Computer and Network Security
Dr. Jinyuan (Stella) Sun
Dept. of Electrical Engineering and Computer Science
University of Tennessee
Fall 2011
Public Key Cryptography
Modular Arithmetic
Elliptic Curve Cryptography
Public Key Cryptography
Aka: asymmetric cryptography, invented in 1970s
Use two keys: a public key known to everyone, a private
key kept secret to the owner
Encryption/decryption: encryption can be done by
everyone using the recipient’s public key, decryption can
be done only by the recipient with his/her private key
Digital signature: signing is done with signer’s private key,
and verification is done with signer’s public key
Key exchange: establish a shared session key with PKC,
SKC is used afterwards
Modular Arithmetic
Fundamental to PKC
Modulo n or mod n: non-negative integers <
some integer n, sometimes “mod n” is omitted
Modular addition
Modular multiplication
Modular exponentiation
Modular Addition
Example: mod 10
Additive inverse: an additive inverse of x is the
number we need to add to x to get 0, e.g., what’s
the additive inverse of 4 mod 10?
Modular Multiplication
Example: 3  7 = 1 mod 10
• Multiplicative inverse: if xy = 1 mod n, then x and y are
each other’s multiplicative inverse mod n
• Relatively prime: no common factors other than 1
• Existence of multiplicative inverse: x has multiplicative
inverse mod n iff x is relatively prime to n
• Euclid’s algorithm: provides efficient method to find
multiplicative inverses mod n
Modular Multiplication (Cont’d)
(n): totient function
• number of integers < n and relatively prime to n
• (n) = n – 1 if n is prime
• (pq) = pq – (p + q – 1) = (p – 1)(q – 1), if p and q
are prime
Euclid’s Algorithm—gcd
Finds the greatest common divisor (gcd) of two integers:
subtract y from x and still have the same gcd
• subtract as many ys as possible and replace x with the remainder
• switch x and y when x becomes smaller than y
• each step looks like: <x, y>  <y, remainder(x/y)>
• eventually x or y will be zero and the other is the gcd
Example: gcd (408, 595) = 17
595/408 = 1 remainder 187
408/187 = 2 remainder 34
187/34 = 5 remainder 17
34/17 = 2 remainder 0
Each step we can write the remainder r = ux + vy (e.g., 17 =
-16x408 + 11x595)
Euclid’s Algorithm—
Multiplicative Inverse
Efficiently finds a number m’s multiplicative inverse mod n
• We
are looking for u that makes um = 1 mod n
• In other words, we are looking for u and v s.t. um + vn = 1
• Calculate r = gcd (m, n) = um + vn and find r = 1 (only exists
when m and n are relatively prime, i.e., gcd (m, n) = 1)
Q: Will there be
more than one
multiplicative inverse
for a given number?
Modular Exponentiation
Example: 46 = 4096 = 6 mod 10
• xy mod n = x(y mod (n)) mod n
(n) = 4
If y = 1 mod (n), then xy mod n = x mod n
Named after Rivest, Shamir, and Adleman
• Public key / private key, use one to encrypt and the other
to decrypt
• Key length: variable, most commonly 512 bits
• Plaintext block: smaller than the key length
• Ciphertext block: same as key length
• Advantage: Easy key management
• Disadvantage: much slower than secret key algorithms
RSA Algorithm
Choose two large primes, p and q, ~256 bits each
• n = pq, (n) = (p – 1)(q – 1)
• Choose e that is relatively prime to (n)
• By Euclid’s algorithm, find d that is the multiplicative
inverse of e mod (n), i.e., ed = 1 mod (n)
• Let <e, n> be the public key, d the private key
Encryption and Decryption
• Encryption with public key <e, n>: c = me mod n
• Decryption with private key d: m = cd mod n
c d mod n = (m e mod n) d mod n
= (m e ) d mod n
= m mod n
Signature and Verification
• Sign with private key d: Sig = md mod n
• Verify with public key <e, n>: m = Sige mod n
Sig e mod n = (m d mod n) e mod n
= (m d ) e mod n
= m mod n
Why is RSA Secure?
• Given n, it is hard to factor it to get p and q
• RSA misuse: Alice uses Bob’s public key to
encrypt a message sent to Bob. If Frank knows the
message is one of many possible messages, he can
use the same public key to compute and compare
the ciphertexts to find the message (Solution?)
Efficiency of RSA Operations
• Exponentiation
of large numbers of several
hundred digits
• Find big primes, p and q
• Find e and d
Exponentiating With Big Numbers
• Page 154 – 155
Finding Big Primes p and q
• The probability of a randomly chosen number n to
be prime is 1 / ln n, which is about one in 230 for n of
a hundred digit
• Test whether a random number n is a prime
- Fermat’s Theorem: if n is a prime and 0 < a < n,
then a n-1 = 1 mod n
- For a non-prime n of a hundred bits, the chance of
a n-1 = 1 mod n is about 1 in 1013 (run more times)
- Unfortunately, there are Carmichael numbers (very
rare) that show a n-1 = 1 mod n for all a’s
- Use Miller-Rabin algorithm
An Efficient Method of Finding Primes
Pick an odd random number n in the proper range.
Test n's divisibility by small primes and go back to 1 if you find a factor.
Repeat the following until n is proven not prime (in which case go back
to step 1) or as many times as you feel necessary to show that n is
probably prime (using Miller-Rabin algorithm):
• Pick an a at random and compute ac mod n (where c is the odd number
for which n-1 = 2bc).
• Each time squaring of ac mod n is performed, check if the result is 1; if so,
check if the number that was squared is ±1; if not, n is not prime (Chinese
remainder theorem: 1 has many square roots if n is not prime).
• Next, if the result of ac mod n is ±1, n passes the primality test for this a.
• Otherwise, at most b-1 times, replace the result by its square and check if
it is ±1. If it is 1, n is not prime (because the previous result is a square root
of 1 different from ±1). If it is -1, n passes the primality test for this a.
• If you've done the squaring b-1 times, n is not prime (because a(n-1)/2 is not
Even if n is a Carmichael number, at least ¾ a’s will show it
Finding e and d
• e: can be randomly chosen, relatively prime to (n)
• d: calculated by Euclid’s algorithm, s.t. ed =1 mod (n)
• If e is chosen to be small such as 3, the encryption
and signature verification will be faster, while the
decryption and digital signature remain the same
• d should not be small (Why?)
Popular Values of e
• 3 and 65537 (216 + 1)
• Advantage: computationally efficient
- 3: 2 multiplies
- 65537: 17 multiplies
Problems of e=3
• Problem 1: c = m e mod n, if e is 3 and m is less than n1/3,
then m 3 < n and thus c = m 3 mod n = m 3  m = c1/3
Solution: pad m to be larger than n1/3
• Problem 2: If a message is encrypted for three recipients
using their public keys, <3, n1> <3, n2> <3, n3> to get three
ciphertexts, c1 = m3 mod n1, c2 = m3 mod n2, c3 = m3 mod n3
, an attacker can compute c = m3 mod n1n2n3 by Chinese
Remainder Theorem. Since m is smaller than n1, n2, and n3,
c = m3  m = c1/3
Solution: pad m with different numbers for c1, c2, c3
• Problem 3: Need to choose p and q s.t. 3 is relatively prime
to (p-1)(q-1). It is easier to choose eligible p and q for 65537.
Attacks on RSA
• Brute-force attacks: trying all possible private keys
• Mathematical attacks: trying to factor the product of
two primes
• Timing attacks: depend on the running time of the
decryption algorithm (one type of side channel attacks)
• Chosen ciphertext attacks: exploit properties of the
RSA algorithm
• Brute-force attacks: use a large key space
• Mathematical attacks: use large enough n (1024-2048
bits), select p and q with constraints
• Timing attacks: constant exponentiation time,
random delay, blinding the ciphertext
• Chosen ciphertext attacks: randomly pad the
plaintext before encryption, e.g., optimal asymmetric
encryption padding (OAEP)
PKCS—Public Key Cryptography
Standard: Encryption
• Standard for the encoding of information that will be
signed or encrypted through RSA
• A suite of standards PKCS #1—15
• PKCS #1 for formatting a message to be encrypted:
• The encoding addresses several RSA threats:
- guessable message
- sending same encrypted message to >=3 recipients (e=3)
- Encrypting messages<1/3 length of n (e=3)
PKCS—Public Key Cryptography
Standard: Signature
• PKCS #1 for formatting a message to be signed:
• The encoding addresses several RSA threats:
- padding avoids smooth numbers w.h.p.
- avoids cube root problem
- including digest type avoids an obscure threat:
• The
first public key cryptosystem
• But does neither encryption nor
• Used for key exchange: Alice and Bob
negotiate a shared secret key over a public
communication channel
Why Is Diffie-Hellman Secure?
• It
is difficult to compute discrete logarithm:
knowing g and gx, it is difficult to compute x
Man-in-the-Middle Attack
A, gA
B, gB
F, gF
A, gA
B, gB
Publish public numbers:
• Alice keeps x private, but publishes X = g x mod p
through a reliable, trusted service such as PKI
• Bob keeps y private, but publishes Y = g y mod p
• Alice retrieves Y from the trusted service
• Bob retrieves X from the trusted service
• No place for Frank to get in the middle. The key between
Alice and Bob is in fact pre-determined.
Countermeasures (Cont’d)
Authenticated Diffie-Hellman:
• Encrypt the Diffie-Hellman exchange with the pre-shared
• Encrypt the Diffie-Hellman public number with the other
side’s public key
• Sign the Diffie-Hellman public number with your private key
• Following the Diffie-Hellman exchange, transmit a hash of the
agreed key and the pre-shared secret
• Following the Diffie-Hellman exchange, transmit a hash of the
pre-shared secret and your public number
Encryption with Diffie-Hellman
• Alice uses Diffie-Hellman to generate a shared secret key,
gAB, with Bob
• Encryption: Alice uses any secret key encryption scheme
with the above secret key
• The secret key need not be shared with Bob before
encryption: Bob can retrieve the encrypted message and
the secret key simultaneously given that he has published
his <pB, gB, TB= gB>
ElGamal Signatures
• Each party has a long-term public/private key pair
• Public key is <g, p, T= gS mod p> and private key is S
• For each message m signed, generate a new public/private
key pair: <g, p, Tm= gSm mod p>, Sm (a random number)
• Signature: X=Sm+dmS mod (p-1), where dm=MD(m|Tm)
• Transmitted to the recipient: <m, Tm, X>
• Verification: check if gX=Tm Tdm mod p
• If signature is valid, verification will pass because:
• Other requirements for a secure signature: verification
will fail if message/signature is modified, knowing signature
will not divulge S, not knowing S will not be able to sign
Elliptic Curve Cryptography
• Known subexponential algorithms for breaking RSA and
Diffie-Hellman (a brute-force attack requires exponential
amount of computation), so required key size is large
• No known subexponential algorithm for breaking ECC
• ECC offers the same security with much smaller key size
Comparable key sizes in terms of computational effort for cryptanalysis
Read [Kaufman] Chapter 6

similar documents