CHAPTER 5: Public-Key Cryptography I. RSA: Two Different Keys

Public-key cryptography uses two different keys - a public encryption key and a private decryption key. The RSA algorithm is an example of public-key cryptography where the public and private keys are related through complex mathematical operations like exponentiation and factorization that make deriving the private key from the public key computationally infeasible. Diffie-Hellman key exchange allows two parties to establish a shared secret key over an insecure channel without any preexisting secret information. This protocol helped solve the key distribution problem of symmetric cryptography. Modern public-key cryptography relies on computational complexity theory and exploits problems like factorization and discrete logarithms that are easy in one direction but believed to be hard to reverse.

Uploaded by

Min Khant
Copyright
© Attribution Non-Commercial (BY-NC)

Public-key cryptography 1

CHAPTER 5: Public-key cryptography I. RSA (IV054)

Rapidly increasing needs for flexible and secure transmission of information require the use of new cryptographic methods.

The main disadvantage of classical (symmetric) cryptography is the need to send a (long) key through a super-secure channel before sending the message itself.

In classical or secret-key (symmetric) cryptography both sender and receiver share the same secret key.

In public-key (asymmetric) cryptography there are two different keys:

a public encryption key (at the sender side)
and
a private (secret) decryption key (at the receiver side).
Basic idea - example

Basic idea: If it is infeasible, from the knowledge of an encryption algorithm e_k, to construct the corresponding decryption algorithm d_k, then e_k can be made public.

Toy example: (Telephone directory encryption)
Start: Each user U makes public a unique telephone directory td_U to encrypt messages for U, and U is the only user to have an inverse telephone directory itd_U.

Encryption: Each letter X of a plaintext w is replaced, using the telephone directory td_U of the intended receiver U, by the telephone number of a person whose name starts with the letter X.

Decryption: easy for U, with the inverse telephone directory; infeasible for others.

Analogy between secret and public-key cryptography:
Secret-key cryptography: 1. Put the message into a box, lock it with a padlock and send the box. 2. Send the key by a secure channel.

Public-key cryptography: Open padlocks, different ones for each user, are freely available. Only the legitimate user has the key to his padlocks. Transmission: Put the message into the box of the intended receiver, close the padlock and send the box.
Public Establishment of Secret Keys

Main problem of secret-key cryptography: the need to make a secure distribution (establishment) of secret keys ahead of transmissions.

Diffie and Hellman solved this problem in 1976 by designing a protocol for secure key establishment (distribution) over public channels.

Diffie-Hellman Protocol: If two parties, Alice and Bob, want to create a common secret key, then they first agree, somehow, on a large prime p and a q < p of large order in Z_p^*, and then they perform, through a public channel, the following activities.

Alice chooses, randomly, a large 1 ≤ x < p - 1 and computes X = q^x mod p.
Bob also chooses, again randomly, a large 1 ≤ y < p - 1 and computes Y = q^y mod p.
Alice and Bob exchange X and Y through a public channel, but keep x, y secret.
Alice computes Y^x mod p and Bob computes X^y mod p, and then each of them has the key K = q^{xy} mod p.

An eavesdropper seems to need, in order to determine x from X, q, p and y from Y, q, p, a capability to compute discrete logarithms, or to compute q^{xy} from q^x and q^y, which is believed to be infeasible.
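The exchange above as an added example (not code from the lecture), including the range check on the received public value that a careful implementation performs before raising it to its secret exponent; the prime p = 1019 and generator q = 2 are constructed toy parameters.

```python
# Added example (not from the lecture): the Diffie-Hellman exchange above,
# with validation of the received public value.  Toy-sized parameters are
# used so the helper functions can be brute force; real deployments use
# standardised groups of 2048 bits or more.
import secrets

def is_prime(n: int) -> bool:
    """Trial division; adequate only for the toy-sized moduli used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def order(q: int, p: int) -> int:
    """Multiplicative order of q in Z_p^* (brute force, toy sizes only)."""
    k, acc = 1, q % p
    while acc != 1:
        acc = acc * q % p
        k += 1
    return k

def choose_private(p: int) -> int:
    """Random exponent with 1 <= x < p-1, as the protocol prescribes."""
    return 1 + secrets.randbelow(p - 2)

def public_value(q: int, x: int, p: int) -> int:
    return pow(q, x, p)

def validate_public(value: int, p: int) -> None:
    """Reject values outside (1, p-1): the values 0, 1 and p-1 generate
    tiny subgroups, so the shared key could take only one or two values."""
    if not 1 < value < p - 1:
        raise ValueError("public value out of range: %d" % value)

def shared_key(received: int, own_secret: int, p: int) -> int:
    validate_public(received, p)
    return pow(received, own_secret, p)

def run_exchange(p: int, q: int, x: int, y: int):
    """Honest run with secrets x (Alice) and y (Bob): returns (X, Y, K_Alice, K_Bob)."""
    X = public_value(q, x, p)
    Y = public_value(q, y, p)
    return X, Y, shared_key(Y, x, p), shared_key(X, y, p)

# Constructed parameters: p = 1019 is prime and q = 2 has order 1018 (a generator).
P, Q = 1019, 2

if __name__ == "__main__":
    assert is_prime(P) and order(Q, P) == P - 1
    x, y = choose_private(P), choose_private(P)
    X, Y, ka, kb = run_exchange(P, Q, x, y)
    print("X =", X, "Y =", Y, "K =", ka, "agree:", ka == kb)
```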
KEY DISTRIBUTION / AGREEMENT

One should distinguish between key distribution and key agreement.
Key distribution is a mechanism whereby one party chooses a secret key and then transmits it to another party or parties.
Key agreement is a protocol whereby two (or more) parties jointly establish a secret key by communication over a public channel.
The objective of key distribution or key agreement protocols is that, at the end of the protocols, the two parties involved both have possession of the same key k, and the value of k is not known (at all) to any other party.
MAN-IN-THE-MIDDLE ATTACK

The following attack, by a man-in-the-middle, is possible against the Diffie-Hellman key establishment protocol.

1. Eve chooses an exponent z.
2. Eve intercepts q^x and q^y.
3. Eve sends q^z to both Alice and Bob. (After that Alice believes she has received q^y and Bob believes he has received q^x.)
4. Eve computes K_A = q^{xz} (mod p) and K_B = q^{yz} (mod p).
Alice, not realizing that Eve is in the middle, also computes K_A, and Bob, not realizing that Eve is in the middle, also computes K_B.
5. When Alice sends a message to Bob, encrypted with K_A, Eve intercepts it, decrypts it, then encrypts it with K_B and sends it to Bob.
6. Bob decrypts the message with K_B and obtains the message. At this point he has no reason to think that the communication was insecure.
7. Meanwhile, Eve enjoys reading Alice's message.
Blom's key pre-distribution protocol

allows a trusted authority (Trent - TA) to distribute secret keys to the n(n - 1)/2 pairs of n users.

Let a large prime p > n be publicly known. Steps of the protocol:

1. Each user U in the network is assigned, by Trent, a unique public number r_U < p.
2. Trent chooses three random numbers a, b and c, smaller than p.
3. For each user U, Trent calculates two numbers
a_U = (a + b r_U) mod p, b_U = (b + c r_U) mod p
and sends them via his secure channel to U.
4. Each user U creates the polynomial g_U(x) = a_U + b_U x.
5. If Alice (A) wants to send a message to Bob (B), then Alice computes her key K_AB = g_A(r_B) and Bob computes his key K_BA = g_B(r_A).
6. It is easy to see that K_AB = K_BA and therefore Alice and Bob can now use their (identical) keys to communicate using some secret-key cryptosystem.
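Blom's protocol above as an added example (not code from the lecture): Trent's setup, each user's polynomial g_U, and a check that every pair of users derives the same key. The prime, user numbers and the option to fix (a, b, c) for testing are constructed for this example.

```python
# Added example (not from the lecture): Blom's key pre-distribution scheme
# as in the six steps above.  Trent computes (a_U, b_U) for each user and
# each user evaluates g_U(x) = a_U + b_U x at the partner's public number.
import secrets
from typing import Dict, Optional, Tuple

def trent_setup(p: int, user_ids: Dict[str, int],
                abc: Optional[Tuple[int, int, int]] = None) -> Dict[str, Tuple[int, int]]:
    """Trent picks secret a, b, c < p (or uses the fixed triple abc, for tests)
    and hands every user U the pair (a_U, b_U) over the secure channel.
    user_ids maps a user name to its public number r_U < p."""
    assert p > len(user_ids), "protocol requires a prime p > n"
    assert len(set(user_ids.values())) == len(user_ids), "r_U must be unique"
    a, b, c = abc if abc else tuple(secrets.randbelow(p) for _ in range(3))
    shares = {}
    for name, r in user_ids.items():
        a_u = (a + b * r) % p
        b_u = (b + c * r) % p
        shares[name] = (a_u, b_u)
    return shares

def pair_key(shares: Dict[str, Tuple[int, int]], user_ids: Dict[str, int],
             me: str, partner: str, p: int) -> int:
    """K_{me,partner} = g_me(r_partner) = a_me + b_me * r_partner mod p.
    Expanding gives a + b(r_me + r_partner) + c r_me r_partner, which is
    symmetric in the two users, so both sides obtain the same key."""
    a_u, b_u = shares[me]
    return (a_u + b_u * user_ids[partner]) % p

def all_pairs_agree(shares, user_ids, p: int) -> bool:
    """Check K_AB = K_BA for every pair of users."""
    names = list(user_ids)
    for i, u in enumerate(names):
        for v in names[i + 1:]:
            if pair_key(shares, user_ids, u, v, p) != pair_key(shares, user_ids, v, u, p):
                return False
    return True

# Note (not on the slide): with a degree-1 polynomial any single user learns
# nothing about other pairs' keys, but two colluding users can solve for
# a, b, c; higher-degree variants of Blom's scheme raise that threshold.

if __name__ == "__main__":
    P = 101                                   # constructed toy prime
    USERS = {"Alice": 10, "Bob": 20, "Carol": 33, "Dave": 47}
    S = trent_setup(P, USERS)
    print("K_AB =", pair_key(S, USERS, "Alice", "Bob", P),
          "K_BA =", pair_key(S, USERS, "Bob", "Alice", P),
          "all pairs agree:", all_pairs_agree(S, USERS, P))
```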
Secure communication with secret-key cryptosystems and without any need for secret key distribution (Shamir's "no-key algorithm")

Basic assumption: Each user X has its own
secret encryption function e_X,
secret decryption function d_X,
and all these functions commute (to form a commutative cryptosystem).

Communication protocol with which Alice can send a message w to Bob.

1. Alice sends e_A(w) to Bob.
2. Bob sends e_B(e_A(w)) to Alice.
3. Alice sends d_A(e_B(e_A(w))) = e_B(w) to Bob.
4. Bob performs the decryption to get d_B(e_B(w)) = w.

Disadvantage: 3 communications are needed (in such a context 3 is a much too large number).
Advantage: A perfect protocol for distribution of secret keys.
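The three-pass protocol above as an added example (not code from the lecture), instantiated with commuting functions of the form e_X(w) = w^{e_X} mod p; the prime p and the test exponents are constructed for this example.

```python
# Added example (not from the lecture): Shamir's no-key protocol above with
# the commuting functions e_X(w) = w^{e_X} mod p and d_X(c) = c^{d_X} mod p,
# where e_X d_X = 1 (mod p-1).  Because (w^{e_A})^{e_B} = (w^{e_B})^{e_A},
# Alice can strip her layer from under Bob's in step 3.
from math import gcd
import secrets

def make_user_keys(p: int):
    """A user's private exponent pair (e, d) with e*d = 1 mod (p-1)."""
    while True:
        e = 2 + secrets.randbelow(p - 3)
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def enc(w: int, e: int, p: int) -> int:
    return pow(w, e, p)

def dec(c: int, d: int, p: int) -> int:
    return pow(c, d, p)

def three_pass(w: int, alice: tuple, bob: tuple, p: int):
    """Runs steps 1-4 of the protocol; returns the three transmitted
    messages and what Bob recovers.  alice and bob are (e, d) pairs."""
    assert 0 < w < p
    ea, da = alice
    eb, db = bob
    m1 = enc(w, ea, p)            # 1. Alice -> Bob:  e_A(w)
    m2 = enc(m1, eb, p)           # 2. Bob -> Alice:  e_B(e_A(w))
    m3 = dec(m2, da, p)           # 3. Alice -> Bob:  d_A(e_B(e_A(w))) = e_B(w)
    recovered = dec(m3, db, p)    # 4. Bob:           d_B(e_B(w)) = w
    return m1, m2, m3, recovered

# Caveat (not on the slide): the functions must commute AND each message
# must hide w on its own.  XOR with a key also commutes, but then
# m1 XOR m2 XOR m3 = w, so an eavesdropper reads w from the three passes.

if __name__ == "__main__":
    P = 1019                      # constructed toy prime
    alice, bob = make_user_keys(P), make_user_keys(P)
    m1, m2, m3, out = three_pass(123, alice, bob, P)
    print("transcript:", m1, m2, m3, "Bob recovers:", out)
```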
Cryptography and Computational Complexity

Modern cryptography uses such encryption methods that no "enemy" can have enough computational power and time to break the encryption (even those capable of using thousands of supercomputers during tens of years for this purpose).

Modern cryptography is based on negative and positive results of complexity theory - on the fact that for some algorithmic problems no efficient algorithm seems to exist, surprisingly, and for some "small" modifications of these problems, surprisingly, simple, fast and good (randomized) algorithms do exist. Examples:

Integer factorization: Given n (= pq), it is, in general, infeasible to find p, q.

There is a list of "most wanted to factor integers". Top recent successes, using thousands of computers for months:
(*) Factorization of 2^{2^9} + 1 with 155 digits (1996)
(**) Factorization of a "typical" 155-digit integer (1999)
Primes recognition: Is a given n a prime? - fast randomized algorithms exist (1977). The existence of polynomial deterministic algorithms has been shown only in 2002.
Computationally infeasible problems

Discrete logarithm problem: Given x, y, n, determine an integer a such that $y \equiv x^a \pmod n$ - infeasible in general.
Discrete square root problem: Given integers y, n, compute an integer x such that $y \equiv x^2 \pmod n$ - infeasible in general, easy if the factorization of n is known.
Knapsack problem: Given a (knapsack - integer) vector X = (x_1, ..., x_n) and an (integer capacity) c, find a binary vector (b_1, ..., b_n) such that

$\sum_{i=1}^{n} b_i x_i = c.$

The problem is NP-hard in general, but easy if

$x_i > \sum_{j=1}^{i-1} x_j, \quad 1 < i \le n.$
One-way functions

Informally, a function F: N -> N is said to be a one-way function if it is easily computable - in polynomial time - but any computation of its inverse is infeasible.
A one-way permutation is a 1-1 one-way function.

x -> f(x): easy
f(x) -> x: computationally infeasible

A more formal approach
Definition A function f: {0,1}* -> {0,1}* is called a strongly one-way function if the following conditions are satisfied:

1. f can be computed in polynomial time;
2. there are c, c' > 0 such that $|x|^c \le |f(x)| \le |x|^{c'}$;
3. for every randomized polynomial time algorithm A, and any constant c > 0, there exists an n_c such that for n > n_c

$\Pr[f(A(f(x))) = f(x)] < \frac{1}{n^c}.$

Candidates: Modular exponentiation: f(x) = a^x mod n
Modular squaring f(x) = x^2 mod n, n - a Blum integer
Prime number multiplication f(p, q) = pq.
Trapdoor One-way Functions

The key concept for the design of public-key cryptosystems is that of trapdoor one-way functions.

A function f: X -> Y is a trapdoor one-way function if f and its inverse can be computed efficiently, yet even the complete knowledge of the algorithm to compute f does not make it feasible to determine a polynomial time algorithm to compute the inverse of f.

A candidate: modular squaring with a fixed modulus.

- computation of discrete square roots is unfeasible in general, but quite easy if the decomposition of the modulus into primes is known.

A way to design a trapdoor one-way function is to transform an easy case of a hard (one-way) function to a hard-looking case of such a function, that can be, however, solved easily by those knowing how the above transformation was performed.
Example - Computer passwords

A naive solution is to keep in the computer a file with entries such as

login CLINTON password BUSH,

that is, with logins and their passwords. This is not sufficiently safe.

A safer method is to keep in the computer a file with entries such as

login CLINTON password BUSH one-way function f_c

The idea is that BUSH is a "public" password and CLINTON is the only one that knows a "secret" password, say MADONA, such that

f_c(MADONA) = BUSH
LAMPORT's ONE-TIME PASSWORDS

One-way functions can be used to create a sequence of passwords:

Alice chooses a random w and computes, using a one-way function h, a sequence of passwords
w, h(w), h(h(w)), ..., h^n(w)
Alice then transfers securely "the initial secret" w_0 = h^n(w) to Bob.
The i-th authentication, 0 < i < n + 1, is performed as follows:

- Alice sends w_i = h^{n-i}(w) to Bob for i = 1, 2, ..., n - 1
- Bob checks whether w_{i-1} = h(w_i).

When the number of identifications reaches n, a new w has to be chosen.
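Lamport's scheme above as an added example (not code from the lecture), with h = SHA-256 standing in for the one-way function; Bob keeps only the last accepted password, so a replayed or out-of-order password is rejected, and the chain refuses to issue more than n passwords. The class names and the seed used in the demo are constructed for this example.

```python
# Added example (not from the lecture): the Lamport one-time password chain
# above.  h = SHA-256 here; the slide only assumes some one-way function h.
import hashlib
import secrets
from typing import Optional

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def h_iter(x: bytes, k: int) -> bytes:
    """h^k(x): apply h k times (h^0(x) = x)."""
    for _ in range(k):
        x = h(x)
    return x

class Alice:
    """Holds the secret w and hands out w_i = h^{n-i}(w) for i = 1..n."""
    def __init__(self, n: int, w: Optional[bytes] = None):
        self.n = n
        self.w = w if w is not None else secrets.token_bytes(32)
        self.i = 0                            # passwords already released

    def initial_secret(self) -> bytes:
        """w_0 = h^n(w), transferred to Bob over a secure channel once."""
        return h_iter(self.w, self.n)

    def next_password(self) -> bytes:
        if self.i >= self.n:
            raise RuntimeError("chain exhausted: a new w has to be chosen")
        self.i += 1
        return h_iter(self.w, self.n - self.i)

class Bob:
    """Stores only the last accepted password; never needs w itself."""
    def __init__(self, w0: bytes, n: int):
        self.last, self.n, self.used = w0, n, 0

    def verify(self, w_i: bytes) -> bool:
        """Accept iff w_{i-1} = h(w_i).  A replayed password fails because
        h(w_i) no longer equals the stored value after w_i was accepted."""
        if self.used >= self.n or h(w_i) != self.last:
            return False
        self.last, self.used = w_i, self.used + 1
        return True

if __name__ == "__main__":
    alice = Alice(8)                           # n = 8 authentications
    bob = Bob(alice.initial_secret(), 8)
    pw = alice.next_password()
    print("first login accepted:", bob.verify(pw), "replay accepted:", bob.verify(pw))
```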
General knapsack problem - unfeasible

KNAPSACK PROBLEM: Given an integer vector X = (x_1, ..., x_n) and an integer c, determine a binary vector B = (b_1, ..., b_n) (if it exists) such that X B^T = c.

Knapsack problem with superincreasing vector - easy

Problem Given a superincreasing integer vector X = (x_1, ..., x_n) (i.e. $x_i > \sum_{j=1}^{i-1} x_j$, $1 < i \le n$) and an integer c, determine a binary vector B = (b_1, ..., b_n) (if it exists) such that X B^T = c.

Algorithm - to solve knapsack problems with superincreasing vectors:

for i ← n downto 2 do
    if c ≥ 2x_i then terminate {no solution}
    else if c ≥ x_i then b_i ← 1; c ← c - x_i;
    else b_i ← 0;
if c = x_1 then b_1 ← 1
else if c = 0 then b_1 ← 0;
else terminate {no solution}

Example X = (1, 2, 4, 8, 16, 32, 64, 128, 256, 512), c = 999
X = (1, 3, 5, 10, 20, 41, 94, 199), c = 242
KNAPSACK ENCODING - BASIC IDEAS

Let a (knapsack) vector A = (a_1, ..., a_n) be given.

Encoding of a (binary) message B = (b_1, b_2, ..., b_n) by A is done by the vector/vector multiplication A B^T = c and results in the cryptotext c.

Decoding of c requires solving the knapsack problem for the instance given by the knapsack vector A and the cryptotext c.

The problem is that decoding seems to be infeasible.

Example
If A = (74, 82, 94, 83, 39, 99, 56, 49, 73, 99) and B = (1100110101) then A B^T =
Design of knapsack cryptosystems

1. Choose a superincreasing vector X = (x_1, ..., x_n).
2. Choose m, u such that m > 2x_n, gcd(m, u) = 1.
3. Compute u^{-1} mod m, X' = (x'_1, ..., x'_n), x'_i = u x_i mod m. (diffusion, confusion)

Cryptosystem: X' - public key
X, u, m - trapdoor information

Encryption of a binary vector w of length n: c = X' w

Decryption: compute c' = u^{-1} c mod m and solve the knapsack problem with X and c'.

Lemma Let X, m, u, X', c, c' be as defined above. Then the knapsack problem instances (X, c') and (X', c) have at most one solution, and if one of them has a solution, then the second one has the same solution.

Proof Let X' w = c. Then
$c' \equiv u^{-1} c \equiv u^{-1} X' w \equiv u^{-1} u X w \equiv X w \pmod m.$

Since X is superincreasing and m > 2x_n we have
(X w) mod m = X w
and therefore c' = X w.
Design of knapsack cryptosystems - example

Example X = (1, 2, 4, 9, 18, 35, 75, 151, 302, 606)
m = 1250, u = 41
X' = (41, 82, 164, 369, 738, 185, 575, 1191, 1132, 1096)
In order to encrypt an English plaintext, we first encode its letters by 5-bit numbers: _ - 00000, A - 00001, B - 00010, ..., and then divide the resulting binary strings into blocks of length 10.

Plaintext: Encoding of AFRICA results in vectors
w_1 = (0000100110), w_2 = (1001001001), w_3 = (0001100001)
Encryption: c_1 = X' w_1 = 3061, c_2 = X' w_2 = 2081, c_3 = X' w_3 = 2203

Cryptotext: (3061, 2081, 2203)

Decryption of cryptotexts: (2163, 2116, 1870, 3599)

By multiplying with u^{-1} = 61 (mod 1250) we get new cryptotexts (several new c')
(693, 326, 320, 789)

And, in binary form, the solutions B of the equations X B^T = c' have the form
(1101001001, 0110100010, 0000100010, 1011100101)

Therefore, the resulting plaintext is:
ZIMBABWE
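The superincreasing solver, the key construction and the worked AFRICA / ZIMBABWE example from the three knapsack slides above, as one added example (not code from the lecture). The 5-bit letter encoding follows the slide (_ = 00000, A = 00001, ...); the padding rule for incomplete blocks is an assumption of this example.

```python
# Added example (not from the lecture): Merkle-Hellman knapsack cryptosystem
# as described above, checked against the lecture's numbers.
from math import gcd
from typing import List, Optional

def is_superincreasing(x: List[int]) -> bool:
    return all(x[i] > sum(x[:i]) for i in range(1, len(x)))

def solve_superincreasing(x: List[int], c: int) -> Optional[List[int]]:
    """The slide's greedy algorithm: scan x_n down to x_2, then settle b_1.
    Returns the bit vector b, or None when no solution exists."""
    n = len(x)
    b = [0] * n
    for i in range(n - 1, 0, -1):          # i = n downto 2 (0-based n-1 .. 1)
        if c >= 2 * x[i]:
            return None
        if c >= x[i]:
            b[i], c = 1, c - x[i]
    if c == x[0]:
        b[0] = 1
    elif c != 0:
        return None
    return b

def make_keys(x: List[int], m: int, u: int):
    """Public vector X' = u X mod m and the trapdoor value u^{-1} mod m."""
    assert is_superincreasing(x) and m > 2 * x[-1] and gcd(m, u) == 1
    x_pub = [u * xi % m for xi in x]
    return x_pub, pow(u, -1, m)

def encrypt_block(x_pub: List[int], bits: List[int]) -> int:
    return sum(a * b for a, b in zip(x_pub, bits))       # c = X' w

def decrypt_block(x: List[int], m: int, u_inv: int, c: int) -> List[int]:
    b = solve_superincreasing(x, u_inv * c % m)          # c' = u^{-1} c mod m
    if b is None:
        raise ValueError("cryptotext %d has no solution" % c)
    return b

ALPHABET = "_ABCDEFGHIJKLMNOPQRSTUVWXYZ"                  # '_' = 00000, 'A' = 00001, ...

def encode(text: str, n: int) -> List[List[int]]:
    """5 bits per letter, then blocks of n bits (last block padded with '_' bits)."""
    bits = "".join(format(ALPHABET.index(ch), "05b") for ch in text)
    bits += "0" * (-len(bits) % n)
    return [[int(t) for t in bits[i:i + n]] for i in range(0, len(bits), n)]

def decode(blocks: List[List[int]]) -> str:
    bits = "".join(str(t) for blk in blocks for t in blk)
    chars = [ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits) - 4, 5)]
    return "".join(chars).rstrip("_")

def encrypt(text: str, x_pub: List[int]) -> List[int]:
    return [encrypt_block(x_pub, blk) for blk in encode(text, len(x_pub))]

def decrypt(cts: List[int], x: List[int], m: int, u_inv: int) -> str:
    return decode([decrypt_block(x, m, u_inv, c) for c in cts])

if __name__ == "__main__":
    X = [1, 2, 4, 9, 18, 35, 75, 151, 302, 606]          # the slide's trapdoor vector
    X_PUB, U_INV = make_keys(X, 1250, 41)
    print("X' =", X_PUB, "u^-1 =", U_INV)
    print("AFRICA ->", encrypt("AFRICA", X_PUB))
    print("(2163, 2116, 1870, 3599) ->", decrypt([2163, 2116, 1870, 3599], X, 1250, U_INV))
```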
Story of the Knapsack

Invented: 1978 - Ralph C. Merkle, Martin Hellman
Patented: in 10 countries
Broken: 1982: Adi Shamir

New idea: iterated knapsack cryptosystem using hyper-reachable vectors.

Definition A knapsack vector X' = (x'_1, ..., x'_n) is obtained from a knapsack vector X = (x_1, ..., x_n) by strong modular multiplication if
x'_i = u x_i mod m, i = 1, ..., n,
where

$m > 2 \sum_{i=1}^{n} x_i$

and gcd(u, m) = 1. A knapsack vector X' is called hyper-reachable if there is a sequence of knapsack vectors X = x_0, x_1, ..., x_k = X', where x_0 is a super-increasing vector and, for i = 1, ..., k, x_i is obtained from x_{i-1} by a strong modular multiplication.

The iterated knapsack cryptosystem was broken in 1985 - E. Brickell

New ideas: dense knapsack cryptosystems. The density of a knapsack vector X = (x_1, ..., x_n) is defined by

$d(X) = \frac{n}{\max\{\log x_i \mid 1 \le i \le n\}}$

Remark. The density of super-increasing vectors is $\le \frac{n}{n-1}$.
KNAPSACK CRYPTOSYSTEM - COMMENTS

The term "knapsack" in the name of the cryptosystem is quite misleading.

By the Knapsack problem one usually understands the following problem:

Given n items with weights w_1, w_2, ..., w_n and values v_1, v_2, ..., v_n and a knapsack limit c, the task is to find a bit vector (b_1, b_2, ..., b_n) such that

$\sum_{i=1}^{n} b_i w_i \le c$

and

$\sum_{i=1}^{n} b_i v_i$

is as large as possible.

The term subset sum problem is usually used for the problem used in our construction of the knapsack cryptosystem. It is well known that the decision version of this problem is NP-complete.
Sometimes, for our main version of the knapsack problem, the term Merkle-Hellman (Knapsack) Cryptosystem is used.
McEliece Cryptosystem

The McEliece cryptosystem is based on a similar design principle as the Knapsack cryptosystem. The McEliece cryptosystem is formed by transforming an easy-to-break cryptosystem into a cryptosystem that is hard to break because it seems to be based on a problem that is, in general, NP-hard.

The underlying fact is that the decision version of the decryption problem for linear codes is in general NP-complete. However, for special types of linear codes polynomial-time decryption algorithms exist. One such class of linear codes, the so-called Goppa codes, is used to design the McEliece cryptosystem.

Goppa codes are [2^m, n - mt, 2t + 1]-codes, where n = 2^m.
(McEliece suggested to use m = 10, t = 50.)
McEliece Cryptosystem - DESIGN

Goppa codes are [2^m, n - mt, 2t + 1]-codes, where n = 2^m.

Design of McEliece cryptosystems. Let
G be a generating matrix for an [n, k, d] Goppa code C;
S be a k × k binary matrix invertible over Z_2;
P be an n × n permutation matrix;
G' = SGP.

Plaintexts: P = (Z_2)^k; cryptotexts: C = (Z_2)^n; key: K = (G, S, P, G'); message: w
G' is made public; G, S, P are kept secret.

Encryption: e_K(w, e) = wG' + e, where e is any binary vector of length n and weight t.

Decryption of a cryptotext c = wG' + e ∈ (Z_2)^n:
1. Compute c_1 = cP^{-1} = wSGPP^{-1} + eP^{-1} = wSG + eP^{-1}
2. Decode c_1 to get w_1 = wS,
3. Compute w = w_1 S^{-1}
COMMENTS on McELIECE CRYPTOSYSTEM

1. Each irreducible polynomial over Z_{2^m} of degree t generates a Goppa code with distance at least 2t + 1.
2. In the design of the McEliece cryptosystem the goal of the matrices S and P is to modify a generator matrix G for an easy-to-decode Goppa code to get a matrix that looks like a general random matrix for a linear code, for which the decoding problem is NP-complete.
3. An important novel and unique trick is the introduction, in the encoding process, of a random vector e that represents an introduction of up to t errors - such a number of errors that are correctable using the given Goppa code, and this is the basic trick of the decoding process.
4. Since P is a permutation matrix, eP^{-1} has the same weight as e.
5. As already mentioned, McEliece suggested to use a Goppa code with m = 10 and t = 50. This provides a [1024, 524, 101]-code. Each plaintext is then a 524-bit string, each cryptotext is a 1024-bit string. The public key is a 524 × 1024 matrix.
6. Observe that the number of potential matrices S and P is so large that the probability of guessing these matrices is smaller than the probability of guessing the correct plaintext!!!
7. It can be shown that it is not safe to encrypt twice the same plaintext with the same public key (and different error vectors).
FINAL COMMENTS

1. Public-key cryptosystems can never provide unconditional security. This is because an eavesdropper, on observing a cryptotext c, can encrypt each possible plaintext by the encryption algorithm e_A until he finds a w such that e_A(w) = c.
2. One-way functions exist if and only if P ≠ UP, where UP is the class of languages accepted by unambiguous polynomial time bounded nondeterministic Turing machines.
3. There are actually two types of keys in practical use: A session key is used for sending a particular message (or a few of them). A master key is usually used to generate several session keys.
4. Session keys are usually generated when actually required and discarded after their use. Session keys are usually keys of a secret-key cryptosystem.
5. Master keys are usually used for a longer time and need therefore to be carefully stored. Master keys are usually keys of a public-key cryptosystem.
SATELLITE VERSION of ONE-TIME PAD

Suppose a satellite produces and broadcasts several random sequences of bits at a rate fast enough that no computer can store more than a small fraction of the output.

If Alice wants to send a message to Bob, they first agree, using public-key cryptography, on a method of sampling bits from the satellite outputs.

Alice and Bob use this method to generate a random key and they use it with the ONE-TIME PAD for encryption.

By the time Eve has decrypted their public-key communications, the random streams produced by the satellite and used by Alice and Bob to get the secret key have disappeared, and therefore there is no way for Eve to perform the decryption.

The point is that satellites produce such a large amount of data that Eve cannot store all of it.
RSA cryptosystem

The most important public-key cryptosystem is the RSA cryptosystem, on which one can also illustrate a variety of important ideas of modern public-key cryptography.

For example, we will discuss various possible attacks on the RSA cryptosystem and problems related to the security of RSA.

Special attention will be given in Chapter 7 to the problem of factorization of integers, which plays such an important role for the security of RSA.

In doing that we will illustrate modern distributed techniques to factorize very large integers.
DESIGN and USE of RSA CRYPTOSYSTEM

Invented in 1978 by Rivest, Shamir, Adleman
Basic idea: prime multiplication is very easy, integer factorization seems to be unfeasible.

Design of RSA cryptosystems
1. Choose two large s-bit primes p, q, s in [512, 1024], and denote

$n = pq, \quad \phi(n) = (p-1)(q-1).$

2. Choose a large d such that

$\gcd(d, \phi(n)) = 1$

and compute

$e = d^{-1} \pmod{\phi(n)}.$

Public key: n (modulus), e (encryption exponent)
Trapdoor information: p, q, d (decryption exponent)
Plaintext w
Encryption: cryptotext c = w^e mod n
Decryption: plaintext w = c^d mod n
Details: A plaintext is first encoded as a word over the alphabet {0, 1, ..., 9}, then divided into blocks of length i - 1, where 10^{i-1} < n < 10^i. Each block is taken as an integer and encrypted using modular exponentiation.
Correctness of RSA

Let c = w^e mod n be the cryptotext for a plaintext w, in the cryptosystem with

$n = pq, \quad ed \equiv 1 \pmod{\phi(n)}, \quad \gcd(d, \phi(n)) = 1.$

In such a case

$w \equiv c^d \pmod n$

and, if the decryption is unique, w = c^d mod n.

Proof Since $ed \equiv 1 \pmod{\phi(n)}$, there exists a $j \in \mathbb{N}$ such that $ed = j\phi(n) + 1$.
Case 1. Neither p nor q divides w.
In such a case gcd(n, w) = 1 and by Euler's Totient Theorem we get that

$c^d = w^{ed} = w^{j\phi(n)+1} \equiv w \pmod n.$

Case 2. Exactly one of p, q divides w - say p.
In such a case $w^{ed} \equiv w \pmod p$ and by Fermat's Little Theorem $w^{q-1} \equiv 1 \pmod q$:

$w^{q-1} \equiv 1 \pmod q \;\Rightarrow\; w^{\phi(n)} \equiv 1 \pmod q \;\Rightarrow\; w^{j\phi(n)} \equiv 1 \pmod q \;\Rightarrow\; w^{ed} \equiv w \pmod q.$

Therefore:

$w \equiv w^{ed} \equiv c^d \pmod n.$

Case 3. Both p, q divide w.
This cannot happen because, by our assumption, w < n.
DESIGN and USE of RSA CRYPTOSYSTEM

Example of the design and of the use of RSA cryptosystems.
By choosing p = 41, q = 61 we get n = 2501, φ(n) = 2400
By choosing d = 2087 we get e = 23
By choosing d = 2069 we get e = 29
By choosing other values of d we would get other values of e.
Let us choose the first pair of encryption/decryption exponents (e = 23 and d = 2087).

Plaintext: KARLSRUHE
Encoding: 100017111817200704
Since 10^3 < n < 10^4, the numerical plaintext is divided into blocks of 3 digits; 6 plaintext integers are obtained:
100, 017, 111, 817, 200, 704
Encryption:
100^23 mod 2501, 17^23 mod 2501, 111^23 mod 2501
817^23 mod 2501, 200^23 mod 2501, 704^23 mod 2501
provides the cryptotexts: 2306, 1893, 621, 1380, 490, 313
Decryption:
2306^2087 mod 2501 = 100, 1893^2087 mod 2501 = 17
621^2087 mod 2501 = 111, 1380^2087 mod 2501 = 817
490^2087 mod 2501 = 200, 313^2087 mod 2501 = 704
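The RSA design and use from the two slides above as an added example (not code from the lecture): key derivation from (p, q, d), the two-digit letter encoding and the digit-block rule, reproduced on the lecture's p = 41, q = 61, d = 2087, KARLSRUHE numbers. The letter code A = 00 ... Z = 25 is read off the slide's encoding; the zero padding of a short last block is an assumption of this example.

```python
# Added example (not from the lecture): RSA exactly as on the design slide,
# from (p, q, d) to encrypting the decimal-digit blocks of a plaintext.
from math import gcd
from typing import List, Tuple

def rsa_keys(p: int, q: int, d: int) -> Tuple[int, int, int]:
    """Returns (n, e, phi): e is the inverse of d modulo phi(n) = (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(d, phi) != 1:
        raise ValueError("d must be coprime to phi(n)")
    return n, pow(d, -1, phi), phi

def block_len(n: int) -> int:
    """Blocks of i - 1 digits, where 10^(i-1) < n < 10^i."""
    return len(str(n)) - 1

def encode(text: str, n: int) -> List[int]:
    """Letters -> two decimal digits (A = 00 ... Z = 25), then blocks of
    block_len(n) digits.  A short last block is padded with "00" (an A)."""
    digits = "".join("%02d" % (ord(ch) - ord("A")) for ch in text)
    k = block_len(n)
    while len(digits) % k:
        digits += "00"
    return [int(digits[j:j + k]) for j in range(0, len(digits), k)]

def decode(blocks: List[int], n: int) -> str:
    """Inverse of encode (leading zeros of each block are restored)."""
    k = block_len(n)
    digits = "".join(str(b).zfill(k) for b in blocks)
    return "".join(chr(ord("A") + int(digits[j:j + 2]))
                   for j in range(0, len(digits) - 1, 2))

def encrypt(blocks: List[int], e: int, n: int) -> List[int]:
    return [pow(w, e, n) for w in blocks]          # c = w^e mod n

def decrypt(blocks: List[int], d: int, n: int) -> List[int]:
    return [pow(c, d, n) for c in blocks]          # w = c^d mod n

if __name__ == "__main__":
    n, e, phi = rsa_keys(41, 61, 2087)              # the slide's toy key
    print("n =", n, "phi(n) =", phi, "e =", e)
    blocks = encode("KARLSRUHE", n)
    ct = encrypt(blocks, e, n)
    print("blocks:", blocks, "cryptotexts:", ct)
    print("recovered:", decode(decrypt(ct, 2087, n), n))
```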
RSA challenge

One of the first descriptions of RSA was in the paper
Martin Gardner: Mathematical games, Scientific American, 1977
and in this paper the RSA inventors presented the following challenge.

Decrypt the cryptotext:
9686 9613 7546 2206 1477 1409 2225 4355 8829 0575 9991 1245 7431 9874
6951 2093 0816 2982 2514 5708 3569 3147 6622 8839 8962 8013 3919 9055
1829 9451 5781 5154

encrypted using the RSA cryptosystem with the 129-digit number, also called RSA129,
n: 114 381 625 757 888 867 669 235 779 976 146 612 010 218 296 721 242 362
562 561 842 935 706 935 245 733 897 830 597 123 513 958 705 058 989 075 147
599 290 026 879 543 541.

and with e = 9007.

The problem was solved in 1994 by first factorizing n into one 64-bit prime and one 65-bit prime, and then computing the plaintext

THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE
How to design a good RSA cryptosystem

1. How to choose large primes p, q?
Choose randomly a large integer p, and verify, using a randomized algorithm, whether p is prime. If not, check p + 2, p + 4, ...
From the Prime Number Theorem it follows that there are approximately

$\frac{2^d}{d \log 2} - \frac{2^{d-1}}{(d-1) \log 2}$

d-bit primes. (The probability that a 512-bit number is prime is 0.00562.)

2. What kind of relations should there be between p and q?
2.1 The difference |p - q| should be neither too small nor too large.
2.2 gcd(p - 1, q - 1) should not be large.
2.3 Both p - 1 and q - 1 should contain large prime factors.
2.4 Quite ideal case: q, p should be safe primes - such that also (p - 1)/2 and (q - 1)/2 are primes. (83, 107, 10^{100} + 166517 are examples of safe primes.)
3. How to choose e and d?
3.1 Neither d nor e should be small.
3.2 d should not be smaller than n^{1/4}. (For d < n^{1/4} a polynomial time algorithm is known to determine d.)
Prime recognition and factorization

The key problems for the development of the RSA cryptosystem are those of prime recognition and integer factorization.

In August 2002, the first polynomial time algorithm was discovered that allows one to determine whether a given m-bit integer is a prime. The algorithm works in time O(m^12).

Fast randomized algorithms for prime recognition have been known since 1977. One of the simplest is due to Rabin and will be presented later.

For integer factorization the situation is somewhat different.
No polynomial time classical algorithm is known.
Simple, but not efficient, factorization algorithms are known.
Several sophisticated distributed factorization algorithms are known that allowed to factorize, using enormous computation power, surprisingly large integers.
Progress in integer factorization, due to progress in algorithms and technology, has been recently enormous.
Polynomial time quantum algorithms for integer factorization have been known since 1994 (P. Shor).

Several simple and some sophisticated factorization algorithms will be presented and illustrated in the following.
Rabin-Miller's prime recognition

Rabin-Miller's Monte Carlo prime recognition algorithm is based on the following result from number theory.

Lemma Let n ∈ N. Denote, for 1 ≤ x ≤ n, by C(x) the condition:

Either $x^{n-1} \not\equiv 1 \pmod n$, or there is an $m = \frac{n-1}{2^i}$ for some i, such that $1 < \gcd(n, x^m - 1) < n$.

If C(x) holds for some 1 ≤ x ≤ n, then n is not a prime. If n is not a prime, then C(x) holds for at least half of the x between 1 and n.

Algorithm:

Choose randomly integers x_1, x_2, ..., x_m such that 1 ≤ x_i ≤ n.
For each x_i determine whether C(x_i) holds.
Claim: If C(x_i) holds for some i, then n is not a prime for sure. Otherwise n is prime, with probability of error 2^{-m}.
Factorization of 512-bit and 663-bit numbers

On August 22, 1999, a team of scientists from 6 countries found, after 7 months of computing, using 300 very fast SGI and SUN workstations and Pentium IIs, the factors of the so-called RSA-155 number with 512 bits (about 155 digits).

RSA-155 was a number from a Challenge list issued by the US company RSA Data Security and "represented" 95% of the 512-bit numbers used as keys to protect electronic commerce and financial transmissions on the Internet.
Factorization of RSA-155 would require in total 37 years of computing time on a single computer.
When in 1977 Rivest and his colleagues challenged the world to factor RSA-129, they estimated that, using the knowledge of that time, factorization of RSA-129 would require 10^16 years.
In 2005 RSA-200, a 663-bit number, was factorized by a team of the German Federal Agency for Information Technology Security, using the CPUs of 80 AMD Opterons.
LARGE NUMBERS

Hindus named many large numbers - one having 153 digits.
Romans initially had no terms for numbers larger than 10^4.
Greeks had a popular belief that no number is larger than the total count of sand grains needed to fill the universe.

Large numbers with special names:
duotrigintillion = googol - 10^100
googolplex - 10^{10^100}
10^{10^{10^{34}}}

FACTORIZATION of very large NUMBERS

W. Keller factorized F_{23471}, which has 10^7000 digits.
J. Harley factorized 10^{10^1000} + 1.
One factor: 316,912,650,057,350,374,175,801,344,000,001

1992: E. Crandall and Doenias proved, using a computer, that F_22, which has more than a million digits, is composite (but no factor of F_22 is known).

The number was used to develop a theory of the distribution of prime numbers.
DESIGN OF GOOD RSA CRYPTOSYSTEMS

Claim 1. The difference |p - q| should not be small.
Indeed, if |p - q| is small, and p > q, then (p + q)/2 is only slightly larger than $\sqrt{n}$, because

$n = \frac{(p+q)^2}{4} - \frac{(p-q)^2}{4}.$

In addition, $\frac{(p+q)^2}{4} - n$ is a square, say y^2.
In order to factor n, it is then enough to test x > $\sqrt{n}$ until an x is found such that x^2 - n is a square, say y^2. In such a case
p + q = 2x, p - q = 2y and therefore p = x + y, q = x - y.

Claim 2. gcd(p - 1, q - 1) should not be large.
Indeed, in the opposite case s = lcm(p - 1, q - 1) is much smaller than $\phi(n)$. If

$d' e \equiv 1 \pmod s,$

then, for some integer k,

$c^{d'} = w^{ed'} = w^{ks+1} \equiv w \pmod n,$

since p - 1 | s, q - 1 | s and therefore $w^{ks+1} \equiv w \pmod p$ and $w^{ks+1} \equiv w \pmod q$. Hence d' can serve as a decryption exponent.
Moreover, in such a case s can be obtained by testing.

Question Are there enough primes (to choose again and again new ones)?
No problem, the number of primes of length 512 bits or less exceeds 10^150.
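The Rabin-Miller test, the "check p, p + 2, p + 4, ..." prime search and the design rules of the two RSA-design slides above, as one added example (not code from the lecture). The test is written in its usual witness form (n - 1 = 2^s m with m odd; a witness is an x for which the sequence x^m, x^{2m}, ... never reaches -1 before reaching 1), and the numeric thresholds in the key validator are assumptions of this example, not values from the slides.

```python
# Added example (not from the lecture): Rabin-Miller primality test, the
# prime search from the slide and a validator for the slide's design rules
# (|p-q| not small, gcd(p-1, q-1) not large, d > n^(1/4)).
import secrets
from math import gcd
from typing import List

def rabin_miller(n: int, rounds: int = 40) -> bool:
    """False => n is composite for sure; True => prime, error <= 2^(-rounds)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    s, m = 0, n - 1
    while m % 2 == 0:                            # n - 1 = 2^s * m, m odd
        s, m = s + 1, m // 2
    for _ in range(rounds):
        x = 2 + secrets.randbelow(n - 3)         # random 2 <= x <= n-2
        y = pow(x, m, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False                         # x witnesses compositeness
    return True

def next_prime(start: int) -> int:
    """The slide's search: test start, start+2, start+4, ... (start made odd)."""
    p = start | 1
    while not rabin_miller(p):
        p += 2
    return p

def random_prime(bits: int) -> int:
    """Random prime with the top bit set, so it really has `bits` bits."""
    return next_prime(secrets.randbits(bits) | (1 << (bits - 1)))

def key_hygiene(p: int, q: int, d: int) -> List[str]:
    """Returns the design rules from the slides that (p, q, d) violate.
    Thresholds are assumptions of this example: |p-q| below about n^(1/4)
    makes the Fermat-style search of Claim 1 short, and a gcd(p-1, q-1)
    above 2^16 is treated as 'large'."""
    problems = []
    n = p * q
    if p == q or abs(p - q) < 2 ** (max(p, q).bit_length() // 2):
        problems.append("|p-q| too small: x^2 - n becomes a square after few steps")
    if gcd(p - 1, q - 1) > 2 ** 16:
        problems.append("gcd(p-1, q-1) large: lcm(p-1, q-1) yields a short decryption exponent")
    if d ** 4 <= n:
        problems.append("d <= n^(1/4): a polynomial time algorithm recovers d")
    return problems

if __name__ == "__main__":
    p, q = random_prime(512), random_prime(512)
    print("512-bit primes found; |p-q| bits:", abs(p - q).bit_length())
    print("toy key (41, 61, 2087) problems:", key_hygiene(41, 61, 2087))
```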
How important is factorization for breaking RSA?

1. If integer factorization is feasible, then RSA is breakable.
2. There is no proof that factorization is indeed needed to break RSA.
3. If a method of breaking RSA would provide an effective way to get the trapdoor information, then factorization could be done effectively.

Theorem Any algorithm to compute φ(n) can be used to factor integers with the same complexity.

Theorem Any algorithm for computing d can be converted into a randomized algorithm for factoring integers with the same complexity.

4. There are setups in which RSA can be broken without factoring the modulus n.

Example An agency chooses p, q and computes a modulus n = pq that is publicized and common to all users U_1, U_2, ..., and also the encryption exponents e_1, e_2, ... are publicized. Each user U_i gets his decryption exponent d_i.

In such a setting any user is able to find in deterministic quadratic time another user's decryption exponent.
Security of RSA
None of the numerous attempts to develop attacks on RSA has turned out to be successful.
There are various results showing that it is impossible to obtain even only partial information about the plaintext from the cryptotext produced by the RSA cryptosystem.
We will show that if the following two functions, which are computationally polynomially equivalent, were efficiently computable, then the RSA cryptosystem with the encryption (decryption) exponents $e_k$ ($d_k$) would be breakable.
$$\mathrm{parity}_{e_k}(c) = \text{the least significant bit of such a } w \text{ that } e_k(w) = c;$$
$$\mathrm{half}_{e_k}(c) = 0 \text{ if } 0 \le w < \frac{n}{2} \quad\text{and}\quad \mathrm{half}_{e_k}(c) = 1 \text{ if } \frac{n}{2} \le w \le n - 1.$$
We show two important properties of the functions half and parity.
1. Polynomial time computational equivalence of the functions half and parity follows from the following identities
$$\mathrm{half}_{e_k}(c) = \mathrm{parity}_{e_k}((c \cdot e_k(2)) \bmod n),$$
$$\mathrm{parity}_{e_k}(c) = \mathrm{half}_{e_k}((c \cdot e_k(2^{-1})) \bmod n)$$
(with $2^{-1}$ the inverse of 2 modulo n) and the multiplicative rule $e_k(w_1)\, e_k(w_2) = e_k(w_1 w_2)$.
2. There is an efficient algorithm to determine plaintexts w from the cryptotexts c obtained by RSA-encryption, provided the efficiently computable function half can be used as the oracle:
38 Public-key cryptography
Security of RSA
BREAKING RSA USING AN ORACLE
Algorithm:
for i = 0 to [lg n] do
    c_i ← half(c); c ← (c · e_k(2)) mod n
l ← 0; u ← n
for i = 0 to [lg n] do
    m ← (l + u) / 2;
    if c_i = 1 then l ← m else u ← m;
output [u]

Indeed, in the first cycle
$$c_i = \mathrm{half}(c \cdot e_k(2)^i) = \mathrm{half}(e_k(2^i w))$$
is computed for $0 \le i \le \lg n$.
In the second part of the algorithm binary search is used to determine the interval in which w lies. For example, we have that
$$\mathrm{half}(e_k(w)) = 0 \iff w \in \left[0, \tfrac{n}{2}\right),$$
$$\mathrm{half}(e_k(2w)) = 0 \iff w \in \left[0, \tfrac{n}{4}\right) \cup \left[\tfrac{n}{2}, \tfrac{3n}{4}\right),$$
$$\mathrm{half}(e_k(4w)) = 0 \iff w \in \left[0, \tfrac{n}{8}\right) \cup \left[\tfrac{n}{4}, \tfrac{3n}{8}\right) \cup \left[\tfrac{n}{2}, \tfrac{5n}{8}\right) \cup \left[\tfrac{3n}{4}, \tfrac{7n}{8}\right).$$
39 Public-key cryptography
Security of RSA
There are many results for RSA showing that certain parts are as hard as the whole.
For example, any feasible algorithm to determine the last bit of the plaintext can be converted into a feasible algorithm to determine the whole plaintext.

Example Assume that we have an algorithm H to determine whether a plaintext x designed in RSA with public key e, n is smaller than n / 2 if the cryptotext y is given.

We construct an algorithm A to determine in which of the intervals (jn/8, (j + 1)n/8), $0 \le j \le 7$, the plaintext lies.

Basic idea H can be used to decide whether the plaintexts for the cryptotexts $x^e \bmod n$, $2^e x^e \bmod n$, $4^e x^e \bmod n$ are smaller than n / 2.

Answers
yes, yes, yes   0 < x < n/8        no, yes, yes   n/2 < x < 5n/8
yes, yes, no    n/8 < x < n/4      no, yes, no    5n/8 < x < 3n/4
yes, no, yes    n/4 < x < 3n/8     no, no, yes    3n/4 < x < 7n/8
yes, no, no     3n/8 < x < n/2     no, no, no     7n/8 < x < n
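The oracle algorithm of the previous slide and the eighth-interval example above, run end to end on a constructed toy key; this is an added example, not the lecture's code. The half oracle is simulated with the private key, which the reduction assumes is given to the algorithm as a black box; n = 61 · 101 and e = 17 are this example's own choices.

```python
from fractions import Fraction
from math import floor, log2

# Constructed toy RSA key (not from the lecture): n = 61 * 101, e = 17.
P, Q, E = 61, 101, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def encrypt(w):
    return pow(w, E, N)

def half_oracle(c):
    """The oracle of the slide: 1 iff the plaintext w of c satisfies w >= n/2.
    Simulated here with the private key; the reduction only assumes it is available."""
    return 1 if 2 * pow(c, D, N) >= N else 0

def recover_with_half_oracle(c):
    """First loop: c_i = half(e_k(2^i w)) for i = 0..[lg n], using c * e_k(2) = e_k(2w).
    Second loop: binary search on [l, u) with exact rationals; the answer is [u]."""
    bits = []
    c2 = encrypt(2)
    for _ in range(floor(log2(N)) + 1):
        bits.append(half_oracle(c))
        c = (c * c2) % N
    lo, hi = Fraction(0), Fraction(N)
    for b in bits:
        mid = (lo + hi) / 2
        if b == 1:
            lo = mid
        else:
            hi = mid
    return floor(hi)

def eighth_interval(c):
    """Slide-39 variant: the three answers for x^e, 2^e x^e, 4^e x^e (yes = 0, no = 1),
    read as a binary number, give the j with j*n/8 < x < (j+1)*n/8, as in the table."""
    j = 0
    for i in range(3):
        j = 2 * j + half_oracle((c * encrypt(2 ** i)) % N)
    return j
```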
40 Public-key cryptography
RSA with a composite "to be a prime"
Let us explore what happens if some integer p used, as a prime, to design an RSA is actually not a prime.

Let n = pq where q is a prime, but $p = p_1 p_2$, where $p_1, p_2$ are primes. In such a case
$$\phi(n) = (p_1 - 1)(p_2 - 1)(q - 1),$$
but assume that the RSA-designer works with
$$\phi_1(n) = (p - 1)(q - 1).$$
Let $u = \mathrm{lcm}(p_1 - 1, p_2 - 1, q - 1)$ and let gcd(w, n) = 1. In such a case
$$w^{p_1 - 1} \equiv 1 \pmod{p_1},\quad w^{p_2 - 1} \equiv 1 \pmod{p_2},\quad w^{q - 1} \equiv 1 \pmod{q}$$
and as a consequence
$$w^{u} \equiv 1 \pmod{n}.$$
In such a case u divides $\phi(n)$, and let us assume that also u divides $\phi_1(n)$. Then
$$w^{\phi_1(n) + 1} \equiv w \pmod{n}.$$
So if $ed \equiv 1 \pmod{\phi_1(n)}$, then encryption and decryption work as if p were prime.

Example p = 91 = 7 · 13, q = 41, n = 3731, $\phi_1(n) = 3600$, $\phi(n) = 2880$, lcm(6, 12, 40) = 120, $120 \mid \phi_1(n)$.
If $\gcd(d, \phi_1(n)) = 1$, then $\gcd(d, \phi(n)) = 1$ and one can compute e using $\phi_1(n)$.
However, if u does not divide $\phi_1(n)$, then the cryptosystem does not work properly.
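The slide's p = 91 example checked by computation, together with a constructed case where u does not divide $\phi_1(n)$; this is an added example, not the lecture's code. The helper names and the counterexample parameters (p = 21, q = 5, e = 3) are this example's own choices.

```python
from functools import reduce
from math import gcd

def lcm(*xs):
    return reduce(lambda a, b: a * b // gcd(a, b), xs)

def rsa_with_composite_p(p, q, e, prime_factors_of_p):
    """Set RSA up the way the slide's designer does, with phi_1(n) = (p-1)(q-1), while p
    may secretly be composite (its true prime factors are passed in for the check).
    Returns (roundtrip_ok, u, u_divides_phi_1): whether every w in [1, n) with
    gcd(w, n) = 1 survives encrypt-then-decrypt, u = lcm(p_1-1, ..., q-1), and u | phi_1(n)."""
    n = p * q
    phi_1 = (p - 1) * (q - 1)
    d = pow(e, -1, phi_1)                     # the designer's d, an inverse only mod phi_1(n)
    u = lcm(*[r - 1 for r in prime_factors_of_p], q - 1)
    ok = all(pow(pow(w, e, n), d, n) == w for w in range(1, n) if gcd(w, n) == 1)
    return ok, u, phi_1 % u == 0

# The slide's example: p = 91 = 7 * 13 is composite, q = 41, n = 3731, phi_1(n) = 3600.
GOOD = rsa_with_composite_p(91, 41, 7, (7, 13))   # u = 120 divides 3600: RSA still works

# Constructed counterexample (not from the slide): p = 21 = 3 * 7, q = 5, n = 105.
# phi_1(n) = 80, u = lcm(2, 6, 4) = 12, and 12 does not divide 80, so decryption fails.
BAD = rsa_with_composite_p(21, 5, 3, (3, 7))
```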
41 Public-key cryptography
Two users should not use the same modulus
Otherwise, users, say A and B, would be able to decrypt each other's messages using the following method.
Decryption: B computes
$$f = \gcd(e_B d_B - 1,\ e_A), \qquad m = \frac{e_B d_B - 1}{f}.$$
Since
$$e_B d_B - 1 = k\,\phi(n) \text{ for some } k,$$
it holds:
$$\gcd(e_A, \phi(n)) = 1 = \gcd(f, \phi(n))$$
and therefore
$$m \text{ is a multiple of } \phi(n).$$
m and $e_A$ have no common divisor and therefore there exist integers u, v such that
$$um + v e_A = 1.$$
Since m is a multiple of $\phi(n)$ we have
$$1 = um + v e_A \equiv v e_A \pmod{\phi(n)}$$
and since $e_A d_A \equiv 1 \pmod{\phi(n)}$ we have
$$e_A (v - d_A) \equiv 0 \pmod{\phi(n)}$$
and therefore
$$v \equiv d_A \pmod{\phi(n)}$$
is a decryption exponent of A. Indeed, for a cryptotext c:
$$c^{v} = w^{e_A v} \equiv w^{e_A d_A} \equiv w \pmod{n}.$$
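The derivation above carried out on constructed numbers, as an added example that is not the lecture's code, to show why a deployment in which two users share a modulus has to be rejected: B's own pair (e_B, d_B) plus A's public e_A yields an exponent equivalent to d_A. The modulus n = 61 · 53 and the exponents 17 and 7 are this example's own choices, and it follows the slide literally, including its assumption gcd(m, e_A) = 1.

```python
from math import gcd

def exponent_from_shared_modulus(e_b, d_b, e_a):
    """The slide's steps: f = gcd(e_B d_B - 1, e_A), m = (e_B d_B - 1)/f is a multiple
    of phi(n), and v with u*m + v*e_A = 1 satisfies v = d_A mod phi(n)."""
    f = gcd(e_b * d_b - 1, e_a)
    m = (e_b * d_b - 1) // f
    if gcd(m, e_a) != 1:
        raise ValueError("the slide's assumption gcd(m, e_A) = 1 does not hold here")
    return pow(e_a, -1, m)            # v*e_A = 1 mod m, hence also mod phi(n)

# Constructed shared-modulus setup (not from the slide): n = 61 * 53, phi(n) = 3120.
N, PHI = 3233, 3120
E_B, D_B = 17, pow(17, -1, PHI)
E_A, D_A = 7, pow(7, -1, PHI)

def b_decrypts_message_to_a(w):
    """True when c = w^{e_A} mod n is recovered with the exponent B derived."""
    v = exponent_from_shared_modulus(E_B, D_B, E_A)
    return pow(pow(w, E_A, N), v, N) == w
```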
42 Public-key cryptography
Private-key versus public-key cryptography
The prime advantage of public-key cryptography is increased security - the
private keys do not ever need to be transmitted or revealed to anyone.
Public key cryptography is not meant to replace secret-key cryptography, but
rather to supplement it, to make it more secure.
Example RSA and DES (AES) are usually combined as follows
1. The message is encrypted with a random DES key
2. DES-key is encrypted with RSA
3. DES-encrypted message and RSA-encrypted DES-key are sent.

This protocol is called RSA digital envelope.
In software (hardware) DES is generally about 100 (1000) times faster than RSA.

If n users communicate with secret-key cryptography, they need n (n - 1) / 2 keys.
If n users communicate with public-key cryptography 2n keys are sufficient.

Public-key cryptography allows spontaneous communication.
43 Public-key cryptography
KERBEROS
We describe a very popular key distribution protocol with a trusted authority TA with which each user A shares a secret key $K_A$.

To communicate with user B the user A asks TA for a session key (K).
TA chooses a random session key K, a time-stamp T, and a lifetime limit L.
TA computes
$$m_1 = e_{K_A}(K, ID(B), T, L), \qquad m_2 = e_{K_B}(K, ID(B), T, L)$$
and sends $m_1, m_2$ to A.

A decrypts $m_1$, recovers K, T, L, ID(B), computes $m_3 = e_K(ID(B), T)$ and sends $m_2$ and $m_3$ to B.
B decrypts $m_2$ and $m_3$, checks whether the two values of T and of ID(B) are the same. If so, B computes $m_4 = e_K(T + 1)$ and sends it to A.
A decrypts $m_4$ and verifies that she got T + 1.
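The four-message exchange above with both sides' checks, as an added example that is not part of the lecture. The symmetric encryption $e_K$ is a stand-in built from a SHA-256 keystream and an HMAC tag (an assumption of this example, not a real cipher); the key table, message layout and lifetime check are also this example's own choices.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, length):
    # SHA-256 counter keystream; part of the toy cipher, not a production design
    out = b""
    for ctr in range(length // 32 + 1):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:length]

def e(key, msg):
    """Stand-in for e_K: XOR with the keystream plus an HMAC tag (toy, assumption)."""
    data, nonce = json.dumps(msg).encode(), os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return body + hmac.new(key, body, "sha256").digest()

def d(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("authentication failed")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

KEYS = {"A": os.urandom(32), "B": os.urandom(32)}   # K_A and K_B, each shared with TA

def ta_issue(a, b, lifetime=300):
    """TA picks session key K, time-stamp T and lifetime L, then builds m_1 and m_2."""
    K, T = os.urandom(32).hex(), int(time.time())
    m1 = e(KEYS[a], {"K": K, "ID": b, "T": T, "L": lifetime})
    m2 = e(KEYS[b], {"K": K, "ID": b, "T": T, "L": lifetime})  # carries ID(B), as on the slide
    return m1, m2

def run_protocol(a="A", b="B"):
    """Returns True when A finally receives T + 1 under K, i.e. both sides agreed on K."""
    m1, m2 = ta_issue(a, b)
    t_a = d(KEYS[a], m1); K_a = bytes.fromhex(t_a["K"])        # A recovers K, T, L, ID(B)
    m3 = e(K_a, {"ID": t_a["ID"], "T": t_a["T"]})
    t_b = d(KEYS[b], m2); K_b = bytes.fromhex(t_b["K"])        # B decrypts m_2 ...
    auth = d(K_b, m3)                                           # ... and m_3 under K
    if auth["T"] != t_b["T"] or auth["ID"] != t_b["ID"] or time.time() > t_b["T"] + t_b["L"]:
        return False                                            # T or ID(B) mismatch, or expired
    m4 = e(K_b, {"T": t_b["T"] + 1})
    return d(K_a, m4)["T"] == t_a["T"] + 1
```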
