3. Introduction to Cryptography and Security Mechanisms 2005 3
Quiz 1
From a security perspective, rather than an efficiency
perspective, which of the following statements about the
block size of a block cipher is most accurate?
A The bigger the block size the better
B The block size should neither be too small nor too
large
C The block size should neither be too small nor too
large, and should be a multiple of 8
D The block size is unimportant
4. Introduction to Cryptography and Security Mechanisms 2005 4
Quiz 2
The main reason for using different modes of operation
of a block cipher is to:
A Increase the strength of the block cipher
B Increase the efficiency of the block cipher
C Protect against error propagation
D Change the properties of the block cipher
5. Introduction to Cryptography and Security Mechanisms 2005 5
Quiz 3
Which of the following is most accurate?
A Key management for stream ciphers is easier than for
block ciphers, because the plaintext is not actually encrypted
directly with the key
B Key management for block ciphers is less critical when
using CBC mode, since the security of the ciphertext depends
on the preceding ciphertext as well as the key
C Key management for stream ciphers is more difficult than
for block ciphers because the key needs to kept
synchronised at each end of the communication link
D Key management is roughly of the same level of difficulty
for stream ciphers and block ciphers
6. Introduction to Cryptography and Security Mechanisms:
Unit 7
Public Key Algorithms
Dr Keith Martin
McCrea 349 01784 443099
keith.martin@rhul.ac.uk
7. Introduction to Cryptography and Security Mechanisms 2005 7
Learning Outcomes
• Explain the basic principles behind public key
cryptography
• Recognise the fundamental problems that need to be
solved before public key cryptography can be used
effectively
• Explain the concept of a one-way function
• Describe the RSA encryption system
• Describe the ElGamal encryption system
• Calculate very simple numerical examples of RSA and
ElGamal
• Compare the basic properties of RSA and ElGamal
• Describe the Diffie-Hellman key exchange mechanism
8. Introduction to Cryptography and Security Mechanisms 2005 8
Sections
1. Public key cryptography
2. RSA
3. ElGamal
4. Diffie-Hellman
10. Introduction to Cryptography and Security Mechanisms 2005 10
Symmetric assumptions
Consider the relationship between
two entities who are communicating
using a symmetric cipher.
What assumptions are being made
about the relationship between them?
12. Introduction to Cryptography and Security Mechanisms 2005 12
The briefcase example
Properties:
1. There is only one key for each padlock
2. The padlocks are so strong that they cannot be
removed by force
Problems:
3. You have no way of being sure that it is the correct
person who finally gets your message
4. The briefcase has to be sent back and forward three
times, which seems pretty inefficient.
13. Introduction to Cryptography and Security Mechanisms 2005 13
Desirable properties
Use the properties and problems for the briefcase
example to come up with a specification of four
properties that are desirable for any cipher
system that is to be used between two entities
who do not already share a symmetric key.
14. Introduction to Cryptography and Security Mechanisms 2005 14
Public key blueprint
• The keys used to encrypt and decrypt are different.
• Anyone who wants to be a receiver needs to
“publish” an encryption key, which is known as the
public key.
• Anyone who wants to be a receiver needs a unique
decryption key, which is known as the private key.
• It should not be possible to deduce the plaintext from
knowledge of the ciphertext and the public key.
• Some guarantee needs to be offered of the
authenticity of a public key.
15. Introduction to Cryptography and Security Mechanisms 2005 15
Important question
Do public key cipher systems solve all
the problems of symmetric key cipher
systems?
16. Introduction to Cryptography and Security Mechanisms 2005 16
Design of a public key algorithm
In a public key system, if everyone knows
everything necessary:
• the encryption algorithm and
• the encryption key
to determine the ciphertext then how is it
possible that they cannot then work out
what the plaintext (decryption key) is from
this information?
17. Introduction to Cryptography and Security Mechanisms 2005 17
One way functions
A one-way function is a function that is “easy” to
compute and “difficult” to reverse.
How might we express this notion of a one
way function informally in complexity
theoretic terms?
18. Introduction to Cryptography and Security Mechanisms 2005 18
OWF: Multiplying two primes
It is easy to take two prime numbers and multiply them
together.
If they are fairly small we can do this in our heads, on a
piece of paper, or on a calculator.
As they get bigger and bigger it is fairly easy to write
a computer program to compute the product.
Multiplication runs in polynomial time.
Multiplication of two primes is easy.
19. Introduction to Cryptography and Security Mechanisms 2005 19
OWF: Multiplying two primes
To factor: Comments
15
143
6887
31897
600 digit number
600 digit even
number
20. Introduction to Cryptography and Security Mechanisms 2005 20
OWF: Multiplying two primes
Multiplication of two prime numbers is believed to be a
one-way function.
We say believed because nobody has been able to
prove that it is hard to factorise.
Maybe one day someone will find a way of factorising
efficiently.
What will happen if someone does find an
efficient way of factorising ?
21. Introduction to Cryptography and Security Mechanisms 2005 21
OWF: Modular exponentiation
The process of exponentiation just means raising
numbers to a power.
Raising a to the power b, normally denoted ab
just means
multiplying a by itself b times. In other words:
ab
= a x a x a x … x a
Modular exponentiation means computing ab
modulo
some other number n. We tend to write this as
ab
mod n.
Modular exponentiation is “easy”.
22. Introduction to Cryptography and Security Mechanisms 2005 22
OWF: Modular exponentiation
However, given a, b, and ab
mod n (when n is prime),
calculating b is regarded by mathematicians as a hard
problem.
This difficult problem is often referred to as the discrete
logarithm problem.
In other words, given a number a and a prime number n,
the function
f(b) = ab
mod n
is believed to be a one-way function.
23. Introduction to Cryptography and Security Mechanisms 2005 23
OWF: Modular square roots
What is the square root of 1369?
Propose a technique for finding the square root
of 1369 that will generalise to any integer.
24. Introduction to Cryptography and Security Mechanisms 2005 24
OWF: Modular square roots
What is the square root of 56 module 101?
Let’s try 40…
Let’s try 30…
25. Introduction to Cryptography and Security Mechanisms 2005 25
Suitable OWFs
We have seen that the encryption process of a public
key cipher system requires a one way function.
Is every one way function suitable for
implementation as the encryption process
of a public key cipher system?
27. Introduction to Cryptography and Security Mechanisms 2005 27
RSA
The RSA public key encryption algorithm was the first
practical implementation of public key encryption
discovered.
It remains the most used public key encryption algorithm
today.
It is named after the three researchers Ron Rivest, Adi
Shamir and Len Adleman who first published it.
Make sure you are familiar with the concepts of
modular arithmetic, prime numbers, the Euclidean
Algorithm and the method of Repeated Squares.
28. Introduction to Cryptography and Security Mechanisms 2005 28
Setting up RSA
• Let n be the product of two large primes p
and q
– By “large” we typically mean at least 512 bits.
• Select a special number e
– greater than 1 and less than (p-1)(q-1). The precise
mathematical property that e must have is that there
must be no numbers that divide neatly into e and into
(p-1)(q-1), except for 1.
• Publish the pair of numbers (n,e)
• Compute the private key d from p, q and e
29. Introduction to Cryptography and Security Mechanisms 2005 29
Computing the private key
The private key d is computed to be the unique inverse of
e modulo (p-1)(q-1).
In other words, d is the unique number less than (p-1)(q-1)
that when multiplied by e gives you 1 modulo (p-1)(q-1).
Written mathematically:
ed = 1 mod (p-1)(q-1)
The Euclidean Algorithm is the process that you need to
follow in order to compute d.
30. Introduction to Cryptography and Security Mechanisms 2005 30
Computing the private key
1. Who is capable of running the Euclidean
Algorithm to find the private key?
2. How efficient is this process?
31. Introduction to Cryptography and Security Mechanisms 2005 31
Choosing e
Let’s consider p=3 and q=7. What choices of e are acceptable?
In this case (p-1)(q-1) = 2 x 6 = 12. Any suitable choice of e must
have the property that there are no numbers that neatly divide into e
and 12 except for 1. Let’s just try them all out:
e=2: this is no good, since 2 divides both e and 12. In fact this will be
true for all multiples of 2 as well, so e=4, e=6, e=8 and e=10 are also
not possible.
e=3: this is no good, since 3 divides both e and 12. In fact this will be
true for all multiples of 3 as well, so e=6 and e=9 are also not
possible.
The remaining choices are e=5, e=7 and e=11. Since in each case
there is no number that divides into them and 12 other than 1, all
these choices of e are possible.
32. Introduction to Cryptography and Security Mechanisms 2005 32
Setting up RSA: example
Step 1: Let p = 47 and q = 59. Thus n = 47 x 59 = 2773
Step 2: Select e = 17
Step 3: Publish (n,e) = (2773, 17)
Step 4: (p-1) x (q-1) = 46 x 58 = 2668
Use the Euclidean Algorithm to compute the modular
inverse of 17 modulo 2668. The result is d = 157
<< Check: 17 x 157 = 2669 = 1(mod 2668) >>
Public key is (2773,17)
Private key is 157
33. Introduction to Cryptography and Security Mechanisms 2005 33
Encryption and decryption
The first job is to represent the plaintext as a series of
numbers modulo n.
The encryption process to obtain the ciphertext C from
plaintext M is very simple:
C = Me
mod n
The decryption process is also simple:
M = Cd
mod n
34. Introduction to Cryptography and Security Mechanisms 2005 34
Encryption and decryption: example
Public key is (2773,17)
Private key is 157
Plaintext block represented as a number: M = 31
Encryption using Public Key: C = 3117
(mod 2773)
= 587
Decryption using Private Key: M = 587157
(mod 2773)
= 31
35. Introduction to Cryptography and Security Mechanisms 2005 35
Security of RSA
1. Trying to decrypt a ciphertext without
knowledge of the private key
2. Trying to determine the private key
We will look at two different strategies for
trying to “break” RSA:
36. Introduction to Cryptography and Security Mechanisms 2005 36
Decrypting ciphertext without the key
The encryption process in RSA involves computing the
function C = Me
mod n, which is regarded as being easy.
An attacker who observes this ciphertext, and has
knowledge of e and n, needs to try to work out what M is.
Computing M from C, e and n is regarded as a hard
problem.
Have we seen this one way function before?
37. Introduction to Cryptography and Security Mechanisms 2005 37
Determining the private key
Assuming that you know the public key of a
user, what would you need to do in order to
obtain the corresponding private key?
38. Introduction to Cryptography and Security Mechanisms 2005 38
RSA security summary
One-way function Description
Encryption
function
The encryption function is a trapdoor one-way
function, whose trapdoor is the private key.
The difficulty of reversing this function without
the trapdoor knowledge is believed (but not
known) to be as difficult as factoring.
Multiplication of
two primes
The difficulty of determining an RSA private
key from an RSA public key is known to be
equivalent to factoring n. An attacker thus
cannot use knowledge of an RSA public key
to determine an RSA private key unless they
can factor n. Because multiplication of two
primes is believed to be a one-way function,
determining an RSA private key from an RSA
public key is believed to be very difficult.
There are two one-way functions involved in the security of RSA.
39. Introduction to Cryptography and Security Mechanisms 2005 39
Length of an RSA modulus
What length of RSA modulus do you think is
roughly equivalent to:
1. An 80 bit symmetric key?
2. A 112 bit symmetric key?
3. A 128 bit symmetric key?
It is hard to compare the equivalent security parameters
for symmetric key cipher systems and RSA, however it is
roughly believed that factorising a 512 bit number is about
as hard as searching for a 56 bit symmetric key.
41. Introduction to Cryptography and Security Mechanisms 2005 41
ElGamal
• To show that RSA is not the only public key
system
• To exhibit a public key system based on a
different one way function
• ElGamal is the basis for several well-known
cryptographic primitives
We will also take a look at the ElGamal public key
cipher system for a number of reasons:
42. Introduction to Cryptography and Security Mechanisms 2005 42
Setting up ElGamal
• Let p be a large prime
– By “large” we mean here a prime rather typical in length to
that of an RSA modulus
• Select a special number g
– The number g must be a primitive element modulo p.
• Choose a private key x
– This can be any number bigger than 1 and smaller than p-1
• Compute public key y from x, p and g
– The public key y is g raised to the power of the private key x
modulo p. In other words:
y = gx
mod p
43. Introduction to Cryptography and Security Mechanisms 2005 43
Setting up ElGamal: example
Step 1: Let p = 23
Step 2: Select a primitive element g = 11
Step 3: Choose a private key x = 6
Step 4: Compute y = 116
(mod 23)
= 9
Public key is 9
Private key is 6
44. Introduction to Cryptography and Security Mechanisms 2005 44
ElGamal encryption
The first job is to represent the plaintext as a series
of numbers modulo p. Then:
1. Generate a random number k
2. Compute two values C1
and C2
, where
C1
= gk
mod p and C2
= Myk
mod p
3. Send the ciphertext C, which consists of the two
separate values C1
and C2
.
45. Introduction to Cryptography and Security Mechanisms 2005 45
ElGamal encryption: example
To encrypt M = 10 using Public key 9
1 - Generate a random number k = 3
2 - Compute C1= 113
mod 23 = 20
C2= 10 x 93
mod 23
= 10 x 16 = 160 mod 23 = 22
3 - Ciphertext C = (20 , 22 )
46. Introduction to Cryptography and Security Mechanisms 2005 46
ElGamal decryption
C1
= gk
mod p C2
= Myk
mod p
1 - The receiver begins by using their private key x to
transform C1
into something more useful:
C1
x
= (gk
)x
mod p
NOTE: C1
x
= (gk
)x
= (gx
)k
= (y)k
= yk
mod p
2 - This is a very useful quantity because if you divide
C2
by it you get M. In other words:
C2
/ yk
= (Myk
) / yk
= M mod p
47. Introduction to Cryptography and Security Mechanisms 2005 47
ElGamal decryption: example
To decrypt C = (20 , 22 )
1 - Compute 206
= 16 mod 23
2 - Compute 22 / 16 = 10 mod 23
3 - Plaintext = 10
48. Introduction to Cryptography and Security Mechanisms 2005 48
Security of ElGamal
1. Trying to decrypt a ciphertext without
knowledge of the private key
2. Trying to determine the private key
Recall the two different strategies for trying
to “break” RSA:
What hard problems do you come across if
you try to follow these two different strategies
to break ElGamal?
49. Introduction to Cryptography and Security Mechanisms 2005 49
ElGamal v RSA
PROS of ElGamal
• Does not rely on
factorisation being
hard
CONS of ElGamal
• Requires a random
number generator
• Message expansion
While regarded as similar from a security
perspective, are there any differences
between ElGamal and RSA from an efficiency
perspective?
50. Introduction to Cryptography and Security Mechanisms 2005 50
Public key systems in practice
• Public key cipher systems led to mini revolution in
cryptography in the mid 1970’s, with a further boom in
interest since the development of the Internet in the
1990’s.
• Public key cipher systems are only likely to grow in
importance in the coming years.
– In Unit 8 we discuss cryptographic services, some of which
involve public key techniques.
– One of the major applications of public key cipher systems is for
digital signatures, a topic that we explore in Unit 9
– We devote much of Unit 12 to considering the big problem of
authenticating public keys.
– We will discover in Unit 10 that a second major application of
public key cipher systems is to distribute and transfer symmetric
keys around a network, thus presenting public key cipher
systems as a useful enabler for faster symmetric cipher systems.
52. Introduction to Cryptography and Security Mechanisms 2005 52
Diffie-Hellman
The Diffie–Hellman (DH) key exchange technique was first defined
in their seminal paper in 1976.
DH key exchange is a method of exchanging public (i.e. non-secret)
information to obtain a shared secret.
DH is not an encryption algorithm.
DH key exchange has the following important properties:
1. The resulting shared secret cannot be computed by either of the
parties without the cooperation of the other.
2. A third party observing all the messages transmitted during DH
key exchange cannot deduce the resulting shared secret at the
end of the protocol.
53. Introduction to Cryptography and Security Mechanisms 2005 53
Principle behind DH
DH key exchange assumes first that there exists:
1. A public key cipher system that has a special property (we come to
this shortly).
2. A carefully chosen, publicly known function F that takes two
numbers x and y as input, and outputs a third number F(x,y) (for
example, multiplication is such a function).
DH key exchange was first proposed before there were any known
public key algorithms, but the idea behind it motivated the hunt for
practical public key algorithms.
DH key exchange is not only a useful and practical key
establishment technique, but also a significant milestone in the
history of modern cryptography.
54. Introduction to Cryptography and Security Mechanisms 2005 54
Principle behind DH
1. Alice and Bob exchange their public keys PA and PB.
2. Alice computes F(SA , PB)
3. Bob computes F(SB, PA)
4. The special property of the public key cipher system, and the choice
of the function F, are such that F(SA , PB) = F(SB, PA). If this is the
case then Alice and Bob now share a secret.
5. This shared secret can easily be converted by some public means
into a bitstring suitable for use as, for example, a DES key.
Assume that Alice and Bob are the parties who wish to establish a
shared secret, and let their public and private keys in the public key
cipher system be denoted by (PA , SA) and (PB , SB) respectively.
The basic principle behind Diffie–Hellman key exchange is as follows:
55. Introduction to Cryptography and Security Mechanisms 2005 55
Diffie-Hellman key exchange
The most commonly described implementation of DH key exchange uses
the keys of the ElGamal cipher system and a very simple function F.
The system parameters (which are public) are:
• a large prime number p – typically 1024 bits in length
• a primitive element g
1. Alice generates a private random value a, calculates ga
(mod p)
and sends it to Bob. Meanwhile Bob generates a private random
value b, calculates gb
(mod p) and sends it to Alice.
2. Alice takes gb
and her private random value a to compute
(gb
)a
= gab
(mod p).
3. Bob takes ga
and his private random value b to compute
(ga
)b
= gab
(mod p).
4. Alice and Bob adopt gab
(mod p) as the shared secret.
56. Introduction to Cryptography and Security Mechanisms 2005 56
DH questions
1. What is the hard problem on which the DH key
exchange algorithm is based?
2. Suppose that DH key exchange is used to
generate a symmetric key. Why might that key
be derived (but different from) the DH shared
secret?
3. The example of DH key exchange that we
described is based on ElGamal keys. Can you
use the public and private keys of any
established public key encryption algorithm to
implement DH key exchange?
57. Introduction to Cryptography and Security Mechanisms 2005 57
Man-in-the-middle attack
1. What will happen when Alice tries to send a message to
Bob, encrypted with a key based on her DH shared
secret?
2. Can Fred obtain the correct DH shared secret that
would have been established had he not interfered?
Alice BobFred
ga
(mod p) gf
(mod p)
gf
(mod p) gb
(mod p)
58. Introduction to Cryptography and Security Mechanisms 2005 58
Summary
• Public key systems replace the problem of distributing
symmetric keys with one of authenticating public keys
• Public key encryption algorithms need to be trapdoor one-way
functions
• RSA is a public key encryption algorithm whose security is
believed to be based on the problem of factoring large numbers
• ElGamal is a public key encryption algorithm whose security is
believed to be based on the discrete logarithm problem
• RSA is generally favoured over ElGamal for practical rather than
security reasons
• RSA and ElGamal are less efficient and fast to operate than
most symmetric encryption algorithms because they involve
modular exponentiation
• DH key exchange is an important protocol on which many real
key exchange protocols are based