Public Key Cryptosystems RSA Diffie-Hellman Department of Computer Engineering Sharif University of Technology 3/8/2006

Public-Key Cryptosystems  Encryption and decryption procedure  A procedure consists of a general method and a key  D(E(M)) = M  Both E and D are easy to compute  D is not easily computable from E  E(D(M)) = M

Signatures  The signature must be message-dependent, as well as signer-dependent  Bob wants to send Alice a “signed” message  Sends E A (D B (M))  Bob cannot deny having sent Alice this message  Alice cannot modify M (use Bob’s sign for M’)

RSA  Ron Rivest, Adi Shamir and Leonard Adleman  Represent the message as integers between 0 and n-1  C  M e (mod n), for a message M  M  D(C)  C d (mod n), for a cipher text C  Encryption does not increase the size of a message  Encryption key is (e, n), Decryption key is (d, n)

The Keys  Generate two large random primes, p and q  n = pq  Pick d, a large random integer, relatively prime to (p-1)(q-1)  e is the “multiplicative inverse” of d mod (p-1)(q-1)  e.d  1 ( mod (p-1)(q-1) )  Prove that  D(E(M))  M (mod n)  E(D(M))  M (mod n)

An Example  p = 2, q = 11  n = 22 d should be relatively prime to (p-1)(q-1) = 10 d should be relatively prime to (p-1)(q-1) = 10  d = 7  e is the “multiplicative inverse” of d mod 10  e = 3 (e.d = 3 * 7 = 21  1 (mod 10)) The message, M = 4 The message, M = 4  C = M e mod 22 = 4 3 mod 22 = 20 M’ = C d mod 22 = 20 7 mod 22 = 4 = M M’ = C d mod 22 = 20 7 mod 22 = 4 = M

The Underlying Mathematics   (n) : The Euler totient function   (p) = p-1 for prime numbers   (n) =  (p).  (q) = (p-1).(q-1)  e.d  1 ( mod (p-1)(q-1) )  e.d  1 ( mod  (n) )  D(E(M))  (E(M)) d  (M e ) d  M e.d (mod n)  E(D(M))  (D(M)) e  (M d ) e  M e.d (mod n)  Using the corollary of Euler’s theorem  M e.d  M k  (n) + 1  (mod n)

How to find Large Prime Numbers?  Generate odd 100-digit random numbers (n)  by the prime numbers theorem, about ln( )/2 = 115 numbers will be tested before a prime is found  Test n with WITNESS(a, n) for 100 randomly choosen values of a  A negligible chance of for n to be composite  also the receiver would probably detect this (decryption doesn’t work correctly)

Large Prime Numbers (cont’d)  For more protection against factoring algorithms :  p and q should differ in length by a few digits  gcd (p - 1, q - 1) should be small  both (p - 1) and (q - 1) should contain large prime factors  to do so, generate a large prime u and let p be the first prime in the sequence ku + 1 for k = 2, 4, 6, …

Factoring n  Factoring n  break RSA  No polynomial-time algorithm known for Turing machines  Some quantum computer algorithm can factor in polynomial-time  Currently, unable to handle more than a half- dozen bits  The fastest algorithm known, by Richard Schroeppel, can factor n in ~ n steps sqrt ( ln ln(n) / ln(n) )

Factoring n (cont’d)  If P = NP breaking such systems is easy  An NP decision problem with complexity equivalent to that of integer factoring : L fact = { | there exist d (1 | there exist d (1 < d < a and d | b)}  The complement of L fact is also in NP (use the prime factorization of b as the certificate)  Factoring  NP  co-NP  If Factoring is NP-hard then NP = co-NP

Security (Cryptanalytic Approaches)  Obvious approaches for breaking this system are at least as difficult as factoring n  Computing  (n) without factoring n  Not easier than factoring n, n can be factored using  (n)  (n) = (p-1).(q-1) = n - (p + q) + 1  compute (p + q)  (n) = (p-1).(q-1) = n - (p + q) + 1  compute (p + q) (p - q) 2 = (p + q) 2 - 4n  compute p and q  Determining d without factoring n or computing  (n)  d  (e.d - 1) is a multiple of  (n)  n can be factored using any multiple of  (n) (Miller)

Diffie-Hellman Key Exchange  q and α: public elements  α < q and α a primitive root of prime number q  Alice  Select private X A < q  Calculate public Y A = α X mod q  Bob  Select private X B < q  Calculate public Y B = α X mod q  Generation of secret key: Alice: (Y B ) X mod q = Bob: (Y A ) X mod q A B A B

References  A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, R.L. Rivest, A. Shamir, and L Adleman ( The P versus NP problem, Stephen Cook ( f) f Introduction to Quantum Information Processing, Richard Cleve ( Cryptographic Algorithms ( Introducing Public Key Cryptosystems (