04 Public Key Cryptography RSA

Public-key Cryptography: RSA
Tjark Weber
Cryptology
April 12, 2013
Tjark Weber (UU)
1 / 31
Lab 1
Lab 1
Lab 1 Deadline
Thanks to all who submitted their solution to part (a) of the first lab!
The deadline for parts (b) and (c) is this Thursday, April 18.
Start working on these parts todaydont wait until the last minute!
Ciphertexts are available in the Student Portal.
Contact jean-noel.monette@it.uu.se if you have any questions.
Tjark Weber (UU)
2 / 31
Exercise Solutions
Exercise Solutions
Tjark Weber (UU)
3 / 31
Exercise Solutions
Exercise Solutions
Exercise Solutions
Describe a chosen plaintext attack on the Hill cipher (assuming m is

known). How many plaintext elements are necessary to determine the
key?
Tjark Weber (UU)
4 / 31
Exercise Solutions
Exercise Solutions (cntd.)
Discuss whether the classical block ciphers presented in the course

satisfy confusion or diffusion.
Tjark Weber (UU)
5 / 31
Exercise Solutions
Discuss whether the classical block ciphers presented in the course

satisfy confusion or diffusion.
Cipher
Shift
Substitution
Affine
Vigen`ere
Hill
Tjark Weber (UU)
Confusion
Diffusion
ek (x) = x + k
e (x) = (x)
e(a,b) (x) = ax + b
e(k1 ,...,km ) (x) = (x1 + k1 , . . . , xm + km )
ek (x) = xk
5 / 31
Exercise Solutions
Compute the encryption of the following plaintext

3243F6A8 885A308D 313198A2 E0370734
using the 128-bit key
2B7E1516 28AED2A6 ABF71588 09CF4F3C
under the (initial and) first round of AES.
Tjark Weber (UU)
6 / 31
Tjark Weber (UU)
7 / 31
Symmetric-key Cryptography
Symmetric-key Cryptography
All ciphers that we have discussed so far are symmetric-key ciphers: the
same key is used for encryption and decryption. In effect, the key is a
shared secret between Alice and Bob.
Major drawback: Alice and Bob first need to communicate the key via a
secure channel.
Tjark Weber (UU)
8 / 31
Diffie-Hellman Key Exchange

The Diffie-Hellman key exchange protocol (1976) allows two parties to
jointly establish a shared secret key over an insecure communication
channel.
Alice
Bob
Common paint
+
Secret colors
Public transport
(assume
that mixture separation
is expensive)
+
Secret colors
=
6
Tjark Weber (UU)
=
Shared secret
9 / 31

The Diffie-Hellman key exchange protocol (1976) allows two parties to
jointly establish a shared secret key over an insecure communication
channel.
Alice
Bob
g
m
Generator
Modulus
g
m
+
a
=
Secret numbers
+
b
=
ga mod m
gb mod m
Public transport
(assume
that discrete logarithm
is expensive)
ga mod m
gb mod m
+
5
Tjark Weber (UU)
a
=
+
Secret numbers
b
=
a
b
(g b) mod m Shared secret (g a ) mod m
9 / 31
Public-key Cryptography
Public-key Cryptography
A public-key cryptosystem uses two separate keys: an encryption key
(public key), and a corresponding decryption key (private key). Only the
private key must be kept secret.
Tjark Weber (UU)
10 / 31
Public-key Communication
Public-key Communication
1
2
3
4
Bob generates a key pair, consisting of a public and a private key.

Bob publishes his public key, e.g., in a key directory.
Alice retrieves Bobs public key and uses it to encrypt the plaintext.
Bob uses his private key to decrypt the ciphertext.
Tjark Weber (UU)
11 / 31
A Brief History
A Brief History
The first public-key cryptosystems were developed by James Ellis et al. at

the Government Communications Headquarters (GCHQ) in the UK in
1970. This work was not released until 1997.
In 1976, Whitfield Diffie and Martin Hellman (Stanford U.), influenced by
Ralph Merkle, published a public-key algorithm that is now known as
Diffie-Hellman key exchange.
In 1978, Ron Rivest, Adi Shamir and Leonard Adleman (MIT), published a
public-key algorithm that can be used for encryption and digital message
signing. Their algorithm, now known as RSA, has become the most
widely-used public-key algorithm in the world.
Tjark Weber (UU)
12 / 31
Chosen Plaintext Attacks
Chosen Plaintext Attacks
Public-key encryption allows chosen plaintext attacks: an attacker, having

access to the public key, can encrypt just like everyone else.
Upon observing a ciphertext y , the attacker can (in principle) encrypt each
possible plaintext x until he finds one such that y = ek (x).
Consequently, we can only hope for computational security (rather than
perfect secrecy) of public-key cryptosystems.
Tjark Weber (UU)
13 / 31
Trapdoor One-way Functions
Trapdoor One-way Functions
Encryption should be easy (i.e., polynomial-time computable), given the

public key. Decryption should be hard without the private key.
A one-way function is a function that is easy to compute on every input,
but hard to invert for the image of a random input.
However, given the private key, decryption should be easy.

A trapdoor function is a one-way function that is easy to invert if one is
given additional information, the trapdoor.
Tjark Weber (UU)
14 / 31
The Integer Factorisation Problem
The Integer Factorisation Problem
It is an open problem whether one-way functions exist. (If so, then

P 6= NP.) Public-key cryptosystems use a variety of functions that are
believed to be one-way.
RSA relies on the integer factorisation problem: given to primes p and q,

their product p q is easy to compute. But no feasible (i.e., polynomialtime) algorithm is known that could factor an arbitrary product p q.
Hence, multiplication of primes is believed to be a one-way function.
Tjark Weber (UU)
15 / 31
Modular Exponentiation
Modular Exponentiation
Let e, m be positive integers. Define f : Zm Zm by f (x) := x e mod m.

f (x) can be computed efficiently using the square-and-multiply algorithm
(see next slide).
On the other hand, solving y = x e mod m for x (i.e., computing the e-th
root of y modulo m) is thought to be hard. This is known as the RSA
problem.
Hence, modular exponentiation is believed to be a one-way function.
Tjark Weber (UU)
16 / 31
Modular Exponentiation: Square-and-Multiply
Modular Exponentiation: Square-and-Multiply

Precondition: e 0, m > 0
function sqm(x, e, m)
r := 1
while e > 0 do
if e is odd then r := (r x) mod m endif
e := e div 2
x := (x x) mod m
done
return r
Postcondition: r = x e mod m
Exercise:
Use the square-and-multiply algorithm to compute 35 mod 7.
Tjark Weber (UU)
17 / 31
Towards RSA
Towards RSA
Suppose we want to use f (x) := x e mod m as encryption function.

1
In general, f is not one-to-one. We must choose e and m so that

decryption becomes possible.
Moreover, computing the e-th root modulo m is thought to be hard.

We need a trapdoor that makes decryption feasible. Also, it should be
hard to compute this trapdoor from e and m.
Tjark Weber (UU)
18 / 31
Fermats Little Theorem
Fermats Little Theorem
RSA relies on Fermats little theorem (Pierre de Fermat, 1640):

For any integer x and prime p, x p x (mod p).
Equivalently, for any integer x and prime p such that x 6 0 (mod p),
x p1 1 (mod p).
For fixed base, modular exponentiation (mod p) as a function of the

exponent is periodic, with period (at most) p 1.
Tjark Weber (UU)
19 / 31
The RSA Cipher
The RSA Cipher

Let m = pq, where p and q are (large) distinct primes. Let P = C = Zm ,
and define K = {(m, d, e) | d e 1 (mod (p 1)(q 1))}.
For k = (m, d, e), define
ek (x) = x e mod m
and
dk (y ) = y d mod m
(x, y Zm ).
The values m and e comprise the public key. The values m and d
comprise the private key.
Tjark Weber (UU)
20 / 31
RSA: Proof of Correctness

!
x = dk (ek (x))
Tjark Weber (UU)
21 / 31

!
x = dk (ek (x)) = (x e mod m)d mod m = x de mod pq :
Tjark Weber (UU)
21 / 31

!

Because p and q are distinct primes, it suffices to show x de x (mod p)
and x de x (mod q).
Tjark Weber (UU)
21 / 31

!

and x de x (mod q).
Wlog., assume x 6 0 (mod p).
Tjark Weber (UU)
21 / 31

!

and x de x (mod q).
Since de 1 (mod (p 1)(q 1)), there is a non-negative integer h such
that de 1 = h(p 1)(q 1). Now
x de = x de1 x = x h(p1)(q1) x = (x p1 )h(q1) x
Fermats little theorem
Tjark Weber (UU)
1h(q1) x (mod p) = x.
21 / 31

!

and x de x (mod q).
Since de 1 (mod (p 1)(q 1)), there is a non-negative integer h such
that de 1 = h(p 1)(q 1). Now
x de = x de1 x = x h(p1)(q1) x = (x p1 )h(q1) x
Fermats little theorem
1h(q1) x (mod p) = x.
The proof for x de x (mod q) is analogous.

Tjark Weber (UU)
21 / 31
RSA: Key Generation
RSA: Key Generation
Choose two (large) distinct prime numbers p and q.

Choose a large random number and test for primality. Repeat.
Compute m = pq.
Compute = (p 1)(q 1).
Choose an integer e such that 1 < e < and gcd(e, ) = 1.

In practice, e is chosen before p and q. Often, e = 65537.
Compute d = e 1 mod .
The extended Euclidean algorithm computes gcd(e, ) and d.
Publish m and e. Keep d private.
Tjark Weber (UU)
22 / 31
RSA: Example
RSA: Example
1
Bob chooses p = 5 and q = 11.
He computes m = pq = 55.
He also computes = (p 1)(q 1) = 40.
He chooses e = 3.
Using the extended Euclidean algorithm, he verifies that

gcd(e, ) = 1, and computes d = e 1 mod = 27.
Bob publishes m = 55 and e = 3 as his public key.
Tjark Weber (UU)
23 / 31
RSA: Example
RSA: Example
1
He chooses e = 3.

Alice wants to send a message, say x = 14, to Bob.
She uses his public key to encrypt: ek (14) = 143 mod 55 = 49.
Tjark Weber (UU)
23 / 31
RSA: Example
RSA: Example
1
He chooses e = 3.

Alice wants to send a message, say x = 14, to Bob.
She uses his public key to encrypt: ek (14) = 143 mod 55 = 49.
Bob receives the ciphertext and uses his private key (m = 55, d = 27)
to decrypt: dk (49) = 4927 mod 55 = 14.
Tjark Weber (UU)
23 / 31
Cryptanalysis of RSA
Cryptanalysis of RSA
Security of RSA relies on the (unproven) conjecture that both the integer
factorisation problem and the RSA problem are computationally hard. A
polynomial-time quantum factorisation algorithm is known.
There are a number of attacks against plain RSA: notably, an attacker can
simply try likely plaintexts. To prevent this and other attacks, RSA in
practice employs random padding of the message.
p, q, e, and d need to satisfy additional requirements; otherwise, specific
number-theoretic attacks (e.g., algorithms that can factor certain numbers
in polynomial time) are known.
Side-channel attacks on RSA implementations are known that determine
the private key, e.g., by carefully measuring decryption time.
Tjark Weber (UU)
24 / 31
Key Size and Integer Factorisation Records
Key Size and Integer Factorisation Records

The key size for RSA refers to the bit size of the modulus. A brute-force
attack is possible (in principle), but not necessary: an attacker can instead
try to factor the modulus.
Number
RSA-100
RSA-129
RSA-155
RSA-576
RSA-200
RSA-768
Bits
330
426
512
576
663
768
Factored in
1991
1994
1999
2003
2005
2009
NIST key management guidelines suggest that 15360-bit RSA keys are
equivalent in strength to 256-bit symmetric keys.
Tjark Weber (UU)
25 / 31
Comparison Symmetric-key/Public-key
Comparison Symmetric-key/Public-key
Feature
Number of keys
Types of keys
Typical key size
Relative speed
Tjark Weber (UU)
Symmetric-key
1
secret
50-250 bits
faster
Public-key
2 (related)
public, secret
500-4500 bits
slower (by a factor of 1, 000)
26 / 31
Hybrid Cryptosystems
Hybrid Cryptosystems
A hybrid cryptosystem consists of a key encapsulation scheme, which

is a public-key cryptosystem, and a data encapsulation scheme, which is
a symmetric-key cryptosystem.
The key encapsulation scheme is used to transmit an (encrypted, secret)
symmetric key between Alice and Bob. This key is then used with the data
encapsulation scheme to encrypt the actual message.
Hybrid cryptosystems combine the convenience of a public-key
cryptosystem with the efficiency of a symmetric-key cryptosystem.
Tjark Weber (UU)
27 / 31
Digital Signatures
Digital Signatures
A digital signature is a mathematical scheme for demonstrating the
authenticity of a digital message.
Tjark Weber (UU)
28 / 31
RSA: Digital Signatures
RSA: Digital Signatures

RSA has the property that ek (dk (x)) = x. This allows it to be used for
signing.
The basic idea is as follows:
1
Alice computes a hash, h(x), of her message x.
She decrypts h(x), using her own private key.
She then sends both x and dk (h(x)) to Bob.
Bob computes h(x). Independently, he encrypts dk (h(x)), using

Alices public key.
If the message was not altered, the encrypted signature will be

equal to h(x).
Tjark Weber (UU)
29 / 31
Exercises
Exercises
Tjark Weber (UU)
30 / 31
Exercises
Exercises
Exercises
For m = pq, where p and q are distinct primes, define
(m) =
(p 1)(q 1)
gcd(p 1, q 1)
Suppose that we modify the RSA cryptosystem by requiring that

d e 1
(mod (m))
Prove that encryption and decryption are still inverse operations in

this modified cryptosystem.
If p = 37, q = 79, and e = 7, compute d in this modified

cryptosystem, as well as in the original RSA cryptosystem.
Tjark Weber (UU)
31 / 31

04 Public Key Cryptography RSA

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

04 Public Key Cryptography RSA

Uploaded by

Copyright:

Available Formats

Public-key Cryptography: RSA

Tjark Weber (UU)

Public-key Cryptography: RSA

Tjark Weber (UU)

Public-key Cryptography: RSA

Tjark Weber (UU)

Public-key Cryptography: RSA

Describe a chosen plaintext attack on the Hill cipher (assuming m is

Tjark Weber (UU)

Public-key Cryptography: RSA

Exercise Solutions (cntd.)

Exercise Solutions (cntd.)

Discuss whether the classical block ciphers presented in the course

Tjark Weber (UU)

Public-key Cryptography: RSA

Exercise Solutions (cntd.)

Exercise Solutions (cntd.)

Discuss whether the classical block ciphers presented in the course

Tjark Weber (UU)

Public-key Cryptography: RSA

Exercise Solutions (cntd.)

Exercise Solutions (cntd.)

Compute the encryption of the following plaintext

Tjark Weber (UU)

Public-key Cryptography: RSA

Public-key Cryptography: RSA

Public-key Cryptography: RSA

Tjark Weber (UU)

Public-key Cryptography: RSA

Public-key Cryptography: RSA

Public-key Cryptography: RSA

Public-key Cryptography: RSA

Diffie-Hellman Key Exchange

Diffie-Hellman Key Exchange

Tjark Weber (UU)

Public-key Cryptography: RSA

Public-key Cryptography: RSA

Diffie-Hellman Key Exchange

Diffie-Hellman Key Exchange

Tjark Weber (UU)

Public-key Cryptography: RSA

Public-key Cryptography: RSA

Tjark Weber (UU)

Public-key Cryptography: RSA

Public-key Cryptography: RSA

Bob generates a key pair, consisting of a public and a private key.

Tjark Weber (UU)

Public-key Cryptography: RSA

Public-key Cryptography: RSA

The first public-key cryptosystems were developed by James Ellis et al. at

Tjark Weber (UU)

Public-key Cryptography: RSA

Public-key Cryptography: RSA

Chosen Plaintext Attacks

Chosen Plaintext Attacks

Public-key encryption allows chosen plaintext attacks: an attacker, having

Tjark Weber (UU)

Public-key Cryptography: RSA

Public-key Cryptography: RSA

Trapdoor One-way Functions

Trapdoor One-way Functions

Encryption should be easy (i.e., polynomial-time computable), given the

However, given the private key, decryption should be easy.

Tjark Weber (UU)