
Public-key encryption

Symmetric-key encryption
Invertible function
Security depends on the shared secret: a particular key.
Fast, highly secure
Fine for repeated communication
Poor fit for one-shot communication, signatures

Asymmetric-key (public key) encryption


The basic idea:
A user has two keys: a public key and a private key.
A message can be encrypted with the public key and decrypted with the private key to provide security.
A message can be encrypted with the private key and decrypted with the public key to provide signatures.

One-way functions
Most common functions are invertible; for any F(x) = y, there is an F^{-1}(y) = x.
Multiplication and division
DES

A function which is easy to compute in one direction, but hard to compute in the other, is known as a one-way function.
Hashing, modular arithmetic.

A one-way function that can be easily inverted with an additional piece of knowledge is called a trapdoor one-way function.

One-way functions
Public key encryption is based on the existence of trapdoor one-way functions.
Encryption with the public key is easy.
Decryption is computationally hard.
Knowledge of the private key opens the trapdoor, making inversion easy.

Password systems also use one-way functions.

Overview of RSA
RSA is the most common and well-known public key cryptosystem.
Basic notation: a key pair (e,d) contains two keys:
e is the public key (used to encrypt documents)
d is the private key (used to decrypt documents)

M is the plaintext message.
Let R be the encryption function.
R(e,M) = C, R(d,C) = M (encryption)
R(d,M) = C, R(e,C) = M (signing)
R(e,R(d,M)) = M = R(d,R(e,M))
Same function is used for both operations.

Modular Arithmetic
RSA's security is based on modular arithmetic.
a = b (mod n) <-> there is a q such that a - b = qn
b is the remainder after dividing a by n
23 = 3 (mod 5)

A set {0,1,...,n-1} is closed under modular addition and multiplication.


(a (mod n) + b (mod n)) (mod n) = (a+b) (mod n)
(ab) (mod n) = (a (mod n) b (mod n)) (mod n)

Modular Arithmetic
Two numbers p and q are said to be relatively prime if their greatest common divisor is 1.
5 and 17, 8 and 9, 10 and 21

To compute gcd:
gcd(a,b) = gcd(b, a mod b) (Euclid, 300BC)

Identities and Inverses


An identity is a number that maps a number to itself under some operation.
0 in normal addition, 1 in multiplication.

An inverse is a number (within the input set) that maps a given number to the identity.
X * 1/X, X + -X in integer math

We are particularly interested in multiplicative inverses for modular arithmetic.


(ab) = 1 (mod n)

Multiplicative Inverses
3 and 2 are multiplicative inverses mod 5.
7 and 6 are multiplicative inverses mod 41.
5 and 2 are multiplicative inverses mod 9.
For n > 1, if a and n are relatively prime, there is a unique x such that
ax = 1 (mod n)

More preliminaries
Fermat's Little Theorem:
If p is prime, then for all a:
a^{p-1} = 1 (mod p)

Chinese Remainder Thm (corollary)


If p and q are prime, then for all x and a:
x = a (mod p) and x = a (mod q) iff x = a (mod pq)

These are needed to prove RSA's correctness.

The RSA Algorithm


Pick two large (100 digit) primes p and q.
Let n = pq
Select a relatively small integer d that is prime to (p-1)(q-1)
Find e, the multiplicative inverse of d mod (p-1)(q-1)
(d,n) is the public key. To encrypt M, compute
En(M) = M^e (mod n)
(e,n) is the private key. To decrypt C, compute
De(C) = C^d (mod n)

RSA example
Let p = 11, q = 13
n = pq = 143
(p-1)(q-1) = 120 = 3 x 2^3 x 5
Possible d: 7, 11, 13, 17, ... (let's use 7)
Find e: e*7 = 1 (mod 120), so e = 103
Public key: (7, 143)
Private key: (103, 143)
En(42) = 42^7 (mod 143) = 81
De(81) = 81^103 (mod 143) = 42

Correctness of RSA
To show RSA is correct, we must show that encryption and decryption are inverse functions:
En(De(M)) = De(En(M)) = M = M^{ed} (mod n)
Since d and e are multiplicative inverses, there is a k such that:
ed = 1 + kn = 1 + k(p-1)(q-1)
M^{ed} = M^{1+k(p-1)(q-1)} = M * (M^{p-1})^{k(q-1)}
By Fermat: M^{p-1} = 1 (mod p)
M^{ed} = M(1)^{k(q-1)} (mod p) = M (mod p)

Correctness of RSA
M^{ed} = M(1)^{k(q-1)} (mod p) = M (mod p)
M^{ed} = M(1)^{k(q-1)} (mod q) = M (mod q)
By Chinese Remainder Thm, we get:
M^{ed} = M (mod p) and M^{ed} = M (mod q), so M^{ed} = M (mod pq) = M (mod n)

Therefore, RSA reproduces the original message and is correct.
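
Added example (not part of the original slides): the gcd and multiplicative-inverse slides and the RSA slides worked end to end in Python, using the example's values p = 11, q = 13 and public exponent 7. The function names are this example's own; it is textbook RSA at toy size with no padding, and the exhaustive check covers every message in [0, n), including multiples of p or q.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)              # gcd(a, b) = gcd(b, a mod b)
    return g, y, x - (a // b) * y


def mod_inverse(a, n):
    """Unique x in [0, n) with a*x = 1 (mod n); needs gcd(a, n) == 1."""
    g, x, _ = egcd(a, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd is {g})")
    return x % n


def make_keypair(p, q, public_exp):
    """Return ((public_exp, n), (private_exp, n)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (public_exp, n), (mod_inverse(public_exp, phi), n)


def apply_key(key, value):
    """The single RSA function R(key, value) = value^exponent mod n."""
    exponent, n = key
    return pow(value, exponent, n)


def roundtrip_failures(public, private):
    """Messages in [0, n) that fail encrypt-then-decrypt or sign-then-verify."""
    n = public[1]
    return [m for m in range(n)
            if apply_key(private, apply_key(public, m)) != m
            or apply_key(public, apply_key(private, m)) != m]


# Values from the slides' example.
PUBLIC, PRIVATE = make_keypair(11, 13, 7)

if __name__ == "__main__":
    print("public", PUBLIC, "private", PRIVATE)
    c = apply_key(PUBLIC, 42)
    print("42 ->", c, "->", apply_key(PRIVATE, c))
    print("round-trip failures:", roundtrip_failures(PUBLIC, PRIVATE))
```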

Strengths of RSA
No prior communication needed
Highly secure (for large enough keys)
Well-understood
Allows both encryption and signing

Weaknesses of RSA
Large keys needed (1024 bits is current standard)
Relatively slow
Not suitable for very large messages

Public keys must still be distributed safely.

Security of RSA
The security of RSA is dependent on the assumption that it's difficult to generate the private key d from the public key e and the modulus n.
Equivalent to integer factorization problem.
This is how we got e and d in the first place.

Factoring is thought to be computationally hard.


No proof, though!
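
Added example (not part of the original slides): why the modulus must be too large to factor. With the toy modulus from the RSA example, the public key (7, 143) alone is enough to rebuild the private exponent, because factoring n gives back (p-1)(q-1). The function names are this example's own, and trial division is used only because n is tiny.

```python
def smallest_factor(n):
    """Trial division; feasible only because the example modulus is tiny."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f
        f += 1
    return n  # no factor found: n is prime


def private_exponent_from_public(public_exp, n):
    """Factor n = p*q, rebuild (p-1)(q-1), and invert the public exponent."""
    p = smallest_factor(n)
    if p == n:
        raise ValueError("n is prime, not a product of two primes")
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(public_exp, -1, phi)       # modular inverse (Python 3.8+)


def recover_plaintext(ciphertext, public_exp, n):
    """Decrypt using nothing but the public key and the factored modulus."""
    return pow(ciphertext, private_exponent_from_public(public_exp, n), n)


if __name__ == "__main__":
    # Public key and ciphertext from the slides' example.
    print("factor of 143:", smallest_factor(143))
    print("private exponent:", private_exponent_from_public(7, 143))
    print("plaintext of 81:", recover_plaintext(81, 7, 143))
```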

Difficulty of Factoring
The fastest known factoring algorithm is the generalized number field sieve.
Sub-exponential time
Greater than polynomial space.

Some statistics:
Number Length   Machines      Memory/Machine
430             1             Trivial
760             215,000       4 Gb
1020            342 million   170 Gb
1620            1.6x10^15     120 Tb

Security and Problem Difficulty


Another way to think about the problem is to ask how long a key length will be secure, given Moore's law:

From the RSA labs factoring FAQ

Security and Problem Difficulty


RSA-155 (512 bit asymmetric-key) broken in 1999.
Estimate: capability grows by ~4.25 digits per year (approx. 13-14 bits per year).
1024-bit RSA should be secure until 2037.
Using Moore's Law:
1024-bit is 7 million times harder than 512-bit
So, we need a 7 millionX speedup to crack 1024-bit RSA with the same relative computational power. Also about 34 years.

Question: How long does your data need to be secure?

Digital Signatures
Desirable properties of a digital signature:
A receiver must be able to validate the signature.
The signature must not be forgeable.
The signer must not be able to repudiate the signature.

Encrypt with private key, validate with public key.


For security and authenticity, encrypt the signed message with the receiver's public key.

Hash Functions
A hash function is a one-way function that maps a message M into a (typically smaller) hashed message H.
Sometimes this is called a fingerprint.
Also sometimes a message digest.
Goals:
Non-invertible
Fast
Low collision rate

Hash Functions
To sign a document, I compute its hash, encrypt that with my private key, and send the encrypted hash along with the original document as plaintext.
The receiver hashes the plaintext and then uses my public key to verify that I was the one who sent the document.
Can also detect tampering.
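
Added example (not part of the original slides): the hash-then-sign procedure above, with SHA-256 as the hash and textbook RSA without padding. The key is constructed for the demo from two well-known Mersenne primes, so it is neither secret nor secure; all names are this example's own.

```python
import hashlib

# Constructed demo key: public knowledge, for illustration only.
P, Q = 2**127 - 1, 2**521 - 1
N = P * Q                                   # 648-bit modulus, larger than any SHA-256 value
PUBLIC_EXP = 65537
PRIVATE_EXP = pow(PUBLIC_EXP, -1, (P - 1) * (Q - 1))   # Python 3.8+


def digest_as_int(document: bytes) -> int:
    """SHA-256 fingerprint of the document, read as an integer below N."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Signer: 'encrypt' the hash with the private key."""
    return pow(digest_as_int(document), PRIVATE_EXP, N)


def verify(document: bytes, signature: int) -> bool:
    """Receiver: undo the signature with the public key, compare to a fresh hash."""
    return pow(signature, PUBLIC_EXP, N) == digest_as_int(document)


if __name__ == "__main__":
    doc = b"pay Bob 10"                     # constructed sample document
    sig = sign(doc)
    print("genuine document :", verify(doc, sig))
    print("tampered document:", verify(b"pay Bob 1000", sig))
    print("altered signature:", verify(doc, sig + 1))
```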

Combining Public and Secret Keys


Public-key encryption is often used to synchronize secret session keys.
SSL uses this.

A generates a secret key and sends it to B, encrypted with B's public key.


For handshaking, include a random number.

B decrypts the message and has the secret key.


For handshaking, B encrypts the random number with A's public key and returns it.

Authentication
A sends "Please authenticate me" to B.
B creates a random message and signs it with A's public key.
A decrypts the message with its private key, encrypts it with B's public key, and returns it.
Only someone with A's private key can do this.

Potential attack: B gets to pick a string that A will encrypt


This could yield information about A's private key.

Zero-knowledge Protocols
One application of public-key cryptography is zero-knowledge protocols.
Often, one party might want to prove something to another without revealing any information:
Nuclear treaties
Bank balances
Sensitive information

Zero-knowledge protocols
Alice wants to prove to Bob that she is Alice.
If she sends identification, Bob (or an eavesdropper) can use it.

Example: Authority chooses a number N=77, known by all.
Alice's public ID: (58, 67)
Alice's private ID: (9, 10)
These are multiplicative inverses mod 77

Zero-knowledge protocols
Alice chooses some random numbers and computes their square mod N.
{19, 24, 51} -> 19^2 (mod 77) = 53, 24^2 (mod 77) = 37, 51^2 (mod 77) = 60
Alice sends {53,37,60} to Bob.
Bob sends back a random 2x3 matrix of 1s and 0s.
0 1
1 0
1 1

Zero-knowledge protocols
Alice uses this grid, plus her original random numbers and her secret numbers, to compute:
19 * 9^0 * 10^1 (mod 77) = 36
24 * 9^1 * 10^0 (mod 77) = 62
51 * 9^1 * 10^1 (mod 77) = 47
She sends {36,62,47} to Bob.

Zero-knowledge protocols
Bob verifies Alice's identity by computing:
{58,67} are Alice's public numbers

36^2 * 58^0 * 67^1 (mod 77) = 53
62^2 * 58^1 * 67^0 (mod 77) = 37
47^2 * 58^1 * 67^1 (mod 77) = 60
Alice's original numbers reappear!
(Actually, an attacker would have a 1 in 64 chance of guessing correctly.)

Zero-knowledge protocols
In a real system, N would be very large
160 digits.

Many more numbers would be generated.
This works because Alice's secret numbers are multiplicative inverses of her public numbers mod N.
Also, Bob learns nothing that he didn't know before.
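
Added example (not part of the original slides): one run of the identification exchange above with the slides' numbers (N = 77, public (58, 67), private (9, 10), randoms {19, 24, 51} and Bob's grid). The function names are this example's own. The relation the example's numbers satisfy is s^2 * v = 1 (mod 77) for each secret s and its public number v, which keys_consistent() checks.

```python
N = 77
PUBLIC = (58, 67)                    # Alice's public ID (from the slides)
SECRET = (9, 10)                     # Alice's private ID (from the slides)
RANDOMS = [19, 24, 51]               # Alice's random numbers (from the slides)
CHALLENGE = [(0, 1), (1, 0), (1, 1)] # Bob's grid of 1s and 0s (from the slides)


def keys_consistent(public=PUBLIC, secret=SECRET):
    """Each public number undoes the square of its secret: s^2 * v = 1 (mod N)."""
    return all(s * s * v % N == 1 for s, v in zip(secret, public))


def select_product(row, numbers):
    """Product (mod N) of the numbers whose challenge bit is 1."""
    result = 1
    for bit, value in zip(row, numbers):
        if bit:
            result = result * value % N
    return result


def commit(randoms):
    """Alice, step 1: send the squares of her random numbers mod N."""
    return [r * r % N for r in randoms]


def respond(randoms, challenge, secret):
    """Alice, step 3: random number times the secrets picked by each grid row."""
    return [r * select_product(row, secret) % N
            for r, row in zip(randoms, challenge)]


def verify(commitments, challenge, responses, public=PUBLIC):
    """Bob, step 4: response^2 times the picked public numbers must give the commitment."""
    return all(y * y * select_product(row, public) % N == x
               for x, row, y in zip(commitments, challenge, responses))


if __name__ == "__main__":
    sent = commit(RANDOMS)
    answer = respond(RANDOMS, CHALLENGE, SECRET)
    print("commitments:", sent, "responses:", answer)
    print("Alice accepted:", verify(sent, CHALLENGE, answer))
    # A prover who does not know the secrets (constructed guess of 1, 1):
    wrong = respond(RANDOMS, CHALLENGE, (1, 1))
    print("prover without secrets accepted:", verify(sent, CHALLENGE, wrong))
```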

Summary
Public key encryption provides a flexible system for secure communication in open environments.
Based on one-way functions
Allows for both authentication and signing
Secure public key distribution remains a problem.
