130 likes | 318 Views
Symmetric-key Cryptosystems. In the classical model of cryptosystems we have been studying, Bob and Alice secretly choose the key K K determines the encryption rule e K and decryption rule d K In the systems we have studied, d K is either the same as e K or can be easily derived from it
E N D
Symmetric-key Cryptosystems • In the classical model of cryptosystems we have been studying, Bob and Alice secretly choose the key K • K determines the encryption rule eK and decryption rule dK • In the systems we have studied, dK is either the same as eK or can be easily derived from it • Such a system is called a symmetric-key cryptosystem, since exposure of either eK or dK renders the system insecure • Drawback: requires communication of key between Bob and Alice • Need a secure channel and this is not always possible • Public key cryptosystems: if it is computationally infeasible to compute the decryption key from the encryption key, Bob could publish his encryption key (in a directory, say) • Anyone wanting to send Bob a secure message would use his public encryption function • Bob would then use his secret decryption function to read the message
Symmetric-key Cryptosystems • In public key cryptosystems, the encryption key K and decryption key K are different • If it is computationally infeasible to compute the decryption key from the encryption key, Bob could publish his encryption key K (in a directory, say) • Thus the encryption key K is a public key and the decryption key K is a private key • Anyone wanting to send Bob a secure message would use his public encryption function eK • Bob would then use his private decryption function dK to read the message • Analogy: Alice places an object (message) in a metal box, then locks it with a combination lock left there by Bob • Bob is the only one who can open the box since he is the only one who knows the combination
Public-key Cryptosystems • 1976: idea put forward by Diffie and Hellman, but they did not have a specific method at that time • 1977: Rivest, Shamir and Adleman invented the (now) well-known RSA Cryptosystem • Several publc-key cryptosystems have been proposed • Security rests on different computational problems • RSA: based on the difficulty of factoring large integers • ElGamal: based on the discrete logarithm problem (later) • History: • 1970: public-key cryptosystems proposed by James Ellis in a classified British government journal • 1973: method essentially equivalent to RSA proposed by Clifford Cocks in a similar classified journal
Mathematical Basis of RSA • Theorem Assume p and q are distinct primes and let m = pq. Let e be an integer such that e (m) and set d = e-1 mod (m). Then for each integer x in the range 1 ≤ x < m, we have (xe)d mod m = x • Proof Write ed = 1 + k(m) and let x be such that 1 ≤ x < m. • Case 1: x m • (xe)d mod m = xed mod m = x1+k(m) mod m = x1(x(m))k mod m = x1(1)k mod m (Euler’s Theorem) = x mod m
Mathematical Basis of RSA • Theorem Assume p and q are distinct primes and let m = pq. Let e be an integer such that e (m) and set d = e-1 mod (m). Then for each integer x in the range 1 ≤ x < m, we have (xe)d mod m = x • Proof (continued) Recall ed = 1 + k(m) and x is such that 1 ≤ x < m. • Case 2: x is not relatively prime to m = pq • Clearly gcd(x,m) is one of p or q. Without loss of generality, we may assume gcd(x,m) = p. Then x p0 p xed • (m) = (pq) = (p)(q) = (p-1)(q-1) and hence • (xe)d mod q = xed mod q = x1+k(m) mod q = x1+(p-1)(q-1)k mod q = x1(xq-1)k(p-1) mod q = x1(1)k(p-1) mod q = x mod q By the Chinese Remainder Theorem: (xe)d = x mod pq, i.e., (xe)d m x
RSA Scheme • Step 1: Generate keys • Public Key (published in a directory): integers m and e • Private Key (Known only to Bob): primes p and q with m = pq(m) = (p-1)(q-1) d = e-1 mod (m) • Step 2: Agree on a protocol Anyone who wished to communicate with Bob must agree on a protocol to convert text into a string of integers < m • Step 3: Alice sends a message to Bob • Converts message to a string x1x2…xt of integers less than m • Computes yi = xie for each i and sends y1y2…yt to Bob • Step 4: Bob decrypts the message • For each yi, computes xi = yid • Converts each xi to text using the text-to-integer protocol
Example • Bob chooses p = 2847 893 757 848 938 511 q = 92 734928626327511 e = 1009 • Bob computes m = pq = 264 099 224 369 484 956 639 974 579 586 676 121 = (p-1)(q-1) = 264 099 224 369 484 953 699 345 893 111 410 100 d = e-1 mod = 5758 357 716 678 561 924 068 988 749 703 689 • Bob publishes e and pq
Example • Alice decides to send Bob the message x = 33 333 333 333 333 333 333 333 333 333 333 333 < m • Alice computes the ciphertext element y = xe mod m to get the string y = 54 423 731 721 403 481 610 392 517 373097 210 • Alice sends the integer y to Bob • Bob calculates x = yd mod m and gets (of course) x = 33 333 333 333 333 333 333 333 333 333 333 333 • Bob wonders about Alice’s sanity for sending such a message
Security of RSA • It is theoretically possible to deduce (d,m) from (e,m) • The computation of (m) is equivalent to factoring m = pq • Once you have the factors p and q, then = (p-1)(q-1) • The security of the RSA algorithm rests on the fact that factoring large integers is a difficult computational problem. • However, if you somehow obtain the value of (m), you can easily compute p and q using the public key (m,e): • If we assume q < p we can find p+q and p-q: • = (p+1)(q-1) = pq - (p+q) +1 and hence p+q = m - + 1 • (p+q)2 = p2 + 2pq + q2 = (p-q)2 + 4pq = (p-q)2 + 4m and thus p-q = ( (p+q)2- 4m )½ • Now p = ( p+q) + (p-q) )/2 and q = ( p+q) - (p-q) )/2
Attacks on RSA • Theorem Let m = pq, where p and q are primes with q < p < 2q. Suppose d < (1/3)m1/4. Given e such that de (m) 1, there is an efficient procedure for calculating d • One moral: for security, make d fairly large • Disadvantage: makes decryption slower • TheoremLet m = pq have n digits. If we know the first n/4 or the last n/4 of the digits of p, we can efficiently factor m. • TheoremSuppose (m,e) is an RSA public key and m has n digits. Let d be the decryption exponent. If we have at least the last n/4 digits of d, we can efficiently find d in time that is linear in elog2e.
Timing Attacks • 1995: Paul Kocher, a Stanford undergraduate, discovered another kind of attack on RSA and similar systems • Kocher showed that it is possible to discover the decryption exponent by carefully timing the computation times for a series of decryptions • An unsettling result, showing that a system could still have unexpected weaknesses • The timing information could be obtained in a situation where Bob’s computer automatically decrypts and responds to messages
Homework Problems • The ciphertext 5859 was obtained from the RSA algorithm using m = 11413 and e = 7457. Using the factorization 11413 = 101113, find the plaintext. • Let p be a prime and n and x be integers. Prove by induction on n thatif s = pn, then xsp x. • Let p be a large prime. Suppose you encrypt a message x by computing y = xe mod p for some exponent e. • Explain why you would never choose e to be a power of p. • Assuming e is not a power of p, how do you find a decryption exponent d such that yd = x? • Naïve Nelson uses RSA to decrypt a single ciphertext c, corresponding to message n. His public modulus is m and his public encryption exponent is e. Since he feels guilty about using his system only once, he agrees to decrypt any message that anyone sends him, as long as it is not c, and return the decrypted message to the sender. Evil Eve sends him the ciphertext 2ec. Explain how this allows Eve to find n.