Complexity and Cryptography

Complexity and Cryptography

Thomas Zeugmann Hokkaido University Laboratory for Algorithmics https://www-alg.ist.hokudai.ac.jp/∼thomas/COCRB/

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Motivation I

Question

Why do we need public key cryptography?

So far, we mainly considered two-way cryptosystems. In such cryptosystems the security of the communication has been mainly established by aprivate key.

This classical key management requires theexchange of the secret keywhich may be well imaginable if the number of participants is small.

Imagine a bank with tens of thousands customers all over the word who like to access their accounts via their computers at home. It seems absolutely hopeless to exchange frequently secret keys with all customers.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Motivation I

Question

Why do we need public key cryptography?

So far, we mainly considered two-way cryptosystems. In such cryptosystems the security of the communication has been mainly established by aprivate key.

This classical key management requires theexchange of the secret keywhich may be well imaginable if the number of participants is small.

word who like to access their accounts via their computers at home. It seems absolutely hopeless to exchange frequently secret keys with all customers.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Motivation I

Question

Why do we need public key cryptography?

So far, we mainly considered two-way cryptosystems. In such cryptosystems the security of the communication has been mainly established by aprivate key.

This classical key management requires theexchange of the secret keywhich may be well imaginable if the number of participants is small.

Imagine a bank with tens of thousands customers all over the word who like to access their accounts via their computers at

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Motivation II

Most customers have a much larger range of applications than simply accessing their bank accounts over the internet, e.g.; shopping over the net using a credit card, frequently exchange of email with varying addressees, or using different computers over a net.

addressed here is to ensure that a message received indeed originates from the source it pretends to have been sent out. In classical communication via letters, this problem has been solved by using hand written signatures (in the western hemisphere) or a “hanko,” i.e., a personal seal (e.g., in China, Japan). Thus, we need something equivalent, i.e., anelectronic signature.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Motivation II

Most customers have a much larger range of applications than simply accessing their bank accounts over the internet, e.g.; shopping over the net using a credit card, frequently exchange of email with varying addressees, or using different computers over a net.

Another important problem isauthentication. The main problem addressed here is to ensure that a message received indeed originates from the source it pretends to have been sent out. In classical communication via letters, this problem has been solved by using hand written signatures (in the western hemisphere) or a “hanko,” i.e., a personal seal (e.g., in China, Japan). Thus, we need something equivalent, i.e., anelectronic

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Motivation III

All those real and potential applications stimulated a huge amount of research during the last three decades.

The key observation to be made is that a key in classical two-way cryptosystems has actually two separate tasks, i.e., enciphering and deciphering.

Diffie and Hellman (1976) proposed a new approach, i.e.,public key cryptography.

They proposed to replace the secrete key by two keys. One key is used for encryption, and one key for decryption. The

revolutionary idea, however, was to make the key for encryptionpublicly available. The key for decryption is kept secretby the receiver.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Motivation III

All those real and potential applications stimulated a huge amount of research during the last three decades.

The key observation to be made is that a key in classical two-way cryptosystems has actually two separate tasks, i.e., enciphering and deciphering.

Diffie and Hellman (1976) proposed a new approach, i.e.,public key cryptography.

They proposed to replace the secrete key by two keys. One key is used for encryption, and one key for decryption. The

revolutionary idea, however, was to make the key for encryptionpublicly available. The key for decryption is kept

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The General Scheme of Public Key Cryptography I

The general scenario can be described as follows: Assume` communicating partiesP<sub>1</sub>, . . . ,P`. Each partyP_ichooses and publishes itspublic keyki, and keeps itssecret keyek_iprivate. Suppose, partyP_iwishes to send a message to partyP_j. ThenP_ilooks forP_j’s public key in the list of all public keys. Next,Pienciphers its message usingkjand sends it out. The

receiverP_j exploits her private keyek_jand deciphers the

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The General Scheme of Public Key Cryptography I

The general scenario can be described as follows: Assume` communicating partiesP<sub>1</sub>, . . . ,P`. Each partyP_ichooses and publishes itspublic keyki, and keeps itssecret keyek_iprivate. Suppose, partyP_iwishes to send a message to partyP_j. ThenP_ilooks forP_j’s public key in the list of all public keys. Next,Pienciphers its message usingkjand sends it out. The

receiverP_j exploits her private keyek_jand deciphers the

message received fromPi.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The General Scheme of Public Key Cryptography II

There must be some connection between the public and the private key, since otherwise it is very hard to imagine how the deciphering can be performed. This leads to the following

Given the public key, it must be extremely hard to compute the private one.

Computing the cipher must be easy, while deciphering has to remain extremely hard, too, without knowing the private key.

These requirements directly lead to the idea ofone-way functions.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The General Scheme of Public Key Cryptography II

There must be some connection between the public and the private key, since otherwise it is very hard to imagine how the deciphering can be performed. This leads to the following Requirements:

Given the public key, it must be extremely hard to compute the private one.

Computing the cipher must be easy, while deciphering has to remain extremely hard, too, without knowing the private key.

These requirements directly lead to the idea ofone-way functions.

The General Scheme of Public Key Cryptography II

There must be some connection between the public and the private key, since otherwise it is very hard to imagine how the deciphering can be performed. This leads to the following Requirements:

Given the public key, it must be extremely hard to compute the private one.

Computing the cipher must be easy, while deciphering has to remain extremely hard, too, without knowing the private key.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

One-Way Functions

Definition 1 (One-Way Functions)

LetX,Y be non-empty sets. Aone-way functionfis an injective functionf:X→Ysuch thatf(x)can be computed in time polynomial in the length|x|ofxfor allx∈Xbut there is no algorithm computingf−1(y)efficiently for any interesting fraction of argumentsy∈range(f).

Unfortunately, no one has yet proved the existence of one-way functions. Complexity theory is still not ready to handle this extremely difficult problem. Moreover, classical complexity theory mainly deals withworst-casecomplexity what is by no means ideal from the viewpoint of cryptology. The reasons for this are as follows:

One-Way Functions

Definition 1 (One-Way Functions)

LetX,Y be non-empty sets. Aone-way functionfis an injective functionf:X→Ysuch thatf(x)can be computed in time polynomial in the length|x|ofxfor allx∈Xbut there is no algorithm computingf−1(y)efficiently for any interesting fraction of argumentsy∈range(f).

Unfortunately, no one has yet proved the existence of one-way functions. Complexity theory is still not ready to handle this extremely difficult problem. Moreover, classical complexity theory mainly deals withworst-casecomplexity what is by no means ideal from the viewpoint of cryptology. The reasons for

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Points of Concern I

(1) A problem having high worst-case complexity may be anyway easily solvable for most of its instances. Andno non-linear lower boundfor a particular problem is known. (2) For all practical purposes it is sufficient to possess an

efficientprobabilisticalgorithm computingf−1. That means, even if we would know that no deterministic algorithm computesf−1for almost all inputs in polynomial time, we cannot conclude the relevant cryptosystem to be secure. (3) Even worse, having a proof that no probabilistic algorithm

computesf−1_{for almost all inputs in polynomial time is} not sufficient to derive reasonable conclusions concerning the security of the relevant cryptosystem. Still, it may be possible to invertffor almost all inputs ofpracticallength; e.g., given a proved tight lower bound ofnlog logn, then for

Points of Concern I

(1) A problem having high worst-case complexity may be anyway easily solvable for most of its instances. Andno non-linear lower boundfor a particular problem is known. (2) For all practical purposes it is sufficient to possess an

efficientprobabilisticalgorithm computingf−1. That means, even if we would know that no deterministic algorithm computesf−1for almost all inputs in polynomial time, we cannot conclude the relevant cryptosystem to be secure. (3) Even worse, having a proof that no probabilistic algorithm

computesf−1_{for almost all inputs in polynomial time is} not sufficient to derive reasonable conclusions concerning the security of the relevant cryptosystem. Still, it may be possible to invertffor almost all inputs ofpracticallength; e.g., given a proved tight lower bound ofnlog logn, then for

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Points of Concern I

(1) A problem having high worst-case complexity may be anyway easily solvable for most of its instances. Andno non-linear lower boundfor a particular problem is known. (2) For all practical purposes it is sufficient to possess an

efficientprobabilisticalgorithm computingf−1. That means, even if we would know that no deterministic algorithm computesf−1for almost all inputs in polynomial time, we cannot conclude the relevant cryptosystem to be secure. (3) Even worse, having a proof that no probabilistic algorithm

computesf−1_{for almost all inputs in polynomial time is}

not sufficient to derive reasonable conclusions concerning the security of the relevant cryptosystem. Still, it may be possible to invertffor almost all inputs ofpracticallength; e.g., given a proved tight lower bound ofnlog logn, then for

Points of Concern II

(4) Since all practically appearing inputs are below some length, evennon-uniformfamilies of different algorithms invertingfmay be interesting for a cryptanalyst.

There are, however some functionsfwhich are widely considered to be good candidates for one-way functions, e.g.; modular exponentiation (the inverse is computing the discrete logarithm), computing the product of prime numbers (the inverse is factoring a given number into its prime factors), and computingM=Pm_i=0x_ia_i, where(a₀, . . . ,a_m)∈_Nm+1_and (x₀, . . . ,xm)∈{0, 1}m+1(the inverse is the general subset-sum

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Points of Concern II

(4) Since all practically appearing inputs are below some length, evennon-uniformfamilies of different algorithms invertingfmay be interesting for a cryptanalyst.

There are, however some functionsfwhich are widely considered to be good candidates for one-way functions, e.g.; modular exponentiation (the inverse is computing the discrete logarithm), computing the product of prime numbers (the inverse is factoring a given number into its prime factors), and computingM=Pm_i=0x_ia_i, where(a₀, . . . ,a_m)∈_Nm+1_and (x₀, . . . ,xm)∈{0, 1}m+1(the inverse is the general subset-sum

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The General Scheme of Public Key Cryptography III

Next we describe how to apply one-way functions to the solution of public key cryptography.

Clearly, we cannot directly apply one-way functionsffor enciphering messages. Additionally, we have to incorporate an idea how the receiver can circumvent the difficulty of

invertingf. As outlined above, solely the receiver possesses the additional information provided by her secret key. This

additional informationshould enable her to decrypt the ciphertext.

useKpandKsto denote the set of public keys and private

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The General Scheme of Public Key Cryptography III

Next we describe how to apply one-way functions to the solution of public key cryptography.

Clearly, we cannot directly apply one-way functionsffor enciphering messages. Additionally, we have to incorporate an idea how the receiver can circumvent the difficulty of

invertingf. As outlined above, solely the receiver possesses the additional information provided by her secret key. This

additional informationshould enable her to decrypt the ciphertext.

The following definition formalizes this idea: Furthermore, we useKpandKsto denote the set of public keys and private

The General Scheme of Public Key Cryptography IV

Definition 2 (Trap-Door Function)

Atrap-door functionf:Pt×K_p→Ct is a function satisfying the following requirements:

(i) h_kp=f(·,k_p)is a one-way function for everyk_p∈K_p; (ii) there exists a polynomialqsuch that the time to compute

hkp(x)is uniformly bounded byq(|x|)for allkp∈Kp; (iii) there exist a one-way functiond:K_s→K_pand a

polynomial time computable functiong:Ks×Ct→Pt such thaty=f(x,k_p)impliesx=g(d−1(k_p),y)for all x∈Pt,k_p∈K_p, andy∈Ct.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The General Scheme of Public Key Cryptography V

The informationd−1(kp)constitutes thetrap-doorenabling the

receiver to decipher the message obtained. Thus, the general scenario for public key cryptography outlined above can be realized as follows:

Each partyP₁, . . . ,P`is equipped with algorithms for

computingf,g, andd. Furthermore, we assume|Ks|_>`. Now, partyP<sub>i</sub>chooses its private keyek<sub>i</sub>∈K<sub>s</sub>such thatek<sub>i,</sub>ek<sub>j</sub>for i,j, wherei,j∈{1, . . . ,`}. How to realize this requirement is

The General Scheme of Public Key Cryptography V

The informationd−1(kp)constitutes thetrap-doorenabling the

receiver to decipher the message obtained. Thus, the general scenario for public key cryptography outlined above can be realized as follows:

Each partyP₁, . . . ,P`is equipped with algorithms for

computingf,g, andd. Furthermore, we assume|Ks|_>`. Now, partyP<sub>i</sub>chooses its private keyek<sub>i</sub>∈K<sub>s</sub>such thatek<sub>i,</sub>ek<sub>j</sub>for i,j, wherei,j∈{1, . . . ,`}. How to realize this requirement is

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The General Scheme of Public Key Cryptography VI

The message exchange is performed using the following protocol: SupposePiwishes to send a messagextoPj.

(1) P_icomputesy=f(x,k_j)usingPj’s public keykj, and sendsyover a public channel toPj.

(2) Pjreceivesyand uses her private keyek_jto compute x=g(ekj,y).

We proceed by providing an example for a concrete public key cryptosystem.

The General Scheme of Public Key Cryptography VI

The message exchange is performed using the following protocol: SupposePiwishes to send a messagextoPj.

(1) P_icomputesy=f(x,k_j)usingPj’s public keykj, and sendsyover a public channel toPj.

(2) Pjreceivesyand uses her private keyek_jto compute x=g(ekj,y).

We proceed by providing an example for a concrete public key cryptosystem.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Merkle and Hellman’s Public Key Cryptosystem I

Within theMerkleandHellman’spublic key cryptosystem plaintext is encoded into bit-vectors of lengthn, i.e., b= (b₀, . . . ,b_n−1),b_i∈{0, 1}.

For example, we may encode the 26 letters of the Latin alphabet by using 00000 forA, 00001 forB, . . . , and 11001 forZ. Thus, each letter comprises 5 bits. For error detecting, it may be recommendable to add some check bits using, for example, a Hamming code. For keeping our examples small, we neglect the issue of error detecting here and use the bit strings given above.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Merkle and Hellman’s Public Key Cryptosystem II

The public key is a knapsack vectora= (a₀, . . . ,a_n−1),a_i∈N. How to chooseais described below. The encipheringcof a plaintextbis computed by

c=ab>= n−1_X

j=0

a_jb_j (1)

(*b>denotes the transpose ofb*).

The result is a numbercbetween 0 andPn_j=−₀1a_j. This number cis represented as a bit string of length`=dlog(1+P_jn₌−₀1a_j)e

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Merkle and Hellman’s Public Key Cryptosystem II

The public key is a knapsack vectora= (a₀, . . . ,a_n−1),a_i∈N. How to chooseais described below. The encipheringcof a plaintextbis computed by

c=ab>= n−1_X

j=0

a_jb_j (1)

(*b>denotes the transpose ofb*).

The result is a numbercbetween 0 andPn_j=−₀1aj. This number

cis represented as a bit string of length`=dlog(1+P_jn₌−₀1a_j)e

Merkle and Hellman’s Public Key Cryptosystem III

We describe the trap-door information and how to choosea. The trap-door is a pair(w,m)∈N×Nwhich should be large and has to

satisfy

w < m and gcd(w,m) =1 , (2)

Next, we choosenvalues ˆa= (aˆ0, . . . , ˆan−1)such that

m > n−1 X i=0 ˆ ai and aˆj> j−1 X i=0 ˆ ai for allj=1, . . . ,n−1 . (3)

So, partyPchoosesw,m, and ˆasuch that Conditions (2) and (3) are satisfied. ThenPcomputesa= (a0, . . . ,an−1), where

ai= (aˆiw)mod mfor alli=0, . . . ,n−1. The vectoraisP’s public key and the pair(w,m)and the vector ˆaisP’s private key.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Merkle and Hellman’s Public Key Cryptosystem IV

Letcbe a ciphertext received. The deciphering is done using the following proceduredec:

(1) Compute ˆc= (w−1c)modm,

(2) Computeb= (b₀, . . . ,b_n−1)as follows:

If ˆc_>aˆn−1then setbn−1=1 else setbn−1=0

Forj=n−2,n−3, . . . , 0, if ˆ c− nP−1 i=j+1 ˆ

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Merkle and Hellman’s Public Key Cryptosystem V

Example 3

PartyPchoosesn=5,(w,m) = (2550, 8443), and ˆ

a= (171, 196, 457, 1191, 2410). So Conditions (2) and (3) are satisfied. The modular inverse of 2550 inZ8443is 3950. SoP’s

public key isa= (5457, 1663, 216, 6013, 7439). Letx=L;

thenb= (0, 1, 0, 1, 1); thusc=1663+6013+7439=15115, and the message sent iscin binary, i.e.,11101100001011.

SupposePhas receivedc. So,Pcomputes successively

ˆ 3950 15115 3797 mod 8443. (2) Since 3797>2410 we setb₄=1.

(3) Next, we compute 3797−2410=1387>1191. So,b₃=1. Now, 3797− (2410+1191) =196<457, sob₂=0.

Since 3797− (2410+1191) =196 we setb₁=1.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Merkle and Hellman’s Public Key Cryptosystem V

Example 3

PartyPchoosesn=5,(w,m) = (2550, 8443), and ˆ

a= (171, 196, 457, 1191, 2410). So Conditions (2) and (3) are satisfied. The modular inverse of 2550 inZ8443is 3950. SoP’s

public key isa= (5457, 1663, 216, 6013, 7439). Letx=L;

thenb= (0, 1, 0, 1, 1); thusc=1663+6013+7439=15115, and the message sent iscin binary, i.e.,11101100001011.

SupposePhas receivedc. So,Pcomputes successively (1) cˆ = (w−1c)≡3950·15115≡3797 mod 8443.

(2) Since 3797>2410 we setb₄=1.

(3) Next, we compute 3797−2410=1387>1191. So,b₃=1. Now, 3797− (2410+1191) =196<457, sob₂=0.

Since 3797− (2410+1191) =196 we setb₁=1.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Merkle and Hellman’s Public Key Cryptosystem V

Example 3

PartyPchoosesn=5,(w,m) = (2550, 8443), and ˆ

a= (171, 196, 457, 1191, 2410). So Conditions (2) and (3) are satisfied. The modular inverse of 2550 inZ8443is 3950. SoP’s

public key isa= (5457, 1663, 216, 6013, 7439). Letx=L;

thenb= (0, 1, 0, 1, 1); thusc=1663+6013+7439=15115, and the message sent iscin binary, i.e.,11101100001011.

SupposePhas receivedc. So,Pcomputes successively (1) cˆ = (w−1c)≡3950·15115≡3797 mod 8443. (2) Since 3797>2410 we setb₄=1.

Now, 3797− (2410+1191) =196<457, sob₂=0. Since 3797− (2410+1191) =196 we setb₁=1.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Merkle and Hellman’s Public Key Cryptosystem V

Example 3

PartyPchoosesn=5,(w,m) = (2550, 8443), and ˆ

a= (171, 196, 457, 1191, 2410). So Conditions (2) and (3) are satisfied. The modular inverse of 2550 inZ8443is 3950. SoP’s

public key isa= (5457, 1663, 216, 6013, 7439). Letx=L;

thenb= (0, 1, 0, 1, 1); thusc=1663+6013+7439=15115, and the message sent iscin binary, i.e.,11101100001011.

SupposePhas receivedc. So,Pcomputes successively (1) cˆ = (w−1c)≡3950·15115≡3797 mod 8443. (2) Since 3797>2410 we setb₄=1.

(3) Next, we compute 3797−2410=1387>1191. So,b₃ =1. Now, 3797− (2410+1191) =196<457, sob₂=0.

Merkle and Hellman’s Public Key Cryptosystem VI

We continue with some remarks concerning the complexity of the problems involved. The difficult problem used in the design of the trap-door functionfis the knapsack or subset-sum problem which is known to beNP-complete. However, several subclasses of this problem are known for which it is easy to solve the decision problem. For example, if

a_i< a_i+1for alli=0, . . . ,n−2, then the knapsack problem can be solved by using at mostnsubtractions as outlined in our deciphering procedure. Another subclass consists of all vectors

(a₀, . . . ,a_n−1)∈_Nn_{for which alla}

iare powers of 2. In the latter case, one has simply to compute the binary representation ofM. A more sophisticated subclass has been described in Lagarias and Odlyzko (1983).

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Merkle and Hellman’s Public Key Cryptosystem VI

We continue with some remarks concerning the complexity of the problems involved. The difficult problem used in the design of the trap-door functionfis the knapsack or subset-sum problem which is known to beNP-complete.

However, several subclasses of this problem are known for which it is easy to solve the decision problem. For example, if

a_i< a_i+1for alli=0, . . . ,n−2, then the knapsack problem can be solved by using at mostnsubtractions as outlined in our deciphering procedure. Another subclass consists of all vectors

(a₀, . . . ,a_n−1)∈_Nn_{for which alla}

iare powers of 2. In the

latter case, one has simply to compute the binary representation ofM. A more sophisticated subclass has been described in

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Merkle and Hellman’s Public Key Cryptosystem VII

Thus, special care has to be taken. In particular, Merkle and Hellman (1978) hoped that the modular transformation of the trap-door knapsack ˆawill result in almost all cases in a hard one. But A. Shamir (1982) proposed a polynomial time method for breaking the Merkle and Hellman (1978) public key

cryptosystem.

design public key cryptosystem that are based on the difficulty of the subset-sum problem. Since all proposed systems are not very satisfying we continue by looking at the most widely used public key cryptosystems that are based on the difficulty of number theoretic problems.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Merkle and Hellman’s Public Key Cryptosystem VII

Thus, special care has to be taken. In particular, Merkle and Hellman (1978) hoped that the modular transformation of the trap-door knapsack ˆawill result in almost all cases in a hard one. But A. Shamir (1982) proposed a polynomial time method for breaking the Merkle and Hellman (1978) public key

cryptosystem.

Since then, more sophisticated methods have been proposed to design public key cryptosystem that are based on the difficulty of the subset-sum problem. Since all proposed systems are not very satisfying we continue by looking at the most widely used public key cryptosystems that are based on the difficulty of number theoretic problems.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem I

This system is based on the difficulty of factoring and/or taking discrete roots modulo a composite modulus. It has been

invented by byR. Rivest, A. Shamir and L. Adlemanin 1977. LetA(=Alice) be anybody wishing to participate at the RSA cryptosystem. Then, Alice has to do the following:

1000 bits each, and the bigger prime should preferably have some more digits than the smaller one).

(2) Computen_A =p_Aq_Aand calculateϕ(n_A) =

ϕ(pA)ϕ(qA) = (pA−1)(qA−1) =nA−pA−qA+1. (3) Choose randomly any numbere_A∈{1, . . . ,ϕ(n_A)}such

that gcd(eA,ϕ(nA)) =1.

(4) Computed_A =e−1_A modϕ(n_A). PublishK_A= (n_A,e_A) andkeeppA, qA, anddAsecret.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem I

This system is based on the difficulty of factoring and/or taking discrete roots modulo a composite modulus. It has been

invented by byR. Rivest, A. Shamir and L. Adlemanin 1977. LetA(=Alice) be anybody wishing to participate at the RSA cryptosystem. Then, Alice has to do the following:

(1) Choose randomly two huge primespAandqA(at least 1000 bits each, and the bigger prime should preferably have some more digits than the smaller one).

(2) Computen_A =p_Aq_Aand calculateϕ(n_A) =

ϕ(pA)ϕ(qA) = (pA−1)(qA−1) =nA−pA−qA+1. (3) Choose randomly any numbere_A∈{1, . . . ,ϕ(n_A)}such

that gcd(eA,ϕ(nA)) =1.

(4) Computed_A =e−1_A modϕ(n_A). PublishK_A= (n_A,e_A) andkeeppA, qA, anddAsecret.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem I

This system is based on the difficulty of factoring and/or taking discrete roots modulo a composite modulus. It has been

invented by byR. Rivest, A. Shamir and L. Adlemanin 1977. LetA(=Alice) be anybody wishing to participate at the RSA cryptosystem. Then, Alice has to do the following:

(1) Choose randomly two huge primespAandqA(at least 1000 bits each, and the bigger prime should preferably have some more digits than the smaller one).

(2) Computen_A=p_Aq_Aand calculateϕ(n_A) =

ϕ(pA)ϕ(qA) = (pA−1)(qA−1) =nA−pA−qA+1.

(3) Choose randomly any number A {1, . . . , A }such that gcd(eA,ϕ(nA)) =1.

(4) Computed_A =e−1_A modϕ(n_A). PublishK_A= (n_A,e_A) andkeeppA, qA, anddAsecret.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem I

This system is based on the difficulty of factoring and/or taking discrete roots modulo a composite modulus. It has been

invented by byR. Rivest, A. Shamir and L. Adlemanin 1977. LetA(=Alice) be anybody wishing to participate at the RSA cryptosystem. Then, Alice has to do the following:

(1) Choose randomly two huge primespAandqA(at least 1000 bits each, and the bigger prime should preferably have some more digits than the smaller one).

(2) Computen_A=p_Aq_Aand calculateϕ(n_A) =

ϕ(pA)ϕ(qA) = (pA−1)(qA−1) =nA−pA−qA+1. (3) Choose randomly any numbere_A∈{1, . . . ,ϕ(n_A)}such

that gcd(eA,ϕ(nA)) =1.

(4) Computed_A =e−1_A modϕ(n_A). PublishK_A= (n_A,e_A) andkeeppA, qA, anddAsecret.

The RSA Public Key Cryptosystem I

This system is based on the difficulty of factoring and/or taking discrete roots modulo a composite modulus. It has been

invented by byR. Rivest, A. Shamir and L. Adlemanin 1977. LetA(=Alice) be anybody wishing to participate at the RSA cryptosystem. Then, Alice has to do the following:

(1) Choose randomly two huge primespAandqA(at least 1000 bits each, and the bigger prime should preferably have some more digits than the smaller one).

(2) Computen_A=p_Aq_Aand calculateϕ(n_A) =

ϕ(pA)ϕ(qA) = (pA−1)(qA−1) =nA−pA−qA+1. (3) Choose randomly any numbere_A∈{1, . . . ,ϕ(n_A)}such

that gcd(eA,ϕ(nA)) =1.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem II

Now, assume any other participantB(=Bob) wishing to communicate secretly with Alice.

Then, Bob codes his plaintext into a binary numberw. Using Alice’s public keyK_A = (nA,e_A)Bob calculates the cipherc=weA modnAand sendscto Alice.

Alice decipherscby computingcdA modnA.

The correctness of this protocol ist established by the following theorem:

Theorem 1 w=cdA _modn

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem II

Now, assume any other participantB(=Bob) wishing to communicate secretly with Alice.

Then, Bob codes his plaintext into a binary numberw.

cipherc=weA modnAand sendscto Alice. Alice decipherscby computingcdA modnA.

The correctness of this protocol ist established by the following theorem:

Theorem 1 w=cdA _modn

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem II

Now, assume any other participantB(=Bob) wishing to communicate secretly with Alice.

Then, Bob codes his plaintext into a binary numberw. Using Alice’s public keyK_A = (nA,e_A)Bob calculates the cipherc=weA modnAand sendscto Alice.

Alice decipherscby computingcdA modnA.

The correctness of this protocol ist established by the following theorem:

Theorem 1 w=cdA _modn

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem II

Now, assume any other participantB(=Bob) wishing to communicate secretly with Alice.

Then, Bob codes his plaintext into a binary numberw. Using Alice’s public keyK_A = (nA,e_A)Bob calculates the cipherc=weA modnAand sendscto Alice.

Alice decipherscby computingcdA modnA.

theorem: Theorem 1 w=cdA _modn

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem II

Now, assume any other participantB(=Bob) wishing to communicate secretly with Alice.

Then, Bob codes his plaintext into a binary numberw. Using Alice’s public keyK_A = (nA,e_A)Bob calculates the cipherc=weA modnAand sendscto Alice.

Alice decipherscby computingcdA modnA.

The correctness of this protocol ist established by the following theorem:

Theorem 1 w=cdA _modn

The RSA Public Key Cryptosystem II

Now, assume any other participantB(=Bob) wishing to communicate secretly with Alice.

Then, Bob codes his plaintext into a binary numberw. Using Alice’s public keyK_A = (nA,e_A)Bob calculates the cipherc=weA modnAand sendscto Alice.

Alice decipherscby computingcdA modnA.

The correctness of this protocol ist established by the following theorem:

Theorem 1 w=cdA _modn

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Proof

Proof.By assumption,c=weA _modn

A. First, assume

gcd(w,nA) =1; then applying the Theorem of Euler

cdA _≡(weA₎dA _≡weAdA _≡w(eAdA)modϕ(nA)_≡wmodn

A,

sinceeAdA≡1 modϕ(nA).

What can be said if gcd(w,n_A)_,1?

Suppose that exactly one of the two primesp_Aandq_Adoes dividew, saypA. The Little Theorem of Fermat is telling us

wqA−1 ≡1 modqA.

Sinceϕ(n_A) = (p_A−1)(q_A−1), we can conclude wϕ(nA)≡(wqA−1₎pA−1 _≡1pA−1 _{≡1 modq}

A.

Moreover,eAdA ≡1 modϕ(nA), and thuseAdA=jϕ(nA) +1

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Proof

Proof.By assumption,c=weA _modn

A. First, assume

gcd(w,nA) =1; then applying the Theorem of Euler

cdA _≡(weA₎dA _≡weAdA _≡w(eAdA)modϕ(nA)_≡wmodn

A,

sinceeAdA≡1 modϕ(nA).

What can be said if gcd(w,nA),1?

dividew, saypA. The Little Theorem of Fermat is telling us

wqA−1 ≡1 modqA.

Sinceϕ(n_A) = (p_A−1)(q_A−1), we can conclude wϕ(nA)≡(wqA−1₎pA−1 _≡1pA−1 _{≡1 modq}

A.

Moreover,eAdA ≡1 modϕ(nA), and thuseAdA=jϕ(nA) +1

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Proof

Proof.By assumption,c=weA _modn

A. First, assume

gcd(w,nA) =1; then applying the Theorem of Euler

cdA _≡(weA₎dA _≡weAdA _≡w(eAdA)modϕ(nA)_≡wmodn

A,

sinceeAdA≡1 modϕ(nA).

What can be said if gcd(w,nA),1?

Suppose that exactly one of the two primespAandqAdoes

dividew, saypA. The Little Theorem of Fermat is telling us

wqA−1 ≡1 modqA.

Sinceϕ(n_A) = (p_A−1)(q_A−1), we can conclude wϕ(nA)_≡(wqA−1₎pA−1 _≡1pA−1 _{≡1 modq}

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Proof – continued

Consequently,

weAdA _≡wmodq

A.

But the last congruence is also true modulop_A, since, by assumption,p_Adividesw, and thusweAdA_−w≡_{0 modp}

A.

Hence, we can concludeweAdA _≡wmodn

A.

weAdA _{−w≡0 modp}

Aas well asweAdA −w≡0 modqA,

and thusweAdA _≡wmodn

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Proof – continued

Consequently,

weAdA _≡wmodq

A.

But the last congruence is also true modulop_A, since, by assumption,p_Adividesw, and thusweAdA_−w≡_{0 modp}

A.

Hence, we can concludeweAdA _≡wmodn

A.

Finally, if bothpAandqAdividew, then we trivially have

weAdA _{−w≡0 modp}

Aas well asweAdA −w≡0 modqA,

and thusweAdA ≡_wmodn

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem III

Question

What can be said concerning the security of the RSA cryptosystem?

as finding discrete roots modulo the composite numbern_A. Computing discrete roots must be judged as feasible if the prime factorization ofn_Ais known. Therefore, the

cryptanalysis of the RSA cryptosystem is as most as hard as factoring. However, there is no known efficient algorithm for factoring a large composite number except for quantum computers which are currently not available.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem III

Question

What can be said concerning the security of the RSA cryptosystem?

By its construction, breaking the RSA cipher is as most as hard as finding discrete roots modulo the composite numbern_A. Computing discrete roots must be judged as feasible if the prime factorization ofn_Ais known. Therefore, the

cryptanalysis of the RSA cryptosystem is as most as hard as factoring. However, there is no known efficient algorithm for factoring a large composite number except for quantum

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem IV

However, some care must be taken be choosing the primesp andq. Obviously, the chosen primes should be nowhere listed. Thus, testing primality is such an important problem.

p=2e_±1.

As mentioned above, the difference betweenpandqshould be large.For seeing this, we prove the following theorem:

Theorem 2

Letpandqbe primes such thatp > qandp−q=O((logp)c)for a “moderate” constantc∈_N. Then, there exists an efficient algorithm for factoringn=pq.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem IV

However, some care must be taken be choosing the primesp andq. Obviously, the chosen primes should be nowhere listed. Thus, testing primality is such an important problem.

Moreover, one has to avoid primes of special form, e.g., p=2e_±1.

As mentioned above, the difference betweenpandqshould be large.For seeing this, we prove the following theorem:

Theorem 2

Letpandqbe primes such thatp > qandp−q=O((logp)c)for a “moderate” constantc∈_N. Then, there exists an efficient algorithm for factoringn=pq.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem IV

However, some care must be taken be choosing the primesp andq. Obviously, the chosen primes should be nowhere listed. Thus, testing primality is such an important problem.

Moreover, one has to avoid primes of special form, e.g., p=2e_±1.

As mentioned above, the difference betweenpandqshould be large.For seeing this, we prove the following theorem:

Letpandqbe primes such thatp > qandp−q=O((logp)c)for a “moderate” constantc∈_N. Then, there exists an efficient algorithm for factoringn=pq.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem IV

However, some care must be taken be choosing the primesp andq. Obviously, the chosen primes should be nowhere listed. Thus, testing primality is such an important problem.

Moreover, one has to avoid primes of special form, e.g., p=2e_±1.

As mentioned above, the difference betweenpandqshould be large.For seeing this, we prove the following theorem:

Theorem 2

Letpandqbe primes such thatp > qandp−q=O((logp)c)for a “moderate” constantc∈_N. Then, there exists an efficient algorithm

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem V

Proof.Consider (p+q)2 4 −n= p2+2pq+q2−4pq 4 = (p−q)2 4 (4)

Thus, the left side is aperfect square. Then the following method may be applied for factoringn:

(1) Compute nwithin a precision ofb(logn+2)/2cbits. (2) Check forx=b√nc+1, b√nc+2, . . . whether or not

x2−nis a perfect square.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem V

Proof.Consider (p+q)2 4 −n= p2+2pq+q2−4pq 4 = (p−q)2 4 (4)

Thus, the left side is aperfect square. Then the following method may be applied for factoringn:

(1) Compute √nwithin a precision ofb(logn+2)/2cbits.

(2) Check forx=b√nc+1, b√nc+2, . . . whether or not x2−nis a perfect square.

The RSA Public Key Cryptosystem V

Proof.Consider (p+q)2 4 −n= p2+2pq+q2−4pq 4 = (p−q)2 4 (4)

Thus, the left side is aperfect square. Then the following method may be applied for factoringn:

(1) Compute √nwithin a precision ofb(logn+2)/2cbits. (2) Check forx=b√nc+1, b√nc+2, . . . whether or not

x2−nis a perfect square.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem VI

The correctness of the above algorithm can be shown as follows: First, assume that √nhas been computed within a precision ofb(logn+2)/2cbits. Then we haveb√nc. (Exercise). Next, observe that

p+q

2 >

√

pq= √n (5)

by applying the well-known inequality between arithmetic and geometric mean. Consequently,b√nc<(p+q)/2 (* note that (p+q)/2 is always an integer *). Thus, the algorithm must terminate by finding a perfect square and the firstxfound must fulfillx2₆ (p+q)2 by (4) and (5). Thus,x₆ p+q.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem VII

Case1. x = p+q 2 .

Letz2 =x2−n. By (4) we directly obtainz= p−₂q. Hence, x+z=pandx−z=q.

Case2. x <

2 .

Sincez2 =x2−nwe obtainn=x2−z2= (x+z)(x−z). Thus,

p=x+zandq=x−z, and therefore,(p+q)/2=x,a contradiction.

This proves the correctness.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem VII

Case1. x = p+q 2 .

Letz2 =x2−n. By (4) we directly obtainz= p−₂q. Hence, x+z=pandx−z=q.

Case2. x < p+q 2 .

Sincez2 =x2−nwe obtainn=x2−z2= (x+z)(x−z). Thus,

p=x+zandq=x−z, and therefore,(p+q)/2=x,a contradiction.

This proves the correctness.

The RSA Public Key Cryptosystem VII

Case1. x = p+q 2 .

Letz2 =x2−n. By (4) we directly obtainz= p−₂q. Hence, x+z=pandx−z=q.

Case2. x < p+q 2 .

Sincez2 =x2−nwe obtainn=x2−z2= (x+z)(x−z). Thus,

p=x+zandq=x−z, and therefore,(p+q)/2=x,a contradiction.

This proves the correctness.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The RSA Public Key Cryptosystem VIII

The computation of √nup to the desired precision can be easily performed using the Newton method, i.e.,

x<sub>`+1</sub>:=x`−

x2<sub>`</sub>−n 2x`

for`=0, . . . ,b(logn+2)/2c

withx₀ =n.

Taking into account that √

n > q=p− (p−q)≈p− (logp)cwe see by (4) that p+q 2 =p− p−q 2 ≈p− (logp)c 2 > √ n. (6) Hence,(p+q)/2 is only “a bit” greater than √n. Consequently, the algorithm has to try at most(logp)c/2 many candidates until its search terminates. But this is a polynomial in the length of the input, and hence we are done.

The RSA Public Key Cryptosystem VIII

The computation of √nup to the desired precision can be easily performed using the Newton method, i.e.,

x<sub>`+1</sub>:=x`−

x2<sub>`</sub>−n 2x`

for`=0, . . . ,b(logn+2)/2c

withx₀ =n. Taking into account that √

n > q=p− (p−q)≈p− (logp)cwe see by (4) that p+q 2 =p− p−q 2 ≈p− (logp)c 2 > √ n. (6) Hence,(p+q)/2 is only “a bit” greater than √n. Consequently, the algorithm has to try at most(logp)c/2 many candidates until its search terminates. But this is a polynomial in the

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The Diffie–Hellman Public Key Cryptosystem I

Finally, we take a look at theDiffie–HellmanPublic Key Cryptosystem. It is based on discrete logarithms. Problem: Discrete Logarithms

Input: Prime numberp∈N,b∈Z∗p, and a generatorgforZ∗p.

Problem: Compute the indexxsuch thatx=dlog_gb.

So far, there is no known algorithm efficiently computing discrete logarithms for any standard model of sequential or parallel computation. On the other hand, a quantum computer would be able to compute discrete logarithms in polynomial time.

The Diffie–Hellman Public Key Cryptosystem I

Finally, we take a look at theDiffie–HellmanPublic Key Cryptosystem. It is based on discrete logarithms. Problem: Discrete Logarithms

Input: Prime numberp∈N,b∈Z∗p, and a generatorgforZ∗p.

Problem: Compute the indexxsuch thatx=dlog_gb.

So far, there is no known algorithm efficiently computing discrete logarithms for any standard model of sequential or parallel computation. On the other hand, a quantum computer would be able to compute discrete logarithms in polynomial time.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The Diffie–Hellman Public Key Cryptosystem II

The Diffie–Hellman Public Key Cryptosystem requires a system designer.The system designer chooses a huge primeq (preferably more than 4000 bits) and a generatorgforZ∗q. The primeqand the generatorgare global information, and thus known to everybody participating in this public key cryptosystem.

Next, we describe how the public and the secret key,

respectively, are chosen by any participant. Subsequently, we provide the protocol used.

The Diffie–Hellman Public Key Cryptosystem II

The Diffie–Hellman Public Key Cryptosystem requires a system designer.The system designer chooses a huge primeq (preferably more than 4000 bits) and a generatorgforZ∗q. The primeqand the generatorgare global information, and thus known to everybody participating in this public key cryptosystem.

Next, we describe how the public and the secret key,

respectively, are chosen by any participant. Subsequently, we provide the protocol used.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The Diffie–Hellman Public Key Cryptosystem III

LetAbe any participant.

Achooses randomly a numberx_A ∈{2, . . . ,q−1}and computesy_A=gxA _{modq. That is,x}

A=dlog_gyA.

ParticipantApublishesyAas her public keyandkeepsxA

secret.

Now, letAandBbe any two participants who wish to communicate. Assume,Blikes to send a message toA. Then the following key is used:

Bcomputes the keyK_AB=yxB_A modq.

Assume,Alikes to send a message toB. Then,Acomputes K_BA=yxA_B modq.

The Diffie–Hellman Public Key Cryptosystem III

LetAbe any participant.

Achooses randomly a numberx_A ∈{2, . . . ,q−1}and computesy_A=gxA _{modq. That is,x}

A=dlog_gyA.

ParticipantApublishesyAas her public keyandkeepsxA

secret.

Now, letAandBbe any two participants who wish to communicate. Assume,Blikes to send a message toA. Then the following key is used:

Bcomputes the keyK_AB=yxB_A modq.

Assume,Alikes to send a message toB. Then,Acomputes K_BA=yxA

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The Diffie–Hellman Public Key Cryptosystem IV

The followingtheoremshows the usefulness of these keys: Theorem 3 K_AB=K_BA Proof. KAB = yx_AB ≡(gxA)xB ≡gxAxB ≡ (gxB₎xA _≡yxA B ≡KBAmodq.

The Diffie–Hellman Public Key Cryptosystem IV

The followingtheoremshows the usefulness of these keys: Theorem 3 K_AB=K_BA Proof. KAB = yx_AB ≡(gxA)xB ≡gxAxB ≡ (gxB₎xA _≡yxA B ≡KBAmodq.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Remarks

Note, however, thatAandBcomputeK_BAandK_AB,

respectively, usingdifferentinformation. That is,Acomputes K_BAusing her own secret keyx_Aand the public keyy_B

published byBwhile Bob calculatesK_BAfrom his secret keyx_B and Alice’s public keyyA.

On the other hand, any cryptanalyst does neither possessxA

norx_B, hence she must computeK_BAsolely fromy_Aandy_B. SinceKAB=y

dloggyB

A modqthis is at most as hard as

computing discrete logarithms. Moreover, so far no easier method is known for computingK_BAfromy_Aandy_B. Therefore, it is widely believed that computingKBAfromyA

Remarks

Note, however, thatAandBcomputeK_BAandK_AB,

respectively, usingdifferentinformation. That is,Acomputes K_BAusing her own secret keyx_Aand the public keyy_B

published byBwhile Bob calculatesK_BAfrom his secret keyx_B and Alice’s public keyyA.

On the other hand, any cryptanalyst does neither possessxA

norx_B, hence she must computeK_BAsolely fromy_Aandy_B. SinceKAB=y

dloggyB

A modqthis is at most as hard as

computing discrete logarithms. Moreover, so far no easier method is known for computingK_BAfromy_Aandy_B. Therefore, it is widely believed that computingKBAfromyA

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The Diffie–Hellman Public Key Cryptosystem V

Next, we describe how the partiesAandBcan communicate. Taking Theorem3into account, two possibilities are

imaginable. First, the system designer additionally provides any sufficiently advanced classical two-way cryptosystem, for example the AES. Then, any pair of users wishing to secretly communicate may use the keyK_BA. Thus,no key exchangeis required inadvance.

Note that public key cryptosystems are relatively slow compared to classical cryptosystems (at least to our present stage of technology and theoretical knowledge). Thus, it is sometimes more realistic to use them in the limited role in conjunction with a classical cryptosystem in which the actual messages are transmitted as described above.

The Diffie–Hellman Public Key Cryptosystem V

Next, we describe how the partiesAandBcan communicate. Taking Theorem3into account, two possibilities are

imaginable. First, the system designer additionally provides any sufficiently advanced classical two-way cryptosystem, for example the AES. Then, any pair of users wishing to secretly communicate may use the keyK_BA. Thus,no key exchangeis required inadvance.

Note that public key cryptosystems are relatively slow compared to classical cryptosystems (at least to our present stage of technology and theoretical knowledge). Thus, it is sometimes more realistic to use them in the limited role in conjunction with a classical cryptosystem in which the actual messages are transmitted as described above.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The Diffie–Hellman Public Key Cryptosystem VI

Second, the communication is performed by using directly the Diffie–Hellman system. The underlying idea is best explained using a bag having two locks.

Each partner possesses exclusivelyone keyfor one of the two locks. Initially, both locks are unlocked. Now,Aputs the messagewinto the bag and locksher lockwithher key. The bag is taken by a messenger who delivers the bag toB. Obviously,B isnotable tounlockthe bag right now, since he possesses only the key for the other lock. Therefore,Blockshislock usinghis key, and returns the bag to the messenger who is returning it to A. Now,Amayunlockher lock, but the bag remains anyway locked. Finally, the messenger delivers the bag again toB. Now, Bmayunlockthe bag usinghiskey, and thus, he finally has access to the secret messagew.

The Diffie–Hellman Public Key Cryptosystem VI

Second, the communication is performed by using directly the Diffie–Hellman system. The underlying idea is best explained using a bag having two locks.

Each partner possesses exclusivelyone keyfor one of the two locks. Initially, both locks are unlocked. Now,Aputs the messagewinto the bag and locksher lockwithher key. The bag is taken by a messenger who delivers the bag toB. Obviously,B isnotable tounlockthe bag right now, since he possesses only the key for the other lock. Therefore,Blockshislock usinghis key, and returns the bag to the messenger who is returning it to A. Now,Amayunlockher lock, but the bag remains anyway locked. Finally, the messenger delivers the bag again toB. Now, Bmayunlockthe bag usinghiskey, and thus, he finally has

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The Diffie–Hellman Public Key Cryptosystem VII

The protocol described above has the following advantage: The public messenger always delivered a locked bag. On the other hand,AandBcould exchange a secret message without exchanginganykey.

The impact of this method can be hardly overestimated. Looking back into the history of cryptography, we see that the cryptography community unanimously agreed, for thousands of years, that the only way for two parties to establish secure communications was to first exchange a secret key. This was so much common wisdom that nobody questioned it. If the recipient did not have a secret key giving her the information needed to decrypt the message efficiently, how could she be in a better position than an eavesdropper?

The Diffie–Hellman Public Key Cryptosystem VII

The protocol described above has the following advantage: The public messenger always delivered a locked bag. On the other hand,AandBcould exchange a secret message without exchanginganykey.

The impact of this method can be hardly overestimated. Looking back into the history of cryptography, we see that the cryptography community unanimously agreed, for thousands of years, that the only way for two parties to establish secure communications was to first exchange a secret key. This was so much common wisdom that nobody questioned it. If the recipient did not have a secret key giving her the information needed to decrypt the message efficiently, how could she be in a better position than an eavesdropper?

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The Diffie–Hellman Public Key Cryptosystem VIII

Now, we outline the formal realization of the idea described above to use a bag with two locks. For that purpose, a small modification of the choices forx_Aandx_B, respectively, has to be made. Again,AandBrandomly choose a numberxA andx_Bbetween 2 andq−1.

Additionally, they must ensure thatgcd(xA,q−1) =1 and gcd(xB,q−1) =1, respectively. This can be easily done by using the Euclidean algorithm, i.e., if the randomly chosen number does not fulfill this requirement a new number is randomly chosen until one is found that is relatively prime toq−1. Moreover, as shown previously the Euclidean algorithm can be also used for computing

The Diffie–Hellman Public Key Cryptosystem VIII

Now, we outline the formal realization of the idea described above to use a bag with two locks. For that purpose, a small modification of the choices forx_Aandx_B, respectively, has to be made. Again,AandBrandomly choose a numberxA andx_Bbetween 2 andq−1. Additionally, they must ensure thatgcd(xA,q−1) =1 and gcd(xB,q−1) =1, respectively. This can be easily done by using the Euclidean algorithm, i.e., if the randomly chosen number does not fulfill this requirement a new number is randomly chosen until one is found that is relatively prime toq−1. Moreover, as shown previously the Euclidean algorithm can be also used for computing

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

The Diffie–Hellman Public Key Cryptosystem IX

Suppose,Awishes to sendBa message, and letwbeA’s plaintext.

(i) AsendswxA _modqtoB, (ii) BreturnswxAxB _modqtoA,

(iii) Acomputes ˆw≡(wxAxB₎x−1A modqand sends the result ˆw toB,

(iv) Bdeciphers ˆwby calculating ˆwx−1B modq.

The correctness of the above algorithm is an immediate consequence of the Theorem of Euler.

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End

Intro General Scheme M–H PKCS The RSA PKCS The D–H PKCS End