 # Session 4 Asymmetric ciphers.


Contents
- Definition of asymmetric (public key) ciphers
- Applications of asymmetric ciphers
- The public key encipherment procedure
- The RSA public key cipher system

Asymmetric cipher definition
The general cryptographic procedure: [Figure with the labels A, B, plaintext, key, encipher, decipher, ciphertext, and cryptanalysis (decrypt).]

Asymmetric cipher definition
In a symmetric cipher system, the same key is delivered to both participants in advance, via a secure channel. If there are $n$ participants, the keys have to be distributed pairwise, i.e.:
- Each participant is given $n-1$ different keys.
- The total number of keys is $n(n-1)/2$.
Consequence: problems with distribution, storage and updating of keys.

Asymmetric cipher definition
An alternative key distribution system is needed, or a different cipher system. There is not much flexibility left within a symmetric cipher system to distribute the keys in a better way. Then we need a cipher system that would NOT use the secure channel to distribute the keys.

Asymmetric cipher definition
How can we define such a system? Does such a system exist? If such a system exists in theory, can we realize it in practice? What is the security of such a system?

Asymmetric cipher definition
Diffie-Hellman’s definition of a public key (or asymmetric) cipher system (1976) (1): Let $\{K\}$ be a finite key space and let $\{M\}$ be a finite message space. A public key cipher system is a pair of families of transformations and representing irreversible transformations:

Asymmetric cipher definition
Diffie-Hellman’s definition of a public key (or asymmetric) cipher system (1976) (2): In such a system, the following holds:
1. For every $K \in \{K\}$, $E_K$ is the inverse of $D_K$.
2. For every $K \in \{K\}$ and $M \in \{M\}$, the algorithms $E_K$ and $D_K$ are easy to compute.
3. For almost every $K \in \{K\}$, each easily computed algorithm equivalent to $D_K$ is computationally infeasible to derive from $E_K$.
4. For every $K \in \{K\}$, it is feasible to compute inverse pairs $E_K$ and $D_K$ from $K$.

Asymmetric cipher definition
- From property 3, $E_K$ can be made public without compromising $D_K$.
- From property 4, there is a guarantee that there is a feasible way of computing corresponding pairs of inverse transformations $E_K$ and $D_K$.

Asymmetric cipher definition
Given a system of this kind, the problem of key distribution is vastly simplified:
- Each participant generates a pair of inverse transformations, $E$ and $D$.
- The deciphering transformation $D$ must be kept secret but need not be transmitted by any channel – we do not need a secure channel.
- The enciphering transformation $E$ can be made public – placed in a public directory.

Asymmetric cipher definition
But we still do not know whether such a cipher system is (theoretically) possible. One way to give such a system a sound theoretical definition is through so-called one-way functions.

Asymmetric cipher definition
A function $y = f(x)$ is a one-way function if:
- For any $x$, it is feasible to compute $f(x)$.
- For almost all $y$ in the range of $f$, it is computationally infeasible to solve the equation $x = f^{-1}(y)$, for any $x$ in the domain.

Asymmetric cipher definition
The function f is not invertible from the computational point of view. A special class of one-way functions is of interest in the public key context – trap-door one-way functions.

Asymmetric cipher definition
A trap-door one-way function:
- A simply computed inverse exists.
- But given $f$, it is conditionally computationally infeasible to find a simply computed inverse.
- Only through knowledge of certain trap-door information can an easily computed inverse be found.

Asymmetric cipher definition
The problem: Strictly mathematically speaking, the existence of (trap-door) one-way functions has not been proved yet. There are functions that have properties similar to these functions – we believe that they are candidates for (trap-door) one-way functions.

Asymmetric cipher definition
Rivest-Shamir-Adleman’s (RSA’s) definition of an asymmetric (public key) cipher system (1977) (1): Let E be an encipherment transformation and let D be the corresponding decipherment transformation.

Asymmetric cipher definition
RSA’s definition of an asymmetric (public key) cipher system (1977) (2): The properties of $E$ and $D$:
1. $D(E(M)) = M$
2. Both $E$ and $D$ are feasible to compute
3. Publicly revealing $E$ does not reveal a feasible way to compute $D$
4. $E(D(M)) = M$

Asymmetric cipher definition
A function E satisfying the properties 1-3 is a trap-door one-way function. A function E satisfying the properties 1-4 is a trap-door one-way permutation (one-one and onto).

Applications of asymmetric ciphers
- Confidentiality
- Integrity – digital signatures
- Authentication – hash functions
- Key exchange

The public key encipherment procedure
The participants in the communication are usually given names, such as Alice and Bob.
- Alice uses the transformation $E_A$ for encipherment and $D_A$ for decipherment.
- Bob uses the transformation $E_B$ for encipherment and $D_B$ for decipherment.

The public key encipherment procedure
Illustration-confidentiality: Alice sends an enciphered message to Bob

The public key encipherment procedure
- Alice takes $E_B$ from a public directory.
- $D_B$ is kept secret by Bob. It is not transmitted by any means – no secure channel is needed.

The public key encipherment procedure
The confidentiality protocol

The RSA public key cipher system
The prerequisites: each participant does the following (1):
- Generates two large distinct random primes $p$ and $q$, approximately of the same size (if encoded in bits).
- Computes $n = pq$ and $\varphi(n) = (p-1)(q-1)$.
- Selects a random integer $e$, $1 < e < \varphi(n)$, such that $(e, \varphi(n)) = 1$.

The RSA public key cipher system
The prerequisites: each participant does the following (2):
- Computes the unique integer $d$, $1 < d < \varphi(n)$, such that $ed \equiv 1 \pmod{\varphi(n)}$. This can be done by means of the extended Euclidean algorithm.
- The public key is $(n, e)$ and the private key is $d$.

The RSA public key cipher system
Encipherment: Alice enciphers a message for Bob
- Obtains Bob’s authentic public key $(n_B, e_B)$
- Represents the message in the form of an integer $m$ on the segment $[0, n_B - 1]$
- Computes
- Sends $c$ to Bob.

The RSA public key cipher system
Decipherment: Bob deciphers the message enciphered by Alice
- Bob uses his private key $d_B$ to compute
- $m$ is converted to a meaningful text.

The RSA public key cipher system
The security of the RSA cipher system lies in the hope that the encipherment function is a one-way function. The trap-door is the knowledge of the factorization of n. This knowledge allows Bob to decipher.

The RSA public key cipher system
To realize RSA in practice we need (1):
- Random primes
- Generating random numbers
- Primality testing
- Euler’s function $\varphi(n)$

The RSA public key cipher system
To realize RSA in practice we need (2):
- Extended Euclidean algorithm
- Multiplicative inverse
- Modular exponentiation – to compute powers with large exponents

Random primes
Random primes generation:
- Generate a random integer $m$.
- If $m$ is even, replace $m$ by $m+1$.
- Test if $m$ is prime.
- If $m$ is not prime, test if $m+2$ is prime, etc.

Random primes
Theorem (the prime number theorem): If $m$ is chosen at random, the probability that $m$ is prime is approximately $1/\ln m$. Consequence: we can expect to test $\ln m$ numbers for primality.

Random primes
Example: if $m$ can be represented with 512 bits (i.e. the maximum representable integer is $2^{256}-1$), then $\ln m \approx 177$, which means that we have to test approximately 177 integers before we find a prime of that size.

Random primes
Primality testing: In practice, probabilistic (Monte Carlo) algorithms for testing primality are used, e.g.
- Solovay-Strassen
- Miller-Rabin
These algorithms are fast, but they may output an integer that is not a prime, though the probability of this is small.

The Euler’s function $\varphi(n)$
Let $n$ be a positive integer. The Euler’s function $\varphi(n)$ is defined to be the number of positive integers $b$ less than or equal to $n$, which are relatively prime to $n$, i.e.

The Euler’s function $\varphi(n)$
Theorem - computing $\varphi(n)$: Given a positive integer $n$ with the factorization Then

The Euler’s function $\varphi(n)$
Example – RSA: $n = pq$, where $p$ and $q$ are primes. Then $\varphi(n) = (p^1 - p^0)(q^1 - q^0) = (p-1)(q-1)$

Extended Euclidean algorithm
Euclidean algorithm - computes (a,b), given integers a and b

Extended Euclidean algorithm
Example: find $(1180, 482)$
$1180 = 2 \cdot 482 + 216$
$482 = 2 \cdot 216 + 50$
$216 = 4 \cdot 50 + 16$
$50 = 3 \cdot 16 + 2$
$16 = 8 \cdot 2 + 0$
So, $(1180, 482) = 2$

Extended Euclidean algorithm
Theorem – extended Euclidean algorithm: Let $d = (a, b)$, where $a > b$. Then there exist integers $u$ and $v$ such that $d = ua + vb$.

Extended Euclidean algorithm
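Example:
$1180 = 2 \cdot 482 + 216$
$482 = 2 \cdot 216 + 50$
$216 = 4 \cdot 50 + 16$
$50 = 3 \cdot 16 + 2$
$16 = 8 \cdot 2 + 0$
$2 = 50 - 3 \cdot 16$
$= 50 - 3(216 - 4 \cdot 50)$
$= 13 \cdot 50 - 3 \cdot 216$
$= 13(482 - 2 \cdot 216) - 3 \cdot 216$
$= 13 \cdot 482 - 29 \cdot 216$
$= 13 \cdot 482 - 29(1180 - 2 \cdot 482)$
$= 71 \cdot 482 - 29 \cdot 1180$
So, $u = -29$, $v = 71$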

Multiplicative inverse
Arithmetic modulo $m$: $Z_m$ is defined to be the set $G = \{0, \dots, m-1\}$, equipped with two operations, $+$ and $\times$, i.e. $Z_m$ is a structure $(G, +, \times)$. The results of addition and multiplication are reduced modulo $m$.

Multiplicative inverse
The structure $(G, +)$ satisfies the axioms of the group – additive group:
- Closure:
- Associativity:
- Existence of the identity (neutral) element
- Existence of the inverse elements

Multiplicative inverse
The structure $(G, \times)$ satisfies closure, associativity and the existence of the neutral element, but does not satisfy the existence of inverse element for each element of $G$ (in general). Such a structure $(G, +, \times)$ is called a ring.

Multiplicative inverse
Multiplicative inverse – inverse of an element of the structure $(G, \times)$ of the ring $Z_m$.
Theorem: An element $a$ of $Z_m$ has a multiplicative inverse if and only if $(a, m) = 1$.

Multiplicative inverse
Let $a$ be an element of $Z_m$ and let $(a, m) = 1$ (i.e. $a$ and $m$ are mutually prime). This can be shown by the Euclidean algorithm. Then by the extended Euclidean algorithm we get $1 = ua + vm$.

Multiplicative inverse
Taking both sides of the expression $1 = ua + vm$ modulo $m$, we get $1 \equiv ua \pmod{m}$. This means that $u$ is the multiplicative inverse of $a$ modulo $m$.

Multiplicative inverse
Example: Find the multiplicative inverse of 2 in $Z_{17}$.
The Euclidean algorithm gives
$17 = 8 \cdot 2 + 1$
$2 = 2 \cdot 1 + 0$
The extended Euclidean algorithm gives $1 = 17 - 8 \cdot 2$.
Taking modulo 17 of both sides gives $1 \equiv -8 \cdot 2 \pmod{17}$, or equivalently $1 \equiv 9 \cdot 2 \pmod{17}$, i.e. $9 = 2^{-1}$.
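The extended Euclidean algorithm and the inverse it yields, as an added Python example that is not part of the original presentation; it reproduces $u = -29$, $v = 71$ for $(1180, 482)$ and $2^{-1} = 9$ in $Z_{17}$. The function names `extended_gcd`, `mod_inverse` and `euler_phi` are assumptions, and `euler_phi` counts directly from the definition of Euler's function, so it is only usable for small $n$.

```python
def extended_gcd(a, b):
    """Return (d, u, v) with d = (a, b) and d = u*a + v*b."""
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r != 0:
        q = old_r // r
        # Each step keeps the invariant old_r = old_u*a + old_v*b.
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v

def mod_inverse(a, m):
    """Multiplicative inverse of a in Z_m; it exists only if (a, m) = 1."""
    d, u, _ = extended_gcd(a % m, m)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {m}: (a, m) = {d}")
    return u % m          # reduce a negative u into the range 0..m-1

def euler_phi(n):
    """Count the b in 1..n with (b, n) = 1, straight from the definition."""
    return sum(1 for b in range(1, n + 1) if extended_gcd(b, n)[0] == 1)
```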

Modular exponentiation
Modular exponentiation is computing $b^n \pmod{m}$. Let $(n_0, n_1, \dots, n_{k-1})$ be the binary representation of $n$, i.e. $n = n_0 + 2 n_1 + 2^2 n_2 + \dots + 2^{k-1} n_{k-1}$. The binary representation of $n$ is obtained by means of the “arrow algorithm”.

Modular exponentiation
The “arrow algorithm” – convert from base 10 to any base $B$:
- Get the last digit of the converted number by dividing $n$ by $B$ and taking the remainder.
- Replace $n$ by the quotient.
- Repeat until the quotient is 0.

Modular exponentiation
The modular exponentiation algorithm

Modular exponentiation
Example: compute $38^{75} \pmod{103}$. We first convert the exponent 75 to base 2. Thus $75_{10} = (\ )_2$. Then we run 7 iterations of the algorithm, using $b = 38$, $n = 75$ and $m = 103$.

Modular exponentiation
The algorithm flow

Modular exponentiation
So at the output the algorithm gives that $38^{75} \pmod{103} = 79$. Alternatively, we can pre-compute the values. Each such value is obtained by squaring the previous one and taking modulo $m$.

Modular exponentiation
What the algorithm actually does is to compute $38^{75}$ as Then we have
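The arrow algorithm and square-and-multiply exponentiation for the $38^{75} \pmod{103}$ example, as an added Python example that is not part of the original presentation. The slide's own algorithm listing did not survive, so the right-to-left loop below, the names `to_base` and `mod_exp`, and the optional `trace` list are assumptions.

```python
def to_base(n, base=2):
    """Arrow algorithm: repeatedly divide by the base and collect the
    remainders. Digits are returned least-significant first."""
    digits = []
    while True:
        n, remainder = divmod(n, base)
        digits.append(remainder)
        if n == 0:
            return digits

def mod_exp(b, n, m, trace=None):
    """Compute b**n mod m with one squaring per binary digit of n.
    If a list is passed as trace, one (i, bit, b^(2^i) mod m, result)
    tuple is appended per iteration."""
    result = 1 % m
    square = b % m                       # holds b^(2^i) mod m
    for i, bit in enumerate(to_base(n, 2)):
        if bit:                          # digit n_i = 1: multiply this power in
            result = (result * square) % m
        if trace is not None:
            trace.append((i, bit, square, result))
        square = (square * square) % m   # next pre-computed value
    return result
```

The `if bit` branch makes the running time depend on the exponent's bits, which is why production RSA code uses constant-time exponentiation from a vetted library when the exponent is a private key.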

Example – RSA encipher and decipher
Bob does the following (1):
- Chooses $p = 11$ and $q = 13$.
- Computes $n = 11 \times 13 = 143$ and $\varphi(n) = 10 \times 12 = 120$.
- Sets $e = 7$ and checks with EA that $(e, \varphi(n)) = 1$, i.e. $(7, 120) = 1$. Indeed, $120 = 17 \times 7 + 1$.

Example – RSA encipher and decipher
Bob does the following (2):
- Applies EEA to find that $7^{-1} \equiv -17 \equiv 103 \pmod{120}$, so $d = 103$.
- Posts his public key $(143, 7)$ in a public repository and keeps the private key $d = 103$ secret.

Example – RSA encipher and decipher
Alice wants to encipher the message 5 and to send the ciphertext to Bob (1):
- Obtains Bob’s public key $(143, 7)$.
- Computes $c = 5^7 \pmod{143}$.
- As $7 = (111)_2$, Alice carries out the pre-computations $5^1 = 5$, $5^2 = 25$, $5^4 = 25^2 = 53$ (all mod 143).

Example – RSA encipher and decipher
Alice wants to encipher the message 5 and to send the ciphertext to Bob (2):
- $c = 5^7 = 5 \cdot 25 \cdot 53 = 47 \pmod{143}$
- $c = 47$ is sent to Bob.

Example – RSA encipher and decipher
Bob receives $c = 47$ and deciphers (1):
- Computes $m = 47^{103} \bmod 143$.
- As $103 = (\ )_2$, Bob carries out the pre-computations $47^1 = 47$, $47^2 = 64$, $47^4 = 92$, $47^8 = 27$, $47^{16} = 14$, $47^{32} = 53$ and $47^{64} = 92$ (all mod 143).

Example – RSA encipher and decipher
Bob receives $c = 47$ and deciphers (2): $m = 47^{103} = 47 \cdot 64 \cdot 92 \cdot 53 \cdot 92 = 5 \pmod{143}$