Outline CPSC 418/MATH 318 Introduction to Cryptography Public Key - PowerPoint PPT Presentation

Outline CPSC 418/MATH 318 Introduction to Cryptography Public Key Cryptography, RSA Public-Key Cryptography 1 Renate Scheidler The RSA Cryptosystem 2 Department of Mathematics & Statistics Department of Computer Science University of Calgary More Number Theory – Modular Inverses 3 Week 8 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 8 1 / 26 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 8 2 / 26 Public-Key Cryptography Public-Key Cryptography Back to Cryptographic Key Agreement Public-Key Cryptography Whitfield Diffie and Martin Hellman, “New Directions in Cryptography”, 1976. Note that Diffie and Hellman did not describe a specific means of Recall efficient solutions to the key establishment problem: implementing a public-key cryptosystem. 1 Diffie-Hellman key agreement protocol They merely described how one could be used to achieve security, authentication, (and indirectly, integrity and non-repudiation). 2 Public key cryptography — next! also used for authentication — later! Also secretly discovered in 1970 as “non-secret encryption” by James H. Ellis of the UK’s Government Communications Headquarters (GCHQ) disclosed in 1987; see https: //web.archive.org/web/20030610193721/http://jya.com/ellisdoc.htm . Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 8 3 / 26 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 8 4 / 26

Public-Key Cryptography Public-Key Cryptography Idea of Public-Key Cryptography Diagram of a Public-Key Cryptosystem Every user has two keys encryption key is public (so everyone can encrypt messages) decryption key is only known to the receiver Deducing the decryption key from the encryption key should be computationally infeasible. Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 8 5 / 26 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 8 6 / 26 Public-Key Cryptography Public-Key Cryptography Trap-door One-Way Functions Public-Key Cryptosystem Definition 2 (Public Key Cryptosystem (PKC)) Definition 1 (Trap-door one-way function) A PKC consists of a plaintext space M , a ciphertext space C , a public key A function f that satisfies the following properties: space K , and encryption functions E K 1 : M → C , indexed by public keys 1 Ease of Computation: f ( x ) is easy to compute for any x . K 1 ∈ K , with the following properties: 2 Pre-image Resistance with Trap-door: Given y = f ( x ) it is 1 Every encryption function E K 1 has a left inverse D K 2 , where K 2 is the computationally infeasible to determine x unless certain special private key corresponding to the public key K 1 . information used in the design of f is known. 2 E K 1 ( M ) and D K 2 ( C ) are easy to compute when K 1 and K 2 are known. When this trap-door k is known, there exists a function g which is easy 3 D K 2 ( E K 1 ( M )) = M for all M ∈ M . to compute such that x = g ( k , y ) . 4 Given K 1 , E K 1 , and C = E K 1 ( M ), it is computationally infeasible to find M or K 2 . Key to designing public-key cryptosystems: decryption key acts as a trap door for the encryption function. Properties 2, 3, 4 describe E K 1 as a trapdoor one-way function. Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 8 7 / 26 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 8 8 / 26

Public-Key Cryptography Public-Key Cryptography Schematic of a Public-Key Cryptosystem Properties of a PKC COMMUNICATION CHANNEL Unlike conventional cryptosystems, messages encrypted using public key M C = E (M) MESSAGE TRANSMITTER K1 RECEIVER M cryptosystems contain sufficient information to uniquely determine the SOURCE ENCRYPTS M WHO DECRYPTS plaintext and the key (given enough ciphertext, resources etc) TO E (M) C USING D (C) K1 K2 The entropy contained in these systems is zero . EAVESDROPPER K 2 This is the exact opposite of a perfectly secret system like the one-time pad. KEY SOURCE K 1 Security in a public key cryptosystem lies solely in the computational cost of computing the plaintext and/or private key from the ciphertext Note 1 (computional security). In a public-key cryptosystem (PKC), it is not necessary for the key channel to be secure. Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 8 9 / 26 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 8 10 / 26 Public-Key Cryptography The RSA Cryptosystem Hybrid Encryption The RSA Cryptosystem Named after Ron Rivest, Adi Shamir, and Len Adleman, 1978. Initially, NSA pressured these guys to keep their invention secret. All PKC’s in use today are much slower (by a factor of 1000-1500 or so) than conventional systems like AES, so they are generally not used for bulk Independently invented in 1973 by Clifford Cocks of CESG encryption. Most common uses: (Communications-Electronics Security Group, part of GCHQ) after he Encryption and transmission of keys for conventional cryptosystems learned about Ellis’ concept of non-secret encryption; disclosed in 1997. ( hybrid encryption) Authentication and non-repudiation via digital signatures (later). Both encryption and decryption are modular exponentiations (same modulus, different exponents): Encryption: C ≡ M e (mod n ) Decryption: M ≡ C d (mod n ) Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 8 11 / 26 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 8 12 / 26

The RSA Cryptosystem The RSA Cryptosystem RSA Setup RSA Encryption and Decryption The designer 1 Selects two distinct large primes p and q (each around 2 1536 ≈ 10 463 ) Encryption: Messages for the designer are integers in Z ∗ n 2 Computes n = pq and φ ( n ) = ( p − 1)( q − 1) . if a message exceeds n , block it into less-than- n size blocks 3 Selects a random integer e ∈ Z ∗ φ ( n ) (so 1 ≤ e < φ ( n ) and To send M encrypted, compute and send gcd( e , φ ( n )) = 1). C ≡ M e (mod n ) where 0 < C < n . 4 Solves the linear congruence de ≡ 1 (mod φ ( n )) Decryption: To decrypt C , the designer computes for d ∈ Z ∗ φ ( n ) . M ≡ C d (mod n ) where 0 < M < n . 5 Keeps d , p , q secret and makes n and e public: the public key is K 1 = ( e , n ) the private key is K 2 = { d } (or ( d , p , q ); see Assignment 3). Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 8 13 / 26 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 8 14 / 26 The RSA Cryptosystem The RSA Cryptosystem Why this Works What if gcd( M , n ) � = 1? We have C d ≡ ( M e ) d ≡ M ed (mod n ) , We have assumed that gcd( M , n ) = 1 in the description of RSA and for applying Euler’s Theorem. Is this a problem? Since d is chosen such that ed ≡ 1 (mod φ ( n )) we have ed = 1 + k φ ( n ) for some k ∈ Z , Can prove that encryption/decryption still work. The probability that gcd( M , n ) � = 1 is 1 / p + 1 / q , i.e., very small. and M ed ≡ M 1+ k φ ( n ) ≡ MM k φ ( n ) ≡ M ( M φ ( n ) ) k (mod n ) . Note that since n = pq and M < n , gcd( M , n ) ∈ { 1 , p , q } , and thus in these extremely rare cases we would likely find a factor of n . Euler’s Theorem implies that M φ ( n ) ≡ 1 (mod n ) , so we have C d ≡ M ( M φ ( n ) ) k ≡ M (1) k ≡ M (mod n ) . Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 8 15 / 26 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 8 16 / 26