Problems with symmetric (private-key) encryption
1) secure distribution of keys
2) large number of keys
Solution to both problems: Public-key (asymmetric) encryption
[Diagram: plaintext → encryption algorithm (keypub) → ciphertext → decryption algorithm (keypriv) → plaintext]
D( E(message, kpub), kpriv) = message
Data transmission via public-key encryption
[Diagram: Lena and Ole]
Every user maintains a unique pair of keys: one private and one public.
Public keys are available for anyone to use.
For Lena to send a message to Ole, she first encrypts using Ole’s public key. This ensures
that only Ole will be able to read the message.
Note that this preserves data confidentiality, but does not ensure authenticity.
Public-key Encryption - the Concept
Proposed in 1976 by Whitfield Diffie & Martin Hellman
Necessary Properties
Computationally easy to generate a pair of keys -- (Kpub, Kpriv)
Computationally easy to encrypt -- E(plaintext, Kpub) → ciphertext
Computationally easy to decrypt -- D(ciphertext, Kpriv) → plaintext
Computationally infeasible to determine Kpriv, even knowing E, D, and Kpub
Computationally infeasible to decrypt without Kpriv, even knowing E, D, and Kpub
An Additional Useful Property
Keys can be used in the opposite order for encryption/decryption -- D(E(plaintext, Kpriv), Kpub) → plaintext
Rivest-Shamir-Adleman (1978) is the best known of current public-key encryption methods.
• Begin with two large primes (p and q).
• n = p*q
(Note that n should be more than 200 digits - roughly 512 bits.)
• Select e relatively prime to (p-1)*(q-1).
• Select d so that (e*d) mod ((p-1)*(q-1)) = 1.
• public key: (e, n)
private key: (d, n)
Encryption Algorithm (apply to each part of the transmission)
E(message, e, n) = (message^e) mod n
Decryption Algorithm (apply to each part of the transmission)
D(message, d, n) = (message^d) mod n
Side note: (p-1)*(q-1) comes from Euler’s definition of the totient
φ(n) = number of positive integers less than n that are relatively prime to n.
more theory: www.di-mgt.com.au/rsa_theory.html
Example
(note that numbers are artificially small.)
p = 2, q = 17
Therefore, n = p*q = 34
Select e = 3
Note that (p-1)*(q-1) = 16. (3 and 16 are relatively prime.)
d = 11 because e*d = 3*11 = 33 and 33 mod 16 = 1
Treat alphabet as integers from zero, and include blank:
A  B  C  D  E  F  G  H  I  J  K  L  M  N
0  1  2  3  4  5  6  7  8  9  10 11 12 13
O  P  Q  R  S  T  U  V  W  X  Y  Z  blank
14 15 16 17 18 19 20 21 22 23 24 25 26
to encipher H
H → 7
7^e mod n = 7^3 mod 34 = 3
to encipher I
I → 8
8^e mod n = 8^3 mod 34 = 2
HI MOM SEND
3 2 32 28 24 28 32 18 30 21 27
to decipher 3
3^d mod n = 3^11 mod 34 = 7
7 → H
to decipher 2
2^d mod n = 2^11 mod 34 = 8
8 → I
3 2 32 28 24 28 32 18 30 21 27
7 8 26 12 14 12 26 18 4 13 3
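The worked example above, carried through in code. This is an added example, not part of the original slides; the function names are assumptions. It derives d from e with the extended Euclidean algorithm and reduces mod n after every multiplication so intermediate values stay small.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ "   # A=0 ... Z=25, blank=26, as in the table

def mod_inverse(e, phi):
    """Extended Euclid: return d such that (e*d) mod phi == 1."""
    old_r, r, old_s, s = e, phi, 1, 0
    while r:
        k = old_r // r
        old_r, r = r, old_r - k * r
        old_s, s = s, old_s - k * s
    if old_r != 1:
        raise ValueError("e is not relatively prime to (p-1)*(q-1)")
    return old_s % phi

def mod_pow(base, exp, n):
    """Square-and-multiply, reducing mod n after every product."""
    result, base = 1, base % n
    while exp:
        if exp & 1:
            result = (result * base) % n
        base = (base * base) % n
        exp >>= 1
    return result

def make_keys(p, q, e):
    """Return ((e, n), (d, n)) for primes p and q."""
    phi = (p - 1) * (q - 1)
    return (e, p * q), (mod_inverse(e, phi), p * q)

def encipher(text, pub):
    e, n = pub
    return [mod_pow(ALPHABET.index(ch), e, n) for ch in text]

def decipher(numbers, priv):
    d, n = priv
    return "".join(ALPHABET[mod_pow(c, d, n)] for c in numbers)

# The slide's artificially small parameters.
PUB, PRIV = make_keys(2, 17, 3)
CIPHER = encipher("HI MOM SEND", PUB)

if __name__ == "__main__":
    print("public", PUB, "private", PRIV)
    print(CIPHER)
    print(decipher(CIPHER, PRIV))
```

Each letter is enciphered on its own, so M becomes 28 both times it appears and S (18) maps to itself: applied per letter, the scheme is a fixed substitution.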
Issues
1) The values of p, q, and φ(n) are not divulged.
2) Cryptanalysis of RSA is accomplished by finding the prime factors of a large number.
3) Factoring is not known to be an NP problem, but the best known
algorithms are exponential.
4) To date no serious security flaws have been discovered.
Finding p and q
• Verifying that p and q are prime requires testing potential factors.
• A practical alternative (Solovay & Strassen algorithm) tests a number
to any desired probability of being prime.
Crack History
Number    Key size (dec. digits)   Key size (bits)   Year   Effort (MIPS-yrs)   Attack/factoring method
RSA-100   100                      332               1991   7                   Quadratic Sieve
RSA-129   129                      428               1994   5000                Quadratic Sieve
RSA-130   130                      431               1996   1000                Generalized num field Sieve
RSA-155   155                      512               1999   8000                Generalized num field Sieve
[Chart: MIPS-years required for factoring, plotted against key size (in bits)]
• Another factoring method (Special Number Field Sieve) is faster.
• Key sizes of 1024 to 2048 appear to be safe for the near future.
Generally, the strength of a public-key algorithm depends upon key size.
Suppose Lena sends a very short message - say one byte
E( LenasByte, KOlePub ) → encipheredByte
Suppose the man in the middle (Hagar) intercepts encipheredByte
How can Hagar discover LenasByte ?
Note: This particular vulnerability is unique to public-key cryptosystems.
Solution: Append random bits to otherwise short messages, making them longer.
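Why the random bits matter, as an added example that is not part of the original slides: without them the encryption is deterministic, so a one-byte message can be matched against the 256 ciphertexts anyone can compute from the public key. Ole's key below is a constructed toy key, and the function names and the 64-bit pad length are assumptions.

```python
import secrets

# Constructed toy key pair for Ole (assumption): two Mersenne primes,
# far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, needs Python 3.8+
PAD_BITS = 64

def encrypt_raw(byte):
    """E(LenasByte, KOlePub) with no padding: same input, same output."""
    return pow(byte, E, N)

def guess_from_ciphertext(ciphertext):
    """Uses only the public key: encrypt every byte value and compare."""
    for candidate in range(256):
        if encrypt_raw(candidate) == ciphertext:
            return candidate
    return None

def encrypt_padded(byte):
    """Put PAD_BITS random bits above the message byte before encrypting."""
    padded = (secrets.randbits(PAD_BITS) << 8) | byte
    return pow(padded, E, N)

def decrypt_padded(ciphertext):
    """Ole decrypts with his private key and discards the random bits."""
    return pow(ciphertext, D, N) & 0xFF

if __name__ == "__main__":
    lenas_byte = ord("L")
    print(guess_from_ciphertext(encrypt_raw(lenas_byte)))      # byte is recovered
    padded = encrypt_padded(lenas_byte)
    print(guess_from_ciphertext(padded))                       # no match
    print(decrypt_padded(padded) == lenas_byte)                # Ole still reads it
```

Real systems use a standardized randomized padding such as RSA-OAEP rather than ad hoc random bits.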
Efficient?
• RSA can be as much as 10,00 times slower than symmetric algorithms
(Multiplication used in place of bit manipulation and table lookup/indexing).
• to improve computation: (a * b) mod n = [(a mod n) * (b mod n)] mod n
Other Public-key Cryptosystems
Elliptic Curve Cryptography (ECC)
• several different ciphers
• based upon cubic equations of the form: y^2 + axy + by = x^3 + cx^2 + dx + e
• appears to have computational speed advantages over RSA
• “test of time”?
Diffie-Hellman Key Exchange
• not a full system, but a key-exchange technique built on public key concept
Digital Signature Standard (DSS)
• not a full system, but a technique for implementing digital signatures built on
public key concept
The additional property of RSA & elliptic curve ciphers:
D(E(plaintext, kpub), kpriv) = plaintext
D(E(plaintext, kpriv), kpub) = plaintext
[Diagram: Lena and Ole]
Confidential transmission
1) Lena encrypts the message using Ole’s public key.
2) The message from (1) is transmitted.
3) Ole decrypts message using his private key.
Confidential & Authenticated transmission
1) Lena encrypts the message (or part of it) using her private key.
2) Lena uses Ole’s public key to encrypt the result of (1).
3) The message from (2) is transmitted.
4) Ole decrypts the message with his private key.
5) Ole decrypts the result of (4) (or appropriate part) with Lena’s public key.
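The five steps of the confidential and authenticated transmission, as an added example that is not part of the original slides. Both key pairs are constructed toy keys and the function names are assumptions; the message is a single integer smaller than Lena's n.

```python
# Constructed toy keys (assumption). Public key is (e, n), private key is (d, n).
def make_keys(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)   # modular inverse, needs Python 3.8+

LENA_PUB, LENA_PRIV = make_keys(61, 53, 17)   # n = 3233
# Ole's n is chosen larger than Lena's so the result of step 1 always fits.
OLE_PUB, OLE_PRIV = make_keys(89, 97, 5)      # n = 8633

def rsa(value, key):
    """One RSA operation: value^exponent mod n, for either kind of key."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value does not fit under this modulus")
    return pow(value, exponent, n)

def lena_send(message):
    signed = rsa(message, LENA_PRIV)    # step 1: Lena's private key
    return rsa(signed, OLE_PUB)         # step 2: Ole's public key (step 3: transmit)

def ole_receive(ciphertext):
    signed = rsa(ciphertext, OLE_PRIV)  # step 4: Ole's private key
    return rsa(signed, LENA_PUB)        # step 5: Lena's public key

def unsigned_send(message):
    """A sender without Lena's private key can only skip step 1."""
    return rsa(message, OLE_PUB)

if __name__ == "__main__":
    print(ole_receive(lena_send(65)))       # 65: readable only by Ole, and from Lena
    print(ole_receive(unsigned_send(65)))   # 2790: step 5 does not give back 65
```

Step 5 only authenticates if Ole can tell a valid message from arbitrary output, which is why real messages carry recognizable structure or a digest.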