Session 4. Asymmetric ciphers
Contents
• Definition of asymmetric (public key) ciphers
• Applications of asymmetric ciphers
• The public key encipherment procedure
• The RSA public key cipher system
Asymmetric cipher definition
• The general cryptographic procedure (figure): participant A enciphers the plaintext under a key to obtain the ciphertext; participant B deciphers (decrypts) the ciphertext under a key to recover the plaintext; a cryptanalyst attacks the ciphertext.
Asymmetric cipher definition
• In a symmetric cipher system, the same key is delivered to both participants in advance, via a secure channel.
• If there are n participants, the keys have to be distributed pairwise, i.e.
– Each participant is given n - 1 different keys
– The total number of keys is n(n - 1)/2.
• Consequence: problems with distribution, storage and updating of keys.
Asymmetric cipher definition
• An alternative key distribution system is needed, or a different cipher system.
– There is not much flexibility left within a symmetric cipher system to distribute the keys in a better way.
– Then we need a cipher system that would NOT use the secure channel to distribute the keys.
Asymmetric cipher definition
• How can we define such a system?
• Does such a system exist?
• If such a system exists in theory, can we realize it in practice?
• What is the security of such a system?
Asymmetric cipher definition
• Diffie-Hellman's definition of a public key (or asymmetric) cipher system (1976) (1):
– Let {K} be a finite key space and let {M} be a finite message space.
– A public key cipher system is a pair of families of algorithms $\{E_K\}_{K \in \{K\}}$ and $\{D_K\}_{K \in \{K\}}$ representing invertible transformations
$$E_K : \{M\} \to \{M\}, \qquad D_K : \{M\} \to \{M\}$$
Asymmetric cipher definition
• Diffie-Hellman's definition of a public key (or asymmetric) cipher system (1976) (2):
– In such a system, the following holds:
1. For every $K \in \{K\}$, $E_K$ is the inverse of $D_K$
2. For every $K \in \{K\}$ and $M \in \{M\}$, the algorithms $E_K$ and $D_K$ are easy to compute
3. For almost every $K \in \{K\}$, each easily computed algorithm equivalent to $D_K$ is computationally infeasible to derive from $E_K$
4. For every $K \in \{K\}$, it is feasible to compute inverse pairs $E_K$ and $D_K$ from K.
Asymmetric cipher definition
• From property 3, $E_K$ can be made public without compromising $D_K$
• From property 4, there is a guarantee that there is a feasible way of computing corresponding pairs of inverse transformations $E_K$ and $D_K$.
Asymmetric cipher definition
• Given a system of this kind, the problem of key distribution is vastly simplified:
– Each participant generates a pair of inverse transformations, E and D.
– The deciphering transformation D must be kept secret but need not be transmitted by any channel – we do not need a secure channel.
– The enciphering transformation E can be made public – placed in a public directory.
Asymmetric cipher definition
• But we still do not know whether such a cipher system is (theoretically) possible.
• One way to define such a system rigorously is through so-called one-way functions.
Asymmetric cipher definition
• A function $y = f(x)$ is a one-way function if
– For any x, it is feasible to compute $f(x)$
– For almost all y in the range of f, it is computationally infeasible to solve the equation $y = f(x)$ for x, i.e. to find any x in the domain with $f(x) = y$.
Asymmetric cipher definition
• The function f is not invertible from the computational point of view.
• A special class of one-way functions is of interest in the public key context – trap-door one-way functions.
Asymmetric cipher definition
• A trap-door one-way function
– A simply computed inverse exists
– But given only f, it is computationally infeasible to find a simply computed inverse
– Only through knowledge of certain trap-door information can an easily computed inverse be found.
Asymmetric cipher definition
• The problem
– Strictly mathematically speaking, the existence of (trap-door) one-way functions has not been proved yet.
• There are functions that have properties similar to these functions – we believe that they are candidates for (trap-door) one-way functions.
Asymmetric cipher definition
• Rivest-Shamir-Adleman's (RSA's) definition of an asymmetric (public key) cipher system (1977) (1):
– Let E be an encipherment transformation and let D be the corresponding decipherment transformation.
Asymmetric cipher definition
• RSA's definition of an asymmetric (public key) cipher system (1977) (2):
– The properties of E and D
1. $D(E(M)) = M$
2. Both E and D are feasible to compute
3. Publicly revealing E does not reveal a feasible way to compute D
4. $E(D(M)) = M$
Asymmetric cipher definition
• A function E satisfying properties 1-3 is a trap-door one-way function.
• A function E satisfying properties 1-4 is a trap-door one-way permutation (one-to-one and onto).
Applications of asymmetric ciphers
• Confidentiality
• Integrity and authentication – digital signatures (using property 4, $E(D(M)) = M$, in combination with hash functions)
• Key exchange
The public key encipherment procedure
• The participants in the communication are usually given names, such as Alice and Bob.
• Alice uses the transformation $E_A$ for encipherment and $D_A$ for decipherment
• Bob uses the transformation $E_B$ for encipherment and $D_B$ for decipherment.
The public key encipherment procedure
• Illustration – confidentiality: Alice sends an enciphered message to Bob (figure: Alice computes $c = E_B(m)$ and sends c; Bob recovers $m = D_B(c)$).
The public key encipherment procedure
• Alice takes $E_B$ from a public directory
• $D_B$ is kept secret by Bob. It is not transmitted by any means – no secure channel is needed.
The RSA public key cipher system
• The prerequisites: each participant does the following (1):
– Generates two large distinct random primes p and q, approximately of the same size (in bits)
– Computes $n = pq$ and $\varphi(n) = (p-1)(q-1)$
– Selects a random integer e, $1 < e < \varphi(n)$, such that $\gcd(e, \varphi(n)) = 1$
The RSA public key cipher system
• The prerequisites: each participant does the following (2):
– Computes the unique integer d, $1 < d < \varphi(n)$, such that $ed \equiv 1 \pmod{\varphi(n)}$. This can be done by means of the extended Euclidean algorithm.
– The public key is (n, e) and the private key is d.
The RSA public key cipher system
• Encipherment: Alice enciphers a message for Bob
– Obtains Bob's authentic public key $(n_B, e_B)$
– Represents the message in the form of an integer m in the interval $[0, n_B - 1]$
– Computes $c = m^{e_B} \bmod n_B$
– Sends c to Bob.
The RSA public key cipher system
• Decipherment: Bob deciphers the message enciphered by Alice
– Bob uses his private key $d_B$ to compute $m = c^{d_B} \bmod n_B$
– m is converted to a meaningful text.
The RSA public key cipher system
• The security of the RSA cipher system lies in the hope that the encipherment function $c = m^e \bmod n$ is a (trap-door) one-way function; this is believed, not proved.
• The trap-door is the knowledge of the factorization of n. This knowledge allows Bob to decipher, since p and q give $\varphi(n)$ and hence d.
The RSA public key cipher system
• To realize RSA in practice we need (1)
– Random primes
  • Generating random numbers
  • Primality testing
– Euler's function $\varphi(n)$
The RSA public key cipher system
• To realize RSA in practice we need (2)
– Extended Euclidean algorithm
– Multiplicative inverse
– Modular exponentiation – to compute powers with large exponents
Random primes
• Random primes generation
1. Generate a random integer m
2. If m is even, replace m by m + 1
3. Test if m is prime
4. If m is not prime, test if m + 2 is prime, and so on.
Random primes
• Theorem (the prime number theorem)
– If m is chosen at random, the probability that m is prime is approximately $1/\ln m$.
• Consequence: we can expect to test about $\ln m$ numbers for primality (about half as many, $\ln m / 2$, when only the odd candidates of the procedure above are tested).
Random primes
• Example: if m can be represented with 256 bits (i.e. the maximum representable integer is $2^{256} - 1$), then $\ln m \approx 177$, which means that we have to test approximately 177 integers (about 89 odd ones) before we find a prime of that size. For 512-bit m the figure doubles: $\ln 2^{512} \approx 355$.
Random primes
• Primality testing
– In practice, probabilistic (Monte Carlo) algorithms for testing primality are used, e.g.
  • Solovay-Strassen
  • Miller-Rabin
– These algorithms are fast, but they may declare a composite integer prime; the probability of this is small and is driven down by repeating the test with independent random bases (for Miller-Rabin, at most $4^{-k}$ after k rounds).
The Euler's function φ(n)
• Let n be a positive integer.
• Euler's function $\varphi(n)$ is defined to be the number of positive integers b less than or equal to n which are relatively prime to n, i.e.
$$\varphi(n) = \left|\{\, b : 1 \le b \le n,\ \gcd(b, n) = 1 \,\}\right|$$
The Euler's function φ(n)
• Theorem – computing $\varphi(n)$
– Given a positive integer n with the factorization
$$n = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$$
– Then
$$\varphi(n) = \prod_{i=1}^{r} \left(p_i^{e_i} - p_i^{e_i - 1}\right) = n \prod_{i=1}^{r} \left(1 - \frac{1}{p_i}\right)$$
The Euler's function φ(n)
• Example – RSA
– $n = pq$, where p and q are distinct primes
– Then $\varphi(n) = (p^1 - p^0)(q^1 - q^0) = (p-1)(q-1)$
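The definition and the theorem above, as an added example (not from the slides): $\varphi(n)$ computed by the definition (counting the b with $\gcd(b, n) = 1$) and by the product formula over the factorization, so the two can be checked against each other on small moduli. The trial-division factorizer is this example's own and is only meant for toy sizes.

```python
import math

# Added example (not from the slides): phi(n) two ways, by the definition
# (count b in 1..n with gcd(b, n) = 1) and by the theorem
# phi(n) = prod (p_i**e_i - p_i**(e_i - 1)) over the prime factorization.

def factorize(n):
    """Trial-division factorization of n >= 1 as {prime: exponent}.
    Fine for the toy moduli in these examples, hopeless for RSA-sized n."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def phi_by_definition(n):
    """Straight from the definition: |{b : 1 <= b <= n, gcd(b, n) = 1}|."""
    return sum(1 for b in range(1, n + 1) if math.gcd(b, n) == 1)

def phi_by_theorem(n):
    """Product formula; an empty factorization (n = 1) gives phi(1) = 1."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result

def phi_rsa(p, q):
    """Special case n = p*q with distinct primes p, q: (p - 1)(q - 1)."""
    return (p - 1) * (q - 1)

if __name__ == "__main__":
    for n in (1, 36, 143, 1180):
        print(n, factorize(n), phi_by_definition(n), phi_by_theorem(n))
```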
Euclidean algorithm
• Example: find gcd(1180, 482)
1. $1180 = 2 \cdot 482 + 216$
2. $482 = 2 \cdot 216 + 50$
3. $216 = 4 \cdot 50 + 16$
4. $50 = 3 \cdot 16 + 2$
5. $16 = 8 \cdot 2 + 0$
• So, gcd(1180, 482) = 2
Extended Euclidean algorithm
• Theorem – extended Euclidean algorithm
– Let $d = \gcd(a, b)$, where $a > b$.
– Then there exist integers u and v such that $d = ua + vb$.
Extended Euclidean algorithm
• Example (a = 1180, b = 482): first run the Euclidean algorithm
$1180 = 2 \cdot 482 + 216$
$482 = 2 \cdot 216 + 50$
$216 = 4 \cdot 50 + 16$
$50 = 3 \cdot 16 + 2$
$16 = 8 \cdot 2 + 0$
• Then substitute back, starting from the last non-zero remainder:
$2 = 50 - 3 \cdot 16$
$= 50 - 3(216 - 4 \cdot 50)$
$= 13 \cdot 50 - 3 \cdot 216$
$= 13(482 - 2 \cdot 216) - 3 \cdot 216$
$= 13 \cdot 482 - 29 \cdot 216$
$= 13 \cdot 482 - 29(1180 - 2 \cdot 482)$
$= 71 \cdot 482 - 29 \cdot 1180$
• So, u = -29, v = 71.
Multiplicative inverse
• Arithmetic modulo m
– $\mathbb{Z}_m$ is defined to be the set $G = \{0, \ldots, m-1\}$, equipped with two operations, $+$ and $\cdot$, i.e. $\mathbb{Z}_m$ is a structure $(G, +, \cdot)$
– The results of addition and multiplication are reduced modulo m
Multiplicative inverse
• The structure $(G, +)$ satisfies the axioms of a group – additive group (written here for a generic operation $*$):
1. Closure: $\forall x, y \in G:\ x * y \in G$
2. Associativity: $\forall x, y, z \in G:\ (x * y) * z = x * (y * z)$
3. Existence of the identity (neutral) element: $\exists e \in G\ \forall x \in G:\ x * e = e * x = x$
4. Existence of the inverse elements: $\forall x \in G\ \exists x^{-1} \in G:\ x * x^{-1} = x^{-1} * x = e$
Multiplicative inverse
• The structure $(G, \cdot)$ satisfies closure, associativity and the existence of the neutral element, but does not satisfy the existence of an inverse element for each element of G (in general).
• Such a structure $(G, +, \cdot)$ is called a ring.
Multiplicative inverse
• Multiplicative inverse – inverse of an element of the structure $(G, \cdot)$ of the ring $\mathbb{Z}_m$
• Theorem
– An element a of $\mathbb{Z}_m$ has a multiplicative inverse if and only if $\gcd(a, m) = 1$
Multiplicative inverse
• Let a be an element of $\mathbb{Z}_m$ and let $\gcd(a, m) = 1$ (i.e. a and m are mutually prime). This can be checked by the Euclidean algorithm.
• Then by the extended Euclidean algorithm we get
$$1 = ua + vm$$
• Taking both sides of the expression $1 = ua + vm$ modulo m we get
$$1 \equiv ua \pmod m$$
• This means that u is the multiplicative inverse of a modulo m.
Multiplicative inverse
• Example
– Find the multiplicative inverse of 2 in $\mathbb{Z}_{17}$.
• The Euclidean algorithm gives
1. $17 = 8 \cdot 2 + 1$
2. $2 = 2 \cdot 1 + 0$
• The extended Euclidean algorithm gives
1. $1 = 17 - 8 \cdot 2$
• Taking both sides modulo 17 gives
$1 \equiv -8 \cdot 2 \pmod{17}$, or equivalently $1 \equiv 9 \cdot 2 \pmod{17}$, i.e.
$9 = 2^{-1}$
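The extended Euclidean example (1180, 482) and the inverse-of-2-in-$\mathbb{Z}_{17}$ example above, as one added worked example (not code from the slides): the Euclidean algorithm recorded step by step, the extended algorithm done iteratively instead of by hand back-substitution, and the multiplicative inverse derived from it, refusing the cases the theorem rules out. The function names and the `(a, q, b, r)` step format are this example's own.

```python
# Added example (not from the slides): Euclidean and extended Euclidean
# algorithms, and the multiplicative inverse in Z_m derived from them.

def gcd_steps(a, b):
    """Euclidean algorithm, returning each division as (a, q, b, r) with a = q*b + r."""
    steps = []
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))
        a, b = b, r
    return steps

def egcd(a, b):
    """Return (d, u, v) with d = gcd(a, b) = u*a + v*b.
    Same result as the hand back-substitution, but carried along each step:
    the invariants are  a_cur = u0*a + v0*b  and  b_cur = u1*a + v1*b."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b != 0:
        q, r = divmod(a, b)
        a, b = b, r
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0

def modinv(a, m):
    """Inverse of a in Z_m. By the theorem it exists iff gcd(a, m) = 1,
    and then 1 = u*a + v*m gives u = a**-1 (mod m)."""
    d, u, _ = egcd(a % m, m)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {m}: gcd({a}, {m}) = {d}")
    return u % m

if __name__ == "__main__":
    for a, q, b, r in gcd_steps(1180, 482):
        print(f"{a} = {q}*{b} + {r}")
    print("egcd(1180, 482) =", egcd(1180, 482))   # (2, -29, 71)
    print("2^-1 mod 17 =", modinv(2, 17))          # 9
    print("7^-1 mod 120 =", modinv(7, 120))        # 103, the RSA example's d
```

`modinv(7, 120)` is exactly the computation of d in the RSA example later in the session, so the same routine serves key generation.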
Modular exponentiation
• Modular exponentiation is computing $b^n \pmod m$
• Let $(n_0, n_1, \ldots, n_{k-1})$ be the binary representation of n, i.e.
$$n = n_0 + 2 n_1 + 2^2 n_2 + \cdots + 2^{k-1} n_{k-1}$$
• The binary representation of n is obtained by means of the "arrow algorithm"
Modular exponentiation
• The "arrow algorithm" – convert from base 10 to any base B
1. Get the last digit of the converted number by dividing n by B and taking the remainder
2. Replace n by the quotient
3. Repeat until the quotient is 0.
Modular exponentiation
• Example: compute $38^{75} \pmod{103}$
– We first convert the exponent 75 to base 2
– Thus $75_{10} = (1001011)_2$
– Then we run 7 iterations of the algorithm, using b = 38, n = 75 and m = 103.
Modular exponentiation
• So at the output the algorithm gives that $38^{75} \pmod{103} = 79$
• Alternatively, we can pre-compute the values $38^{2^i} \bmod 103$, $i = 0, \ldots, 6$
• Each such value is obtained by squaring the previous one and taking modulo m.
Modular exponentiation
• What the algorithm actually does is to compute $38^{75}$ as
$$38^{75} = 38^{64 + 8 + 2 + 1} = 38^{64} \cdot 38^{8} \cdot 38^{2} \cdot 38^{1}$$
• Then we have
$$38^{75} \bmod 103 = 63 \cdot 16 \cdot 2 \cdot 38 \bmod 103 = 79$$
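The arrow algorithm, the table of $b^{2^i} \bmod m$ and the $38^{75} \bmod 103$ example above, as one added worked example (not code from the slides): the base conversion, the repeated-squaring table, and square-and-multiply built from the two, which is the general algorithm of which the slides show one run. Function names are this example's own; Python's built-in `pow` is used only as an independent check.

```python
# Added example (not from the slides): the "arrow algorithm" for the binary
# expansion of the exponent, the table b**(2**i) mod m obtained by repeated
# squaring, and square-and-multiply modular exponentiation built from both.

def to_base(n, base=2):
    """Digits of n in the given base, least significant first (the arrow
    algorithm: divide by the base, keep the remainder, repeat on the quotient)."""
    digits = []
    while True:
        n, r = divmod(n, base)
        digits.append(r)
        if n == 0:
            return digits

def power_table(b, k, m):
    """[b**(2**i) mod m for i in range(k)]; each entry is the square of the
    previous one reduced mod m, so no big intermediate powers ever appear."""
    table = [b % m]
    for _ in range(k - 1):
        table.append(table[-1] * table[-1] % m)
    return table

def modpow(b, n, m):
    """b**n mod m by square-and-multiply: multiply together the table entries
    whose bit is set in n. Never forms b**n itself."""
    if n == 0:
        return 1 % m
    bits = to_base(n, 2)
    table = power_table(b, len(bits), m)
    result = 1 % m
    for bit, power in zip(bits, table):
        if bit:
            result = result * power % m
    return result

if __name__ == "__main__":
    print("75 =", to_base(75, 2)[::-1])              # [1, 0, 0, 1, 0, 1, 1]
    print("38^(2^i) mod 103:", power_table(38, 7, 103))
    print("38^75 mod 103 =", modpow(38, 75, 103), pow(38, 75, 103))
```

The work is about $2 \log_2 n$ multiplications of numbers no larger than m, which is what makes RSA with thousand-bit exponents feasible; computing $b^n$ first and reducing afterwards would not be.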
Example – RSA encipher and decipher
• Bob does the following (1):
1. Chooses p = 11 and q = 13
2. Computes $n = 11 \cdot 13 = 143$ and $\varphi(n) = 10 \cdot 12 = 120$
3. Sets e = 7 and checks with the Euclidean algorithm that $\gcd(e, \varphi(n)) = 1$, i.e. $\gcd(7, 120) = 1$. Indeed, $120 = 17 \cdot 7 + 1$
Example – RSA encipher and decipher
• Bob does the following (2):
4. Applies the extended Euclidean algorithm ($1 = 120 - 17 \cdot 7$) to find that $7^{-1} \equiv -17 \equiv 103 \pmod{120}$, so d = 103
5. Posts his public key (143, 7) in a public repository and keeps the private key d = 103 secret.
Example – RSA encipher and decipher
• Alice wants to encipher the message 5 and to send the ciphertext to Bob (1)
1. Obtains Bob's public key (143, 7)
2. Computes $c = 5^7 \pmod{143}$
  • As $7 = (111)_2$, Alice carries out the pre-computations $5^1 = 5$, $5^2 = 25$, $5^4 = 25^2 \equiv 53$ (all mod 143)
Example – RSA encipher and decipher
• Alice wants to encipher the message 5 and to send the ciphertext to Bob (2)
3. $c = 5^7 = 5 \cdot 25 \cdot 53 \equiv 47 \pmod{143}$
4. c = 47 is sent to Bob
Example – RSA encipher and decipher
• Bob receives c = 47 and deciphers (1)
1. Computes $m = 47^{103} \bmod 143$
  • As $103 = (1100111)_2$, Bob carries out the pre-computations $47^1 = 47$, $47^2 \equiv 64$, $47^4 \equiv 92$, $47^8 \equiv 27$, $47^{16} \equiv 14$, $47^{32} \equiv 53$ and $47^{64} \equiv 92$ (all mod 143)
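The RSA key-generation, encipherment and decipherment procedure and the worked example above (p = 11, q = 13, e = 7), as one added end-to-end example (not code from the slides). It also shows the trap-door remark in code: whoever learns the factorization of n recomputes d exactly as Bob did, and it demonstrates one reason textbook RSA as shown here is not used directly in practice. Python's built-in `pow` supplies modular exponentiation and, with exponent -1 (Python 3.8 or later), the modular inverse via the extended Euclidean algorithm; the function names are this example's own.

```python
import math

# Added example (not from the slides): textbook RSA with the slides' toy
# parameters p = 11, q = 13, e = 7, plus the trap-door view of the private key.

def rsa_keygen(p, q, e):
    """Return ((n, e), d) for distinct primes p, q and 1 < e < phi(n), gcd(e, phi(n)) = 1."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if p == q or not 1 < e < phi or math.gcd(e, phi) != 1:
        raise ValueError("need distinct primes and 1 < e < phi(n) with gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)          # e*d = 1 (mod phi(n)), extended Euclidean algorithm
    return (n, e), d

def rsa_encipher(public_key, m):
    """c = m**e mod n; the message must already be an integer in [0, n-1]."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n-1]")
    return pow(m, e, n)

def rsa_decipher(d, n, c):
    """m = c**d mod n."""
    return pow(c, d, n)

def recover_private_key(public_key, p, q):
    """The trap-door: whoever knows the factorization n = p*q gets phi(n), hence d."""
    n, e = public_key
    if p * q != n:
        raise ValueError("p*q is not the modulus")
    return pow(e, -1, (p - 1) * (q - 1))

def multiply_ciphertext(public_key, c, k):
    """Textbook RSA is malleable: c * k**e mod n deciphers to m*k mod n, and
    anyone can build it from the public key without knowing m or d. This is
    one reason real deployments add randomized padding (e.g. OAEP)."""
    n, e = public_key
    return c * pow(k, e, n) % n

if __name__ == "__main__":
    public_key, d = rsa_keygen(11, 13, 7)        # ((143, 7), 103)
    c = rsa_encipher(public_key, 5)              # 47
    print(public_key, d, c, rsa_decipher(d, 143, c))
    print("with p, q known, d =", recover_private_key(public_key, 11, 13))
    forged = multiply_ciphertext(public_key, c, 3)
    print("forged ciphertext deciphers to", rsa_decipher(d, 143, forged))  # 15 = 5*3
```

With n = 143 anyone can factor n by hand, which is the whole point of the toy: the security argument rests entirely on p and q being large enough that factoring n is infeasible, and `recover_private_key` is the attack that succeeds the moment it is not. Encipherment is also deterministic here, so equal messages give equal ciphertexts; padding fixes that as well.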