Applied Cryptography Public Key Algorithms

Academic year: 2022


Sape J. Mullender

Huygens Systems Research Laboratory Universiteit Twente

Enschede

Public Key Cryptography

• Independently invented by Whitfield Diffie & Martin Hellman and Ralph Merkle in 1976

• Only three algorithms appear to work well: RSA, ElGamal, Rabin

• Chosen plaintext attack trivial: the encryption key is public

Knapsack Algorithm

No longer secure, but still interesting

Given a set of weights (all different), find a subset with a given weight.

Given a set of values $M_1, \ldots, M_n$ and a sum $S$, find $b_1, \ldots, b_n$ ($b_i \in \{0, 1\}$) such that

$$S = \sum_{i=1}^{n} b_i M_i$$

Solving this is NP hard.

Knapsack Algorithm

The plaintext is the string of $b_i$ and specifies ‘which weights’ to put in the knapsack. The key is the list of weights. The ciphertext is the resulting sum.

The algorithm relies on there being two knapsacks, one solvable in linear time, the other not. The easy one is modifiable into the hard one. The public key is the hard one.

The easy one is used to decrypt.

Superincreasing Knapsack

If the list of weights increases so fast that each subsequent weight weighs more than all the previous ones together, we have a superincreasing knapsack. With such weights, the knapsack problem is easy to solve:

Take the total weight and compare it to the largest weight. If greater, then that weight must be included; subtract it from the total and proceed with the next weight. If the total weight becomes zero in this process, the problem is solved. If not, there is no solution.

‘Normal’ Knapsacks

If the weights are not superincreasing, the problem becomes hard, essentially only solvable by trial and error.

For $n$ weights, there are $2^n$ sets of weights to be tried. Add one weight and finding the solution takes twice as long.

Creating a Knapsack Pair

We begin by creating a superincreasing knapsack $W = \{W_1, \ldots, W_k\}$ and construct a normal one by defining a modulus $n > \sum_{i=1}^{k} W_i$ and a multiplier $m$ that is co-prime with $n$ ($\gcd(n, m) = 1$). The new weights $w = \{w_1, \ldots, w_k\}$ are calculated by $w_i = W_i \cdot m \bmod n$.

The sequence $W$, together with $n$ and $m$, is the private key; the sequence $w$ is the public one. Real knapsacks should contain at least 250 items.

Encryption

To encrypt a message, break it up into blocks of k bits and compute the total weight of the knapsack using weights w (a one bit indicates presence, a zero bit absence of the corresponding weight).

Decryption

Multiply each of the total weights by $m^{-1} \bmod n$ and solve the superincreasing knapsack problem to recover the weights (and the bits). See example on p. 464/465.
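The whole knapsack scheme from the preceding slides (superincreasing solve, key pair creation, encryption, decryption), as an added Python example that is not part of the original slides. The eight weights, the modulus 761 and the multiplier 307 are small constructed values, and the function names are hypothetical.

```python
from math import gcd

def is_superincreasing(weights):
    """True if every weight exceeds the sum of all weights before it."""
    total = 0
    for x in weights:
        if x <= total:
            return False
        total += x
    return True

def make_public_key(W, n, m):
    """Disguise the easy knapsack W as the hard one: w_i = W_i * m mod n."""
    assert is_superincreasing(W) and n > sum(W) and gcd(n, m) == 1
    return [(Wi * m) % n for Wi in W]

def encrypt(bits, w):
    """One k-bit block: sum the public weights whose bit is 1."""
    assert len(bits) == len(w)
    return sum(wi for bit, wi in zip(bits, w) if bit)

def solve_superincreasing(total, W):
    """Greedy solve from the largest weight down; None if no subset fits.
    Uses >= so that a weight equal to the remaining total is taken."""
    bits = [0] * len(W)
    for i in reversed(range(len(W))):
        if total >= W[i]:
            bits[i] = 1
            total -= W[i]
    return bits if total == 0 else None

def decrypt(c, W, n, m):
    """Multiply by m^-1 mod n, then solve the easy (private) knapsack."""
    return solve_superincreasing((c * pow(m, -1, n)) % n, W)

# Constructed toy key with k = 8 items (far below the 250 the slides call for).
W = [3, 5, 11, 23, 47, 95, 191, 383]   # private, superincreasing, sum = 758
n, m = 761, 307                         # private modulus and multiplier
w = make_public_key(W, n, m)            # public weights

if __name__ == "__main__":
    block = [0, 1, 1, 0, 1, 0, 0, 1]
    c = encrypt(block, w)
    print("public key:", w, "ciphertext:", c, "decrypted:", decrypt(c, W, n, m))
```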

Security

The Knapsack algorithm has been broken by Shamir and Zippel (± 1982). They found ways to reconstruct the superincreasing knapsack from the original one.

Most variations on the knapsack algorithm have been broken by techniques very similar to those of Shamir and Zippel.

RSA

Named after Rivest, Shamir and Adleman, this one is nice and simple and quite secure to boot. This is how it works:

Choose two big primes $p$ and $q$ and use their product $n$ as the modulus of the algorithm.

Also choose $e$ and $d$ so that $e \cdot d \equiv 1 \pmod{\varphi(n)}$. Here $\varphi$ is Euler’s totient function again. Remember that $\varphi(p \cdot q) = (p - 1) \cdot (q - 1)$, and note that $d \equiv e^{-1} \pmod{\varphi(n)}$.

The public key is (n, e), the private key is (n, d).

Because $c^d \bmod n = (m^e \bmod n)^d \bmod n = (m^e)^d \bmod n = m^{e \cdot d} \bmod n = m^{\varphi(n)+1} \bmod n = m \cdot m^{\varphi(n)} \bmod n = m \bmod n$

Speed

RSA is a thousand times slower than DES. Choosing a small $e$ helps (e.g., 3, 17, or $2^{16} + 1$, which has just two one bits).

Security

Depends on the difficulty of factoring n. Guessing φ(n) is equivalent to this.

The largest product of primes ever factored had 129 digits.

Progress in factoring is constantly made, but at a rate of a few digits per year. Choosing n to have 300 digits or more (1000 bits or more) will keep the number theorists busy for quite some years.

If p and q are probabilistic primes, and they happen not to be, encryption and decryption won’t work properly. You may or may not notice. In any case, the probability of p and q not being prime can easily be made small enough that you won’t have to worry about it.
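An added example (not from the slides) of this last point, using the textbook key generation from the RSA slide with e = 3: it counts how many messages fail to decrypt when p is a true prime, a composite that passes a base-2 Fermat test, and a Carmichael number, and checks each p with a Miller-Rabin test. The values 101, 341, 561 and 107 and all function names are constructed for illustration.

```python
from math import gcd

def fermat_passes(n, base=2):
    """Weak probabilistic test: true for every odd prime, but also for some composites."""
    return pow(base, n - 1, n) == 1

def miller_rabin(n, bases=(2, 3, 5, 7)):
    """Strong probable-prime test; these four bases are exact for n < 3,215,031,751."""
    if n < 2:
        return False
    for small in bases:
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # -1 never appeared: a proves n composite
    return True

def make_key(p, q, e=3):
    """Key generation as on the slide: phi is taken to be (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return p * q, e, pow(e, -1, phi)

def roundtrip_failures(p, q, e=3):
    """Count messages m in [0, n) for which (m^e)^d mod n != m."""
    n, e, d = make_key(p, q, e)
    return sum(pow(pow(m, e, n), d, n) != m for m in range(n))

# Constructed cases: q = 107 is prime; 341 = 11*31 and 561 = 3*11*17 are composite.
CASES = {"prime p": 101, "pseudoprime p": 341, "Carmichael p": 561}
if __name__ == "__main__":
    for label, p in CASES.items():
        print(label, p, fermat_passes(p), miller_rabin(p), roundtrip_failures(p, 107))
```

With p = 341 most messages decrypt to the wrong value, while with p = 561 every message still round-trips, which is the "you may not notice" case. Miller-Rabin rejects both composites even though the base-2 Fermat test accepts them.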

There is much more about attacks in the book, but time is currently our enemy. Read up on it if you’re interested.

Rabin

Depends on the difficulty of finding modular square roots, which is just as hard as factoring.

Choose $n = p \cdot q$ where $p$ and $q$ are large primes and $p, q \equiv 3 \pmod 4$. $p$ and $q$ are the private key, $n$ is the public key.

Encryption: $c = m^2 \bmod n$

Decryption is more cumbersome ...

Decryption

Let $a = q(q^{-1} \bmod p)$ and $b = p(p^{-1} \bmod q)$

$m_1 = c^{(p+1)/4} \bmod p$, $m_3 = c^{(q+1)/4} \bmod q$

$m_2 = (p - c^{(p+1)/4}) \bmod p$, $m_4 = (q - c^{(q+1)/4}) \bmod q$

$M_1 = (a m_1 + b m_3) \bmod n$, $M_3 = (a m_2 + b m_3) \bmod n$

$M_2 = (a m_1 + b m_4) \bmod n$, $M_4 = (a m_2 + b m_4) \bmod n$

One of $M_1, \ldots, M_4$ is the plaintext message. Redundancy will reveal which.

Williams invented refinements that eliminate having to choose
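The Rabin decryption formulas above, as an added Python example that is not part of the original slides. The primes 10007 and 10039 are constructed toy values, and the redundancy scheme (a 12-bit payload written twice) is a hypothetical choice made only so the true root can be recognised among the four.

```python
P, Q = 10007, 10039          # constructed toy primes, both congruent to 3 mod 4
N = P * Q                    # public key

def add_redundancy(payload):
    """Hypothetical padding: a 12-bit payload written twice."""
    assert 0 < payload < 4096
    return (payload << 12) | payload

def encrypt(m):
    """c = m^2 mod n"""
    return pow(m, 2, N)

def four_roots(c):
    """Square roots mod p and mod q, combined with a and b as on the slide."""
    a = Q * pow(Q, -1, P)            # a = 1 mod p, a = 0 mod q
    b = P * pow(P, -1, Q)            # b = 0 mod p, b = 1 mod q
    m1 = pow(c, (P + 1) // 4, P)
    m2 = (P - m1) % P
    m3 = pow(c, (Q + 1) // 4, Q)
    m4 = (Q - m3) % Q
    return [(a * m1 + b * m3) % N,   # M1
            (a * m1 + b * m4) % N,   # M2
            (a * m2 + b * m3) % N,   # M3
            (a * m2 + b * m4) % N]   # M4

def decrypt(c):
    """Payloads of the roots whose two 12-bit halves agree (normally exactly one)."""
    return [r & 0xFFF for r in four_roots(c)
            if r < (1 << 24) and (r >> 12) == (r & 0xFFF)]

if __name__ == "__main__":
    c = encrypt(add_redundancy(0xABC))
    print("ciphertext:", c)
    print("four roots:", four_roots(c))
    print("payloads passing the redundancy check:", [hex(x) for x in decrypt(c)])
```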

ElGamal

ElGamal depends on the difficulty of finding logarithms in a finite field (finding $x$ such that $a^x \equiv y \pmod n$).

Choose $p$ prime and $g$, $x$ less than $p$. Calculate $y = g^x \bmod p$.

The public key is (y, g, p). The secret key is (x, g, p).

Signing with ElGamal

1. Choose random $k$

2. Compute $a = g^k \bmod p$

3. Use the extended Euclidean algorithm to solve for $b$ in $M = (xa + kb) \bmod (p - 1)$

4. The signature is $(a, b)$; $k$ must be kept secret.

To verify, confirm that $y^a a^b \equiv g^M \pmod p$.

Note that k can be used to recover x, so it must be kept just as secret as the secret key itself. It’s best to discard k

Encrypting with ElGamal

1. Choose random $k$ co-prime with $p - 1$

2. Compute $a = g^k \bmod p$ and $b = y^k M \bmod p$

3. The ciphertext is $(a, b)$ (it’s twice the size of the plaintext)

To decrypt: $M = b / a^x \bmod p$
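ElGamal signing and encryption from the two slides above, as an added Python example that is not part of the original slides; the last function shows why the signing slide insists that $k$ be kept secret. The parameters p = 2579, g = 2, x = 765 and the sample M and k are constructed toy values, and the function names are hypothetical.

```python
from math import gcd

P, G = 2579, 2               # constructed toy parameters; 2 generates the group mod 2579
X = 765                      # secret key x
Y = pow(G, X, P)             # public key component y = g^x mod p

def sign(M, k):
    assert gcd(k, P - 1) == 1                 # k needs an inverse mod p-1
    a = pow(G, k, P)
    # Solve M = x*a + k*b (mod p-1) for b; pow(k, -1, .) is the modular inverse.
    b = ((M - X * a) * pow(k, -1, P - 1)) % (P - 1)
    return a, b

def verify(M, sig):
    a, b = sig
    return 0 < a < P and (pow(Y, a, P) * pow(a, b, P)) % P == pow(G, M, P)

def encrypt(M, k):
    assert gcd(k, P - 1) == 1
    return pow(G, k, P), (pow(Y, k, P) * M) % P

def decrypt(ct):
    a, b = ct
    return (b * pow(pow(a, X, P), -1, P)) % P   # M = b / a^x mod p

def x_from_leaked_k(M, sig, k):
    """With k known, M = x*a + k*b (mod p-1) is a linear equation in x."""
    a, b = sig
    mod = P - 1
    t = (M - k * b) % mod
    d = gcd(a, mod)                              # a*x = t (mod p-1) has d solutions
    x0 = (t // d) * pow(a // d, -1, mod // d) % (mod // d)
    for j in range(d):                           # the public y picks the right one
        x = x0 + j * (mod // d)
        if pow(G, x, P) == Y:
            return x
    return None

if __name__ == "__main__":
    sig = sign(1299, 853)
    print("signature:", sig, "valid:", verify(1299, sig))
    print("decrypted:", decrypt(encrypt(1299, 853)))
    print("x recovered from leaked k:", x_from_leaked_k(1299, sig, 853))
```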

Patents

All these public-key systems are patented (in the US) with the exception of ElGamal.

It has not yet been tested whether these patents stand up in court.
