IT325-Introduction to Cryptography

Lecture 26-27

06-04-2016

Instructor: Prof. Manik Lal Das Scribe(s): Shruti Naik (201511058)

1 Introduction
Cryptography is an encryption that the code of outsiders of system would
not understand, but the desired receiver is able to decrypt an encrypted
message. Public key cryptography was introduced by Di_e and Hellman,
They introduced the idea which is trap-door one-way function. This oneway function is a function whose inverse is infeasible to calculate but it exist,
therefore by making the public key encryption process without compromising
the privacy. Before the introduction of public key cryptography if people
want to send message, they will have to meet _rst and agree on keys and
methods for encoding and decoding messages. IT is an in_nite loop between
encryption and key distribution that can not be solved easily. Indeed, the
Germans would have won the war if solution to key distribution exist. There
had been that they had to print their everyday connection (wiring settings)
of the Enigma and distribute them to all the Nazi leaders. One of the major
books was intercepted by the English o_cer, and this led to a crucial defeat
for the Germans who have paralyzed their submarine eet. key distribution
problem remained a problem until the 20th century to Whit_eld Di_e and
Martin Hellman had introduced PKC(Public key Cryptography). They had
discovered a encryption type which made revolution, encryption
incorporated
an asymmetric key. In an asymmetric key encryption, there are two separate
keys public keys (pk) and private key (sk). The private key (sk) is the
decryption key and the public key (pk) is the encryption key. If A wants
to send a message to B, it must encrypt a message M using B's public key
(pk). Only B can decrypt the message M because it's private decryption
key (sk), A encrypts the message using the public key (pk), but it can not
decrypt the encryption technique is a one-way function unique, which is
irreversible. Di_e and Hellman and Merkle partners could not _nd such a
cipher (a one-way function). This discovery was made by another
researchers:
1
Rivest, Shamir and Adleman. Rivest is a computer scientist with an ability
to implement new ideas in places. He also followed the latest mathematical
and scienti_c articles, so he always had these new ideas for the one-way
function. Shamir also a computer engineer. It Rivest who generated ideas
for the one-way function. Adleman is a mathematician. whose work was to
identify defects in the ideas of Rivest and Shamir, and assured that they
were
not going in wrong direction. Rivest and Shamir spent a year coming up with
ideas, and Adleman spent a year proving wrong them. In April 1977 Rivest,
Shamir and Adleman found RSA algorithm. The RSA algorithm is used
for public key encryption and digital signatures. It is the most widely used

public key encryption algorithm. It was showed that basic technique was
discovered in 1973 by Cli_ord Cocks of CESG (part of the British GCHQ)
but it was a secret until 1997. The basic security of the RSA algorithm is that
it is mathematically impossible to account su_ciently large prime integers.
The RSA algorithm is supposed to be secure if its keys have a length of at
least 1024 bits.
Figure 1: Rivest,Shamir and Adleman
2

2 Private key Cryptography

In private key encryption users uses symmetric key for encryption and decryption. To get such security in this cryptosystem we need to have secure
channel and secure key distribution procedure. But in this cryptosystem key
distribution is main threat , attacker can easily jumble or guess the key and
use it to get original message.
Figure 2: Private key Cryptography

3 Public Key Cryptography

This idea omits the need of same key for encryption and decryption over
secure channel before transmission. Basic idea is everyone get their own encryption and decryption key. Encryption keys are public and Decryption keys
are private for all. In RSA private keys are only use for decryption which
is known by receiver only so no one can decrypt original message. The key
is made up using one way function so it is not easy to get idea from public
key or brute force attack. It resolves key distribution problem. Here all the
public keys are available publically. So anyone can easily encrypt message
and send ciphertext to communicate.
If X wants to communicate con_dentially to Y then X encrypts message using Y's public key. only Y can decrypt such ciphertext because Y only has
private key.
3
In Figure two parties are given : Party A and Party B. Here As public
and private keys are respectively PUA and PRA and Bs public and private
keys are respectively PUB and PRB . In given _gure 3 Party A wants to
send M to Party B con_dentially then A will convert M into C likewise :
C = E ( PUB , M )
And B will decrypt message M likewise :
M = D ( PRB , C )
Figure 3: Con_dentiality
If X wants to send authentication message to Y then X encrypts message
using X's private key. So, decryption could be done by X's public key. So, it
ensures Y authenticity of message.
In given _gure 4 Party A wants to send M to Party B with provided
authenticity then A will convert M into C likewise :
C = E ( PRA , M )
And B will decrypt message M likewise :
M = D ( PUA , C )

4
Figure 4: Authentication
If X wants to send authentication and con_dential message to Y then X
encrypts message using X's private key and obtain C and after this encryption again X encrypt C with Y's public key and obtain C0 . Here, C provides
authentication and C0 provides con_dentiality. Decryption could be done
_rst by Y's private key and later with X's public key.
In given _gure 5 Party A wants to send M to Party B with provided
authenticity and con_dentiality then A will convert M into C likewise :
C = E ( PUB , E(PRA , M ) )
And B will decrypt message M likewise :
M = D ( PUA , D (PRB , C ) )
To achieve con_dentiality and authenticity both at a same time leaves
us in trouble, we have to process our message 4 times in encryption and
decryption. Message is encrypted and decrypted twice. So, time taken would
be more and computation complexity is also more.
5
Figure 5: Authentication and Con_dentiality

4 Digital Signature
It is used to verify that message came from sender or attacker. This is
achieved with the use of private key encryption at the time of decryption
receiver can verify using sender's public key that message was sent by
sender
or attacker. So, forgery of signature is impossible.
Suppose user X wanted to send a digitally signed message, M, to user Y :
_ X apply the decryption process to M and get ciphertext C.
_ X apply the encryption process of user Y to C and get result message
S.
_ Ciphertext S is sent to Y.
_ After receiving message user Y applies decryption process to S and get
ciphertext message C.
_ Y applies user X's encryption process to message C and get message
M.
Y cannot alter the message or use the signature with any other message.
To do so would require user B to know how to decrypt a message using X's
decryption process.
6

5 RSA Cryptosystem
Plaintext is encrypted in blocks, block size is dependent upon number n.
Block size <= log2n. In general block size k bits: 2k < n < 2k+1. There are
main 3 steps of RSA cryptosystem : Key Generation, Encryption Function,
Decryption Function.

5.1 Key Generation

_ Select p and q such that p 6= q and both are large primes.
_ Calculate n = p _ q.

_ Calculate _(n) = (p 1) _ (q 1).

_ Chooses an encryption exponent e Such that gcd(_(n); e) = 1; 1 < e <
_(n)
_ Calculate decryption exponent d such that de = 1mod(_(n)).
_ Got Public Key PK = (e,n).
_ Got Private key SK = (d,n).
Given p and q, it is easy to _nd their product, n = pq. So, Multiplication is
easy But, Factoring in p and q given n is quite hard. If 100 digit numbers
are used for p and q, the resulting n will be approximately 200 digits. The
fastest known factoring algorithm would take far too long for an attacker
to ever break the code. Other methods for determining d without factoring
n are equally as di_cult. In RSA n is 1024 bit long. So, Factorization is
so hard. Here, _(n) is Euler totient function. e and d are multiplicative
inverse of mod(_(n)).This is true only when d is relatively prime to _(n), i.e.
gcd(_(n),d) = 1. The public key PK (d,n) which is publically available use
for encryption and private key SK (e,n) use for decryption.

5.2 Encryption Process

_ Choose Plaintext (Block size) M < n.
_ Encrypt message using function C = Memod n.
7
Given n, m, and e,Modular exponentiation is easy to compute c = me mod
n. The value me mod n is formally the result of multiplying e copies of m,
dividing by n, and keeping the remainder. This may seem to be an expensive
computation, involving e-1 multiplications by m with increasingly large intermediate results, followed by a division by n. However, two optimizations
make the operation easy:
_ Multiplying by an appropriate sequence of previous intermediate values, rather than only by m, can reduce the number of multiplications
to no more than twice the size of e in binary.
_ Dividing and taking the remainder after each multiplication keeps the
intermediate results the same size as n.

5.3 Decryption Process

_ Get Ciphertext C.
_ Decrypt message using function M = Cdmod n.
Reverse of modular exponentiation is easy, Given n, e, C, and the prime
factors p and q, it is easy to recover the value m such that C = Me mod
n.The value M can be recovered from C by a modular exponentiation operation with d. Integer d is easy to compute given e, p and q. Modular
root extraction is otherwise hard, Given only n, e and C, but not the prime
factors, it is quite hard to recover the value M. Its possible that there may be
methods that compute modular roots without factoring n or determining d.
But so far no general methods have been found for doing so that are faster
than factoring n. It is easy to compute modular roots without knowledge of
the prime factors. For instance, if M is known to be very small, such C = Me
< n, then M can be recovered from C by taking e th roots over the integers,

which is easy.
Suppose gcd(m,n) = 1,
de = 1mod(_(n)), We can write de = 1 +k_(n) for some k,
Cd = (Me)d
= M1+k_(n)
8
= M . (M_(n))k
= M . 1k
= M (mod n)
So, one can recover the message.

5.4 RSA Explanation

B chooses two distinct large primes p and q and multiplies them together to
form n, He also chooses an encryption exponent e and sends the pair (n, e)
to A but keeps the values of p and q secret. A dont need to know p and q
to send her message to B securely. A writes her message as a number M. If
M is larger than n, she breaks the message into block, each of which is less
than n. A computes C (Ciphertext) using encryption function and send to
B. Since B knows p and q, he can compute (p 1)(q 1) and therefore can
_nd the decryption exponent d and M using decryption function and only
can read message.

6 Example
Generate two primes p and q.
p = 257 and q = 337
Now, n is product of this 2 number,
n = p _ q.
So, n = 257 _ 337, n = 86609.
_(n) will be calculated as,
_(n) = (p 1) _ (q 1) = 256 _ 337 = 86016.
Now, Choose e exponent,
e=17,
17 is relatively prime to 86016 because they share no factors. We know
this because 17 itself is a prime number, so its only factors are 1 and 17.
9113 is not divisible by 17, so the numbers are relatively prime.
Our next step is to calculate d, which is the inverse of e and modulo n,
9
de = 1mod(_(n)) ,
17_d = 1 mod 866016.
Using the Extended Euclidean Algorithm, we can calculate one possible
value for d is 65777.
We can verify by computing C_d mod_(n) which is equals 1.
C_d mod_(n) = 17 _ 65777 mod 86016 = 1118209 mod 86016 = 1.
d is private key and is used to decrypt message. Now that we have both
a public key and a private key, we can encrypt and decrypt message.
Public key = (17 , 86609)
Private key = (65777 , 86609)

For encryption, M will be encrypted as C = Memod n. We use 18537 as

our message.
C = Memod n
C = 1853717 mod 86609
C = 12448
Checking can we decrypt it in the same message ? we use SK : Private
key = (65777 , 86609)
M = Cdmod n.
M = 1244865777 mod 86609.
M = 18537.
So, We got exact message from our ciphertext.
10

7 Attacks on RSA
How secure RSA is? Is it possible to break RSA cryptosystem? Certainly
nothing can withstand with time. We cannot say any cryptosystem is perfectly secure , one can decrypt message using brute force attack in timely
manner. But, _nding a probabilistic approach is much di_cult which solve
a problem in given time. Despite years of attempts, no one has been known
to crack either algorithm. Such a resistance to attack makes RSA secure in
practice. To show RSA is secure we analyze how attacker will obtain key
from public parameters and ciphertext. The RSA algorithm has proven to
be e_ective, if it is implemented correctly.
Two approaches :
_ Suppose (n, e) is an RSA public key and n has m digits. Let d be the
decryption exponent. If we have at least the last m /4 digits of d, we
can e_ciently _nd d in time that is linear in e log e.
_ Suppose (n, e) is an RSA public key and n has m digits. Let d be the
decryption exponent. If we have at least the last m /4 digits of d, we
can e_ciently _nd d in time that is linear in e log e.

7.1 Low Exponent Attacks

Low exponent cause certain problem which should be avoided. Lower value
of e and d will be easy to get by brute force attack. So, this problem can
be avoided by choosing high value exponent(Popular choice of e = 65537).
To obtain desired properties of d is to choose d _rst, then _nd e. So, it is
compulsory to choose value of e and d large enough.
There is theorem which proves that this 2 exponent should be large
enough :
_ Suppose we select two primes p and q as q < p < 2q and n = pq and
1 < d; e < _(n) satisfy de = 1mod(_(n)) . If d < 1
3n
1

then calculation
of d is easy (i.e. in polynomial given time).
11
7.1.1 Coppersmiths Theorem
Let N be an integer and f 2 Z[x] be a monic polynomial of degree d. Set x=
4

N
1

for some 2> 0. Then, given (N, f) an attacker can e_ciently _nd all
integers jx0j < X satisfying f(x0) = 0 mod N. The running time is dominated
by the time it takes to run the LLL algorithm on a lattice of dimension O(w)
with w = min( 1
2; log2 N). The theorem provides an algorithm for e_ciently
_nding all roots of f modulo N that are less than X = N
d2

. The algorithm's
running time decreases as X gets smaller. The strength of this theorem is its
ability to _nd small roots of polynomials modulo a composite N.
7.1.2 Hastads broadcast attack
Suppose B wishes to send an encrypted message M to a number of parties
P1, P2,......Pk. Each party has its own RSA key (Ni; ei). We assume M is
less than all the Ni's.To send M, B encrypts it using each of the public keys
and sends out of the ith ciphertext to pi. An attacker Eve can eavesdrop on
the connection out of B's sight and collect the k transmitted ciphetexts. He
shows linear padding to M prior to encryption is insecure. He proved one
can easily solve system of univariate equation if provided many equation.
d

7.2 Common Modulus

Suppose A sends message to B and C with exponent respectively e1 and e2.
Respective messages are X = Me1 mod n and Y = Me2 mod n. Now, attacker
has access to the public keys n,e1 , e2 and the encrypted messages X and Y.
Now, given that gcd(e1 , e2) = 1. Now, attacker use extended euclidean algorithm to compute constant c1 , c2 such that c1e1 + c2e2 = 1. Then attacker
easily _nd c1 and c2.
Xc1 Y c2 mod n = M.
So, easily attacker can compute original message from X and Y.

7.3 Short Plaintext

DES and AES uses RSA for key transmission. Here, DES uses 56 bit of key
for M = 1017. So, M is small respective ciphertext is also small nearly 200
12
digits. So, attacker make a list of following 2 things :
_ Computes C Xe(mod n) where 8X, 1_ X _ 109
_ Y e (mod n) where 8Y , 1_ Y _ 109
Now, attacker match this 2 values where they both matches he will get
original message. To _nd all 1017 possibility on computer is infeasible in
su_cient time. So, in given attack attacker make 2 list of 109 possibility
and computation takes 2 _109 cost. It is easy to prevent this message. We
can use padding of random number to prevent this attack. While decryption
receiver discard those random bits and will get original message.
There is another method Optical Asymmetric Encryption Padding, which
is optimal method to prevent this attack. Basically, in OAEP an element
of randomness is used to make encryption process probabilistic. By doing
this it prevent partial decryption of ciphertexts by attacker without one-way

function.
Figure 6: OAEP Working
13
Figure 7: OAEP Working
In given diagram,
_ n is the number of bits in RSA mod.
_ k0 and k1 are random integers which are speci_ed.
_ m is the plaintext, an (nk0k1) is a bit string
_ G and H are some cryptographic hash functions used.
_ is an XOR operation.

7.4 Timing attacks

It is also called Kocher's attack because similar system was discovered by
Paul Kocher in 1995. He showed that it is possible to discover the decryption exponent e in e_cient timing for a series of decryptions. This attack
works like : if B is decrypting ciphertexts y , attacker times how long this
takes to decrypt all y. By knowing all y and it's decryption time will allow
attacker to _nd exponent d.
14
How to mount the attack against a simple implementation of RSA using
the repeated squaring algorithm. here d = dn; dn1; :::; d0 is a binary representation of d. The repeated squaring algorithm computes C = Md mod N,
using at most 2n modular multiplications.
Here, take z = M and C = 1. For i=0 to n do following steps.
_ if di = 1 set C equal to C , z mod N.
_ set z equal to z2 mod N
_ Get C's value as Md mod N.
Attacker ask ciphertext for many no of random messages and calculate
time Ti. The attack recovers bits of d one at a time beginning with the least
signi_cant bit. We know d is odd. Thus d0 = 1. Consider the second iteration. Initially z = M2 mod N and C = M. If d1 = 1, the attacker computes
the product C _ z = M _M2 mod N. Otherwise, it does not. Let ti be the
time it takes to compute Mi _ M2 i mod N. The ti's di_er from each other
since the time to compute Mi _M2 i mod N depends on the value of Mi.By
measuring the correlation, can determine whether d1 is 0 or 1. Continuing
this way, can recover d2, d3, and so on
There are defenses against these timing attacks with RSA blinding, randomness is introduced into the RSA computations to make timing information unusable. Another possible defense is to make all private key operations
not depend on the input. This modi_cation should be relatively easy to implement and does not a_ect the performance by much. One other alternative
is to quantize all RSA computations, i.e. make them always a multiple of
some prede_ned time quantum.

7.5 Random attacks

RSA uses Chinese Remainder Theorem for speeding up decryption process.
In this CRT theorem one use p and q instead of n for fast decryption and

combine this two result to get actual result.

Cp = Mdp mod p and Cq = Mdq mod q
15
where dp = dmod(p 1) and dp = dmod(p 1). Then obtains the signature C by,
C = T1Cp + T2Cq(mod N)
Where,
Here, CRT's running time is negligible with using two exponentiation and
p and q are half in length then N. So, _nding multiplication modulo of p and
q takes one forth of time then _nding N.

8 Conclusion
RSA is strong algorithm that has withstood a partial test of time. RSA is
implementing a public key cryptosystem that allows secure communications
over channel and the digital signatures, and its security depends on the dif_culty of factoring large numbers. The authors asked anyone to try to break
their code, whether by factoring techniques or any other technique, and no
one this date seem to have succeeded. This has RSA Certi_ed e_ect and
will continue to ensure its security as long as it withstands the test of time
against such break-ins.
At the time, the RSA encryption function seemed to be the only known
candidate for the one-way permutation, but now other formula certainly exist. Size of n should increase over time as more e_cient factoring algorithms
are taken and as computers get faster. In 1978, the RSA authors suggested
long values 200 numbers for n. As 2008, the largest the number taken into
account by a general purpose factoring algorithm was [200 numbers (663 bit)]
long.Now, the RSA keys are typically between 1024 and 2048 bits, which
predicted that may be breakable in the near future. Experts don't see the
4096-bit keys to be broken soon. Nowadays, n is more than 300 bits, may
be taken into account on a PC in a few hours, so the keys are typically 4-7
16
times longer today.
RSA is much slower than some symmetric cryptosystems. RSA is in fact
often used securely transmit the keys to a less secure algorithm but it is
faster.
Several problems exist in RSA could a_ect the safety of RSA, such as timing
attacks and problems with key distribution. These issues have solutions; the
only drawback is that any device using RSA should have a lot more hardware
and software to address certain types of eavesdropping. If a solution of the
prime numbers would be found which is too easy to _nd, and RSA would
surely fall apart. No doubt much more sophisticated algorithms then RSA
will continue to be developed because of mathematicians who discover more
things in the _elds of number theory and cryptanalysis.

References
[1] W. Trappe and L. C. Washington. Introduction to Cryptography with

Coding Theory. Pearson Education (pp. 164-192).

[2] [RIVE78] R. Rivest, A. Shamir and L. Adleman. A Method for Obtaining
Digital Signatures and Public-Key Cryptosystems. Communications of
the ACM, 21 (2), pp. 120-126, February 1978
[3] Bidzos, Jim, "Threats to Privacy and Public Keys for Protection", COMPCON Spring '91 Digest of Papers, IEEE Computer Society Press, p.
189-94
[4] www.math.uchicago.edu
[5] www.math.washington.edu
[6] www.Wikipedia.com
[7] www.Mathworld.com
17