Asymmetric-Key Cryptography Chapter 10 Asymmetric-Key Cryptography Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 1.#

Objectives To distinguish between two cryptosystems: symmetric-key and asymmetric-key To introduce trapdoor one-way functions and their use in asymmetric-key cryptosystems To introduce the knapsack cryptosystem as one of the first ideas in asymmetric-key cryptography To discuss the RSA cryptosystem To discuss the Rabin cryptosystem To discuss the ElGamal cryptosystem To discuss the elliptic curve cryptosystem

Symmetric Key and Asymmetric Key Ciphers Symmetric-key cryptosystems Key distribution is difficult Many keys are needed Fast and efficient Asymmetric-key cryptosystems Key distribution is easy Number of keys are less than symmetric-key cryptosystems Slower to encrypt and decrypt

Asymmetric Key Cryptosystem General idea Asymmetric key cryptography uses two separate keys: one private and one public

C = f (Kpublic , P) P = g(Kprivate , C) Asymmetric Key Cryptosystem General idea Public key should be distributed in a trusted way C = f (Kpublic , P) P = g(Kprivate , C)

Asymmetric Key Cryptosystem Hybrid of symmetric and public-key approaches Public key cryptosystem is used to distribute a session key (key for conventional cryptosystem) among peers. Conventional cryptosystem is used to encrypt/decrypt messages

Applications for PK Crypto Encryption/decryption: provides confidentiality The sender encrypts a message with the receiver’s public key. The receiver decrypts the ciphertext with his/her private key. Digital signature : provides authentication The sender signs a message with its private key. The receiver decrypts the ciphertext with the sender’s public key Key exchange Two parties cooperate to exchange a session key The sender generates a session key, and encrypts the session key with the receiver’s public key and sends to the receiver

Applications for PK Crypto Authentication using public-key cryptosystem

Applications for PK Crypto Confidentiality and authentication using public-key cryptosystem

Requirements of Asymmetric Key Cryptosystem For a secure public-key crypto system between Alice and Bob: 1. It’s computationally easy for Bob to generate a key pair. 2. It’s computationally easy for Alice to encrypt a message M generating ciphertext C. 3. It’s computationally easy for Bob to decrypt C. 4. It’s computionally infeasible for an Attacker knowing Bob’s public key to recover the private key. 5. It’s computionally infeasible for an Attacker knowing Bob’s public key to recover the original message.

RSA Cryptosystem RSA Developed by Rivest, Shamir, and Adleman Relies on the difficulty of factoring large numbers

RSA Cryptosystem Encryption and decryption in RSA

RSA Cryptosystem Relies on the difficulty of factoring large numbers Choose two large prime numbers, p and q Compute n = pq and z = (p-1)(q-1) Choose a number, e, less than n, which has no common factors (other than 1) with z. (e and z are relatively prime) Find a number, d, such that ed  1 (mod z) Public key : (n, e), private key : (n, d)

RSA Cryptosystem Encryption of a plaintext Mi Ci = Mie (mod n) Decryption of a ciphertext Ci Mi = Cid (mod n)

RSA Cryptosystem Proof: Cid (mod n) = (Mie )d (mod n) ; Ci = Mie (mod n) = Mied (mod n) ; (a b) c = a bc = Mikz+1 (mod n) ; ed  1 (mod z) and ed = kz+1 = MiMikz (mod n) ; ab+1 = aab = MiMik(p-1)(q-1) (mod n) ; z = (p-1)(q-1) = Mi Euler theorem: when p and q are prime, Mik(p-1)(q-1) (mod n) = 1

RSA Example Choose two primes p=47 and q=71. Then, n = pq = 3337, z = 46x70 = 3220 Choose e, relatively prime to z : (e.g.) e = 79 We need a d such that ed  1 (mod z), in other words, d = e-1 mod z : (e.g.) d = 79 -1 (mod 3220) = 1019 Public key: (3337,79), Private key: (3337,1019) Encrypt: 688 -> 68879 mod 3337 = 1570. Decrypt: 1570 -> 15701019 mod 3337 = 688

Optimal asymmetric encryption padding (OAEP) Short message attack When attacker knows the set of possible plaintexts are small, he can encrypt all of the possible plaintexts until getting the ciphertext OAEP Uses random message padding to protect against short message attack

Optimal asymmetric encryption padding (OAEP)

RSA Example Example 10.8 Choose a 512-bit p and q (a 159-digit number)

RSA Example Example 10.8 n = p x q, Φ(n) = (p − 1)(q − 1) are 309 digit numbers

RSA Example Example 10.8 When e = 35535, the inverse of e mod Φ(n), d, is

RSA Example Example 10.8 Public key = (e, n), Private key = (d, n) Encryption of “This is a test” C = Pe mod n

ElGamal Cryptosystem Depends on the difficulty of computing discrete logarithms Discrete logarithm problem q: prime number :  < q and a primitive root of q  {  mod q, 2 mod q, …, (q-1) mod q } generates all from 1 to (q-1) When YA = mod q, its difficult to find XA even if we know q, , and YA. XA 

ElGamal Cryptosystem Encryption and decryption in ElGamal p must be at least 300 digits and r must be new for each encryption 2

ElGamal Cryptosystem Example 10.10 Bob chooses p = 11 and e1 = 2, and d = 3 e2 = e1d = 8 Public key is (2, 8, 11) and the private key is 3 Encryption: Alice chooses r = 4 and calculates C1 and C2 for the plaintext 7 Decryption: Bob receives the ciphertexts (5 and 6) and calculates the plaintext Plaintext:

Elliptic Curve Cryptosystem ECC gives the same level of security with smaller key sizes than RSA or ElGamal General elliptic curve Cryptographic elliptic curves y2 mod p = (x3 + ax + b) mod p p is a prime number a and b : non-negative integers less than p and satisfy (4a3 + 27b2) mod p  0

Elliptic Curve Cryptosystem Example elliptic curves y2 = x3 − 1 y2 = x3 − 4x

Elliptic Curve Cryptosystem Elliptic group Ep(a,b) consists of the non-negative integers in the quadrant from (0,0) to (p,p) on the curve Example: E13(1, 1)

Elliptic Curve Cryptosystem Point at infinity O The sum of three points which are on the EC and lies on a straight line O is the additive identity O + O = O (x1, y1) + O = (x1, y1) (x1, y1) + (x1, -y1) = O

Elliptic Curve Cryptosystem Adding points: P(x1,y1), Q(x2,y2), R(x3,y3)  Ep(a,b) When x1  x2 , (x1, y1) + (x2, y2) = (x3, y3), where x3 = (2 - x1 - x2 ) mod p, y3 = ( (x1 – x3 ) - y1) mod p, and  = (y2 - y1) / (x2 - x1) mod p 2(x1, y1) = (x1, y1) + (x1, y1) = (x3, y3), where x3 = (2 - 2x1) mod p, y3 = ( (x1 – x3 ) - y1) mod p, and  = (3x12 + a) / (2y1) mod p d(x1, y1) = (x1, y1) + (x1, y1) + … + (x1, y1) ; repeat the sum d times

Elliptic Curve Cryptosystem Addition of two points on an elliptic curve

Elliptic Curve Cryptosystem Example 10.15 Let us add two points, R = P + Q, where P = (4, 2) and Q = (10, 6) λ = (6 − 2) × (10 − 4)−1 mod 13 = 4 × 6−1 mod 13 = 5 mod 13 x = (52 − 4 −10) mod 13 = 11 mod 13 y = [5 (4 −11) − 2] mod 13 = 2 mod 13 R = (11, 2)

Elliptic Curve Cryptosystem Cryptography using ECC Find an EC (find a modulus p and parameters a and b) and a point on that curve, say P Take a random scalar d and find G = dP Keep d secret and make public P and G We can find G from d and P easily, but it is difficult to find d from P and G  elliptic curve logarithm problem

Elliptic Curve Cryptosystem Encryption/decryption using ECC –(1) Find an elliptic group Ep(a,b) and G on them; A and B share Ep(a,b) and G Encode message m to a point Pm on Ep(a,b)  now we encrypt Pm User A selects a private key nA and generates a public key PA = nA  G

Elliptic Curve Cryptosystem Encryption/decryption using ECC -(2) Encryption: A chooses a random positive integer k and produces the ciphertext Cm Decryption : B multiplies the first point in the pair by B’s secret key and subtracts the result from the second point: To recover the message, the attacker must compute k from the given G and kG  it is very hard Cm = { kG, Pm + kPB } Pm + kPB – nB(kG) = Pm + k(nBG) – nB(kG) = Pm

Elliptic Curve Cryptosystem Key-exchange using ECC Find an elliptic group Ep(a,b) and G on them and share Ep(a,b) and G among all participants Key-exchange between A and B A selects an integer nA (A’s private key) A generates a public key PA = nA  G B selects a private key nB and a public key PB = nB  G A generates the session key K = nA  PB B generates the session key K = nB  PA K = nB  PA = nB  (nA  G) = nA  (nB  G) = nA  PB