Public Key Cryptography: Knapsack, RSA, Diffie-Hellman

CS 3IS3

Ryszard Janicki

Department of Computing and Software, McMaster University, Hamilton, Ontario, Canada

Acknowledgments: Material based on Information Security by Mark Stamp (Chapters 4.1-4.4)


Public Key Cryptography: Idea I

Two keys:

PRIVATE KEY known only to individual
PUBLIC KEY available to anyone

A has private key $k_A$ and public key $K_A$, while B has private key $k_B$ and public key $K_B$. A message sent by A and encrypted using $k_A$ and $K_B$ can practically only be decrypted when B uses $k_B$ and $K_A$. How is it possible?

The private key k and the public key K are not random.

The public key K is a function of the private key k, i.e. $K = f(k)$ for some function f (hence $K_A = f(k_A)$ and $K_B = f(k_B)$).

The function f must have the property that for any K, finding $f^{-1}(K)$ is practically impossible.


Public Key Cryptography: Idea II

Conditions:

1. It must be computationally easy to encipher or decipher a message given the appropriate key.
2. It must be computationally infeasible to derive the private key from the public key.
3. It must be computationally infeasible to determine the private key from a chosen plaintext attack.


Public Key Cryptography: Idea III

Two keys, one to encrypt, another to decrypt
  Alice uses Bob’s public key to encrypt
  Only Bob’s private key decrypts the message

Based on “trap door, one way function”
  “One way” means easy to compute in one direction, but hard to compute in other direction
  Example: Given p and q, product N = pq easy to compute, but hard to find p and q from N (for large primes p and q)
  “Trap door” is used when creating key pairs (private, public).

Encryption
  Suppose we encrypt M with Bob’s public key
  Bob’s private key can decrypt C to recover M
  There must be some relationship between private and public keys!

Digital Signature
  Bob signs by “encrypting” with his private key
  Anyone can verify signature by “decrypting” with Bob’s public key
  But only Bob could have signed
  Like a handwritten signature, but much better...


Knapsack Cryptosystem: Basis–Subset Sum/Knapsack

Subset Sum problem: given a set of n weights $W_1, \ldots, W_n$ and a sum S, find a subset $W_{i_1}, \ldots, W_{i_k}$ such that $W_{i_1} + \ldots + W_{i_k} = S$.

Example. Weights: 62, 93, 26, 52, 166, 48, 91, 141, S = 302, solution: 62 + 26 + 166 + 48 = 302

The Subset Sum problem is NP-complete. In cryptography it is usually called the (general) knapsack problem (GK, for historical reasons).

The real Knapsack problem is: given a list (repetitions allowed) of n weights $W_1, \ldots, W_n$ and a capacity C, find a subset $W_{i_1}, \ldots, W_{i_k}$ such that $W_{i_1} + \ldots + W_{i_k}$ is maximal and smaller than or equal to C.


Knapsack Cryptosystem: Superincreasing Knapsack (SIK)

SIK – each weight greater than the sum of all previous weights

Example: Weights (2, 3, 7, 14, 30, 57, 120, 251), S = 186, solution: 120 + 57 + 7 + 2 = 186, a simple efficient algorithm that works from the largest to the smallest weight.

Knapsack Cryptosystem:

1. Generate superincreasing knapsack (SIK)
2. Convert SIK to “general” knapsack (GK)
3. Public Key: GK
4. Private Key: SIK and conversion factor

Goal...

Easy to encrypt with GK

With private key, easy to decrypt (solve SIK)

Without private key, Trudy has no choice but to try to solve GK


Modular Arithmetic: $m^{-1} \bmod n$

In standard arithmetic, $m^{-1} = a \iff m \cdot a = 1$.

Suppose $m \bmod n = a$. Then

$m^{-1} \bmod n = b \iff ab \bmod n = 1$

Example: m = 41, n = 491. Then 41 mod 491 = 41.

We have to find b such that 41 · b mod 491 = 1, i.e. 41 · b = 491 · i + 1 for some i.
Note that b = 12 works, as 41 · 12 = 492 = 491 · 1 + 1.
For example, the efficient ‘Extended Euclidean Algorithm’ can be used to solve this problem.

Hence $41^{-1} \bmod 491 = 12$


Knapsack Cryptosystem: Description by Example

Start with (2, 3, 7, 14, 30, 57, 120, 251) as the SIK

Choose m = 41 and n = 491 (m, n relatively prime, n exceeds sum of elements in SIK)

Then $m^{-1} \bmod n = 41^{-1} \bmod 491 = 12$

Private Key: SIK = (2, 3, 7, 14, 30, 57, 120, 251), m = 41, n = 491 and $m^{-1} \bmod n = 12$.

Compute “general” knapsack
  2 · 41 mod 491 = 82
  3 · 41 mod 491 = 123
  7 · 41 mod 491 = 287
  14 · 41 mod 491 = 83
  30 · 41 mod 491 = 248
  57 · 41 mod 491 = 373
  120 · 41 mod 491 = 10
  251 · 41 mod 491 = 471

“General” knapsack: (82, 123, 287, 83, 248, 373, 10, 471)

Public Key: GN = (82, 123, 287, 83, 248, 373, 10, 471), n = 491.


Private Key: SIK = (2, 3, 7, 14, 30, 57, 120, 251), m = 41, n = 491 and $m^{-1} \bmod n = 12$.

Public Key: GN = (82, 123, 287, 83, 248, 373, 10, 471), n = 491.

Encryption. Plaintext M = 150 = 10010110

  82  123  287   83  248  373   10  471
   1    0    0    1    0    1    1    0

82 + 83 + 373 + 10 = 548

Decryption. Private key is used.
548 · 12 = 193 mod 491
The solution (easy) of SIK for S = 193 is 193 = 2 + 14 + 57 + 120.

◦ Now we transform the list SIK into a binary sequence with 1 for elements in sum and 0 for elements not in sum.

   2    3    7   14   30   57  120  251
   1    0    0    1    0    1    1    0

◦ The result is the plaintext M = 150 = 10010110.

Unfortunately this knapsack cryptosystem is insecure. It was broken in 1983 with an Apple II computer! But there are better knapsack cryptos.
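The worked example above, together with the inverse computed on the Modular Arithmetic slide, as an added Python example that is not part of the original slides. Function and variable names are illustrative, and the plaintext is handled as the bit string 10010110 used above.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def mod_inverse(m, n):
    """Return b with (m * b) % n == 1, or fail if m and n share a factor."""
    g, x, _ = egcd(m % n, n)
    if g != 1:
        raise ValueError("m and n are not relatively prime")
    return x % n

def make_public_key(sik, m, n):
    """Convert a superincreasing knapsack into the 'general' knapsack."""
    total = 0
    for w in sik:
        if w <= total:
            raise ValueError("knapsack is not superincreasing")
        total += w
    if n <= total:
        raise ValueError("n must exceed the sum of the SIK elements")
    mod_inverse(m, n)  # raises unless m and n are relatively prime
    return [(w * m) % n for w in sik]

def encrypt(bits, gk):
    """Sum the public weights selected by the 1 bits of the plaintext."""
    if len(bits) != len(gk) or set(bits) - {"0", "1"}:
        raise ValueError("plaintext must be one bit per weight")
    return sum(w for bit, w in zip(bits, gk) if bit == "1")

def decrypt(c, sik, m, n):
    """Undo the conversion factor, then solve the SIK from the largest weight down."""
    s = (c * mod_inverse(m, n)) % n
    bits = []
    for w in reversed(sik):
        bits.append("1" if w <= s else "0")
        if w <= s:
            s -= w
    if s != 0:
        raise ValueError("ciphertext is not a valid subset sum")
    return "".join(reversed(bits))

# Values from the slides.
SIK, M_FACTOR, N_MOD = (2, 3, 7, 14, 30, 57, 120, 251), 41, 491
GK = make_public_key(SIK, M_FACTOR, N_MOD)
C = encrypt("10010110", GK)
print(GK, C, decrypt(C, SIK, M_FACTOR, N_MOD))
```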


RSA is the gold standard in public key cryptography

Invented by Clifford Cocks and, independently, by Ron Rivest, Adi Shamir, and Leonard Adleman.

Let p and q be two large prime numbers

Let N = pq be the modulus

Choose e relatively prime to (p − 1)(q − 1)

Two integers are relatively prime if there is no integer greater than one that divides them both (that is, their greatest common divisor is one). For example, 12 and 13 are relatively prime, but 12 and 14 are not.

Find d such that ed = 1 mod (p − 1)(q − 1)

Public key is (N, e)

Private key is d


RSA: Algorithm

Public Key is (N, e) and Private Key is d

Message M is treated as a number

To encrypt plaintext M we compute $C = M^e \bmod N$

To decrypt ciphertext C, we compute $M = C^d \bmod N$

If an attacker can factor N = pq, she can use e to (relatively) easily find d since ed = 1 mod (p − 1)(q − 1)

So, factoring the modulus breaks RSA. However, so far no reasonably efficient algorithm has been found for factoring N = pq with huge primes p, q. There are other approaches for breaking RSA, but so far none is considered successful.

RSA works because of the following fact:

Theorem

$M = (M^e \bmod N)^d \bmod N$

A proof is in the textbook.


Simple RSA Example

Select “large” primes p = 11, q = 3

Then N = pq = 33 and (p − 1)(q − 1) = 20

Choose e = 3 (relatively prime to 20 = 2 · 2 · 5)

Find d such that ed = 1 mod 20, in this case d = 7 works

Public Key: (N, e) = (33, 3) and Private Key: d = 7

Suppose message to encrypt is M = 8

Ciphertext C is computed as
$C = M^e \bmod N = 8^3 = 512 = 17 \bmod 33 = 17$

Decrypt C to recover the message M by
$M = C^d \bmod N = 17^7 = 410{,}338{,}673 = 12{,}434{,}505 \cdot 33 + 8 = 8 \bmod 33 = 8$

RSA makes sense only if N is at least 1024 bits (more than 300 decimal digits), often 2048 bits or even more!

Operations involving long integers, especially modular exponentiation of large numbers with large exponents, are very time consuming and tricky. Many special techniques have been invented to make them more efficient. See textbook.
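The toy parameters above run through code, as an added Python example that is not part of the original slides. Square-and-multiply is shown as one of the techniques for modular exponentiation, and the last function illustrates the earlier remark that factoring N yields d; all function names are illustrative.

```python
from math import gcd

def modexp(base, exp, mod):
    """Square-and-multiply: base**exp % mod without huge intermediate values."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:                      # current exponent bit is 1
            result = (result * base) % mod
        base = (base * base) % mod       # square for the next bit
        exp >>= 1
    return result

def make_keys(p, q, e):
    """Return ((N, e), d) with e*d == 1 mod (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return (p * q, e), pow(e, -1, phi)   # modular inverse (Python 3.8+)

def encrypt(m, public):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be a number in [0, N)")
    return modexp(m, e, n)

def decrypt(c, public, d):
    return modexp(c, d, public[0])

def private_key_from_factoring(public):
    """Trial division finds p only because this N is tiny; d then follows from e."""
    n, e = public
    p = next(f for f in range(2, n) if n % f == 0)
    return pow(e, -1, (p - 1) * (n // p - 1))

# Values from the slide: p = 11, q = 3, e = 3, M = 8.
PUBLIC, D = make_keys(11, 3, 3)
C = encrypt(8, PUBLIC)
print(PUBLIC, D, C, decrypt(C, PUBLIC, D))
```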


Diffie-Hellman Key Exchange

Invented by Malcolm Williamson, and, independently, by Whitfield Diffie and Martin Hellman

A “key exchange” algorithm

Used to establish a shared symmetric key
Not for encrypting or signing

Based on discrete logarithm problem:
Given: g, p, and $g^k \bmod p$, find: exponent k

Discrete logarithms are quickly computable in a few special cases. However, no efficient method is known for computing them in general.


Diffie-Hellman: Algorithm

Let p be prime, let g be a generator. p and g are public.
For any x ∈ {1, 2, ..., p − 1} there is n such that $x = g^n \bmod p$

Alice selects her private value a
Bob selects his private value b
Alice sends $g^a \bmod p$ to Bob
Bob sends $g^b \bmod p$ to Alice
Both compute shared secret, $g^{ab} \bmod p$.
Shared secret can be used as symmetric key.
Public: g and p. Private: Alice’s: a, Bob’s: b

[Figure: Diffie-Hellman exchange. Alice (a) sends $g^a \bmod p$ to Bob (b); Bob sends $g^b \bmod p$ to Alice.]

Alice computes $(g^b)^a \bmod p = g^{ab} \bmod p$
Bob computes $(g^a)^b \bmod p = g^{ab} \bmod p$
They can use $K = g^{ab} \bmod p$ as symmetric key


Diffie-Hellman: Why It Works

Suppose Bob and Alice use Diffie-Hellman to determine symmetric key $K = g^{ab} \bmod p$

An attacker Trudy can see $g^a \bmod p$ and $g^b \bmod p$. But $g^a \bmod p \cdot g^b \bmod p = g^{a+b} \bmod p \neq g^{ab} \bmod p$.

If Trudy can find a or b, she gets K

If Trudy can solve discrete logarithm problem, she can find a or b

However, no efficient method is known for computing them in general, and it appears to be especially infeasible for huge primes p.


Diffie-Hellman: Man-In-the-Middle (MiM) Attack

Subject to man-in-the-middle (MiM) attack

[Figure: Diffie-Hellman with Trudy (t) in the middle. Alice (a) sends $g^a \bmod p$ and Bob (b) sends $g^b \bmod p$; Trudy sends $g^t \bmod p$ to each of them.]

An attacker Trudy shares secret $g^{at} \bmod p$ with Alice

Trudy shares secret $g^{bt} \bmod p$ with Bob

Alice and Bob don’t know Trudy is MiM

How to prevent MiM attack?

Encrypt Diffie-Hellman exchange with symmetric key

Encrypt Diffie-Hellman exchange with public key

Sign Diffie-Hellman values with private key

You MUST be aware of MiM attack on Diffie-Hellman Key Exchange. We will discuss this issue later, at the end of this course.
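The exchange and the MiM substitution described above, as an added Python example that is not part of the original slides. The parameters p = 23, g = 5, the private values and the pre-shared key are constructed toy values, and the HMAC tag is a stand-in for the slide's options of signing or encrypting the exchanged values, not a scheme taken from the slides.

```python
import hashlib
import hmac

P, G = 23, 5  # constructed toy public parameters; real p is a huge prime

def is_generator(g, p):
    """True if every x in {1, ..., p-1} equals g^n mod p for some n."""
    return {pow(g, n, p) for n in range(1, p)} == set(range(1, p))

def public_value(private, p=P, g=G):
    return pow(g, private, p)

def shared_key(their_public, my_private, p=P):
    return pow(their_public, my_private, p)

def run_exchange(a, b, t=None):
    """Return (Alice's key, Bob's key); with t set, both values in transit become g^t."""
    to_bob, to_alice = public_value(a), public_value(b)
    if t is not None:
        to_bob = to_alice = public_value(t)  # Trudy's substitution
    return shared_key(to_alice, a), shared_key(to_bob, b)

def tag(psk, value):
    """Authenticate a DH value under a pre-shared key (assumed to exist)."""
    return hmac.new(psk, str(value).encode(), hashlib.sha256).digest()

def accept(psk, value, received_tag):
    """Receiver-side check: reject any value whose tag does not verify."""
    return hmac.compare_digest(tag(psk, value), received_tag)

if __name__ == "__main__":
    a, b, t = 6, 15, 3                      # constructed private values
    print("honest:", run_exchange(a, b))    # both sides hold the same key
    print("MiM:   ", run_exchange(a, b, t)) # keys differ; each is shared with Trudy
    psk = b"constructed-pre-shared-key"
    alice_tag = tag(psk, public_value(a))
    print("genuine value accepted:", accept(psk, public_value(a), alice_tag))
    print("swapped value accepted:", accept(psk, public_value(t), alice_tag))
```

Without the authentication step neither side can tell the two runs apart, since each still ends up with a valid-looking key.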
