Cryptography

and Network
Security
Sixth Edition
by William Stallings
 Chapter 9
Public Key Cryptography and RSA
“Every Egyptian received two names, which
were known respectively as the true name
and the good name, or the great name and
the little name; and while the good or little
name was made public, the true or great
name appears to have been carefully
concealed.”
—The Golden Bough,
Sir James George Frazer
3
 Misconceptions Concerning
Public-Key Encryption
• Public-key encryption is more secure from
cryptanalysis than symmetric encryption
• Public-key encryption is a general-purpose
technique that has made symmetric encryption
obsolete
• There is a feeling that key distribution is trivial
when using public-key encryption, compared to
the cumbersome handshaking involved with key
distribution centers for symmetric encryption
4
 Table 9.1
Terminology Related to Asymmetric Encryption

5
Source: Glossary of Key Information Security Terms, NIST IR 7298 [KISS06]
 Principles of Public-Key
Cryptosystems
• The concept of public-key cryptography evolved from an
attempt to attack two of the most difficult problems
associated with symmetric encryption:
Key distribution
• How to have secure communications in general without having to
trust a KDC with your key

Digital signatures
• How to verify that a message comes intact from the claimed sender

• Whitfield Diffie and Martin Hellman from Stanford

University achieved a breakthrough in 1976 by coming up
with a method that addressed both problems and was
radically different from all previous approaches to
cryptography
6
 Public-Key Cryptosystems
• A public-key encryption scheme has six ingredients:

Encryptio Decryptio
Private Ciphertex
Plaintext n Public key n
key t
algorithm algorithm

Accepts
The the
readable Performs ciphertext
Used for Used for The
message various and the
encryptio encryptio scrambled
or data transform matching
n or n or message
that is fed -ations on key and
decryptio decryptio produced
into the the produces
n n as output
algorithm plaintext the
as input original
plaintext

7
 Public-Key
Cryptography

8
 Table 9.2
Conventional and Public-Key Encryption

9
Public-Key Cryptosystem: Secrecy

10
Public-Key Cryptosystem: Authentication

11
 Public-Key Cryptosystem:
Authentication and Secrecy

12
Applications for Public-Key
Cryptosystems
• Public-key cryptosystems can be classified into three
categories:
• The sender encrypts a message
Encryption/decryption with the recipient’s public key

• The sender “signs” a message

Digital signature with its private key

• Two sides cooperate to

Key exchange exchange a session key

• Some algorithms are suitable for all three

applications, whereas others can be used only for
one or two 13
 Table 9.3
Applications for Public-Key Cryptosystems

Table 9.3 Applications for Public-Key Cryptosystems

14
Public-Key Requirements
• Conditions that these algorithms must fulfill:
• It is computationally easy for a party B to generate a pair
(public-key PUb, private key PRb)
• It is computationally easy for a sender A, knowing the public
key and the message to be encrypted, to generate the
corresponding ciphertext
• It is computationally easy for the receiver B to decrypt the
resulting ciphertext using the private key to recover the
original message
• It is computationally infeasible for an adversary, knowing the
public key, to determine the private key
• It is computationally infeasible for an adversary, knowing the
public key and a ciphertext, to recover the original message
• (optional) The two keys can be applied in either order
15
 Public-Key Requirements
• Need a trap-door one-way function
• A one-way function is one that maps a domain into a range such that
every function value has a unique inverse, with the condition that
the calculation of the function is easy, whereas the calculation of the
inverse is infeasible
• Y = f(X) easy
• X = f–1(Y) infeasible

• A trap-door one-way function is a family of invertible functions f k,

such that
• Y = fk(X) easy, if k and X are known
• X = fk–1(Y) easy, if k and Y are known
• X = fk–1(Y) infeasible, if Y known but k not known

• A practical public-key scheme depends on a suitable trap-door

one-way function
16
 Public-Key Cryptanalysis
• A public-key encryption scheme is vulnerable to a brute-force attack
• Countermeasure: use large keys
• Key size must be small enough for practical encryption and decryption
• Key sizes that have been proposed result in encryption/decryption
speeds that are too slow for general-purpose use
• Public-key encryption is currently confined (‫ ) يقتصر‬to key management
and signature applications

• Another form of attack is to find some way to compute the private

key given the public key
• To date it has not been mathematically proven that this form of attack is
infeasible for a particular public-key algorithm

• Finally, there is a probable-message attack

• This attack can be thwarted by appending some random bits
to simple messages 17
 Rivest-Shamir-Adleman
(RSA) Scheme
• Developed in 1977 at MIT by Ron Rivest,
Adi Shamir & Len Adleman
• Invented by Clifford Cocks (GCHQ)

• Most widely used general-purpose

approach to public-key encryption
 •
Is a cipher in which the plaintext and ciphertext are
integers between and () for some
• Current recommended size for is bits

18
 RSA Algorithm
•
• Let
  and be two large prime numbers
• Let be the modulus
• Choose relatively prime to (
• Find such that
• Public key is
• Private key is
• Encryption and decryption are of the following form, for
some plaintext block and ciphertext block
C = Me mod n
M = Cd mod n = (Me)d mod n = Med mod n

19
 RSA Algorithm
•
•RSA
  makes use of an expression with exponentials
• Plaintext is encrypted in blocks with each block having a binary value
less than some number
• Encryption and decryption are of the following form, for some plaintext
block and ciphertext block
C = Me mod n
M = Cd mod n = (Me)d mod n = Med mod n
• Both sender and receiver must know the value of

• The sender knows the value of , and only the receiver knows the value
of
• This is a public-key encryption algorithm with a public key of PU={e,n}
and a private key of PR={d,n}
20
Algorithm Requirements
•
•  For this algorithm to be satisfactory for public-key
encryption, the following requirements must be
met:
1. It is possible to find values of such that
2. It is relatively easy to calculate and for all values of
3. It is infeasible to determine givenand

21
 Does RSA Really Work?
•
• Given
  we want to show that
• We’ll need Euler’s Theorem:
If is relatively prime to then
• Facts:

1. By definition of “mod”,

•Then
•So,

22
23
 Simple RSA Example
•  Example of textbook RSA
• This is “textbook” RSA because it would not be
secure in practice. Why is that the case?
• Select “large” primes
• Then and
• Choose (relatively prime to )
• Find such that
• We find that works
• Public key:
• Private key:
24
 Simple RSA Example
• Public
  key:
• Private key:
• Suppose message to encrypt is
• Ciphertext is computed as

• Decrypt to recover the message by

25
 Example of RSA Algorithm
•
•Select
  two large primes: p, q, p ≠ q

•
•Calculate
•Select e, such that , say,
•Calculate d such that de mod
• Use Euclid’s algorithm to find

26
Example of RSA Algorithm

27
28
Exponentiation in Modular
Arithmetic
• Both
  encryption and decryption in RSA involve
raising an integer to an integer power,
• Can make use of a property of modular
arithmetic:

• With RSA you are dealing with potentially large

exponents so efficiency of exponentiation is a
consideration
29
 More Efficient RSA
• Modular exponentiation example
• 520 = 95367431640625 = 25 mod 35
• A better way: repeated squaring
• 20 = 10100 base 2
• (1, 10, 101, 1010, 10100) = (1, 2, 5, 10, 20)
• Note that 2 = 1 2, 5 = 2  2 + 1, 10 = 2  5, 20 = 2  10
• 51= 5 mod 35
• 52= (51)2 = 52 = 25 mod 35
• 55= (52)2  51 = 252  5 = 3125 = 10 mod 35
• 510 = (55)2 = 102 = 100 = 30 mod 35
• 520 = (510)2 = 302 = 900 = 25 mod 35
• No huge numbers and it’s efficient!
30
31
Table 9.4

32
 Efficient Operation Using
the Public Key
• To
  speed up the operation of the RSA algorithm
using the public key, a specific choice of is usually
made
• The most common choice is
• Two other popular choices are and
• Each of these choices has only two bits, so the
number of multiplications required to perform
exponentiation is minimized
• With a very small public key, such as , RSA becomes
vulnerable to a simple attack
33
 RSA vulnerable to a
 
attack with a very small
•
• Suppose
  three users who all use the value but have unique
values of, namely ().
• If user A sends the same encrypted message to all three
users, then the three ciphertexts are
, , and
• It is likely that , and are pairwise relatively prime.
• Using the CRT to compute
• . Accordingly, the attacker need only compute the cube root
of . (cube root attack)
• This attack can be countered by adding a unique
pseudorandom bit string as padding to each instance of
34
 Efficient Operation Using
the Private Key
•
• Decryption
  uses exponentiation to power
• A small value of is vulnerable to a brute-force attack and to other
forms of cryptanalysis
• Can use the (CRT) to speed up computation of

• ,

• )
• ,

• The quantities and can be precalculated

• End result is that the calculation is approximately four times as fast
as evaluating directly
35
 Key Generation
• Before
  the application of • Because
  the value of will be
the public-key known to any potential
cryptosystem each adversary, primes must be
participant must generate chosen from a sufficiently large
a pair of keys: set
1. Determine two prime • The method used for finding
numbersand large primes must be reasonably
2. Select either or and efficient.
calculate the other • e.g. Miller-Rabin algorithm

36
 Procedure for Picking a
Prime Number
•   The Procedure for Picking a Prime Number
1. Pick an odd integer at random
2. Pick an integer at random
3. Perform the probabilistic primality test with as a
parameter. If fails the test, reject the value and go
to step 1
4. If n has passed a sufficient number of tests, accept ;
otherwise, go to step 2
• On average, one would have to test on the order
of
37
 The Security of RSA
Brute force
• Involves
Chosen ciphertext trying all Mathematical attacks
attacks possible • There are several
• This type of attack private keys approaches, all
exploits properties equivalent in effort to
of the RSA factoring the product
algorithm of two primes
Five
possible
approaches
to
Hardware fault-based attacking
attack RSA are: Timing attacks
• This involves inducing
hardware faults in the • These depend on the
processor that is running time of the
generating digital decryption algorithm
signatures
38
 Factoring Problem
• We
  can identify three approaches to attacking RSA
mathematically:
1. Factor into its two prime factors. This enables
calculation of which in turn enables determination of
2. Determine directly without first determining and .
Again this enables determination of
3. Determine directly without first determining

39
 Tabl
e
9.5

Table 9.5 Progress in RSA Factorization

40
 Other Constrains
•
•To  speed up RSA decryption use small private key ()

•Wiener’87: if then RSA is insecure.

•Boneh &Durfee’98: if then RSA is insecure
Insecure: private key can be found from ()
• Suggested constraints on and .
• and should differ in length by only a few digits.
• For -bit key, both and should be to
1. Both () and () should contain a large prime factor
2. should be small
42
 Timing Attacks
•  Paul Kocher 96 demonstrated that
• The time it takes to compute decipher messages
Ccan expose

• Are applicable not just to RSA but to other public-

key cryptography systems
• Are alarming for two reasons:
• It comes from a completely unexpected direction
• It is a ciphertext-only attack

43
 Countermeasures

Constant exponentiation Random delay Blinding

time • Better performance could be • Multiply the ciphertext by a
• Ensure that all exponentiations achieved by adding a random random number before
take the same amount of time delay to the exponentiation performing exponentiation;
before returning a result; this algorithm to confuse the this process prevents the
is a simple fix but does degrade timing attack attacker from knowing what
performance ciphertext bits are being
processed inside the computer
and therefore prevents the bit-
by-bit analysis essential to the
timing attack

44
 Fault-Based Attack
• An attack on a processor that is generating RSA digital signatures
• Induces faults in the signature computation by reducing the power
to the processor
• The faults cause the software to produce invalid signatures which
can then be analyzed by the attacker to recover the private key

• The attack algorithm involves inducing single-bit errors and

observing the results
• While worthy of consideration, this attack does not appear to be a
serious threat to RSA
• It requires that the attacker have physical access to the target
machine and is able to directly control the input power to the
processor
45
 Chosen Ciphertext Attack
(CCA)
• The adversary chooses a number of ciphertexts and
is then given the corresponding plaintexts,
decrypted with the target’s private key
• Thus the adversary could select a plaintext, encrypt it
with the target’s public key, and then be able to get
the plaintext back by having it decrypted with the
private key
• The adversary exploits properties of RSA and selects
blocks of data that, when processed using the
target’s private key, yield information needed for
cryptanalysis
46
 A simple example of a
CCA against RSA
• E(PU, M1) x E(PU, M2) = E(PU, [M1 x M2])
• We can dcrypt C = Me mod n using a CCA as follows.
1. Compute X = (C x 2e ) mod n.
2. Submit X as a chosen ciphertext and receive back Y = Xd mod n.
But now note that
X = (C mod n) x (2e mod n)
= (Me mod n) x (2e mod n)
e
= (2M) mod n
• Therefore, Y = (2M) mod n. From this, we can deduce M.

47
 Optimal Asymmetric
Encryption Padding (OAEP)
• To counter such attacks, RSA Security Inc.
recommends modifying the plaintext using a
procedure known as optimal asymmetric
encryption padding (OAEP)

48
 Optimal
Asymmetric
Encryption
Padding (OAEP)

PKCS1 v2.0: OAEP

49
 Summary
• Public-key
• The RSA algorithm
cryptosystems
• Description of the
• Applications for public- algorithm
key cryptosystems • Computational
aspects
• Requirements for • Security of RSA
public-key
cryptography

• Public-key cryptanalysis

50