Problems with symmetric (private-key) encryption1) secure distribution of keys

2) large number of keys

Solution to both problems: Public-key (asymmetric) encryption

plaintext ciphertext

encryption algorithm decryption algorithm

plaintext

keypub keypriv

D( E(message, kpub), kpriv) = message

Data transmission via public-key encryption

Every user maintains a unique pair of keys: one private and one public.

Public keys are available for anyone to use.

For Lena to send a message to Ole, she first encrypts using Ole’s public key. This ensuresthat only Ole will be able to read the message.

lena ole

Note that this preserves data confidentiality, but does not ensure authenticity.

pub priv

Public-key Encryption - the Concept

Computationally easy to generate a pair of keys -- (Kpub, Kpriv)

Computationally easy to encrypt -- E(plaintext, Kpub) ciphertext

Proposed in 1976 by Witfield Diffie & Martin Hellman

Necessary Properties

Computationally easy to decrypt -- D(ciphertext, Kpriv) plaintext

Computationally infeasible to determine Kpriv, even knowing E, D, and Kpub

Computationally infeasible to decrypt without Kpriv, even knowing E, D, and Kpub

An Additional Useful Property

Keys can be used in the opposite order for encryption/decryption --D( E(plaintext, Kpriv), Kpub) plaintext

Encryption Algorithm (apply to each part of the transmission)

• Begin with two large primes (p and q). • n = p*q (Note that n should be more than 200 digits - roughly 512 bits.)

• Select e relatively prime to (p-1)*(q-1).

E(message, e, n) = (messagee) mod n

• Select d so that (e*d) mod ((p-1)*(q-1)) = 1.

• public key: (e, n) private key: (d, n)

Decryption Algorithm (apply to each part of the transmission)D(message, d, n) = (messaged) mod n

Side note: (p-1)*(q-1) comes from Euler’s definition of totient

(n) = number of positive integers less than n that are relatively prime to n.

Rivest-Shamir-Adelman (1978) is the best known of current public-key encryption methods.

more theory: www. di-mgt.com.au/rsa_theory.html

Example (note that numbers are artificially small.)

HI MOM SEND

3 2 32 28 24 28 32 18 30 21 27 7 8 26 12 14 12 26 18 4 13 3

p = 2 q = 17

Therefore, n = p*q = 34

Select e = 3Note that (p-1)*(q-1) = 16. (3 and 16 are relatively prime.)

d = 11 because e*d = 3*11 = 33 and 33 mod 16 = 1

Treat alphabet as integers from zero, and include blank: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 23 25 26

H 77e mod n = 73 mod 34 = 3

to encipher H

I 88e mod n = 83 mod 34 = 2

to encipher I7 H3d mod n = 311 mod 34 = 7

to decipher 3

8 I2d mod n = 211 mod 34 = 8

to decipher 2

3 2 32 28 24 28 32 18 30 21 27

Issues1) The values of p, q, and (n) are not divulged.2) Cryptanalysis of RSA accomplished by finding the prime factors of a large number.3) Factoring is not known to be an NP problem, but the best known algorithms are exponential.4) To date no serious security flaws have been discovered.

Finding p and q• Verifying that p and q are prime requires testing potential factors.• A practical alternative (Solovay & Strassen algorithm) tests a number

to any desired probability of being prime.

RSA-100RSA-100 100100 332332 19911991 77 Quadratic SieveQuadratic Sieve

RSA-129RSA-129 129129 428428 19941994 50005000 Quadratic SieveQuadratic Sieve

RSA-130RSA-130 130130 431431 19961996 10001000 Generalized num field SieveGeneralized num field Sieve

RSA-155RSA-155 155155 512512 19991999 80008000 Generalized num field SieveGeneralized num field Sieve

dec.digits bits Year MIPS-yrs Attack/factoring Method

Key Size EffortCrack History

512 1024 1536 2048

104

108

1012

1016

1020

MIP

S-y

ears

req

uir

ed f

or f

acto

rin

g

Key Size (in bits)

• Another factoring method (Special Number Field Sieve) is faster.

• Key sizes of 1024 to 2048 appear to be safe for the near future.

Genera

l number

field sie

ve

Special number field sie

ve

Generally, the strength of a public-key algorithm depends upon key size.

Suppose Lena sends a very short message - say one byte

E( LenasByte, KOlePub ) encipheredByte

Suppose the man in the middle (Hagar) intercepts encipheredByte

How can Hagar discover LenasByte ?

Note: This particular vulnerability is unique to public-key cryptosystems.

Solution: Append random bits to otherwise short messages, making them longer.

Other Public-key CryptosystemsElliptic Curve Cryptography (ECC)

• several different ciphers• based upon cubic equations of the form: y2 +axy + by = x3 + cx2 + dx + e • appears to have computational speed advantages over RSA• “test of time”?

Efficient?• RSA can be as much as 10,00 times slower than symmetric algorithms (Multiplication used in place of bit manipulation and table lookup/indexing). • to improve computation: (a * b) mod n = [(a mod n) * (b mod n)] mod n

Diffie-Hellman Key Exchange• not a full system, but a key-exchange technique built on public key concept

Digital Signature Standard (DSS)• not a full system, but a technique for implementing digital signatures built on

public key concept

The additional property of RSA & elliptic curve ciphers: D(E(plaintext, kpub), kpriv) = plaintext

D(E(plaintext, kpriv), kpub) = plaintext

Confidential transmission1) Lena encrypts the message using Ole’s public key.2) The message from (1) is transmitted.3) Ole decrypts message using his private key.

lena ole

Confidential & Authenticated transmission1) Lena encrypts the message (or part of it) using her private key.2) Lena uses Ole’s public key to encrypt the result of (1).3) The message from (2) is transmitted.4) Ole decrypts the message with his private key.5) Ole decrypts the result of (4) (or appropriate part) with Lena’s public key.