level

Key Distribution

 symmetric schemes require both parties to share a common secret key

 issue is how to securely distribute this key

 often secure system failure due to a break in the key distribution scheme

 given parties A and B have various key distribution alternatives:

 A can select key and physically deliver to B

 third party can select & deliver key to A & B

 if A & B have communicated previously can use previous key to encrypt a new key

 if A & B have secure communications with a third party C, C can relay key between A & B

Key Hierarchy

 typically have a hierarchy of keys

 session key

 temporary key

 used for encryption of data between users

 for one logical session then discarded

 master key

 used to encrypt session keys

 shared by user & key distribution center

Key Distribution Scenario

Key Distribution Issues

 hierarchies of KDC’s required for large networks, but must trust each other

 session key lifetimes should be limited for greater security

 use of automatic key distribution on behalf of users, but must trust system

 use of decentralized key distribution

 controlling key usage

Random Numbers

 many uses of random numbers in cryptography

 nonces in authentication protocols to prevent replay

 session keys

 public key generation

 keystream for a one-time pad

 in all cases its critical that these values be

 statistically random, uniform distribution, independent

 unpredictability of future values from previous values

Pseudorandom Number Generators (PRNGs)

 often use deterministic algorithmic techniques to create “random numbers”

 although are not truly random

 can pass many tests of “randomness”

 known as “pseudorandom numbers”

 created by “Pseudorandom Number Generators (PRNGs)”

Linear Congruential Generator

 common iterative technique using:

Xn+1 = (aXn + c) mod m

 given suitable values of parameters can produce a long random-like sequence

 suitable criteria to have are:

 function generates a full-period

 generated sequence should appear random

 efficient implementation with 32-bit arithmetic

 note that an attacker can reconstruct sequence given a small number of values

 have possibilities for making this harder

Using Block Ciphers as PRNGs

 for cryptographic applications, can use a block cipher to generate random numbers
 often for creating session keys from master key

 Counter Mode

Xi = EKm[i]

 Output Feedback Mode

Xi = EKm[Xi-1]


Blum Blum Shub Generator

 based on public key algorithms

 use least significant bit from iterative equation:

 xi = xi-12 mod n

 where n=p.q, and primes p,q=3 mod 4

 unpredictable, passes next-bit test

 security rests on difficulty of factoring N

 is unpredictable given any run of bits

 slow, since very large numbers must be used

 too slow for cipher use, good for key generation

Natural Random Noise

 best source is natural randomness in real world

 find a regular but random event and monitor

 do generally need special h/w to do this

 eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors,
mercury discharge tubes etc

 starting to see such h/w in new CPU's

 problems of bias or uneven distribution in signal

 have to compensate for this when sample and use

 best to only use a few noisiest bits from each sample

Published Sources

 a few published collections of random numbers

 Rand Co, in 1955, published 1 million numbers

 generated using an electronic roulette wheel

 has been used in some cipher designs cf Khafre

 earlier Tippett in 1927 published a collection

 issues are that:

 these are limited

 too well-known for most uses


 use and placement of symmetric encryption to protect confidentiality

 need for good key distribution

 use of trusted third party KDC’s

 random number generation issues

Key Terms
Blum, Blum, Shub generator linear congruential session key

covert channel link encryption skew

deskewing master key traffic padding

end-to-end encryption nonce true random number generator

key distribution pseudorandom number wiring closet

generator (PRNG)
key distribution center (KDC)

Review Questions

1 For a user workstation in a typical business environment, list potential locations for confidentiality

2 What is the difference between link and end-to-end encryption?

3 What types of information might be derived from a traffic analysis attack?

4 What is traffic padding and what is its purpose?

5 List ways in which secret keys can be distributed to two communicating parties.

6 What is the difference between a session key and a master key?

7 What is a nonce?

8 What is a key distribution center?

9 What is the difference between statistical randomness and unpredictability?

Chapter 4: Public-Key Cryptography and RSA


 Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed
using the different keysone a public key and one a private key. It is also known as public-key
 Asymmetric encryption transforms plaintext into ciphertext using a one of two keys and an
encryption algorithm. Using the paired key and a decryption algorithm, the plaintext is recovered
from the ciphertext.
 Asymmetric encryption can be used for confidentiality, authentication, or both.
 The most widely used public-key cryptosystem is RSA. The difficulty of attacking RSA is based on
the difficulty of finding the prime factors of a composite number.

Private-Key Cryptography

 traditional private/secret/single key cryptography uses one key

 shared by both sender and receiver

 if this key is disclosed communications are compromised

 also is symmetric, parties are equal

 hence does not protect sender from receiver forging a message & claiming is sent by sender

Public-Key Cryptography

 probably most significant advance in the 3000 year history of cryptography

 uses two keys – a public & a private key

 asymmetric since parties are not equal

 uses clever application of number theoretic concepts to function

 complements rather than replaces private key crypto

Why Public-Key Cryptography?

 developed to address two key issues:

 key distribution – how to have secure communications in general without having to trust a
KDC with your key
 digital signatures – how to verify a message comes intact from the claimed sender

 public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976

 known earlier in classified community

Public-Key Cryptography

 public-key/two-key/asymmetric cryptography involves the use of two keys:

 a public-key, which may be known by anybody, and can be used to encrypt messages, and
verify signatures

 a private-key, known only to the recipient, used to decrypt messages, and sign (create)

 is asymmetric because

 those who encrypt messages or verify signatures cannot decrypt messages or create
Public-Key Characteristics

 Public-Key algorithms rely on two keys where:

 it is computationally infeasible to find decryption key knowing only algorithm & encryption

 it is computationally easy to en/decrypt messages when the relevant (en/decrypt) key is


 either of the two related keys can be used for encryption, with the other used for decryption
(for some algorithms)
Public-Key Cryptosystems

Public-Key Cryptosystem: Authentication and Secrecy

Public-Key Applications

 can classify uses into 3 categories:

 encryption/decryption (provide secrecy)

 digital signatures (provide authentication)

 key exchange (of session keys)

 some algorithms are suitable for all uses, others are specific to one
Applications for Public-Key Cryptosystems

Algorithm Encryption/Decryption Digital Signature Key Exchange

RSA Yes Yes Yes

Elliptic Curve Yes Yes Yes

Diffie-Hellman No No Yes

DSS No Yes No

Security of Public Key Schemes

 like private key schemes brute force exhaustive search attack is always theoretically possible

 but keys used are too large (>512bits)

 security relies on a large enough difference in difficulty between easy (en/decrypt) and hard
(cryptanalyse) problems

 more generally the hard problem is known, but is made hard enough to be impractical to break

 requires the use of very large numbers

 hence is slow compared to private key schemes


 by Rivest, Shamir & Adleman of MIT in 1977

 best known & widely used public-key scheme

 based on exponentiation in a finite (Galois) field over integers modulo a prime

 nb. exponentiation takes O((log n)3) operations (easy)

 uses large integers (eg. 1024 bits)

 security due to cost of factoring large numbers

 nb. factorization takes O(e log n log log n) operations (hard)

RSA Key Setup

 each user generates a public/private key pair by:

 selecting two large primes at random - p, q

 computing their system modulus n=p.q

 note ø(n)=(p-1)(q-1)

 selecting at random the encryption key e

• where 1<e<ø(n), gcd(e,ø(n))=1

 solve following equation to find decryption key d

 e.d=1 mod ø(n) and 0≤d≤n

 publish their public encryption key: PU={e,n}

 keep secret private decryption key: PR={d,n}


 to encrypt a message M the sender:

 obtains public key of recipient PU={e,n}

 computes: C = Me mod n, where 0≤M<n

 to decrypt the ciphertext C the owner:

 uses their private key PR={d,n}

 computes: M = Cd mod n

 note that the message M must be smaller than the modulus n (block if needed)

Why RSA Works

 because of Euler's Theorem:

 aø(n)mod n = 1 where gcd(a,n)=1

 in RSA have:

 n=p.q

 ø(n)=(p-1)(q-1)

 carefully chose e & d to be inverses mod ø(n)

 hence e.d=1+k.ø(n) for some k

 hence :
Cd = Me.d = M1+k.ø(n) = M1.(Mø(n))k

= M1.(1)k = M1 = M mod n

RSA Example - Key Setup

1. Select primes: p=17 & q=11

2. Compute n = pq =17 x 11=187

3. Compute ø(n)=(p–1)(q-1)=16 x 10=160

4. Select e: gcd(e,160)=1; choose e=7

5. Determine d: de=1 mod 160 and d < 160 Value is d=23 since 23x7=161= 10x160+1

6. Publish public key PU={7,187}

7. Keep secret private key PR={23,187}

RSA Example - En/Decryption

 sample RSA encryption/decryption is:

 given message M = 88 (nb. 88<187)

 encryption:

C = 887 mod 187 = 11

 decryption:

M = 1123 mod 187 = 88


 can use the Square and Multiply Algorithm

 a fast, efficient algorithm for exponentiation

 concept is based on repeatedly squaring base

 and multiplying in the ones that are needed to compute the result

 look at binary representation of exponent

 only takes O(log2 n) multiples for number n

 eg. 75 = 74.71 = 3.7 = 10 mod 11

 eg. 3129 = 3128.31 = 5.3 = 4 mod 11

c = 0; f = 1

for i = k downto 0

do c = 2 x c

f = (f x f) mod n

if bi == 1 then


f = (f x a) mod n

return f

Efficient Encryption

 encryption uses exponentiation to power e

 hence if e small, this will be faster

 often choose e=65537 (216-1)

 also see choices of e=3 or e=17

 but if e too small (eg e=3) can attack

 using Chinese remainder theorem & 3 messages with different modulii

 if e fixed must ensure gcd(e,ø(n))=1

 ie reject any p or q not relatively prime to e

Efficient Decryption

 decryption uses exponentiation to power d

 this is likely large, insecure if not

 can use the Chinese Remainder Theorem (CRT) to compute mod p & q separately. then combine to
get desired answer

 approx 4 times faster than doing directly

 only owner of private key who knows values of p & q can use this technique

RSA Key Generation

 users of RSA must:

 determine two primes at random - p, q

 select either e or d and compute the other

 primes p,q must not be easily derived from modulus n=p.q

 means must be sufficiently large

 typically guess and use probabilistic test

 exponents e, d are inverses, so use Inverse algorithm to compute the other

RSA Security

Four possible approaches to attacking the RSA algorithm are as follows:

 Brute force: This involves trying all possible private keys.

 Mathematical attacks: There are several approaches, all equivalent in effort to factoring the product
of two primes.
 Timing attacks: These depend on the running time of the decryption algorithm.
 Chosen ciphertext attacks: This type of attack exploits properties of the RSA algorithm.

The defense against the brute-force approach is the same for RSA as for other cryptosystems, namely, use a
large key space. Thus, the larger the number of bits in d, the better. However, because the calculations
involved, both in key generation and in encryption/decryption, are complex, the larger the size of the key, the
slower the system will run.

In this subsection, we provide an overview of mathematical and timing attacks.

The Factoring Problem

We can identify three approaches to attacking RSA mathematically:

 Factor n into its two prime factors. This enables calculation of f(n) = (p 1) x (q 1), which, in turn,
enables determination of d e1 (mod f(n)).
 Determine f(n) directly, without first determining p and q. Again, this enables determination of d e1
(mod f(n)).
 Determine d directly, without first determining f(n).

Timing Attacks

 developed by Paul Kocher in mid-1990’s

 exploit timing variations in operations

 eg. multiplying by small vs large number

 or IF's varying which instructions executed

 infer operand size based on time taken

 RSA exploits time taken in exponentiation

 countermeasures

 Constant exponentiation time: Ensure that all exponentiations take the same amount of time
before returning a result. This is a simple fix but does degrade performance.
 Random delay: Better performance could be achieved by adding a random delay to the
exponentiation algorithm to confuse the timing attack. Kocher points out that if defenders
don't add enough noise, attackers could still succeed by collecting additional measurements to
compensate for the random delays.
 Blinding: Multiply the ciphertext by a random number before performing exponentiation.
This process prevents the attacker from knowing what ciphertext bits are being processed
inside the computer and therefore prevents the bit-by-bit analysis essential to the timing

Chosen Ciphertext Attacks

• RSA is vulnerable to a Chosen Ciphertext Attack (CCA)

• attackers chooses ciphertexts & gets decrypted plaintext back

• choose ciphertext to exploit properties of RSA to provide info to help cryptanalysis

• can counter with random pad of plaintext

• or use Optimal Asymmetric Encryption Padding (OASP)

Encryption Using Optimal Assymetric Encryption Padding (OAEP)


 have considered:

 principles of public-key cryptography

 RSA algorithm, implementation, security

Key Terms
chosen ciphertext attack (CCA) public key cryptography

digital signature public key cryptosystems

key exchange public key encryption

one-way function RSA

optimal asymmetric encryption padding (OAEP) time complexity

private key timing attack

public key trapdoor one-way function

Review Questions

1 What are the principal elements of a public-key cryptosystem?

2 What are the roles of the public and private key?

3 What are three broad categories of applications of public-key cryptosystems?

4 What requirements must a public key cryptosystems fulfill to be a secure algorithm?

5 What is a one-way function?

6 What is a trapdoor one-way function?

7 Describe in general terms an efficient procedure for picking a prime number.