1. Lecture 3: Public Key Cryptography
CS 392/6813: Computer Security
Fall 2008
Nitesh Saxena
*Adopted from Previous Lectures by Nasir Memon

2. Lecture 3: Pubic Key Cryptography
Course Admin
Good/Bad News
HW#1 will not be graded!
Not a trick – just for the benefit of this course
HW#2 due coming Monday (09/22)
HW#3 will be posted soon after
9/22/2018
Lecture 3: Pubic Key Cryptography

3. Outline of Today’s Lecture
Public Key Crypto Overview
Number Theory Background
Public Key Encryption
RSA
ElGamal
Public Key Signatures (digital signatures)
DSS
9/22/2018
Lecture 3: Pubic Key Cryptography

4. Recall: Private Key/Public Key Cryptography
Private Key: Sender and receiver share a common (private) key
Encryption and Decryption is done using the private key
Also called conventional/shared-key/single-key/ symmetric-key cryptography
Public Key: Every user has a private key and a public key
Encryption is done using the public key and Decryption using private key
Also called two-key/asymmetric-key cryptography
9/22/2018
Lecture 3: Pubic Key Cryptography

5. Private key cryptography revisited.
Good: Quite efficient (as you’ll see from the HW#2 exercise on AES)
Bad: Key distribution and management is a serious problem – for N users O(N2) keys are needed
9/22/2018
Lecture 3: Pubic Key Cryptography

6. Public key cryptography model
Good: Key management problem potentially simpler
Bad: Much slower than private key crypto (we’ll see later!)
9/22/2018
Lecture 3: Pubic Key Cryptography

7. Lecture 3: Pubic Key Cryptography
Public Key Encryption
Two keys:
public encryption key e
private decryption key d
Encryption easy when e is known
Decryption easy when d is known
Decryption hard when d is not known
We’ll study such public key encryption schemes; first we need some number theory.
Security notions/attacks very similar to what we studied for private key encryption
9/22/2018
Lecture 3: Pubic Key Cryptography

8. Lecture 3: Pubic Key Cryptography
Group: Definition
(G,.) (where G is a set and . : GxGG) is said to be a
group if following properties are satisfied:
Closure : for any a, b G, a.b G
Associativity : for any a, b, c G, a.(b.c)=(a.b).c
Identity : there is an identity element such that a.e = e.a = a, for any a G
Inverse : there exists an element a-1 for every a in G, such that a.a-1 = a-1.a = e
Abelian Group: Group which also satisfies
commutativity , i.e., a.b=b.a
Examples: (Z,+) ; (Z,*)?; (Zm, “modular addition”)
9/22/2018
Lecture 3: Pubic Key Cryptography

9. Definitions related to a group
An element g in G is said to be a generator of a group if a = gi for every a in G, for a certain integer i
A group which has a generator is called a cyclic group
The number of elements in a group is called the order of the group
Order of an element a is the lowest i such that ai = e
A subgroup is a subset of a group that itself is a group
9/22/2018
Lecture 3: Pubic Key Cryptography

10. Lecture 3: Pubic Key Cryptography
Divisors
x divides y (written x | y) if the remainder is 0 when y is divided by x
1|8, 2|8, 4|8, 8|8
The divisors of y are the numbers that divide y
divisors of 8: {1,2,4,8}
For every number y
1|y
y|y
9/22/2018
Lecture 3: Pubic Key Cryptography

11. Lecture 3: Pubic Key Cryptography
Prime numbers
A number is prime if its only divisors are 1 and itself:
2,3,5,7,11,13,17,19, …
Fundamental theorem of arithmetic:
For every number x, there is a unique set of primes {p1, … ,pn} and a unique set of positive exponents {e1, … ,en} such that
9/22/2018
Lecture 3: Pubic Key Cryptography

12. Lecture 3: Pubic Key Cryptography
Common divisors
The common divisors of two numbers x,y are the numbers z such that z|x and z|y
common divisors of 8 and 12:
intersection of {1,2,4,8} and {1,2,3,4,6,12}
= {1,2,4}
greatest common divisor: gcd(x,y) is the number z such that
z is a common divisor of x and y
no common divisor of x and y is larger than z
gcd(8,12) = 4
9/22/2018
Lecture 3: Pubic Key Cryptography

13. Euclidean Algorithm: gcd(r0,r1)
Main idea: If y = ax + b then gcd(x,y) = gcd(x,b)
9/22/2018
Lecture 3: Pubic Key Cryptography

14. Lecture 3: Pubic Key Cryptography
Example – gcd(15,37)
37 = 2 *
15 = 2 * 7 + 1
7 = 7 * 1 + 0
gcd(15,37) = 1
9/22/2018
Lecture 3: Pubic Key Cryptography

15. Lecture 3: Pubic Key Cryptography
Relative primes
x and y are relatively prime if they have no common divisors, other than 1
Equivalently, x and y are relatively prime if gcd(x,y) = 1
9 and 14 are relatively prime
9 and 15 are not relatively prime
9/22/2018
Lecture 3: Pubic Key Cryptography

16. Lecture 3: Pubic Key Cryptography
Modular Arithmetic
Definition: x is congruent to y mod m, if m divides (x-y). Equivalently, x and y have the same remainder when divided by m.
Notation:
Example:
We work in Zm = {0, 1, 2, …, m-1}, the group of integers modulo m
Example: Z9 ={0,1,2,3,4,5,6,7,8}
We abuse notation and often write = instead of
9/22/2018
Lecture 3: Pubic Key Cryptography

17. Lecture 3: Pubic Key Cryptography
Addition in Zm :
Addition is well-defined:
3 + 4 = 7 mod 9.
3 + 8 = 2 mod 9.
9/22/2018
Lecture 3: Pubic Key Cryptography

18. Additive inverses in Zm
0 is the additive identity in Zm
Additive inverse of a is -a mod m = (m-a)
Every element has unique additive inverse.
4 + 5= 0 mod 9.
4 is additive inverse of 5.
9/22/2018
Lecture 3: Pubic Key Cryptography

19. Lecture 3: Pubic Key Cryptography
Multiplication in Zm :
Multiplication is well-defined:
3 * 4 = 3 mod 9.
3 * 8 = 6 mod 9.
3 * 3 = 0 mod 9.
9/22/2018
Lecture 3: Pubic Key Cryptography

20. Multiplicative inverses in Zm
1 is the multiplicative identity in Zm
Multiplicative inverse (x*x-1=1 mod m)
SOME, but not ALL elements have unique multiplicative inverse.
In Z9 : 3*0=0, 3*1=3, 3*2=6, 3*3=0, 3*4=3, 3*5=6, …, so 3 does not have a multiplicative inverse (mod 9)
On the other hand, 4*2=8, 4*3=3, 4*4=7, 4*5=2, 4*6=6, 4*7=1, so 4-1=7, (mod 9)
9/22/2018
Lecture 3: Pubic Key Cryptography

21. Which numbers have inverses?
In Zm, x has a multiplicative inverse if and only if x and m are relatively prime or gcd(x,m)=1
E.g., 4 in Z9
9/22/2018
Lecture 3: Pubic Key Cryptography

22. Extended Euclidian: a-1 mod n
Main Idea: Looking for inverse of a mod n means looking for x such that x*a – y*n = 1.
To compute inverse of a mod n, do the following:
Compute gcd(a, n) using Euclidean algorithm.
Since a is relatively prime to m (else there will be no inverse) gcd(a, n) = 1.
So you can obtain linear combination of rm and rm-1 that yields 1.
Work backwards getting linear combination of ri and ri-1 that yields 1.
When you get to linear combination of r0 and r1 you are done as r0=n and r1= a.
9/22/2018
Lecture 3: Pubic Key Cryptography

23. Lecture 3: Pubic Key Cryptography
Example – 15-1 mod 37
37 = 2 *
15 = 2 * 7 + 1
7 = 7 * 1 + 0
Now,
15 – 2 * 7 = 1
15 – 2 (37 – 2 * 15) = 1
5 * 15 – 2 * 37 = 1
So, 15-1 mod 37 is 5.
9/22/2018
Lecture 3: Pubic Key Cryptography

24. Modular Exponentiation: Square and Multiply method
Usual approach to computing xc mod n is inefficient when c is large.
Instead, represent c as bit string bk-1 … b0 and use the following algorithm:
z = 1
For i = k-1 downto 0 do
z = z2 mod n
if bi = 1 then z = z* x mod n
Show an example: x^64 will require 6 squarings (or 6 multiplications).
9/22/2018
Lecture 3: Pubic Key Cryptography

25. Lecture 3: Pubic Key Cryptography
Example: 3037 mod 77
z = z2 mod n
if bi = 1 then z = z* x mod n i b z 5 1
=1*1*30 mod 77 4
=30*30 mod 77 3
=53*53 mod 77 2
=37*37*30 mod 77
=29*29 mod 77
=71*71*30 mod 77
9/22/2018
Lecture 3: Pubic Key Cryptography

26. Lecture 3: Pubic Key Cryptography
Lagrange’s Theorem
Order of an element in a group divides the order of the group
9/22/2018
Lecture 3: Pubic Key Cryptography

27. Euler’s totient function
Given positive integer n, Euler’s totient function is the number of positive numbers less than n that are relatively prime to n
Fact: If p is prime then
{1,2,3,…,p-1} are relatively prime to p.
9/22/2018
Lecture 3: Pubic Key Cryptography

28. Euler’s totient function
Fact: If p and q are prime and n=pq then
Each number that is not divisible by p or by q is relatively prime to pq.
E.g. p=5, q=7: {1,2,3,4,-,6,-,8,9,-,11,12,13,-,-,16,17,18,19,-,-,22,23,24,-,26,27,-,29,-,31,32,33,34,-}
pq-p-(q-1) = (p-1)(q-1)
9/22/2018
Lecture 3: Pubic Key Cryptography

29. Euler’s Theorem and Fermat’s Theorem
If a is relatively prime to n then
If a is relatively prime to n then ap-1 = 1 mod p
Proof : follows from Lagrange’s Theorem
9/22/2018
Lecture 3: Pubic Key Cryptography

30. Lecture 3: Pubic Key Cryptography
RSA Cryptosystem
9/22/2018
Lecture 3: Pubic Key Cryptography

31. “Textbook” RSA: KeyGen
Alice wants people to be able to send her encrypted messages.
She chooses two (large) prime numbers, p and q and computes n=pq and [“large” =512 bits +]
She chooses a number e such that e is relatively prime to and computes d, the inverse of
e in (i.e., ed =1 mod \phi(n))
She publicizes the pair (e,n) as her public key.(e is called RSA exponent, n is called RSA modulus)She keeps d secret and destroys p, q, and
Plaintext and ciphertext messages are elements of Zn and e is the encryption key.
Mention why textbook RSA is not secure.
For example, if it is used to establish a key (160-bit long), as in SSL. C = K^d mod N
One can set K = K1*K2  C/(K1^e) = K2^e (this can be done with 2^80 exponentiations, if K1 and K2 are each 80-bit long)
9/22/2018
Lecture 3: Pubic Key Cryptography

32. Lecture 3: Pubic Key Cryptography
RSA: Encryption
Bob wants to send a message x (an element of Zn*) to Alice.
He looks up her encryption key, (e,n), in a directory.
The encrypted message is
Bob sends y to Alice.
9/22/2018
Lecture 3: Pubic Key Cryptography

33. Lecture 3: Pubic Key Cryptography
RSA: Decryption
To decrypt the message
she’s received from Bob, Alice computes
Claim: D(y) = x
9/22/2018
Lecture 3: Pubic Key Cryptography

34. RSA: why does it all work
Need to show
D[E[x]] = x
E[x] and D[y] can be computed efficiently if keys are known
E-1[y] cannot be computed efficiently without knowledge of the (private) decryption key d.
Also, it should be possible to select keys reasonably efficiently
This does not have to be done too often, so efficiency requirements are less stringent.
9/22/2018
Lecture 3: Pubic Key Cryptography

35. E and D are inverses: Case 1: gcd(x,n)=1
Because
From Euler’s Theorem
9/22/2018
Lecture 3: Pubic Key Cryptography

36. Alternative Proof that E and D are inverses
9/22/2018
Lecture 3: Pubic Key Cryptography

37. Lecture 3: Pubic Key Cryptography
By analogous argument So
9/22/2018
Lecture 3: Pubic Key Cryptography

38. Lecture 3: Pubic Key Cryptography
Tiny RSA example.
Let p = 7, q = 11. Then n = 77 and
Choose e = 13. Then d = 13-1 mod 60 = 37.
Let message = 2.
E(2) = 213 mod 77 = 30.
D(30) = 3037 mod 77=2
9/22/2018
Lecture 3: Pubic Key Cryptography

39. Slightly Larger RSA example.
Let p = 47, q = 71. Then n = 3337 and
Choose e = 79. Then d = 79-1 mod 3220 = 1019.
Let message = … Break it into 3 digit blocks to encrypt.
E(688) = mod 3337 = 1570.
E(232) = mod 3337 = 2756
D(1570) = mod 3337 = 688.
D(2756) = mod 3337 = 232.
9/22/2018
Lecture 3: Pubic Key Cryptography

40. Security of RSA: RSA assumption
Suppose Oscar intercepts the encrypted message y that Bob has sent to Alice.
Oscar can look up (e,n) in the public directory (just as Bob did when he encrypted the message)
If Oscar can compute d = e-1 mod then he can use to recover the plaintext x.
If Oscar can compute , he can compute d (the same way Alice did).
9/22/2018
Lecture 3: Pubic Key Cryptography

41. Security of RSA: factoring
Oscar knows that n is the product of two primes
If he can factor n, he can compute
But factoring large numbers is very difficult:
Grade school method takes divisions.
Prohibitive for large n, such as 160 bits
Better factorization algorithms exist, but they are still too slow for large n
Lower bound for factorization is an open problem
9/22/2018
Lecture 3: Pubic Key Cryptography

42. Lecture 3: Pubic Key Cryptography
How big should n be?
Today we need n to be at least 1024-bits
This is equivalent to security provided by 80-bit long keys in private-key crypto
No other attack on RSA known
Except some side channel attacks, based on timing, power analysis, etc. But, these exploit certain physical charactesistics, not a theoretical weakness in the cryptosystem!
Say something about the brute force attack on RSA. Why exactly should N be 1024 bits?
9/22/2018
Lecture 3: Pubic Key Cryptography

43. Lecture 3: Pubic Key Cryptography
Key selection
To select keys we need efficient algorithms to
Select large primes
Primes are dense so choose randomly.
Probabilistic primality testing methods known. Work in logarithmic time.
Compute multiplicative inverses
Extended Euclidean algorithm
9/22/2018
Lecture 3: Pubic Key Cryptography

44. Lecture 3: Pubic Key Cryptography
RSA Key Generation
To select keys we need efficient algorithms to
Select large primes
Primes are dense so choose randomly.
Probabilistic primality testing methods known. Work in logarithmic time.
See references
Compute multiplicative inverses
Extended Euclidean algorithm
9/22/2018
Lecture 3: Pubic Key Cryptography

45. Lecture 3: Pubic Key Cryptography
RSA in Practice
Textbook RSA is insecure
Why?
In practice, we use a “randomized” version of RSA, called RSA-OAEP
Interested in details: refer to (section 3.1 of)
9/22/2018
Lecture 3: Pubic Key Cryptography

46. Discrete Logarithm Assumption
p, q primes such that q|p-1
g is an element of order q and generates a group of order q
x in Zq, y = gx mod p
Given (p, q, g, y), it is computationally hard to compute x
No polynomial time algorithm known
p should be 1024-bits and q be 160-bits
x becomes the private key and y becomes the public key
Explain the math involved, in choosing the parameters.
9/22/2018
Lecture 3: Pubic Key Cryptography

47. Lecture 3: Pubic Key Cryptography
ElGamal Encryption
Encryption (of m in Zp):
Choose random r in Zq
k = gr mod p
c = myr mod p
Output (k,c)
Decryption of (k,c)
M = ck-x mod p
Secure under discrete logarithm assumption
Show the computation – they somehow don’t get it right away.
9/22/2018
Lecture 3: Pubic Key Cryptography

48. ElGamal Example: dummy
Let’s construct an example
KeyGen:
p = 11, q = 2 or 5; let’s say q = 5
2 is a generator of Z11*
g = 22 = 4
x = 7; y = 47 mod 11 = 5
Enc(3):
r = 9  k = 49 mod 11 = 3
c = 3*59 mod 11 = 5
Dec(3,5):
m = 5*3-7 mod 11 = 3
9/22/2018
Lecture 3: Pubic Key Cryptography

49. Lecture 3: Pubic Key Cryptography
Digital Signatures
Message Integrity
Detect if message is tampered with while in the transit
Source/Sender Authentication
No forgery possible
Non-repudiation
If I sign something, I can not deny later
A trusted third party (court) can resolve dispute
9/22/2018
Lecture 3: Pubic Key Cryptography

50. Lecture 3: Pubic Key Cryptography
Public Key Signatures
Signer has public key, private key pair
Signer signs using its private key
Verifier verifies using public key of the signer
Show the exact operation: when you verify, you either get a “yes” or a “no”. Not really something as in encryption.
9/22/2018
Lecture 3: Pubic Key Cryptography

51. Security Notion/Model for signatures
Existential Forgery under (adaptively) chosen message attack
Adversary (adaptively) chooses messages mi of its choice
Obtains the signature si on each mi
Outputs any message m (≠ mi) and a signature s on m
9/22/2018
Lecture 3: Pubic Key Cryptography

52. Lecture 3: Pubic Key Cryptography
RSA Signatures
Key Generation: same as in encryption
Sign(m): s = md mod N
Verify(m,s): (se == m mod N)
The above text-book version is insecure
In practice, we use a randomized version of RSA
Hash the message and then sign the hash
9/22/2018
Lecture 3: Pubic Key Cryptography

53. Digital Signature Standard (DSS)
Adopted as standard in 1994
Security based on hardness of the discrete logarithm problem
9/22/2018
Lecture 3: Pubic Key Cryptography

54. DSS Signing/Verification
9/22/2018
Lecture 3: Pubic Key Cryptography

55. Lecture 3: Pubic Key Cryptography
DSA Example:
Refer to of HAC
9/22/2018
Lecture 3: Pubic Key Cryptography

56. Lecture 3: Pubic Key Cryptography
Some questions
2-1 mod 4 =?
What is the complexity of
(a+b) mod m
(a*b) mod m
a-1 mod (m)
xc mod (n)
c1 = RSA_Enc(m1), c2 = RSA_Enc(m2).
What is RSA_Enc(m1m2)?
Homomorphic property
What is RSA_Enc(2m1)?
Malleability (not a good property!)
Is it possible to find inverses mod n (RSA modulus)?
9/22/2018
Lecture 3: Pubic Key Cryptography

57. Lecture 3: Pubic Key Cryptography
Order of a group is 5. What can be the order of an element in this group?
RSA stands for Robust Security Algorithm, right?
If e is small (such as 3)
Encryption is faster than decryption or the other way round?
What about signing and verification?
Private key crypto has key distribution problem and Public key crypto is slow
How about a hybrid approach?
Do you know how ssl/ssh works?
9/22/2018
Lecture 3: Pubic Key Cryptography

58. Lecture 3: Pubic Key Cryptography
Key generation in RSA is than in DL-based schemes (El Gamal/DSS)
I encrypt m with Alice’s RSA PK, I get c
I encryt m again, I get --?
What does this mean?
I encrypt m with Alice’s ElGamal PK, I get c
What if I do the above with DES?
9/22/2018
Lecture 3: Pubic Key Cryptography

59. Lecture 3: Pubic Key Cryptography
Find x such that
x = 4 mod 5
x = 7 (mod 8)
x = 3 (mod 9)
Chinese Remainder Theorem
Can be applied to speed up RSA decryption/signing
At home reading assignment!!!
9/22/2018
Lecture 3: Pubic Key Cryptography

60. Lecture 3: Pubic Key Cryptography
Further Reading
Cryptography: Theory and Practice – D. Stinson. CRC Press.
Cryptography and Network Security – William Stallings.
Applied Cryptography – B. Schneier. John Wiley.
North American Crypto archive
Crypto Resource page
Ron Rivest’s crypto page
Cryptography Research Inc. Resource page
Cryptography archive:
AES home page
9/22/2018
Lecture 3: Pubic Key Cryptography