1

Lecture8

PublicKeyCryptography(Diffie-HellmanandRSA)

•  Asymmetric cryptography •  Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir-

Adleman) •  Two keys: private (SK), public (PK)

–  Encryption: with public key; –  Decryption: with private key –  Digital Signatures: Signing by private key; Verification by public key. i.e.,

“encrypt” message digest/hash -- h(m) -- with private key •  Authorship (authentication) •  Integrity: Similar to MAC •  Non-repudiation: can’t do with secret key cryptography

•  Much slower than conventional cryptography •  Often used together with conventional cryptography, e.g., to encrypt session keys

2

PublicKeyCryptography

PublicKeyCryptography

3

plaintext message, m

ciphertext encryption algorithm

decryption algorithm

Bob’s public key

plaintext message PK (m)

B

PK B Bob’s private key

SK B

m = SK (PK (m)) B B

4

KeyPre-distribution:Diffie-Hellman“NewDirectionsinCryptography”1976

*p

System wide parameters :p large prime,

a generator in Z

−

−

−

Alice's secret: v, public: mod

Bob's secret: w, public: mod

va

wb

y a p y a p

=

=

Alice has: mod

Bob has: mod

( ) mod

( ) mod

wb

vav

ab b

wba a

y a py a p

K y p

K y p

=

=

=

=

=

5

PublicKeyPre-distribution:Diffie-Hellman

SecurecommunicationwithKab

AlicecomputesKab

BobcomputesKab=Kba

Eveknows:p,a,yaandyb

6

PublicKeyPre-distribution:Diffie-Hellman

*

Diffie Hellman Problem:

:

mod mod

: mod

Discrete Log Problem::

mod:

p

v wa b

vw

va

p large prime, a generator in Z

Given

y a p and y a p

FIND a p

Given

y a p FIND v

−

− −

= =

=

7

PublicKeyPre-distribution:Diffie-HellmanDecision DH Problem:

mod , mod:

mod

v wa b

vwab

p large prime, a generatorGiven :

y a p y a pDistinguish

K a pfrom a random number!

− −

= =

=

• DHAssumption:DHproblemisHARD(notP)• DLAssumption:DLproblemisHARD(notP)• DDHAssumption:solvingDDHproblemisHARD(notP)

8

Interactive(Public)KeyExchange:Diffie-Hellman

Eveispassive…

pay va mod=

SecurecommunicationwithKab

Chooserandomv

pay wb mod= Choose

randomw,Compute

pyK waba mod)(=

Compute( ) modv

ab bK y p=

9

TheMan-in-the-Middle(MitM)Attack(assumeEveisanactiveadversary!)

pay va mod=

SecurecommunicationwithKab

Chooserandomv

pay wb mod=

Chooserandomw,Compute

pyK waba mod)(=

Compute( ) modv

ab bK y p=

10

RSA(1976-8)Let n = pq where p,q − large primese,d ∈R Zn and ed ≡ 1 mod Φ(n)

where : Φ(n)= (p−1)(q−1)= pq− p− q−1

Secrets : p,q,d

Publics : n,e

Encryption : message =m < n

E(x) = y =me mod nDecryption : ciphertext = y

D( y) = x ' = yd mod n

11

Whydoesitallwork?

x ∈ Zn*

xed = x1modΦ(n) mod n =

xc*Φ(n)+1 mod n = x

But, recall that: gΦ(n) =1 mod n (Lagrange)

12

Howdoesitallwork?

Example:p=17q=13n=221(p-1)(q-1)=192=34*2

picke=5,d=77Canwepick16?9?27?185?

x=5,E(x)=3125mod221=31

D(y)=3177=

6.83676142775442000196395599558e+114mod221=5

Example:p=5q=7n=35(p-1)(q-1)=24=3*23

picke=11,d=11

x=2, E(x)=2048mod35=18=y

y=18, D(y)=6.426841007923e+13mod35=2

13

WhyisitSecure?

Why:nhasuniquefactorsp,q

Givenpandq,computing(p-1)(q-1)iseasy:

UseextendedEuclidian!

Conjecture:breakingRSAispolynomiallyequivalenttofactoringnRecallthatnisvery,verylarge!

)(1 n mod ed Φ≡

14

ExponentiationCosts

•  Integermultiplication--O(b2)wherebisbit-sizeofthebase

•  Modularreduction--O(b2)

•  Thus,modularmultiplication--O(b2)

•  Modularexponentiation(asinRSA)--memodn

•  Naïvemethod:e-1modularproducts--O(b2*e)

•  BUTwhatifeislarge,(almost)aslargeasn?

•  LetL=|e|(e.g.,l=1024for1024-bitRSAexponent)•  Wecanassumebandlareveryclose,almostthesame

•  Square-and-multiplymethodworksinO(b3)time…O(b2*2l)

15

Square-and-Multiply

}}

n;temp% mtemp {

e[i] if n% temp

temptemp* { i0 i 1li for

1tempnsizeofl

=

=

=

=

−−>=−=

=

=

−−−−−−−−−−−−

;*)(

;;

);;(;

);(

n mod m compute :goal e

• Example1:e=100• Example2:e=10000000• Example3:e=11111111

Fromlefttorightine

16

SpeedingupRSADecryption

: C - RSA ciphertextmod( 1)

mod( 1)

compute:

mod

mod

and solve:mod

mod

p

q

p

q

dp

dq

p

q

Letd d pd d q

M C p

M C q

M M pM M q

= −

= −

=

=

=

=

)mod()]mod(

)mod([1

1

pqqppM

pqqMM

q

p

−

−

+

=

17

MoreonRSA•  Modulusnisuniqueperuserà

–  2ormorepartiescannotsharethesamen•  WhathappensifAliceandBobsharethesamemodulus?

–  Alicehas(e’,d’,n)andBob–(e”,d”,n)–  Alicewantstocomputed”(Bob’sprivatekey)–  Sheknowsthat:e’*d’=1modphi(n)–  So:e’*d’=k*phi(n)+1and:e’*d’-1=k*phi(n)–  Alicejustneedstocomputeinverseofe”modX

•  whereX=e’*d’–1=k*phi(n)•  let’scallthisinversed’”•  andrememberthat:d”’*e”=k’*k*phi(n)+1•  canwebesurethat:d”’=d”?

–  Isitpossiblethate”hasnoinversemodX?•  Yes,ife”=phi(n)orgcd(e”,k)>1butthisisvery,veryUNLIKELY!

–  Foralldecryptionpurposes,d”’isEQUIVALENTtod”–  SupposeEveencryptedforBob:C=(m)e”modn–  Alicecomputes:

Cd”’modn=me”d”’modn=(m)k’*k*phi(n)+1modn=m