Public-Key CryptosystemsCHAPTER 4

Introduction

How to distribute the cryptographic keys?

Naïve Solution

Naïve Solution

• Give every user Pi a

separate random key

Kij to communicate

with every Pj.

• Disadvantage: a

quadratic number of

keys is needed

Problems

• Someone (Key Distribution Center, KDC) need to “distribute the keys”.

• Feasible: if the users are, e.g., working in one company.

• Infeasible: if the users on the internet.

• Relies on the honesty of KDC.

• KDC needs to be permanently available.

• …

• The users need to store large number of keys in a secure way

• For 1000 users, we need to 10002 = 1000000 keys.

• Solution?

Public Key Cryptography

• PKC also solves the message source authentication problem: • Only Alice can “sign” a message, using K. • Anyone can verify the signature, using K'.

• Only if such a function could be found...

Diffie-Hellman Key Exchange

• The DHKE established in 1976 fundamentally has its security based on

the DLP.

• It is obvious that to solve the DLP via polynomial time algorithms is

not feasible.

• The protocol allows two users to exchange a secret key over an

insecure medium without any prior secrets.

Diffie-Hellman Key Exchange

Some Preliminaries:

• Def: An element g is called a generator of a group G if every elementin G can be expressed as the product of finitely many powers of g.

• Def: If p 1 is an integer, then the numbers coprime to p, takenmodulo p, form a group with multiplication as its operation. It iswritten as (Z/pZ)× or Z p*.

• This group is cyclic and any generator, g, of the group is called aprimitive root mod p.

Diffie-Hellman Key Exchange

Public Parameter Creation

A trusted party chooses and publishes a large prime p and an integer g having a large order in ℤ𝑝

Private Computation (Setup)

Alice Bob

Chooses a secret random integer a.

Computes A ≡ ga(mod p)

Chooses a secret random integer b.

Computes B ≡gb (mod p)

Public Exchange of Values

Along sends A to Busu Busu sends B to Along

Private Computation

Along computes Ba (mod p) Busu computes Ab (mod p)

The shared secret key is

Ba (mod p) ≡(gb)a ≡ gab ≡ (ga)b ≡ Ab (mod p)

Diffie-Hellman Key Exchange

• If Eve wants to compute k, then she would need either a or b.

• Otherwise, Eve would need to solve a Discrete Logarithm Problem.

• There is no known algorithm to accomplish this in a reasonable

amount of time.

Diffie-Hellman Key ExchangeExample:

Suppose Alice and Bob agree to use p = 47 and g = 5.

Setup

• Alice chooses a number between 0 and 46, say a = 18.

• Bob chooses a number between 0 and 46, say b = 22.

Exchange

• Alice publishes ga (mod p), i.e. u = 518 (mod 47) = 2.

• Bob publishes gb (mod p), i.e. v = 522 (mod 47) = 28.

Diffie-Hellman Key Exchange

Private Computation:

• If Alice wants to know the secret key k, she takes Bob’s public number, v =

28, and raises it to her private number, a = 18 (taking the result mod 47).

• This gives her: 2818 (mod 47) = 24.

• If Bob wants to know the secret key, he takes Alice’s public number, u = 2,

and raises it to his private number, b = 22 (taking the result mod 47).

• This gives him: 222 (mod 47) = 24.

• Thus, Alice and Bob have agreed upon a secret key, k = 24.

El-Gammal Public Key Cryptosystem

• The El-Gammal PKC was designed by Taher El-Gammal in 1985.

• It came after the RSA, but because of its underlying structure that

utilizes the DLP, we present it first.

• Differing from the objective of a key exchange mechanism, a

cryptosystem has the objective to encrypt messages.

Public Parameter Creation

A trusted third party chooses and publishes a large prime p and a primitive root g modulo p.

Key Creation

Alice Bob

Choose a private key 1 ≤ a ≤ p-1.

Compute A = ga (mod p).

Publish the public key A.

Encryption

Choose plaintext m.

Choose random ephemeral key k.

Use Along’s public key A to compute:

i. c1 = gk (mod p)

ii. c2 = mAk (mod p)

4. Send ciphertext (c1 , c2) to Along.

Decryption

Compute (c1a )-1 c2 (mod p)=m.

El-Gammal Public Key Cryptosystem

• Proof: (Proof of correctness)

• 𝑐1𝑎 −1𝑐2 ≡ 𝑔𝑘𝑎

−1𝑚𝐴𝑘 ≡ 𝑔𝑘𝑎

−1𝑚𝑔𝑎𝑘 ≡ 𝑚 mod 𝑝 .∎

•

• Example 4.1.1

• Create your own example.

El-Gammal Public Key Cryptosystem

• Plaintext x is masked by a random factor, gαk mod p.

• DH problem: Given gα, gk mod p, what is gαk mod p?

• p, g can be common. Then gk mod p can be computed in advance.

• Same k should not be used repeatedly.

• Performance:

• encryption: two exponentiations

• decryption: one exponentiation, one inversion

• Size: Ciphertext twice as large as plaintext.

Cryptanalysis on DHKE

• In general Eve has the following objective in order to “break’ into a DHKE protocol:• obtain Alice’s random secret exponent or Bob’s random secret exponent

• solving the DLP, but no sufficient algorithm solve it in feasible time.

• Is that the only way where Eve can “break” into the system?

Cryptanalysis on DHKE

• Definition 4.7.1(Diffie – Hellman Problem)

• Let 𝑝 be a prime number and 𝑔 an integer. The Diffie – Hellman Problem

(DHP) is the problem of computing the value 𝑔𝑎𝑏 mod 𝑝 from the known

values 𝑔𝑎 mod 𝑝 and 𝑔𝑏 mod 𝑝 .

Cryptanalysis on DHKE

• Remark 4.7.1

• It is clear that DHP is NOT MUCH HARDER THAN DLP (DHP ≤𝑝 DLP). That is, if

you solve DLP you solve DHP.

• BUT if Eve has an algorithm that solves DHP, Eve does not need to solve DLP.

• This means, there MAYBE a way to solve DHP without solving DLP.

• Unless if you can prove that DHP ≡𝑝 DLP, it is only then Eve will have no other

option to break DHKE other than solving the DLP. (DO YOU UNDERSTAND???)

Man in the middle attack on DHKE

• The MITM attack upon the DHKE is conducted as follows:• Eve observes a key exchange between Alice and Bob.

• Eve intercepts Bob’ public value, 𝐵 ≡ 𝑔𝑏 mod 𝑝 .

• Eve masquerades as Alice and returns to Bob her public value, 𝐸 ≡ 𝑔𝑒 mod 𝑝 .

• Eve masquerades as Bob and returns to Alice her public value, 𝐸 ≡ 𝑔𝑒 mod 𝑝 .

• Then both Eve and Alice have the same shared key 𝐸𝐴 = 𝑔𝑎𝑒 mod 𝑝 and Eve and Bob have the same shared key 𝐸𝐵 = 𝑔𝑏𝑒 mod 𝑝

• Then upon intercepting intended from Bob to Alice, Eve can now read/modify.

• After reading, Eve can either modify or relay the cipher back to Alice encrypted with 𝐸𝐴.

• Alice can decrypt by using Eve’s public (to generate 𝐴𝐸 = 𝑔𝑒𝑎 mod 𝑝 ).

RSA Cryptosystem

Definition 4.3.1 (Euler’s 𝜙 –function)

defined as the number of positive integers less than and relatively prime to nLet 𝜙 𝑁 be the number of integers 1 ≤ 𝑎 ≤ 𝑁 such that gcd 𝑎,𝑁 = 1

Example 4.3.1𝜙 10 = 4. The integers are 1,3,7,9

Proposition 4.3.1Let 𝑝 and 𝑞 be 2 distinct primes and 𝑁 = 𝑝𝑞. Then, 𝜙 𝑁 = 𝑝 − 1 𝑞 − 1

Proof: (Assignment)

Remark 4.3.1The function 𝜙 𝑁 counts the number of numbers that are relatively prime to 𝑁.

RSA Cryptosystem

Theorem 4.3.2 (Euler’s theorem)

If gcd 𝑎,𝑁 = 1 , then 𝑎𝜙 𝑁 ≡ 1 mod 𝑁 , where ∅ is Euler’s totient function.

Proof:

Example 4.3.2

Compute 243210 mod 101 .

Solution:

101 is prime. From Fermat’s little theorem 2100 ≡ 1 mod 101 . Therefore,

243210 ≡ 2100 432210 ≡ 1432210 ≡ 1024 ≡ 14 mod 101 .

RSA Cryptosystem

Remark 4.3.2

It is obvious that FLT helps to reduce the number of exponentiations involved.

Exercises 4.3.1

1. Divide 210203 by 101. What is the remainder?

2. Suppose you write a message as a number 𝑚 mod 31 . Encrypt 𝑚 as 𝑚7 mod 31 . How would you decrypt? Assignment

Hint:

Decryption is done by raising the ciphertext to a power mod 31. Fermat’s little theorem will be useful.

The RSA Algorithm

• Key Generation

INPUT: The size n of the prime numbers.

OUTPUT: A public key tuple 𝑁, 𝑒 and a private key tuple 𝑝, 𝑞, 𝑑 .

1. Generate two random and distinct n-bit strong primes 𝑝, 𝑞 .

2. Compute 𝑁 = 𝑝𝑞 and 𝜙 𝑁 = 𝑝 − 1 𝑞 − 1 .

3. Choose random 𝑒 such that gcd 𝑒, 𝜙 𝑁 = 1.

4. Compute integer 𝑑 such that 𝑒𝑑 ≡ 1 mod 𝜙 𝑁 .

5. Return the public key tuple 𝑁, 𝑒 and a private key pair 𝑝, 𝑞, 𝑑 .

The RSA Algorithm

• Encryption

INPUT: The public key pair 𝑁, 𝑒 and the message 𝑀 ∈ ℤ𝑁.

OUTPUT: The ciphertext 𝐶.

Compute 𝐶 ≡ 𝑀𝑒 mod 𝑁

• Decryption

INPUT: The private key 𝑑 and the message ciphertext 𝐶.

OUTPUT: The message 𝑀.

Compute 𝑀 ≡ 𝐶𝑑 mod 𝑁

Proof: (Proof of correctness)

The RSA Algorithm

Example:

• Perform encryption and decryption using the RSA algorithm for thefollowing:

1. p = 17; q = 11, e = 7;M = 88

2. p = 11; q = 13, e = 11;M = 7

3. p = 17; q = 31, e = 7;M = 2

• In a public-key system using RSA, you intercept the ciphertext C = 10sent to a user whose public key is e = 5, n = 35.What is the plaintextM?

RSA Cryptosystem

Remark 4.3.31. What is difficult for the adversary to do in order to break RSA?

2. Are the problems that the adversary need to overcome solvable in polynomial time?

3. Do you have an idea how to “break” RSA?

Remark 4.3.4The RSA PKC relies on the difficulty of solving equations of the form 𝑥𝑒 ≡ 𝑐 mod 𝑁(or 𝑐 ≡ 𝑥𝑒 mod 𝑁 ) where the quantities 𝑒, 𝑐 and 𝑁 are known.

The security of RSA relies on the assumption that it is difficult to compute the 𝑒𝑡ℎ roots modulo 𝑁. This problem is also known as the RSA problem.

RSA Cryptosystem

Proposition 4.3.3

Solving RSA problem ≤𝑝 Factoring 𝑁 = 𝑝𝑞.

Proof:

If 𝑁 = 𝑝𝑞 is factored then 𝑑 can be computed via 𝑑𝑒 ≡ 1 mod 𝜙 𝑁 . Then RSA problem will be solved.∎

Remark 4.3.5

It is still unknown whether if one solves the RSA problem, one is able to factor 𝑁 = 𝑝𝑞.

RSA Cryptosystem

Proposition 4.3.2Let 𝑝 and 𝑞 be distinct primes and let 𝑒 ≥ 1 be an integer that satisfies the condition

gcd 𝑒, 𝑝 − 1 𝑞 − 1 = 1.

We know there exists a multiplicative inverse 𝑑 of 𝑒 such that 𝑑𝑒 ≡ 1 mod 𝑝 − 1 𝑞 − 1 .

Then the congruence relation 𝑥𝑒 ≡ 𝑐 mod 𝑝𝑞 has the unique solution 𝑥 ≡ 𝑐𝑑 mod 𝑝𝑞 .

Remark 4.3.6

What happens when if 𝑁 is just a prime? We will now discuss that if 𝑁 is just a prime

(not a product of primes) it is comparatively easy to compute 𝑒𝑡ℎ roots modulo 𝑁.

RSA Cryptosystem

Proposition 4.3.3Let 𝑝 be a prime and let 𝑒 ≥ 1 be an integer that satisfies the condition gcd 𝑒, 𝑝 − 1 = 1. We know there exists an inverse 𝑑such that 𝑑𝑒 ≡ 1 mod 𝑝 − 1 . Then the congruence relation 𝑥𝑒

≡ 𝑐 mod 𝑝 has the solution 𝑥 ≡ 𝑐𝑑 mod 𝑝 .

Proof:

From 𝑑𝑒 ≡ 1 mod 𝑝 − 1 there exists 𝑘 ∈ ℤ such that we have 𝑑𝑒

= 1 + 𝑘 𝑝 − 1 . Now, 𝑐𝑑𝑒≡ 𝑐𝑑𝑒 ≡ 𝑐1+𝑘 𝑝−1 ≡ 𝑐 ∙ 𝑐𝑝−1 𝑘 ≡ 𝑐

∙ 1𝑘 ≡ 𝑐 mod 𝑝 . This completes the proof that 𝑐𝑑 is the 𝑒𝑡ℎ root modulo 𝑝 of 𝑐.∎

RSA Cryptosystem

• Example 4.3.3

• Solving 𝑥1583 ≡ 4714 mod 7919 . Observe that 7919 is a prime. Now, let us find 𝑑 in order to solve 𝑑1583 ≡ 1 mod 7918 .We get (via Extended Euclidean Algorithm) 𝑑 ≡ 5277 mod 7918 . Hence, 𝑥≡ 47145277 ≡ 6059 mod 7919 is the solution.∎

RSA Cryptosystem

Example 4.3.4

Solve the congruence relation 𝑥9843 ≡ 134872 mod 30069476293 . Observe

that the modulus 30069476293 is not a prime since from our earlier lectures

(section 2.6) we can see that

230069476293−1 ≡ 18152503626 ≢ 1 mod 30069476293

It happens that 30069476293 is a product of 2 prime numbers. But since we

do not know the prime factors, we cannot use Proposition 4.3.2 to help us!!!

RSA Cryptosystem

ASSIGNMENT

Alice publishes his Public key N= 2038667 and exponent e = 103.

1. Bob wants to send to Alice the message m=8923283. Determine the ciphertext.

2. Determine Alice’s private key d.

3. Alice receives a ciphertext c=317730 from Bob. Decrypt the ciphertext. (Just provide the numbers)

Rabin Cryptosystem

• Introduced on 1979 by Rabin.

• The Rabin cryptosystem utilizes the square root modulo problem.

• Its an optimal implementation of RSA with the encryption exponent 𝑒= 2.

• The scheme utilizes the CR for decryption.

• The situation of a 4-to-1 mapping during decryption has deterred it from being utilized.

Rabin Cryptosystem

Key Generation

INPUT: The size n of the prime numbers.

OUTPUT: A public key 𝑁 = 𝑝𝑞 and a private key pair 𝑝, 𝑞 .

• Generate two random and distinct n-bit strong primes 𝑝, 𝑞 satisfying

𝑝 ≡ 3 𝑚𝑜𝑑 4 and 2𝑛 < 𝑝 < 2𝑛+1, 𝑞 ≡ 3 𝑚𝑜𝑑 4 and 2𝑛 < 𝑞 < 2𝑛+1.

• Compute 𝑁 = 𝑝𝑞.

Rabin Cryptosystem

Encryption

INPUT: The public key 𝑁 = 𝑝𝑞 and the message 𝑀 ∈ ℤ𝑁.

OUTPUT: The ciphertext 𝐶.• Compute 𝐶 ≡ 𝑀2 mod 𝑁

Decryption

INPUT: The private key 𝑝, 𝑞 and the ciphertext 𝐶.

OUTPUT: The message 𝑀.• Compute the square roots of 𝐶 via CRT since we have the factors of 𝑁.

Rabin Cryptosystem

Let m = 32

1) The key: K = {n, p, q} = {77, 7, 11}

2) The encryption function is applied:ek (m) = m2 mod n = ek (32) = 322 mod 77 = 23 = c

Now, the ciphertext c = 23 can be sent.

3) The decryption algorithm is applied:mp = c(p+1)/4 mod p = 23(7+1)/4 mod 7 = 4

mq = c(q+1)/4 mod q = 23(11+1)/4 mod 11 = 1

Rabin Cryptosystem

The Rabin Cryptosystem: example (2)

•First, we compute b1 y b2 :N/7 · b1 ≡ 1 mod 7 → b1 = 2N/11 · b2 ≡ 1 mod 11 → b2 = 8

•x ≡ 4 mod 7 and x ≡ 1 mod 11 :x = a1 b1 (M/m1) + a2 b2 (M/m2) = 4 x 2 x 11 + 1 x 8 x 7 → x ≡ 144 = 67 mod 77 ⇒x = 67

•x ≡ 3 mod 7 and x ≡ 1 mod 11 :x = a1 b1 (M/m1) + a2 b2 (M/m2) = 11 x 2 x 3 + 7 x 8 x 1 → x ≡ 122 = 45 mod 77 ⇒x = 45

•For symmetry:77 – 67 = 10 ⇒ x = 1077 – 45 = 32 ⇒ x = 32

Rabin Cryptosystem

• Remark 4.4.1The Rabin cryptosystem is known to have decryption failure due to its 4-1 mapping.

• strategies to overcome this feature of the Rabin cryptosystem.• Redundancy in the message [Menezes et.al., 1996]. This scheme has a probability

decryption failure of approximately 1

2𝑙−1where 𝑙 is the least significant binary string

of the message.

• Extra bits [Kurosawa et. al, 2001]. One will send 2 extra bits of information to specify the square root. The encryption process requires the computation of the Jacobi symbol. This results in a computational overhead which is much more than just computing a single square modulo 𝑁.

• Williams technique [Williams, 1980]. The encryption process requires the encryptorto compute a Jacobi symbol. Hence, losing the performance advantage of Rabin over RSA (as in point no.2).

Rabin-RZ Cryptosystem

Key Generation

INPUT: The size n of the prime numbers.

OUTPUT: A public key 𝑁 = 𝑝2𝑞 and a private key pair 𝑝, 𝑞 .

• Generate two random and distinct n-bit strong primes 𝑝, 𝑞 satisfying

𝑝 ≡ 3 𝑚𝑜𝑑 4 and 2𝑛 < 𝑝 < 2𝑛 − 1, 𝑞 ≡ 3 𝑚𝑜𝑑 4 and 2𝑛 < 𝑞 < 2𝑛 − 1.

• Compute 𝑁 = 𝑝2𝑞.

Rabin-RZ Cryptosystem

Encryption

INPUT: The public key 𝑁 = 𝑝2𝑞 and the message 𝑀 ∈ ℤ𝑁.

OUTPUT: The ciphertext 𝐶.• Compute 𝐶 ≡ 𝑀2 mod 𝑁

Decryption

INPUT: The private key 𝑝, 𝑞 and the ciphertext 𝐶.

OUTPUT: The message 𝑀.• 𝑀2 ≡ 𝐶 mod 𝑝𝑞 , Compute the square roots of 𝐶 via CRT.

• Check k =𝐶−𝑚2

𝑝2𝑞, if k then m is the unique solution

Rabin-RZ Cryptosystem

• Proof of correctness PoC:𝐶 ≡ 𝑚2 mod 𝑁𝐶 = 𝑚2 + 𝑘 𝑝2𝑞

k =𝐶−𝑚

𝑖2

𝑝2𝑞, where i=1 to 4

Check for k ϵ Z, so there is one solution {(ki, mi)} to solve.

Rabin-RZ Cryptosystem

Bivariate function hard problem:

Proposition:

Let 𝐹(𝑥1, 𝑥2, . . . , 𝑥𝑛 ) be a multivariate one-way function that maps 𝐹 ∶ ℤ𝑛 →ℤ+(2𝑛 −1,2𝑛 −1). Let 𝐹1 and 𝐹2 be such functions (either identical or non-identical)such that 𝐴1 = 𝐹1 (𝑥1, 𝑥2, . . . , 𝑥𝑛) , 𝐴2=𝐹2(𝑦1, 𝑦2, . . . , 𝑦𝑛) and gcd(𝐴1,𝐴2)=1. Let 𝑢, 𝑣 ∈ ℤ+

(2𝑚 −1,2𝑚 −1).

Let 𝐺(𝑢,𝑣)=𝐴1𝑢+𝐴2𝑣

If at minimum 𝑚 − 𝑛 − 1 = 𝑘, where 2𝑘 is exponentially large for any probabilisticpolynomial time (PPT) adversary to sieve through all possible answers, it isinfeasible to determine (𝑢,𝑣) over ℤ from 𝐺(𝑢,𝑣). Furthermore, (𝑢,𝑣)is uniquefor 𝐺(𝑢,𝑣) with high probability.