Session 4

Asymmetric ciphers

Contents

• Definition of asymmetric (public key) ciphers

• Applications of asymmetric ciphers• The public key encipherment

procedure• The RSA public key cipher system

2/61

Asymmetric cipher definition

• The general cryptographic procedure:

3/61

A

Plaintext

KEY

decipher

decrypt

Cryptanalysis

Ciphertextencipher

Plaintext

KEY

B

Asymmetric cipher definition

• In a symmetric cipher system, the same key is delivered to both participants in advance, via a secure channel.

• If there are n participants, the keys have to be distributed pairwise, i.e.– Each participant is given n -1 different keys– The total number of keys is n (n -1)/2.

• Consequence: problems with distribution, storage and updating of keys.

4/61

Asymmetric cipher definition

• An alternative key distribution system is needed, or a different cipher system.– There is not much flexibility left within a

symmetric cipher system to distribute the keys in a better way.

– Then we need a cipher system that would NOT use the secure channel to distribute the keys.

5/61

Asymmetric cipher definition

• How can we define such a system?• Does such a system exist?• If such a system exists in theory, can

we realize it in practice?• What is the security of such a

system?

6/61

Asymmetric cipher definition

• Diffie-Hellman’s definition of a public key (or asymmetric) cipher system (1976) (1):– Let {K } be a finite key space and let {M

} be a finite message space.– A public key cipher system is a pair of

families of transformations and representing irreversible transformations:

7/61

KKKE KKKD

MMEK :

MMDK :

Asymmetric cipher definition

• Diffie-Hellman’s definition of a public key (or asymmetric) cipher system (1976) (2):– In such a system, the following holds:

1. For every K{K }, EK is the inverse of DK

2. For every K{K } and M{M }, the algorithms EK and DK are easy to compute

3. For almost every K{K }, each easily computed algorithm equivalent to DK is computationally infeasible to derive from EK

4. For every K{K }, it is feasible to compute inverse pairs EK and DK from K.

8/61

Asymmetric cipher definition

• From the property 3, EK can be made public, without compromising DK

• From the property 4, there is a guarantee that there is a feasible way of computing corresponding pairs of inverse transformations EK and DK.

9/61

Asymmetric cipher definition

• Given a system of this kind, the problem of key distribution is vastly simplified:– Each participant generates a pair of

inverse transformations, E and D.– The deciphering transformation D must be

kept secret but need not be transmitted by any channel – we do not need a secure channel.

– The enciphering transformation E can be made public – placed in a public directory.

10/61

Asymmetric cipher definition

• But we still do not know whether such a cipher system is (theoretically) possible.

• One of the possibilities to theoretically well define such a system is through so called one-way functions.

11/61

Asymmetric cipher definition

• A function y =f (x ) is a one-way

function if

– For any x, it is feasible to compute f (x )

– For almost all y in the range of f, it is

computationally infeasible to solve the

equation x =f -1(y ), for any x in the

domain.

12/61

Asymmetric cipher definition

• The function f is not invertible from

the computational point of view.

• A special class of one-way functions

is of interest in the public key context

– trap-door one-way functions.

13/61

Asymmetric cipher definition

• A trap-door one-way function

– A simply computed inverse exists

– But given f, it is conditionally

computationally infeasible to find a

simply computed inverse

– Only through knowledge of certain trap-

door information can easily computed

inverse be found. 14/61

Asymmetric cipher definition

• The problem

– Strictly mathematically speaking, the

existence of (trap-door) one-way

functions has not been proved yet.

• There are functions that have

properties similar to these functions –

we believe that they are candidates

for (trap-door) one-way functions.15/61

Asymmetric cipher definition

• Rivest-Shamir-Adleman’s (RSA’s)

definition of an asymmetric (public

key) cipher system (1977) (1):

– Let E be an encipherment

transformation and let D be the

corresponding decipherment

transformation.

16/61

Asymmetric cipher definition

• RSA’s definition of an asymmetric

(public key) cipher system (1977)

(2):

– The properties of E and D

1. D (E (M ))=M

2. Both E and D are feasible to compute

3. Publicly revealing E does not reveal a

feasible way to compute D

4. E (D (M ))=M 17/61

Asymmetric cipher definition

• A function E satisfying the properties

1-3 is a trap-door one-way function.

• A function E satisfying the properties

1-4 is a trap-door one-way

permutation (one-one and onto).

18/61

Applications of asymmetric ciphers

• Confidentiality

• Integrity – digital signatures

• Authentication – hash functions

• Key exchange

19/61

The public key encipherment procedure

• The participants in the

communication are usually given

names, such as Alice and Bob.

• Alice uses the transformation EA for

encipherment and DA for

decipherment

• Bob uses the transformation EB for

encipherment and DB for

decipherment.

20/61

The public key encipherment procedure

• Illustration-confidentiality: Alice

sends an enciphered message to Bob

21/61

The public key encipherment procedure

• Alice takes EB from a public directory

• DB is kept secret by Bob. It is not

transmitted by any means – no

secure channel is needed.

22/61

The public key encipherment procedure

• The confidentiality protocol

23/61

The RSA public key cipher system

• The prerequisites: each participant

does the following (1):

– Generates two large distinct random

primes p and q, approximately of the

same size (if encoded in bits)

– Computes n =pq and (n )=(p -1)(q -1)

– Selects a random integer e, 1<e < (n ),

such that (e, (n ))=124/61

The RSA public key cipher system

• The prerequisites: each participant

does the following (2):

– Computes the unique integer d, 1<d < (n ) such that ed 1 (mod (n )). This can

be done by means of the extended

Euclidean algorithm.

– The public key is (n,e ) and the private

key is d.25/61

The RSA public key cipher system

• Encipherment: Alice enciphers a

message for Bob

– Obtains Bob’s authentic public key

(nB,eB)

– Represents the message in a form of an

integer m on the segment [0,nB -1]

– Computes

– Sends c to Bob. 26/61

Be nmc B mod

The RSA public key cipher system

• Decipherment: Bob deciphers the

message enciphered by Alice

– Bob uses his private key dB to compute

–m is converted to a meaningful text.

27/61

Bd ncm B mod

The RSA public key cipher system

• The security of the RSA cipher

system lies in the hope that the

encipherment function is

a one-way function.

• The trap-door is the knowledge of the

factorization of n. This knowledge

allows Bob to decipher.

28/61

nmc e mod

The RSA public key cipher system

• To realize RSA in practice we need (1)

– Random primes

• Generating random numbers

• Primality testing

– Euler’s function (n )

29/61

The RSA public key cipher system

• To realize RSA in practice we need (2)

– Extended Euclidean algorithm

–Multiplicative inverse

–Modular exponentiation – to compute

powers with large exponents

30/61

Random primes

• Random primes generation

1. Generate a random integer m

2. If m is even, replace m by m +1

3. Test if m is prime

4. If m is not prime, test if m +2 is prime,

etc.

31/61

Random primes

• Theorem (the prime number

theorem)

– If m is chosen at random, the probability

that m is prime is approximately 1/ln m.

• Consequence: we can expect to test

ln m numbers for primality.

32/61

Random primes

• Example: if m can be represented

with 512 bits, (i.e. the maximum

representable integer is 2256-1) then

ln m 177, which means that we have

to test approximately 177 integers

before we find a prime of that size.

33/61

Random primes

• Primality testing

– In practice, probabilistic (Monte Carlo)

algorithms for testing primality are

used, e.g.

• Solovay-Strassen

• Miller-Rabin

– These algorithms are fast, but they may

give an integer that is not a prime at

output, but the probability of this is

small.

34/61

The Euler’s function (n )

• Let n be a positive integer.

• The Euler’s function (n ) is defined

to be the number of positive integers

b less than or equal to n, which are

relatively prime to n, i.e.

35/61

11 n,b,nbbn

The Euler’s function (n )

• Theorem - computing (n )

– Given a positive integer n with the

factorization

– Then

36/61

r

rpppn 21

21

np

r

iii p

nppn ii1

11

1

• Example – RSA

– n =pq, where p and q are primes

– Then (n ) = (p1-p 0)(q1-q 0)=(p -1)(q -

1)

The Euler’s function (n )

37/61

• Euclidean algorithm - computes (a,b),

given integers a and b

Extended Euclidean algorithm

38/61

• Example: find (1180,482)

1. 1180= 2482 + 216

2. 482 = 2216 + 50

3. 216 = 450 + 16

4. 50 = 316 + 2

5. 16 = 82 + 0

• So, (1180,482)=2

Extended Euclidean algorithm

39/61

• Theorem – extended Euclidean

algorithm

– Let d =(a,b), where a >b.

– Then there exist integers u and v such

that d =ua +vb.

Extended Euclidean algorithm

40/61

• Example

1180=2482+216

482=2216+50

216=450+16

50=316+2

16=82+0

Extended Euclidean algorithm

41/61

2=50-316=

=50-3(216-450)=

=1350-3216=

=13(482-2216)-3216=

=13482-29216=

=13482-29(1180-

2482)=

=71482-291180So, u =-29, v =71

• Arithmetic modulo m

– Zm is defined to be the set G = {0,...,m -

1}, equipped with two operations, + and

, i.e. Zm is a structure (G,+,)

– The results of addition and multiplication

are reduced modulo m

Multiplicative inverse

42/61

• The structure (G,+) satisfies the

axioms of the group – additive group:

1. Closure:

2. Associativity:

3. Existence of the identity (neutral)

element

4. Existence of the inverse elements

Multiplicative inverse

43/61

GY*XGY,X

z*y*xz*y*xGz,y,x

xx*ee*xGxGe

ex*xx*xGxGx 111

• The structure (G,) satisfies closure,

associativity and the existence of the

neutral element, but does not satisfy

the existence of inverse element for

each element of G (in general).

• Such a structure (G,+,) is called a

ring.

Multiplicative inverse

44/61

• Multiplicative inverse – inverse of an

element of the structure (G,) of the

ring Zm

• Theorem

– An element a of Zm has a multiplicative

inverse if and only if (a,m )=1

Multiplicative inverse

45/61

• Let a be an element of Zm and let

(a,m )=1 (i.e. a and m are

mutually prime). This can be

shown by Euclidean algorithm.

• Then by extended Euclidean

algorithm we get

1=ua +vm

Multiplicative inverse

46/61

Multiplicative inverse

• Taking modulo m of the both sides of the expression 1=ua +vm we get

1ua (mod m )

• This means that u is the multiplicative inverse of a modulo m.

47/61

• Example

– Find the multiplicative inverse of 2 in Z17.

• The Euclidean algorithm gives

1. 17=82+1

2. 2=21+0

• The extended Euclidean algorithm gives

1. 1=17-82

• Taking modulo 17 of both sides gives

1-82 (mod 17), or equivalently 192 (mod 17), i.e.

9=2-1

Multiplicative inverse

48/61

• Modular exponentiation is computing

bn (mod m )

• Let (n0,n1,...,nk-1) be the binary

representation of n, i.e.

n =n0+2n1+22n2+...+2k-1nk-1

• The binary representation of n is

obtained by means of the “arrow

algorithm”

Modular exponentiation

49/61

• The “arrow algorithm” – convert

from base 10 to any base B

1. Get the last digit of the

converted number by dividing n

by B and taking the remainder

2. Replace n by the quotient

3. Repeat until the quotient is 0.

Modular exponentiation

50/61

• The modular exponentiation

algorithm

Modular exponentiation

51/61

• Example: compute 3875 (mod 103)

–We first convert the exponent 75 to base

2

– Thus 7510=(1001011)2

– Then we run 7 iterations of the

algorithm, using b =38, n =75 and m

=103.

Modular exponentiation

52/61

• The algorithm flow

Modular exponentiation

53/61

• So at the output the algorithm gives

that 3875 (mod 103)=79

• Alternatively, we can pre-compute

the values

• Each such value is obtained by

squaring the previous one and taking

modulo m.

Modular exponentiation

54/61

i238

Modular exponentiation

55/61

• What the algorithm actually does is

to compute 3875 as

• Then we have

63 222138

79631623838383838103mod386310 222275

• Bob does the following (1):

1. Chooses p =11 and q =13

2. Computes n =1113=143 and

(n )=1012=120

3. Sets e =7 and checks with EA

that (e, (n ))=1, i.e. (7,120)=1.

Indeed, 120=177+1

Example – RSA encipher and decipher

56/61

• Bob does the following (2):

4. Applies EEA to find that 7-1-

17103 (mod 120), so d =103

5. Posts his public key (143,7) in a

public repository and keeps the

private key d =103 secret.

Example – RSA encipher and decipher

57/61

• Alice wants to encipher the message

5 and to send the ciphertext to Bob

(1)

1. Obtains Bob’s public key (143,7)

2. Computes c =57 (mod 143)

• As 7=(111)2, Alice carries out

the pre-computations 51=5,

52=25, 54=252=53 (all mod

143)

Example – RSA encipher and decipher

58/61

• Alice wants to encipher the message

5 and to send the ciphertext to Bob

(2)

3. c=57=52553=47 (mod 143)

4. c=47 is sent to Bob

Example – RSA encipher and decipher

59/61

• Bob receives c =47 and deciphers

(1)

1. Computes m =47103 mod 143

• As 103=(1100111)2, Bob

carries out the pre-

computations 471=47, 472=64,

474=92, 478=27, 4716=14,

4732=53 and 4764=92 (all mod

143)

Example – RSA encipher and decipher

60/61

• Bob receives c =47 and deciphers (2)

2. m =47103=4764925392=5

(mod 143)

Example – RSA encipher and decipher

61/61