Lecture 3.2: Public Key
Cryptography II
CS 436/636/736
Spring 2016
Nitesh Saxena
Course Administration
• HW1 due coming Monday 11am
– Please submit on time.
• Questions?
2
Outline
• The RSA Cryptosystem (Encryption)
3
“Textbook” RSA: KeyGen
• Alice wants people to be able to send her encrypted
messages.
• She chooses two (large) prime numbers, p and q and
computes n=pq and (n). [“large” = 1024 bits +]
• She chooses a number e such that e is relatively prime to (n)
and computes d, the inverse of e in Z  (n ) , i.e., ed =1 mod (n)
• She publicizes the pair (e,n) as her public key. (e is called RSA
exponent, n is called RSA modulus). She keeps d secret and
destroys p, q, and (n)
• Plaintext and ciphertext messages are elements of Zn and e is
the encryption key.
4
RSA: Encryption
• Bob wants to send a message x (an element of
Zn*) to Alice.
• He looks up her encryption key, (e,n), in a
directory.
• The encrypted message ise
y  E ( x)  x mod n
• Bob sends y to Alice.
5
RSA: Decryption
• To decrypt the message
y  E ( x)  x mod n
e
she’s received from Bob, Alice computes
D( y)  y mod n
d
Claim: D(y) = x
6
RSA: why does it all work
• Need to show
 D[E[x]] = x
 E[x] and D[y] can be computed efficiently if
keys are known
 E-1[y] cannot be computed efficiently without
knowledge of the (private) decryption key d.
• Also, it should be possible to select keys
reasonably efficiently
 This does not have to be done too often, so
efficiency requirements are less stringent.
7
E and D are Inverses
D ( y )  y mod n
d
 ( x e mod n) d mod n
 ( x ) mod n
e d
 x ed mod n
x
t ( n ) 1
 (x
mod n
Because ed  1 mod  (n)
(n) t
) x mod n
 1 x mod n  x mod n
t
From Euler’s Theorem
8
Tiny RSA example.
• Let p = 7, q = 11. Then n = 77 and
(n)  60
•
•
•
•
Choose e = 13. Then d = 13-1 mod 60 = 37.
Let message = 2.
E(2) = 213 mod 77 = 30.
D(30) = 3037 mod 77=2
9
Slightly Larger RSA example.
• Let p = 47, q = 71. Then n = 3337 and
( pq)  46 * 70  3220
• Choose e = 79. Then d = 79-1 mod 3220 =
1019.
• Let message = 688232… Break it into 3 digit
blocks to encrypt.
• E(688) = 68879 mod 3337 = 1570.
E(232) = 23279 mod 3337 = 2756
• D(1570) = 15701019 mod 3337 = 688.
D(2756) = 27561019 mod 3337 = 232.
10
Security of RSA: RSA assumption
• Suppose Oscar intercepts the encrypted
message y that Bob has sent to Alice.
• Oscar can look up (e,n) in the public directory
(just as Bob did when he encrypted the
message)
• If Oscar can compute d = e-1 mod (n) then he
can use D( y)  y d mod n  x to recover the
plaintext x.
• If Oscar can compute (n), he can compute d
(the same way Alice did).
11
Security of RSA: factoring
• Oscar knows that n is the product of two
primes
• If he can factor n, he can compute (n)
• But factoring large numbers is very difficult:
– Grade school method takes O( n ) divisions.
– Prohibitive for large n, such as 160 bits
– Better factorization algorithms exist, but they are
still too slow for large n
– Lower bound for factorization is an open problem
12
How big should n be?
• Today we need n to be at least 1024-bits
– This is equivalent to security provided by 80-bit
long keys in private-key crypto
• No other attack on RSA known
– Except some side channel attacks, based on
timing, power analysis, etc. But, these exploit
certain physical charactesistics, not a theoretical
weakness in the cryptosystem!
13
Key selection
• To select keys we need efficient algorithms to
– Select large primes
• Primes are dense so choose randomly.
• Probabilistic primality testing methods known. Work in
logarithmic time.
– Compute multiplicative inverses
• Extended Euclidean algorithm
14
RSA in Practice
• Textbook RSA is insecure
– Known-plaintext?
– CPA?
– CCA?
• In practice, we use a “randomized” version of
RSA, called RSA-OAEP
– Use PKCS#1 standard for RSA encryption
http://www.rsa.com/rsalabs/node.asp?id=2125
– Interested in details of OAEP: refer to (section 3.1
of) http://isis.poly.edu/courses/cs6903/Lectures/lecture13.pdf
15
Some questions
• c1 = RSA_Enc(m1), c2 = RSA_Enc(m2).
– What is RSA_Enc(m1m2)?
• Homomorphic property
– What is RSA_Enc(2m1)?
• Malleability (not a good property!)
• Is it possible to find inverses mod n (RSA modulus)?
16
Some Questions
• RSA stands for Robust Security Algorithm, right?
• If e is small (such as 3)
– Encryption is faster than decryption or the other way round?
• Private key crypto has key distribution problem and Public key
crypto is slow
– How about a hybrid approach?
– Do you know how ssl/ssh works?
17
Some Questions
• I encrypt m with Alice’s RSA PK, I get c
– I encryt m again, I get --?
– What does this mean?
• What if I do the above with DES?
18
Further Reading
• Section 8.2 of HAC
• Section 9 of Stallings
19
Outline
• Discrete Logarithm System
• El Gamal Encryption
• Digital Signatures
Lecture 3.4: Public Key Cryptography IV
Discrete Logarithm Assumption
•
•
•
•
Work with a cyclic group G with generator g
Let |G| = m
G = {g0, g1, g2,…,gm-1}
Given any y = gx in G (where x belongs to Zm), g
and and m, it is not possible to compute x
• This is known as the DL assumption
• Of course, x should be fairly large – at least
160-bits in length
• This suggests that one can possibly use x as
the secret key, and y (and other parameters)
as the public key
El Gamal Encryption -- KeyGen
• p, q primes such that q|p-1
• g is an element of order q and generates a
group Gq of order q
– g = g ’(p-1)/q (were g’ is the generator of Zp*)
• x in Zq, y = gx mod p
• DL assumption -- given (p, q, g, y), it is
computationally hard to compute x
– No polynomial time algorithm known
– p should be 1024-bits and q be 160-bits
• x becomes the private key and y becomes the
public key
ElGamal Encryption/Decryption
• Encryption (of m in Gq):
– Choose random r in Zq
– k = gr mod p
– c = myr mod p
– Output (k,c)
• Decryption of (k,c)
– M = ck-x mod p
• Secure under (a variant of) the discrete
logarithm assumption
Lecture 3.4: Public Key Cryptography IV
ElGamal Example: dummy
• Let’s construct an example
• KeyGen:
–
–
–
–
p = 11, q = 2 or 5; let’s say q = 5
g’ = 2 is a generator of Z11*
g = 22 = 4
x = 2; y = 42 mod 11 = 5
• Enc(3):
– r = 4  k = 44 mod 11 = 3
– c = 3*54 mod 11 = 5
• Dec(3,5):
– m = 5*3-2 mod 11 = 3
Lecture 3.4: Public Key Cryptography IV
El Gamal Security
• Secure against CPA attacks assuming that
discrete logarithm is hard
• Not secure against CCA attacks; why?
– It is possible to massage the ciphertext in a
meaningful way
– Given a ciphertext (k, c), compute k’ = kgr’and c’ =
cyr’ (r’ is picked by the adversary)
– Query the decryption oracle on (k’,c’); it decrypts
and returns the response -- m
Lecture 3.4: Public Key Cryptography IV
CCA Security
• Like in the case of symmetric key encryption,
we can derive CCA secure encryption using
CPA secure encryption
• Just prevent any massaging of the ciphertext
• Integrity protection mechanism is needed
– But, now a public-key based mechanism is needed
• Digital signatures -- next
Lecture 3.4: Public Key Cryptography IV
Digital Signatures
• Message Integrity
– Detect if message is tampered with while in the
transit
• Source/Sender Authentication
– No forgery possible
• Non-repudiation
– If I sign something, I can not deny later
– A trusted third party (court) can resolve dispute
• Many applications – signed email, e-contracts,
e-transactions…
Public Key Signatures
• Signer has public key, private key pair
• Signer signs using its private key
• Verifier verifies using public key of the signer
Lecture 3.4: Public Key Cryptography IV
Security Notion/Model for
Signatures
• Existential Forgery under (adaptively) chosen
message attack (CMA)
– Adversary (adaptively) chooses messages mi of its
choice
– Obtains the signature si on each mi
– Outputs any message m (≠ mi) and a signature s
on m
Lecture 3.4: Public Key Cryptography IV
RSA Signatures
• Key Generation: same as in encryption
• Sign(m): s = md mod N
• Verify(m,s): (se == m mod N)
• The above text-book version is insecure; why?
• In practice, we use a randomized version of
RSA (implemented in PKCS#1)
– Hash the message and then sign the hash
Lecture 3.4: Public Key Cryptography IV
Digital Signature Standard (DSS)
• Adopted as standard in 1994
• Security based on hardness of the discrete
logarithm problem
Lecture 3.4: Public Key Cryptography IV
DSS – KeyGen; Signing; Verification
• KeyGen: the same way as El Gamal
– p, q primes such that q|p-1
– g is an element of order q and generates a group Gq of
order q
• g = g ’(p-1)/q (were g’ is the generator of Zp*)
– x in Zq, y = gx mod p
• Sign:
– Pick random r from Z*q
– k = (gr mod p) mod q; c = (m + xk)r-1 mod q
– Output (k,c) and also the message m
• Verify: kc == gm.yk mod p
Lecture 3.4: Public Key Cryptography IV
DSS Example
• Refer to 11.57 of HAC
Lecture 3.4: Public Key Cryptography IV
Some Questions
• I encrypt m with Alice’s ElGamal PK, I get c
– I encrypt m again, I get --?
– What does this mean?
• Is RSA-OAEP CCA secure?
• Is El Gamal CCA secure?
Lecture 3.4: Public Key Cryptography IV
Further Reading
• Stalling Chapter 10
• HAC Chapter 8 and Chapter 11
Lecture 3.4: Public Key Cryptography IV