assymtertic key introduction

8/12/2019 Assymtertic Key Introduction

1/34

Symmetric-KeyCryptography


2/34

Objectives

To distinguish between two cryptosystems:

symmetric-key and asymmetric-key

To introduce trapdoor one-way functions and their

use in asymmetric-key cryptosystems

To introduce the knapsack cryptosystem as one of

the first ideas in asymmetric-key cryptography

To discuss the RSA cryptosystem

To discuss the Rabin cryptosystem

To discuss the ElGamal cryptosystem

To discuss the elliptic curve cryptosystem


3/34

INTRODUCTION

Symmetr ic and asymmetr ic-key cryptography wil l exist

in parallel and continue to serve the community. We

actually believe that they are complements of each

other; the advantages of one can compensate for the

disadvantages of the other.

1 Keys2 General Idea

3 Need for Both

4 Trapdoor One-Way Function

5 Knapsack Cryptosystem


4/34

INTRODUCTION

Symmetr ic and asymmetr ic-key cryptography wil l exist

in parallel and continue to serve the community. We

actually believe that they are complements of each

other; the advantages of one can compensate for the

disadvantages of the other.

Symmetric-key cryptography is based on sharing secrecy;

asymmetric-key cryptography is based on personal secrecy.

Note


5/34

Asymmetr ic key cryptography uses two separate keys: one

private and one public.

Keys

Locking and unlocking in asymmetr ic-key cryptosystem


6/34

General I dea

General idea of asymmetr ic-key cryptosystem


7/34

Plaintext/Ciphertext

Unlike in symmetric-key cryptography, plaintext and

ciphertext are treated as integers in asymmetric-key

cryptography.

C = f (Kpublic , P) P = g(Kprivate , C)

Encryption/Decryption


8/34

There is a very important fact that is sometimesmisunderstood: The advent of asymmetric-key

cryptography does not el iminate the need for symmetr ic-

key cryptography.

Need for Both


9/34

The main idea behind asymmetr ic-key cryptography is the

concept of the trapdoor one-way function.

Trapdoor One-Way Function

Functions

A function as rule mapping a domain to a range


10/34

Trapdoor One-Way Function (TOWF)

One-Way Function (OWF)

1. f is easy to compute.

2. f 1is diff icult to compute.

3. Given y and a trapdoor, x can be

computed easi ly.


11/34

Example

Example

When nis large, n= p qis a one-way function. Given pand

q, it is always easy to calculate n; given n, it is very difficult to

compute pand q. This is the factorization problem.

When nis large, the function y= xkmod n is a trapdoor one-

way function. Given x, k, and n, it is easy to calculate y. Giveny, k, and n, it is very difficult to calculate x. This is the discrete

logarithm problem. However, if we know the trapdoor, ksuch

that k k= 1 mod f(n), we can use x = ykmod nto find x.


12/34

RSA CRYPTOSYSTEM

The most common public-key algor ithm is the RSA

cryptosystem, named for its inventors (Rivest, Shamir,

and Adleman).

1 Introduction

2 Procedure

3 Some Trivial Examples4 Attacks on RSA

5 Recommendations

6 Optimal Asymmetric Encryption Padding (OAEP)

7 Applications


13/34

Complexi ty of operations in RSA


14/34

Procedure

Encryption, decryption, and key generation in RSA


15/34

Two Algebraic Structures

Encryption/Decryption Ring: R =

Key-Generation Group: G =


16/34


17/34

Encryption


18/34

Decryption


19/34

Proof of RSA


20/34

Some Tr ivial ExamplesExample

Bob chooses 7 and 11 as pand qand calculates n= 77. The

value of f(n) = (7 1)(11 1) or 60. Now he chooses twoexponents, eand d, from Z60. If he chooses eto be 13, then d

is 37. Note that e dmod 60 = 1 (they are inverses of each

Now imagine that Alice wants to send the plaintext 5 to Bob.

She uses the public exponent 13 to encrypt 5.

Bob receives the ciphertext 26 and uses the private key 37 to

decipher the ciphertext:


21/34

Some Tr ivial ExamplesExample

Bob receives the ciphertext 28 and uses his private key 37 to

decipher the ciphertext:

Now assume that another person, John, wants to

send a message to Bob. John can use the same

public key announced by Bob (probably on his

website), 13; Johns plaintext is 63. John calculates

the following:


22/34

Example

Suppose Ted wants to send the message NO to

Jennifer. He changes each character to a number

(from 00 to 25), with each character coded as twodigits. He then concatenates the two coded

characters and gets a four-digit number. The plaintext

is 1314. Figure 10.7 shows the process.

Jennifer creates a pair of keys for herself. She

chooses p = 397 and q = 401. She calculates

n= 159197. She then calculates f(n) = 158400. She

then chooses e = 343 and d = 12007. Show how Ted

can send a message to Jennifer if he knows eand n.


23/34

Encryption and decryption

Att k RSA


24/34

Attacks on RSA

Taxonomy of potential attacks on RSA

Att k RSA


25/34

Attacks on RSA

Factorization

The security of RSA is based on the fact

that modulus is so large that it is

infeasible to factor it in reasonable time.

To be secure, RSA requires that n will be

300 decimal digits, then modulus must be

at least 1024 digits.

No factorization algorithm till date can

factorize such a large number in

reasonable amount of time.


26/34

Att k RSA


27/34

Attacks on RSAChosen-Ciphertext Attack

1. Eve intercepts c a ciphertext message fromAlice.

2. Eve chooses a random number r, r


28/34

Attacks on Encryption Component of RSA

To reduce encryption time, a low value of e

is used sometimes.

Coppersmith Theorem Attack:

In a mod n polynomial f(x) of degree e, one

can use an algorithm of complexity log n to

find the roots if one of the roots is smaller

than n^(1/e).

Att k E ti C t f RSA


29/34

Attacks on Encryption Component of RSA

To reduce encryption time, a low value of e

is used sometimes.

Broadcast attack:

If an entity sends the same message to a

group of recipients with the same low

encryption exponent.

C1 = P^3 mod n1,C2 = P^3 mod n2

C3 = P^3 mod n3

By CRT, C = P^3 mod n1 n2 n3.

Hence P^3 < n1 n2 n3, - C = P^3.

Att k D ti E t f RSA


30/34

Attacks on Decryption Exponent of RSA

Revealed decryption component attack:

If Eve knows the value of d, she can use a

probabilistic algorithm to factor n and find

the value of p and q.

If Bob changes only the compromised

decryption exponent, but keeps the same

modulus n, then Eve will be able to decryptfuture messages because she has the

factorization n.

Ti i tt k


31/34

Timing attack

Attack is based on the fast-exponential

algorithm.

The algorithm uses only squaring if the

corresponding bit in the decryption

exponent is d is 0, else it uses both squaring

and multiplication.

Timing required for each iteration is longer ifthe corresponding bit in d is 1.

The timing difference allows Eve to compute

the bits in d one by one.

Timing attack


32/34

Timing attack

Solutions:

1. Add random delays duringexponentiation.

2. Blinding:

1. Select a secret random number r

between 1 and n-1.

2. Calculate C1=C r ^e mod n

3. Calculate P1 = C1 ^d mod n4. Calculate P = P1 r -1 mod n.

Power attack


33/34

Power attack

Similar to timing attack.

Kocher showed that

If Eve can measure the power consumed

during decryption, then similar idea will be

used.

An iteration involving squaring andmultiplication requires more power.

Timing attack


34/34

Timing attack

Attack is based on the fast-exponential

algorithm.

The algorithm uses only squaring if the

corresponding bit in the decryption

exponent is d is 0, else it uses both squaring

and multiplication.

Timing required for each iteration is longer ifthe corresponding bit in d is 1.

The timing difference allows Eve to compute

the bits in d one by one

assymtertic key introduction

Documents