Spring 2006
http://www.abo.fi/~ipetre/crypto/
Ion Petre
Academy of Finland and
Department of IT, Åbo Akademi University
April 6, 2006 1
Some unanswered questions on symmetric cryptosystems
A breakthrough idea
Rather than having a secret key that the two users must share, each user has two keys:
One key is secret and he is the only one who knows it
The other key is public and anyone who wishes to send him a message uses that key to encrypt the message
Diffie and Hellman first (publicly) introduced the idea in 1976 – this was radically different from all previous efforts
NSA claims to have known it since the mid-1960s!
Communications-Electronic Security Group (the British counterpart of NSA) documented the idea in a classified report in 1970
A word of warning
The idea of public-key cryptography
Essential steps in public-key encryption
Bob sends an encrypted message to Alice
Some notation
A first attack on the public-key scheme – authenticity
A scheme to authenticate the sender of the message
Encryption and authenticity
Secrecy and authentication using public-key schemes
Applications for public-key cryptosystems
Requirements for public-key cryptosystems
Designing a public-key cryptosystem
RSA
Motto for our introduction to Number Theory
The Devil said to Daniel Webster: "Set me a task I can't carry out, and I'll give you anything in the world you ask for."
Daniel Webster: "Fair enough. Prove that for n greater than 2, the equation a^n + b^n = c^n has no non-trivial solution in the integers."
They agreed on a three-day period for the labour, and the Devil disappeared.
At the end of three days, the Devil presented himself, haggard, jumpy, biting his lip. Daniel Webster said to him, "Well, how did you do at my task? Did you prove the theorem?"
"What? Oh, that—of course. But listen! If we could just prove the following two lemmas—"
—The Mathematical Magpie, Clifton Fadiman
Notions of number theory
Euler’s totient function
Euler's function associates to any positive integer n a number φ(n): the number of positive integers smaller than n and relatively prime to n
Example:
φ(37)=36
φ(p)=p-1, for any prime p
φ(35)=24: {1,2,3,4,6,8,9,11,12,13,16,17,18,19,22,23,24,26,27,29,31,32,33,34}
Easy to see that for any two distinct primes p,q, φ(pq)=(p-1)(q-1)
All numbers smaller than pq are relatively prime with pq except for the multiples of p (q-1 of them) and the multiples of q (p-1 of them)
Euler's theorem: for any relatively prime integers a,n we have a^φ(n) ≡ 1 mod n
Corollary: For any integers a,n we have a^(φ(n)+1) ≡ a mod n
Corollary: Let p,q be two odd primes and n=pq. Then:
φ(n)=(p-1)(q-1)
For any integer m with 0<m<n, m^((p-1)(q-1)+1) ≡ m mod n
For any integers k,m with 0<m<n, m^(k(p-1)(q-1)+1) ≡ m mod n
Back to RSA
Euler's theorem gives us numbers d,e such that M^(ed) ≡ M mod n
We have to choose d,e such that ed=kφ(n)+1, or equivalently, d ≡ e^(-1) mod φ(n)
Extended Euclid's algorithm!
The RSA scheme
Key generation
Choose two odd primes p,q – keep private
Compute n=pq – make public
Choose e, 1<e<φ(n) with gcd(φ(n),e)=1 – make public
Compute d ≡ e^(-1) mod φ(n) – keep private
Private key is {d,n}
Public key is {e,n}
Encryption
Plaintext: block of k bits, where 2^k<n≤2^(k+1) – can be considered a number M with M<n
Ciphertext: C=M^e mod n
Decryption:
Ciphertext: C
Plaintext: C^d mod n = M^(de) mod n = M
Example
Key generation
Select primes p=17, q=11
Compute n=pq=187
Compute φ(n)=(p-1)(q-1)=160
Select e=7
Compute d: d=23 (use the extended Euclid's algorithm)
KU={7,187}
KR={23,187}
Encryption
Encrypt M=88: 88^7 mod 187
88^7 mod 187 = [(88^4 mod 187)(88^2 mod 187)(88 mod 187)] mod 187 = 11
Decryption
Decrypt C=11: 11^23 mod 187
M = 11^23 mod 187 = [(11^16 mod 187)(11^4 mod 187)(11^2 mod 187)(11 mod 187)] mod 187
11^2 mod 187 = 121
11^4 mod 187 = 121^2 mod 187 = 55
11^8 mod 187 = 55^2 mod 187 = 33
11^16 mod 187 = 33^2 mod 187 = 154
M = 154 × 55 × 121 × 11 mod 187 = 88
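The key generation, encryption and decryption steps above, carried out in code on the slide's own toy values (p=17, q=11, e=7, M=88). This is an added example, not code from the lecture; the function names are mine, and d is obtained with the extended Euclidean algorithm the slides refer to.

```python
# Added example (not from the slides): RSA key generation, encryption and
# decryption on the slide's toy values p=17, q=11, e=7, M=88.
from math import gcd


def extended_euclid(a, b):
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(e, phi):
    """The d with e*d = 1 (mod phi); it only exists when gcd(e, phi) = 1."""
    g, x, _ = extended_euclid(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not coprime")
    return x % phi


def rsa_keygen(p, q, e):
    """Return (public key (e, n), private key (d, n)) for distinct odd primes."""
    n = p * q
    phi = (p - 1) * (q - 1)               # phi(pq) = (p-1)(q-1) for distinct primes
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    return (e, n), (mod_inverse(e, phi), n)


def rsa_encrypt(m, pub):
    """C = M^e mod n; the plaintext block M must be a number smaller than n."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message block must satisfy M < n")
    return pow(m, e, n)


def rsa_decrypt(c, priv):
    d, n = priv
    return pow(c, d, n)                   # M = C^d mod n = M^(de) mod n


if __name__ == "__main__":
    pub, priv = rsa_keygen(17, 11, 7)             # KU={7,187}, KR={23,187}
    c = rsa_encrypt(88, pub)                      # 11, as on the slide
    print(pub, priv, c, rsa_decrypt(c, priv))     # (7, 187) (23, 187) 11 88
```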
Computational aspects – RSA implementation
Fast modular exponentiation
Square-and-multiply algorithm
Input: n, x, b (b written in base 2 as (b_{k-1},…,b_1,b_0)), b≠0
Output: x^b mod n
1. z=1
2. for i=k-1 downto 0
3.   z=z^2 mod n
4.   if b_i=1 then z=z·x mod n
Complexity O(r^3), where r=[log_2 n]
Example: encrypt 9726 with KU={3533,11413}: 9726^3533 mod 11413
3533=(1,1,0,1,1,1,0,0,1,1,0,1) in base 2
Ciphertext: 5761
 i  b_i  z (all values reduced mod 11413)
11  1    9726
10  1    9726^2 × 9726 = 2659
 9  0    2659^2 = 5634
 8  1    5634^2 × 9726 = 9167
 7  1    9167^2 × 9726 = 4958
 6  1    4958^2 × 9726 = 7783
 5  0    7783^2 = 6298
 4  0    6298^2 = 4629
 3  1    4629^2 × 9726 = 10185
 2  1    10185^2 × 9726 = 105
 1  0    105^2 = 11025
 0  1    11025^2 × 9726 = 5761
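The square-and-multiply algorithm above as running code, returning the per-bit trace so the slide's table for 9726^3533 mod 11413 can be reproduced line by line. Added example, not from the lecture; function names are mine.

```python
# Added example (not from the slides): square-and-multiply with a trace of
# (i, b_i, z) after each loop iteration, matching the slide's table.


def square_and_multiply(x, b, n):
    """Return (x**b mod n, trace) with trace = [(i, b_i, z after step i), ...]."""
    if b <= 0 or n <= 1:
        raise ValueError("need b >= 1 and n >= 2")
    bits = bin(b)[2:]                   # b_{k-1} ... b_1 b_0, most significant first
    k = len(bits)
    z = 1                               # step 1
    trace = []
    for i in range(k - 1, -1, -1):     # step 2: for i = k-1 downto 0
        z = z * z % n                   # step 3: z = z^2 mod n (done for every bit)
        bi = int(bits[k - 1 - i])
        if bi == 1:                     # step 4: the extra multiply only when b_i = 1
            z = z * x % n
        trace.append((i, bi, z))
    return z, trace


def modexp(x, b, n):
    """Just the result x^b mod n."""
    return square_and_multiply(x, b, n)[0]


if __name__ == "__main__":
    result, trace = square_and_multiply(9726, 3533, 11413)
    for i, bi, z in trace:
        print(f"i={i:2d}  b_i={bi}  z={z}")
    print("ciphertext:", result)        # 5761, as on the slide
```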
Computational aspects – RSA implementation
Key generation
Miller-Rabin primality test
Fermat's little theorem: if p is prime and a is a positive integer not divisible by p, then a^(p-1) ≡ 1 mod p
Idea of the Miller-Rabin test:
We need to test if the odd integer n is prime
n-1 is even, i.e., of the form n-1=2^k·q, with k>0, q odd: k and q are easy to find
Choose an integer a such that 1<a<n-1
Compute modulo n the values a^(2^j·q), 0≤j≤k: a^q, a^(2q), …, a^(2^(k-1)·q), a^(2^k·q)
By Fermat's theorem, if n is prime, then the last value in the sequence is 1 – the sequence may have some other 1s; consider the first 1 in the sequence
Case 1: the first number in the sequence is 1
Case 2: some number a^(2^j·q) in the sequence is 1 – in this case a^(2^(j-1)·q) ≡ n-1 mod n
0 = (a^(2^j·q) – 1) mod n = (a^(2^(j-1)·q) – 1)(a^(2^(j-1)·q) + 1) mod n, i.e., n (being prime) divides (a^(2^(j-1)·q) – 1) or (a^(2^(j-1)·q) + 1)
Since we took the first 1 in the sequence, it follows that n divides (a^(2^(j-1)·q) + 1): a^(2^(j-1)·q) ≡ n-1 mod n
The test: if either the first element in the sequence is 1, or some other element is n-1, then n could be prime. Otherwise n is certainly not prime
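One round of the test just described, computing the sequence a^q, a^(2q), …, a^(2^k·q) mod n and applying the two cases, then repeated with several random bases. Added example, not from the lecture; the function names, the fixed seed (for reproducibility only) and the sample values 221 = 13·17 with bases 174 and 137 are my own.

```python
# Added example (not from the slides): Miller-Rabin as described above.
import random


def decompose(n):
    """Write n-1 = 2^k * q with q odd, for odd n > 2; returns (k, q)."""
    k, q = 0, n - 1
    while q % 2 == 0:
        k, q = k + 1, q // 2
    return k, q


def miller_rabin_round(n, a):
    """True if n 'could be prime' for base a, False if n is surely composite."""
    k, q = decompose(n)
    seq = [pow(a, q, n)]                       # a^q mod n
    for _ in range(k):                         # a^(2^j q), j = 1..k, by squaring
        seq.append(seq[-1] * seq[-1] % n)
    if seq[0] == 1:                            # Case 1: the first element is 1
        return True
    # Case 2: the element just before the first 1 must be n-1. If no element
    # before the last is n-1, either the last is not 1 (Fermat fails) or the
    # first 1 follows a value other than n-1: n cannot be prime.
    return any(v == n - 1 for v in seq[:-1])


def is_probable_prime(n, rounds=20, seed=2006):
    """Miller-Rabin with `rounds` random bases 1 < a < n-1."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = random.Random(seed)                  # fixed seed only for reproducibility
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if not miller_rabin_round(n, a):
            return False
    return True


if __name__ == "__main__":
    print(miller_rabin_round(221, 174))   # True: 174 is a strong liar for 221 = 13*17
    print(miller_rabin_round(221, 137))   # False: base 137 exposes 221 as composite
    print(is_probable_prime(187), is_probable_prime(11413), is_probable_prime(10007))
```

A composite such as 221 can pass a single round (base 174 above), which is why the test is repeated with fresh bases before n is accepted as a candidate prime.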
Computational aspects – RSA implementation
Key generation
Attacking RSA
Brute force attacks: try all possible private keys
As in the other cases, defend using large keys: nowadays integers between 1024 and 2048 bits
Mathematical attacks
Factor n into its two primes p,q: this is a hard problem for large n
Challenges by RSA Labs to factorize large integers
Smallest unsolved challenge: 704 bits
Determine φ(n) directly without first determining p,q: this math problem is equivalent to factoring
Determine d directly, without first determining φ(n): this is believed to be at least as difficult as factoring
Suggestions for design
The larger the keys, the better, but also the slower the algorithm
Choosing p,q badly may weaken the algorithm
p,q should differ in length by only a few bits: for a 1024-bit key, p,q should be on the order of magnitude 10^75 to 10^100
p-1 and q-1 should both contain a large prime factor
gcd(p-1,q-1) should be small
d should be larger than n^(1/4)
Attacks on RSA
Timing attacks: determine a private key by keeping track of how long a computer takes to decipher a message (ciphertext-only attack) – this is essentially an attack on the fast exponentiation algorithm but can be adapted for any other algorithm
Whenever a bit is 1 the algorithm has more computations to do and takes more time
Countermeasures:
Ensure that all exponentiations take the same time before returning a result: degrades the performance of the algorithm
Add some random delay: if there is not enough noise the attack succeeds
Blinding: multiply the ciphertext by a random number before performing the exponentiation – in this way the attacker does not know the input to the exponentiation algorithm. (implemented in the commercial products from RSA Data Security Inc.)
Decryption M=C^d mod n is modified as follows:
Generate a secret random number r between 0 and n-1
Compute C'=C·r^e mod n where e is the public exponent
Compute M'=C'^d mod n with the ordinary exponentiation
Compute M=M'·r^(-1) mod n
Reported performance penalty: 2 to 10%
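The blinding countermeasure above in code, beside the ordinary C^d mod n, checked on the slides' toy key (n=187, e=7, d=23). Added example, not from the lecture or from any vendor's product; the function names and the explicit gcd(r,n)=1 check (needed so that r^(-1) mod n exists) are my additions.

```python
# Added example (not from the slides): blinded RSA decryption as described
# above, next to the plain exponentiation it protects.
import math
import random


def rsa_decrypt_plain(c, d, n):
    """Ordinary decryption: the exponentiation runs directly on attacker-chosen C."""
    return pow(c, d, n)


def rsa_decrypt_blinded(c, d, e, n, rng=random.SystemRandom()):
    """Blinded decryption: the exponentiation only ever sees C*r^e for a secret r."""
    while True:
        r = rng.randrange(1, n)                # secret random r with 0 < r < n ...
        if math.gcd(r, n) == 1:                # ... that is invertible mod n
            break
    c_blind = c * pow(r, e, n) % n             # C' = C * r^e mod n
    m_blind = pow(c_blind, d, n)               # M' = C'^d = C^d * r^(ed) = M * r mod n
    return m_blind * pow(r, -1, n) % n         # M = M' * r^(-1) mod n  (Python >= 3.8)


def blinding_is_transparent(d, e, n):
    """Blinded and plain decryption must agree on every ciphertext in Z_n."""
    return all(rsa_decrypt_blinded(c, d, e, n) == rsa_decrypt_plain(c, d, n)
               for c in range(n))


if __name__ == "__main__":
    print(rsa_decrypt_blinded(11, 23, 7, 187))    # 88, as on the example slide
    print(blinding_is_transparent(23, 7, 187))    # True
```

The step M' = M·r mod n relies on r^(ed) ≡ r mod n, the corollary of Euler's theorem used to justify RSA decryption itself.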
Pseudo-random number generators
The most widely used technique is the linear congruential method (Lehmer 1951)
X_{n+1}=(aX_n+c) mod m
One should be very careful in choosing the constants a, c, m: a=c=1 is a bad choice!
The value of m should be as large as possible: usually close to 2^31, very often chosen to be the prime number 2^31-1; in this case one can take c=0
There are very few good choices for a: for m=2^31-1 only a handful of choices are advisable – very often used is a=7^5=16807
X_{n+1}=16807 X_n mod (2^31-1)
Using this in cryptography needs extra care:
If the attacker finds one single value, then he will be able to compute all subsequent values
Idea: restart the sequence often, using the clock as seed (initial value)
Cryptographically generated pseudo-random numbers
Another speed-up in RSA implementation