18CS2005 Cryptography and Network Security

18CS2005 Cryptography and
Network Security
Module 2
Public Key Cryptography
Principles of public key cryptosystems-RSA algorithm-Diffie- Hellman Key
Exchange-El Gamal Cryptosystem- Elliptic Curve Cryptography
Dr.A.Kathirvel, Professor,
DCSE, KITS
kathirvel@karunya.edu

Chapter 9 – Public Key
Cryptography and RSA
Every Egyptian received two names, which were
known respectively as the true name and the
good name, or the great name and the little
name; and while the good or little name was
made public, the true or great name appears to
have been carefully concealed.
—The Golden Bough, Sir James George Frazer

Private-Key Cryptography
• traditional private/secret/single key
cryptography uses one key
• shared by both sender and receiver
• if this key is disclosed communications are
compromised
• also is symmetric, parties are equal
• hence does not protect sender from
receiver forging a message & claiming is
sent by sender

Public-Key Cryptography
• probably most significant advance in the
3000 year history of cryptography
• uses two keys – a public & a private key
• asymmetric since parties are not equal
• uses clever application of number
theoretic concepts to function
• complements rather than replaces private
key crypto

Public-Key Cryptography
• public-key/two-key/asymmetric cryptography
involves the use of two keys:
– a public-key, which may be known by anybody, and
can be used to encrypt messages, and verify
signatures
– a private-key, known only to the recipient, used to
decrypt messages, and sign (create) signatures
• is asymmetric because
– those who encrypt messages or verify signatures
cannot decrypt messages or create signatures

Why Public-Key Cryptography?
• developed to address two key issues:
– key distribution – how to have secure
communications in general without having to
trust a KDC with your key
– digital signatures – how to verify a message
comes intact from the claimed sender
• public invention due to Whitfield Diffie &
Martin Hellman at Stanford Uni in 1976
– known earlier in classified community

Public-Key Characteristics
• Public-Key algorithms rely on two keys
with the characteristics that it is:
– computationally infeasible to find decryption
key knowing only algorithm & encryption key
– computationally easy to en/decrypt messages
when the relevant (en/decrypt) key is known
– either of the two related keys can be used for
encryption, with the other used for decryption
(in some schemes)

Public-Key Applications
• can classify uses into 3 categories:
– encryption/decryption (provide secrecy)
– digital signatures (provide authentication)
– key exchange (of session keys)
• some algorithms are suitable for all uses,
others are specific to one

Security of Public Key Schemes
• like private key schemes brute force exhaustive
search attack is always theoretically possible
• but keys used are too large (>512bits)
• security relies on a large enough difference in
difficulty between easy (en/decrypt) and hard
(cryptanalyse) problems
• more generally the hard problem is known, its
just made too hard to do in practise
• requires the use of very large numbers
• hence is slow compared to private key schemes

RSA
• by Rivest, Shamir & Adleman of MIT in 1977
• best known & widely used public-key scheme
• based on exponentiation in a finite (Galois) field
over integers modulo a prime
– nb. exponentiation takes O((log n)3) operations (easy)
• uses large integers (eg. 1024 bits)
• security due to cost of factoring large numbers
– nb. factorization takes O(e log n log log n) operations
(hard)

RSA Key Setup
• each user generates a public/private key pair by:
• selecting two large primes at random - p, q
• computing their system modulus N=p.q
– note ø(N)=(p-1)(q-1)
• selecting at random the encryption key e
• where 1<e<ø(N), gcd(e,ø(N))=1
• solve following equation to find decryption key d
– e.d=1 mod ø(N) and 0≤d≤N
• publish their public encryption key: KU={e,N}
• keep secret private decryption key: KR={d,p,q}

RSA Use
• to encrypt a message M the sender:
– obtains public key of recipient KU={e,N}
– computes: C=Me mod N, where 0≤M<N
• to decrypt the ciphertext C the owner:
– uses their private key KR={d,p,q}
– computes: M=Cd mod N
• note that the message M must be smaller
than the modulus N (block if needed)

Why RSA Works
• because of Euler's Theorem:
• aø(n)mod N = 1
– where gcd(a,N)=1
• in RSA have:
– N=p.q
– ø(N)=(p-1)(q-1)
– carefully chosen e & d to be inverses mod ø(N)
– hence e.d=1+k.ø(N) for some k
• hence :
Cd = (Me)d = M1+k.ø(N) = M1.(Mø(N))q =
M1.(1)q = M1 = M mod N

RSA Example
1. Select primes: p=17 & q=11
2. Compute n = pq =17×11=187
3. Compute ø(n)=(p–1)(q-1)=16×10=160
4. Select e : gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160
Value is d=23 since 23×7=161= 10×160+1
6. Publish public key KU={7,187}
7. Keep secret private key KR={23,17,11}

RSA Example cont
• sample RSA encryption/decryption is:
• given message M = 88 (nb. 88<187)
• encryption:
C = 887 mod 187 = 11
• decryption:
M = 1123 mod 187 = 88

Exponentiation
• can use the Square and Multiply Algorithm
• a fast, efficient algorithm for exponentiation
• concept is based on repeatedly squaring base
• and multiplying in the ones that are needed to
compute the result
• look at binary representation of exponent
• only takes O(log2 n) multiples for number n
– eg. 75 = 74.71 = 3.7 = 10 mod 11
– eg. 3129 = 3128.31 = 5.3 = 4 mod 11

RSA Key Generation
• users of RSA must:
– determine two primes at random - p, q
– select either e or d and compute the other
• primes p,q must not be easily derived
from modulus N=p.q
– means must be sufficiently large
– typically guess and use probabilistic test
• exponents e, d are inverses, so use
Inverse algorithm to compute the other

RSA Security
• three approaches to attacking RSA:
– brute force key search (infeasible given size
of numbers)
– mathematical attacks (based on difficulty of
computing ø(N), by factoring modulus N)
– timing attacks (on running of decryption)

Factoring Problem
• mathematical approach takes 3 forms:
– factor N=p.q, hence find ø(N) and then d
– determine ø(N) directly and find d
– find d directly
• currently believe all equivalent to factoring
– have seen slow improvements over the years
• as of Aug-99 best is 130 decimal digits (512) bit with GNFS
– biggest improvement comes from improved algorithm
• cf “Quadratic Sieve” to “Generalized Number Field Sieve”
– barring dramatic breakthrough 1024+ bit RSA secure
• ensure p, q of similar size and matching other constraints

Timing Attacks
• developed in mid-1990’s
• exploit timing variations in operations
– eg. multiplying by small vs large number
– or IF's varying which instructions executed
• infer operand size based on time taken
• RSA exploits time taken in exponentiation
• countermeasures
– use constant exponentiation time
– add random delays
– blind values used in calculations

Chapter 10 – Key Management;
Other Public Key Cryptosystems
No Singhalese, whether man or woman,
would venture out of the house without a
bunch of keys in his hand, for without such
a talisman he would fear that some devil
might take advantage of his weak state to
slip into his body.
—The Golden Bough, Sir James George
Frazer

Key Management
• public-key encryption helps address key
distribution problems
• have two aspects of this:
– distribution of public keys
– use of public-key encryption to distribute
secret keys

Distribution of Public Keys
• can be considered as using one of:
– Public announcement
– Publicly available directory
– Public-key authority
– Public-key certificates

Public Announcement
• users distribute public keys to recipients or
broadcast to community at large
– eg. append PGP keys to email messages or
post to news groups or email list
• major weakness is forgery
– anyone can create a key claiming to be
someone else and broadcast it
– until forgery is discovered can masquerade as
claimed user

Publicly Available Directory
• can obtain greater security by registering
keys with a public directory
• directory must be trusted with properties:
– contains {name,public-key} entries
– participants register securely with directory
– participants can replace key at any time
– directory is periodically published
– directory can be accessed electronically
• still vulnerable to tampering or forgery

Public-Key Authority
• improve security by tightening control over
distribution of keys from directory
• has properties of directory
• and requires users to know public key for
the directory
• then users interact with directory to obtain
any desired public key securely
– does require real-time access to directory
when keys are needed

Public-Key Certificates
• certificates allow key exchange without
real-time access to public-key authority
• a certificate binds identity to public key
– usually with other info such as period of
validity, rights of use etc
• with all contents signed by a trusted
Public-Key or Certificate Authority (CA)
• can be verified by anyone who knows the
public-key authorities public-key

Public-Key Distribution of Secret
Keys
• use previous methods to obtain public-key
• can use for secrecy or authentication
• but public-key algorithms are slow
• so usually want to use private-key
encryption to protect message contents
• hence need a session key
• have several alternatives for negotiating a
suitable session

Simple Secret Key Distribution
• proposed by Merkle in 1979
– A generates a new temporary public key pair
– A sends B the public key and their identity
– B generates a session key K sends it to A
encrypted using the supplied public key
– A decrypts the session key and both use
• problem is that an opponent can intercept
and impersonate both halves of protocol

Public-Key Distribution of Secret
Keys
• if have securely exchanged public-keys:

Diffie-Hellman Key Exchange
• first public-key type scheme proposed
• by Diffie & Hellman in 1976 along with the
exposition of public key concepts
– note: now know that James Ellis (UK CESG)
secretly proposed the concept in 1970
• is a practical method for public exchange
of a secret key
• used in a number of commercial products

• a public-key distribution scheme
– cannot be used to exchange an arbitrary message
– rather it can establish a common key
– known only to the two participants
• value of key depends on the participants (and
their private and public key information)
• based on exponentiation in a finite (Galois) field
(modulo a prime or a polynomial) - easy
• security relies on the difficulty of computing
discrete logarithms (similar to factoring) – hard

Diffie-Hellman Setup
• all users agree on global parameters:
– large prime integer or polynomial q
– α a primitive root mod q
• each user (eg. A) generates their key
– chooses a secret key (number): xA < q
– compute their public key: yA = α
xA
mod q
• each user makes public that key yA

• shared session key for users A & B is KAB:
KAB = α
xA.xB
mod q
= yA
xB
mod q (which B can compute)
= yB
xA
mod q (which A can compute)
• KAB is used as session key in private-key
encryption scheme between Alice and Bob
• if Alice and Bob subsequently communicate,
they will have the same key as before, unless
they choose new public-keys
• attacker needs an x, must solve discrete log

Diffie-Hellman Example
• users Alice & Bob who wish to swap keys:
• agree on prime q=353 and α=3
• select random secret keys:
– A chooses xA=97, B chooses xB=233
• compute public keys:
– yA=3
97
mod 353 = 40 (Alice)
– yB=3
233
mod 353 = 248 (Bob)
• compute shared session key as:
KAB= yB
xA
mod 353 = 248
97
= 160 (Alice)
KAB= yA
xB
mod 353 = 40
233
= 160 (Bob)

41
ELGAMAL
• To show that RSA is not the only public key
system
• To exhibit a public key system based on a
different one way function
• ElGamal is the basis for several well-known
cryptographic primitives
We will also take a look at the ElGamal public
key cipher system for a number of reasons:

42
SETTING UP ELGAMAL
• Let p be a large prime
– By “large” we mean here a prime rather typical
in length to that of an RSA modulus
• Select a special number g
– The number g must be a primitive element
modulo p.
• Choose a private key x
– This can be any number bigger than 1 and
smaller than p-1
• Compute public key y from x, p and g
– The public key y is g raised to the power of the
private key x modulo p. In other words:
y = gx mod p 42

43
SETTING UP ELGAMAL: EXAMPLE
Step 1: Let p = 23
Step 2: Select a primitive element g = 11
Step 3: Choose a private key x = 6
Step 4: Compute y = 116 (mod 23)
= 9
Public key is 9
Private key is 6

44
ELGAMAL ENCRYPTION
The first job is to represent the plaintext as a
series of numbers modulo p. Then:
1. Generate a random number k
2. Compute two values C1 and C2, where
C1 = gk mod p and C2 = Myk mod
p
3. Send the ciphertext C, which consists of
the two separate values C1 and C2.

45
ELGAMAL ENCRYPTION: EXAMPLE
To encrypt M = 10 using Public key 9
1 - Generate a random number k = 3
2 - Compute C1= 113 mod 23 = 20
C2= 10 x 93 mod 23
= 10 x 16 = 160 mod 23 = 22
3 - Ciphertext C = (20 , 22 )

46
ELGAMAL DECRYPTION
C1 = gk mod p C2 = Myk mod p
1 - The receiver begins by using their private key x to
transform C1 into something more useful:
C1
x = (gk)x mod p
NOTE: C1
x = (gk)x = (gx)k = (y)k = yk mod p
2 - This is a very useful quantity because if you divide
C2 by it you get M. In other words:
C2 / yk = (Myk) / yk = M mod p

47
ELGAMAL DECRYPTION: EXAMPLE
To decrypt C = (20 , 22 )
1 - Compute 206 = 16 mod 23
2 - Compute 22 / 16 = 10 mod 23
3 - Plaintext = 10

48
SECURITY OF ELGAMAL
1. Trying to decrypt a ciphertext without
knowledge of the private key
2. Trying to determine the private key
Recall the two different strategies for trying to
“break” RSA:
What hard problems do you come across if you try to follow
these two different strategies to break ElGamal?

PUBLIC-KEY CRYPTOSYSTEMS
Secrecy: Only B can Decrypt
the message
Authentication: Only A can
generate the encrypted message 49

ELGAMAL CRYPTOGRAPHY
• public-key cryptosystem related to D-H
• so uses exponentiation in a finite (Galois)
• with security based difficulty of computing discrete
logarithms, as in D-H
–chooses a secret key (number): 1 < xA < q-1
–compute their public key: yA = a
xA
mod q
52

ELGAMAL MESSAGE EXCHANGE
• Bob encrypt a message to send to A computing
– represent message M in range 0 <= M <= q-1
• longer messages must be sent as blocks
– chose random integer k with 1 <= k <= q-1
– compute one-time key K = yA
k
mod q
– encrypt M as a pair of integers (C1,C2) where
• C1 = a
k
mod q ; C2 = KM mod q
• A then recovers message by
– recovering key K as K = C1
xA mod q
– computing M as M = C2 K-1 mod q
• a unique k must be used each time
– otherwise result is insecure 53

ELGAMAL EXAMPLE
• use field GF(19) q=19 and a=10
• Alice computes her key:
– A chooses xA=5 & computes yA=10
5
mod 19 = 3
• Bob send message m=17 as (11,5) by
– chosing random k=6
– computing K = yA
k
mod q = 3
6
mod 19 = 7
– computing C1 = a
k
mod q = 10
6
mod 19= 11;
C2 = KM mod q = 7.17 mod 19 = 5
• Alice recovers original message by computing:
– recover K = C1
xA mod q = 11
5
mod 19 = 7
– compute inverse K-1 = 7-1 = 11
– recover M = C2 K-1 mod q = 5.11 mod 19=17
54

ElGamal Digital Signatures
• signature variant of ElGamal, related to D-H
– so uses exponentiation in a finite (Galois)
– with security based difficulty of computing discrete
logarithms, as in D-H
• use private key for encryption (signing)
• uses public key for decryption (verification)
– chooses a secret key (number): 1 < xA < q-1
– compute their public key: yA = a
xA
mod q
55

ElGamal Digital Signature
• Alice signs a message M to Bob by computing
– the hash m = H(M), 0 <= m <= (q-1)
– chose random integer K with 1 <= K <= (q-1) and
gcd(K,q-1)=1
– compute temporary key: S1 = a
k
mod q
– compute K-1 the inverse of K mod (q-1)
– compute the value: S2 = K-1(m-xAS1) mod (q-1)
– signature is:(S1,S2)
• any user B can verify the signature by computing
– V1 = a
m
mod q
– V2 = yA
S1 S1
S2 mod q
– signature is valid if V1 = V2
56

ElGamal Signature Example
• use field GF(19) q=19 and a=10
• Alice computes her key:
– A chooses xA=16 & computes yA=10
16
mod 19 = 4
• Alice signs message with hash m=14 as (3,4):
– choosing random K=5 which has gcd(18,5)=1
– computing S1 = 10
5
mod 19 = 3
– finding K-1 mod (q-1) = 5-1 mod 18 = 11
– computing S2 = 11(14-16.3) mod 18 = 4
• any user B can verify the signature by computing
– V1 = 10
14
mod 19 = 16
– V2 = 43.34 = 5184 = 16 mod 19
– since 16 = 16 signature is valid
57

Elliptic Curve Cryptography
• majority of public-key crypto (RSA, D-H)
use either integer or polynomial arithmetic
with very large numbers/polynomials
• imposes a significant load in storing and
processing keys and messages
• an alternative is to use elliptic curves
• offers same security with smaller bit sizes

Real Elliptic Curves
• an elliptic curve is defined by an equation
in two variables x & y, with coefficients
• consider a cubic elliptic curve of form
– y2 = x3 + ax + b
– where x,y,a,b are all real numbers
– also define zero point O
• have addition operation for elliptic curve
– geometrically sum of Q+R is reflection of
intersection R

Finite Elliptic Curves
• Elliptic curve cryptography uses curves
whose variables & coefficients are finite
• have two families commonly used:
– prime curves Ep(a,b) defined over Zp
• use integers modulo a prime
• best in software
– binary curves E2m(a,b) defined over GF(2n)
• use polynomials with binary coefficients
• best in hardware

Elliptic Curve Cryptography
• ECC addition is analog of modulo multiply
• ECC repeated addition is analog of
modulo exponentiation
• need “hard” problem equiv to discrete log
– Q=kP, where Q,P belong to a prime curve
– is “easy” to compute Q given k,P
– but “hard” to find k given Q,P
– known as the elliptic curve logarithm problem
• Certicom example: E23(9,17)

ECC Diffie-Hellman
• can do key exchange analogous to D-H
• users select a suitable curve Ep(a,b)
• select base point G=(x1,y1) with large
order n s.t. nG=O
• A & B select private keys nA<n, nB<n
• compute public keys: PA=nA×G, PB=nB×G
• compute shared key: K=nA×PB, K=nB×PA
– same since K=nA×nB×G

ECC Encryption/Decryption
• several alternatives, will consider simplest
• must first encode any message M as a point on
the elliptic curve Pm
• select suitable curve & point G as in D-H
• each user chooses private key nA<n
• and computes public key PA=nA×G
• to encrypt Pm : Cm={kG, Pm+k Pb}, k random
• decrypt Cm compute:
Pm+kPb–nB(kG) = Pm+k(nBG)–nB(kG) = Pm

ECC Security
• relies on elliptic curve logarithm problem
• fastest method is “Pollard rho method”
• compared to factoring, can use much
smaller key sizes than with RSA etc
• for equivalent key lengths computations
are roughly equivalent
• hence for similar security ECC offers
significant computational advantages

18CS2005 Cryptography and Network Security

More Related Content

What's hot (20)

Similar to 18CS2005 Cryptography and Network Security (20)

More from Kathirvel Ayyaswamy (20)

Recently uploaded (20)

18CS2005 Cryptography and Network Security