1 Lecture #10 Public Key Algorithms HAIT Summer 2005 Shimrit Tzur-David

2 Motivation Distributing the keys has always been the weakest link in most cryptosystems. No matter how strong a cryptosystem is, if an intruder can steal the key, the system was worthless. The key had to be distributed to all users of the system. Thus, it seemed as if there was an inherent built-in problem. Keys had to be protected from theft, but they also had to be distributed, so they could not just be locked up in a bank vault.

3 Public Key Will we gain something if encryption and decryption keys will be different? Actually, a lot! There are three requirements: 1.D(E(P)) = P. 2.It is exceedingly difficult to deduce D from E. 3.E cannot be broken by a chosen plaintext attack.

4 Public Key – Cont. The first requirement says that if we apply D to an encrypted message, E(P), we get the original plaintext message, P, back. The second requirement says the knowing E can not help to decrypt the encrypted message. The third requirement is needed because intruders may experiment with the algorithm. Under these conditions, the encryption key can be made public.

5 The Method If Alice wants to receive secret messages, she first devises two algorithms meeting the above requirements. The encryption algorithm and Alice's key are then made public. Alice might put her public key on her home page. E A - the encryption algorithm parameterized by Alice's public key. D A - the (secret) decryption algorithm parameterized by Alice's private key. Bob does the same thing, publicizing E B but keeping D B secret.

6 The Secure Channel Alice and Bob have never had any previous contact. Both Alice's encryption key, E A, and Bob's encryption key, E B, are public. Alice takes her first message, P, computes E B (P), and sends it to Bob. Bob then decrypts it by applying his secret key D B [computes D B (E B (P)) = P]. No one else can read the encrypted message, E B (P), because the encryption system is assumed strong and because it is too difficult to derive D B from the publicly known E B. To send a reply, R, Bob transmits E A (R). Alice and Bob can now communicate securely.

7 Modular Arithmetic Most public-key algorithms are based on modular arithmetic. non-negative integers <= n normal operations such as + and - result is the reminder of the division by n notation: x mod n

8 Examples let’s consider some arithmetic mod = 0 mod = 1 mod = 3 mod = 7 mod 10 because = 0 mod 10 3 * 5 = 5 mod 10 4 * 5 = 0 mod 10 7 * 3 = 1 mod 10 the multiplicative inverse of x, x -1 mod 10 is such that x * x -1 = 1 mod 10.

9 The Totient Function It is useful to know how many numbers less than n are relatively prime to n. That count is so important in number theory that it has been given a special notation. It’s called the totient function and it is denoted by  (n). How do we compute the  (n)?  (n) < n, because we said we are counting the numbers less than n. If n is prime, then  (n) = n - 1.

10 The Totient Function – Cont. If n is the product of two primes n = pq, there are some numbers, less than n, that are not relatively prime to n. Those are the multiples of p or q less than n = pq, plus 0 (which of course is not relatively prime to anything). In practice, the non relatively primes are p, 2p, 3p,... (q-1)p and q, 2q, 3q,... (p-1)q and 0.  (n) =  (pq) = pq – (q-1)-(p-1)-1=(p-1)(q-1)

11 Notation Public-key cryptography requires each user to have two keys: –a public key, used by the entire world for encrypting messages to be sent to that user –a private key, which the user needs for decrypting messages. We will refer to these keys as the public and private keys, respectively.

12 RSA One good method was discovered by a group at M.I.T. (Rivest et al., 1978). It is known by the initials of the three discoverers (Rivest, Shamir, Adleman): RSA. It has survived all attempts to break it for more than a quarter of a century and is considered very strong. Much practical security is based on it. Its major disadvantage is that it requires keys of at least 1024 bits for good security, which makes it quite slow.

13 Key Generation Bob generates his keys as follows –Choose two large distinct random primes p, q –Set n = pq –Compute  (n) =  (pq) = (p-1)(q-1) –Choose some e 2 Z  (n) * –Compute d = e -1 in Z  (n) * –Set public key = (e,n) and private key = (d,n)

14 RSA Encryption For any message M 2 Z n * –Alice has the public key = (e,n) –Alice computes C = M e mod n –That’s it To decrypt –Bob has the secret key = (d,n) –He computes C d mod n = M

15 RSA Proof Need to show that for any M 2 Z n *, M ed = M mod n –ed = 1 mod  (n) [by def of d] –So ed = k  (n) + 1 [by def of modulus] –So working in Z n *, M ed = M k  (n) + 1 = M k  (n) M 1 = (M  (n) ) k M = 1 k M = M LaGrange’s Theorem: M  (n) = 1 This doesn’t say anything about the security of RSA, just that we can decrypt

16 Security of RSA The security of the method is based on the difficulty of factoring large numbers. If the cryptanalyst could factor the (publicly known) n, he could then find p and q, and from these  (n). By knowing  (n) and e, d can be found. Fortunately, mathematicians have been trying to factor large numbers for at least 300 years, and the accumulated evidence suggests that it is an exceedingly difficult problem.

17 Example P = SUSSANE p=3, q=11, n=33,  (n) = 20 d=7, to find e, we need to solve the equation 7e = 1 (mod 20)  e=3 C = P 3 (mod 33) P = C 7 (mod 33)