Lecture 8. Public-key Cryptography

• two different keys for each user
  • public key for encryption
  • private key for decryption

• based on hard computational problems such as integer factorization, discrete logarithm, knapsack, ...

• doesn't require secure distribution of keys

• used for
  • exchanging keys for conventional encryption algorithms
  • digital signatures (data integrity, sender authentication, sender nonrepudiation)

• not suitable for data encryption because of low speed (100-1000 times slower than conventional encryption)

1. Diffie-Hellman Key Exchange Protocol

• the first published public-key algorithm in 1976

• developed by W. Diffie and M. Hellman

• based on the difficulty of discrete logarithm problem (DLP)

• useful only for key exchange

    Discrete Logarithm Problem

• p: a large prime number
  a: a primitive root of p (or a generator of the group Z_p^*), meaning
  
  { a¹ mod p, a² mod p, ..., a^p-1 mod p}   =   {1, 2, ..., p-1}   =   Z_p^*

• It is easy to compute a^x mod p,   given a, x, and p.

• (DLP) It is hard to compute x,   given a, p, and a^x mod p.

• Best known algorithm for DLP: number field sieve with an expected running time O(exp((1.923 + o(1))(log p)^1/3 (log log p)^2/3)).

• p and a are globally known.

• User i selects private X_i < p,
  and computes public Y_i   =   a^X_i mod p.

• User j selects private X_j < p,
  and computes public Y_j   =   a^X_j mod p.

• User i generates the shared key K   =   Y_j^X_i mod p   =   a^X_iX_j mod p.

• User j generates the shared key K   =   Y_i^X_j mod p   =   a^X_iX_j mod p.

• developed by Rivest, Shamir, and Adleman in 1977

• based on the difficulty of integer factorization problem (IFP);
  best known algorithm for IFP (for numbers having more than 120 digits):
  general number field sieve with an expected running time
                      O(exp((1.923 + o(1))(log p)^1/3 (log log p)^2/3));
  broke RSA-130 using 500 MIPS-years (1.58*10¹⁶) in 1996

  Factoring the 512-bit key (RSA-155) took an international team of researchers a total elapsed time of 5.2 months, not including nine weeks needed for preliminary computations, and was accomplished using 292 individual computers. (See http://www.rsa.com/pressbox/html/990826.html)

  p                               exp(1.923*(log p)^1/3 (log log p)^2/3)
  ---------------------------------------------------------------------
  10¹⁰⁰                                                   6.8*10¹⁵
  10¹³⁰                                                   6.8*10¹⁷
  10¹⁵⁰                                                   1.0*10¹⁹
  10²⁰⁰                                                   4.0*10²¹
  10³⁰⁰                                                   6.5*10²⁵
  10⁴⁰⁰                                                   1.7*10²⁹
  

• the most widely used public-key algorithm

• useful for key exchange and digital signatures

    Related Number Theoretic Results

(1) gcd(a,n) = 1  and  ab = ac mod n   =>   b = c mod n

      proof:  ab - ac = a(b - c) is a multiple of n, but gcd(a,n) = 1,
                  and hence b - c must be a multiple of n

(2) (Fermat's theorem) a^n-1 = 1 mod n  if n is prime and gcd(a,n) = 1

      proof: {a mod n, 2a mod n, ..., (n-1)a mod n} = {1, 2, ..., n-1}
                  a(2a)(3a)...((n-1)a) = (n-1)! mod n
                  (n-1)!a^n-1 = (n-1)! mod n
                  a^n-1 = 1 mod n (we can remove (n-1)! by (1))

(3) a = b mod p  and  a = b mod q  and  gcd(p,q) = 1   =>   a = b mod pq

      proof: a - b is a multiple of p and q simultaneously,
                 and hence it is a multiple of pq

(4) M^{k(p-1)(q-1)+1} = M mod pq  if p, q are two distinct prime numbers

      proof: M^{k(p-1)(q-1)+1} = M mod p
                         if M = 0 mod p, then it is obvious;
                         if not M = 0 mod p, then
                                   gcd(M,p) = 1 and by (2) M^p-1 = 1 mod p
                                   M^{k(p-1)(q-1)+1} = M(M^(p-1))^k(q-1)
                                                           = M(1)^k(q-1)  = M mod p

                  M^{k(p-1)(q-1)+1} = M mod q, similarly.

                   By (3) we have the theorem.

    RSA algorithm

• Each user selects two large prime numbers p and q.
• Let n = pq.
• Select a random e which is relatively prime to (p-1)(q-1).
• Compute d such that de = 1 mod (p-1)(q-1).

• K_e = (e,n) becomes the public key.
• K_d = (d,n) becomes the private key.

• (encryption) C = P^e mod n.
  P is the plaintext, and C is the ciphertext.

• (decryption) C^d  =  P^de  =  P^{k(p-1)(q-1)+1}  =  P mod n

• d can be easily computed from e and (p-1)(q-1), but not from e and n.
• p and q cannot be easily computed from n.

• In RSA, the public keys are used for encryption and the private keys are for decryption, but these roles are interchangeable:
  
  Messages encrypted with a private key can be decrypted with the corresponding public key.

• RSA digital signature
  for message M by the user with K_d as the private key:
  E_Kd(Hash(M)).
  Note that anyone can verify the signature.

• (hybrid data encryption using RSA and a block cipher, say DES)
  • Generate a random key K_s for the block cipher,
    which is often called a session key.

  • Send the RSA-encrypted session key using the recipient's public key K_e, and the DES-encrypted data using K_s:
    E_Ke(K_s) + E_Ks(data)
    The recipient first recovers the session key and then the data.

3. Other public-key Algorithms

• Knapsack Algorithms
  • developed by Merkle and Hellman in 1978
  • based on the difficulty of Knapsack Problem
  • insecure

• Rabin's Algorithms
  • developed by M. O. Rabin in 1979
  • based on the difficulty of Integer Factorization

• ElGamal Algorithms
  • developed by T. ElGamal in 1985
  • based on the difficulty of DLP

• Digital Signature Algorithm (DSA)
  • proposed by NIST in 1991
  • a variation of ElGamal
  • for digital signatures only, not for encryption