
Chapter 5 Cryptography

CSE 825

Michigan State University Computer Science and Engineering

Cryptography, as covered in the text, seems worth spending some class time on


Egyptians used cryptography 4000 years ago.


Monoalphabetic Substitution Cipher

Julius Caesar (50 BC) used it. The key is a permutation of the alphabet:

plaintext:  abcdefghijklmnopqrstuvwxyz
ciphertext: SECURITYABDFGHJKLMNOPQVWXZ

What is "YRFFJ VJMFU"?

Given about 150 words of ciphertext, a computer can determine the key. Humans do better.



Given a sufficiently large encoded message, it can readily be "cracked" by comparing the frequency of letter occurrences in the coded message with the frequency of letter occurrences in the language used for the message.

Letter frequencies in the English language (relative frequency per letter, recovered from the slide's bar chart):

E 0.127   T 0.091   A 0.082   O 0.075   I 0.070   N 0.067   S 0.063
H 0.061   R 0.060   D 0.043   L 0.040   C 0.028   U 0.028   M 0.024
W 0.023   F 0.022   G 0.020   Y 0.020   P 0.019   B 0.015   V 0.010
K 0.008   J 0.002   Q 0.001   X 0.001   Z 0.001
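An added example (not from the slides) that applies the key from the previous slide in code and runs the frequency comparison described here; the sample English text it analyses is constructed for the example, not taken from the lecture:

```python
"""Frequency analysis against the slide's monoalphabetic key (added example)."""
from collections import Counter
import string

PLAIN_ALPHABET = string.ascii_uppercase
CIPHER_ALPHABET = "SECURITYABDFGHJKLMNOPQVWXZ"  # the slide's key: a->S, b->E, ...

# English letter frequencies as on the slide (relative frequency per letter).
ENGLISH_FREQ = {
    "E": 0.127, "T": 0.091, "A": 0.082, "O": 0.075, "I": 0.070, "N": 0.067,
    "S": 0.063, "H": 0.061, "R": 0.060, "D": 0.043, "L": 0.040, "C": 0.028,
    "U": 0.028, "M": 0.024, "W": 0.023, "F": 0.022, "G": 0.020, "Y": 0.020,
    "P": 0.019, "B": 0.015, "V": 0.010, "K": 0.008, "J": 0.002, "Q": 0.001,
    "X": 0.001, "Z": 0.001,
}

def substitute(text, src, dst):
    """Map each letter found in `src` to the letter at the same position in `dst`."""
    return text.upper().translate(str.maketrans(src, dst))

def encrypt(plaintext):
    return substitute(plaintext, PLAIN_ALPHABET, CIPHER_ALPHABET)

def decrypt(ciphertext):
    return substitute(ciphertext, CIPHER_ALPHABET, PLAIN_ALPHABET)

def letter_frequencies(text):
    """Relative frequency of each A-Z letter in `text`; non-letters are ignored."""
    letters = [c for c in text.upper() if c in PLAIN_ALPHABET]
    counts = Counter(letters)
    total = len(letters) or 1
    return {c: counts[c] / total for c in PLAIN_ALPHABET}

def guess_key_by_frequency(ciphertext):
    """Pair ciphertext letters, most frequent first, with E, T, A, O, I, N, ...

    Returns ciphertext_letter -> guessed plaintext letter. Only the high-frequency
    end of the ranking is reliable; the rest is refined from word patterns.
    """
    freq = letter_frequencies(ciphertext)
    ranked_cipher = sorted(PLAIN_ALPHABET, key=lambda c: (-freq[c], c))
    ranked_english = sorted(ENGLISH_FREQ, key=lambda c: (-ENGLISH_FREQ[c], c))
    return dict(zip(ranked_cipher, ranked_english))

# Constructed sample plaintext (not from the slides), long enough for counts to matter.
SAMPLE_PLAINTEXT = (
    "the frequency of letters in english text is far from uniform the letter e "
    "appears more often than any other and the letter t comes second when a "
    "cipher merely renames each letter those frequencies survive in the "
    "ciphertext and the renaming can be undone one letter at a time"
)

def partial_recovery(ciphertext, top=3):
    """How many of the `top` most frequent ciphertext letters the guess decodes correctly."""
    guess = guess_key_by_frequency(ciphertext)
    freq = letter_frequencies(ciphertext)
    ranked = sorted(PLAIN_ALPHABET, key=lambda c: (-freq[c], c))[:top]
    return sum(1 for c in ranked if guess[c] == decrypt(c))
```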

Improvements

Stream cipher: the encryption rule depends on the plaintext symbol's position in the stream of plaintext symbols.

Block cipher: encrypt several plaintext symbols at once, as a block.


Stream
As the name implies, you generate a long stream of ciphertext from a shorter key.


Vigenère: Stream Cipher


16th-century polyalphabetic cipher based on using successively shifted alphabet.


Method 1: using key LUCKY to encode the first two letters, CO
1. Select rows L, U
2. Select columns C, O
3. Result is NI


Method 2: use key LUCKY to select rows, in order, then use only those rows for the table (next slide).


Method 2 (cont.): key LUCKY is in the repeated rows. Use the plaintext letter for the column and then use the rows one at a time (next slide).

To encode the first letter, C, we use the row of the code table indicated by the arrow and the column indicated by the arrow; hence the letter N is substituted for C.

The next letter to be encoded is O. We now use the second shifted alphabet from the code table and the column headed by the letter O.


Note that the letter I in the message corresponds to four different letters in the encoded message (i.e. a stream cipher). Also in the encoded message the letter E was substituted for two different letters of the original message. Such many-to-one substitutions make letter frequency counting much more difficult.


The text describes the same process mathematically and much more simply:

C = (P + K) mod 26

where
P = alphabetic position of the plaintext character
K = alphabetic position of the key character
C = alphabetic position of the cipher character


Cracking the Vigenère Cipher

For 300 years the Vigenère cipher was considered to be practically unbreakable. Then in 1863 a Prussian military officer noticed that, given a long enough piece of ciphertext, repeated patterns appear at multiples of the keyword length. A letter frequency analysis could then be applied (see text for example).
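The C = (P + K) mod 26 rule and the repeated-pattern observation above, as an added example that is not part of the slides; LUCKY is the key from the earlier slides, and the plaintext with deliberately repeated phrases is constructed here:

```python
"""Vigenère via C = (P + K) mod 26, and the Kasiski repeat test for key length (added example)."""
from collections import defaultdict

A = ord("A")

def vigenere(text, key, decrypt=False):
    """Shift each letter by the key letter at the same position in the key stream."""
    letters = [c for c in text.upper() if c.isalpha()]
    key = key.upper()
    out = []
    for i, c in enumerate(letters):
        p, k = ord(c) - A, ord(key[i % len(key)]) - A
        out.append(chr(A + (p - k if decrypt else p + k) % 26))
    return "".join(out)

def repeated_trigram_distances(ciphertext):
    """Distances between consecutive occurrences of every repeated 3-letter group.

    Repeated plaintext encrypted at positions a multiple of the key length apart
    produces repeated ciphertext, so these distances tend to share the key length.
    """
    positions = defaultdict(list)
    for i in range(len(ciphertext) - 2):
        positions[ciphertext[i:i + 3]].append(i)
    return [b - a for pos in positions.values() for a, b in zip(pos, pos[1:])]

def likely_key_length(ciphertext, max_len=12):
    """Candidate length that divides the most repeat distances (ties favour the shorter)."""
    distances = repeated_trigram_distances(ciphertext)
    best, best_hits = 1, -1
    for n in range(2, max_len + 1):
        hits = sum(1 for d in distances if d % n == 0)
        if hits > best_hits:
            best, best_hits = n, hits
    return best

# Constructed plaintext (not from the slides) with phrases repeated 20 and 25
# letters apart, both multiples of the LUCKY key length of 5.
PLAINTEXT = ("ATTACKATDAWNTOMORROW" "ATTACKATDAWNTHURSDAY"
             "ANDRETREAT" "ATDUSKANDIFNOTTHEN" "RETREAT" "ATDAWN")
```

Once the key length is known, every fifth ciphertext letter was shifted by the same key letter, so the frequency analysis of the monoalphabetic case applies to each of the five sub-streams separately.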

One-Time Pad
Since repetition is a weakness, one solution is for the key sequence to be as long as the plaintext and to never repeat. The one-time pad (WWI) can provide that. Encryption/Decryption is simply an XOR of the plaintext stream with the keystream.


Perfect Secrecy
A cipher has perfect secrecy if and only if there are as many possible keys as possible plaintexts, and if every key is equally likely. The one-time pad is the only one which provides perfect secrecy (Shannon).

Expansion
Key distribution is expensive for one-time pads so it is more common for stream ciphers to use a suitable pseudorandom number generator to expand a short key into a long keystream.

Text Themes
Repetition is bad: any repetition provides sufficient clues for cracking. Also, how you use a cipher is as important as the quality of the cipher itself, e.g. if you use it in a way that allows repetition, you lose.
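An added example (not from the slides) that puts the one-time pad, the cost of reusing a pad, and the expansion of a short key into a keystream side by side; the HMAC-SHA256 counter-mode generator is an assumption chosen for illustration, not the lecture's pseudorandom number generator:

```python
"""One-time pad by XOR, what pad reuse leaks, and keystream expansion from a short key (added example)."""
import hashlib
import hmac
import os

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(plaintext, pad):
    """One-time pad: the pad must be random, at least as long as the message, and never reused."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the plaintext")
    return xor_bytes(plaintext, pad)

otp_decrypt = otp_encrypt  # XOR is its own inverse

def two_time_pad_leak(c1, c2):
    """Two messages under the same pad: c1 xor c2 == p1 xor p2, the pad cancels entirely."""
    return xor_bytes(c1, c2)

def expand_keystream(short_key, length, nonce):
    """Expand a short key into a long keystream, as stream ciphers do.

    Assumption (not from the slides): HMAC-SHA256 over (nonce || counter) as the
    pseudorandom generator. The nonce must not repeat under the same key, or the
    keystream repeats and the two-time-pad problem returns.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(short_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def stream_encrypt(plaintext, short_key, nonce):
    return xor_bytes(plaintext, expand_keystream(short_key, len(plaintext), nonce))

stream_decrypt = stream_encrypt

def otp_round_trips():
    p = b"attack at dawn"
    pad = os.urandom(len(p))
    return otp_decrypt(otp_encrypt(p, pad), pad) == p

def reuse_leaks_plaintext_xor():
    p1, p2 = b"attack at dawn", b"retreat at six"
    pad = os.urandom(len(p1))
    leak = two_time_pad_leak(otp_encrypt(p1, pad), otp_encrypt(p2, pad))
    return leak == xor_bytes(p1, p2)

def short_pad_rejected():
    try:
        otp_encrypt(b"abc", b"ab")
    except ValueError:
        return True
    return False
```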

Block vs. stream ciphers

Block cipher: encrypts and decrypts one block at a time.
Stream cipher: encrypts and decrypts one character (or even a bit) at a time.


Block Cipher

Divide the input bit stream into n-bit sections; encrypt only that section, with no dependency/history between sections.

Courtesy: Andreas Steffen

In a good block cipher, each output bit is a function of all n input bits and all k key bits.

Stream Cipher

Rather than divide the bit stream into discrete blocks, as block ciphers do, XOR each bit of your continuous plaintext stream with a bit from a pseudo-random sequence. At the receiver, use the same symmetric key and XOR again to extract the plaintext.

Diffusion and confusion

(Claude Shannon)

Diffusion: change a character of the plaintext, and several characters of the ciphertext should change. The statistical characteristics of letters in the plaintext are diffused over many letters in the ciphertext. Result: much more ciphertext is needed to do a meaningful statistical attack.

Confusion: the key does not relate in a simple way to the ciphertext. Each character of the ciphertext should depend on many parts of the key. The key cannot be solved piece by piece.

Vigenère allowed letter frequency analysis; block ciphers flatten that distribution.

Playfair
(simple block cipher)

Block: 5x5 grid of letters without J

Algorithm: if two letters are in the same row or column, replace them by the succeeding letters. Otherwise, the two letters stand at two of the corners of a rectangle; replace them with the letters at the other two corners.

Playfair

Invented around 1854 by Sir Charles Wheatstone

Keyword:    playfair
Plaintext:  meet at the schoolhouse
Plaintext1: me et at th es ch ox ol ho us ex
Ciphertext: eg mn fq qm kn bk sv vr gq xn ku

Grid (keyword letters first, then the rest of the alphabet, J omitted):

P L A Y F
I R B C D
E G H K M
N O Q S T
U V W X Z

Analysis

Playfair allows one character change in the input to change one character in the output. We want small changes in the input to diffuse completely through the output. Playfair has a block length of two. DES, a modern block cipher, has a block length of 64; DES's replacement, AES, has a block length of 128.
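Playfair with the slide's keyword and plaintext, as an added example that is not part of the lecture material; the last function measures the limited diffusion the Analysis slide points out, using a one-letter change constructed for the example:

```python
"""Playfair with the slide's keyword, and why its block of two barely diffuses (added example)."""
import string

def build_square(keyword):
    """5x5 square: keyword letters (deduplicated) then the rest, with J merged into I."""
    seen = []
    for ch in keyword.upper() + string.ascii_uppercase:
        ch = "I" if ch == "J" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return [seen[i:i + 5] for i in range(0, 25, 5)]

def prepare(plaintext):
    """Letters only, J->I, split a doubled pair with X, pad an odd length with X."""
    letters = [("I" if c == "J" else c) for c in plaintext.upper() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "X"
        if a == b:
            pairs.append(a + "X")
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs

def playfair(pairs, keyword, decrypt=False):
    """Same row: succeeding letter (preceding on decrypt); same column: letter below
    (above on decrypt); otherwise the other two corners of the rectangle."""
    square = build_square(keyword)
    pos = {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}
    step = -1 if decrypt else 1
    out = []
    for pair in pairs:
        a, b = pair.upper()
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:
            out.append(square[ra][(ca + step) % 5] + square[rb][(cb + step) % 5])
        elif ca == cb:
            out.append(square[(ra + step) % 5][ca] + square[(rb + step) % 5][cb])
        else:
            out.append(square[ra][cb] + square[rb][ca])
    return " ".join(out).lower()

def encrypt(plaintext, keyword):
    return playfair(prepare(plaintext), keyword)

def decrypt(ciphertext, keyword):
    return playfair(ciphertext.split(), keyword, decrypt=True)

def changed_positions(a, b):
    """Number of differing ciphertext letters: a one-letter input change touches one pair at most."""
    return sum(1 for x, y in zip(a.replace(" ", ""), b.replace(" ", "")) if x != y)
```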

Random Function: Desirable Characteristics

1. One-way function: a trivial example is a sum: the sum of two numbers tells you nothing about the two numbers.
2. The output will not provide any information about any part of the input.
3. Hard to find collisions: M1 ≠ M2 with h(M1) = h(M2).

Birthday Theorem

How many people do you invite to your party so that two will have the same birthday (with high probability)? You need roughly N ≈ √365 people to have a high probability of a collision.

Birthday Attack

A birthday attack is a name used to refer to a class of brute-force attacks.

Birthday paradox: the probability that two or more people in a group of 23 share the same birthday is greater than 1/2.

General formulation: a function f() whose output is uniformly distributed over a domain of size N. On repeated random inputs n = {n1, n2, ..., nk}, a collision ni = nj for some 1 <= i < j <= k becomes likely (probability about 1/2) once k ≈ 1.2·N^(1/2). E.g., 1.2·365^(1/2) ≈ 23.

Q: Why is resilience to birthday attacks important?
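The birthday bound of the last two slides, and the collision search it predicts, as an added example (not from the slides); the truncated SHA-256 standing in for a short hash and the "msg-" input prefix are constructed for illustration:

```python
"""Birthday bound, and a birthday collision on a truncated hash (added example)."""
import hashlib

def collision_probability(k, n):
    """Exact P(at least one collision) for k uniform draws from n values."""
    p_distinct = 1.0
    for i in range(k):
        p_distinct *= (n - i) / n
    return 1 - p_distinct

def draws_for_even_odds(n):
    """Smallest k with P(collision) > 1/2; compare with the slide's 1.2 * sqrt(n)."""
    k = 1
    while collision_probability(k, n) <= 0.5:
        k += 1
    return k

def truncated_hash(msg, bits):
    """First `bits` bits of SHA-256, standing in for a hash with a small output."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits, prefix=b"msg-"):
    """Hash sequential inputs until two share a truncated digest.

    The number of hashes needed grows like 2^(bits/2), not 2^bits: this is why
    a hash output must be twice the length of the security level it should offer.
    Returns (first message, second message, hashes computed).
    """
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1
```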

Feistel Cipher

Horst Feistel, IBM, 1950s; on the team that developed DES. He used multiple rounds of permutation blocks which were reversible.

Notation: (f1, f2, f3) represents three Feistel cipher rounds.

Luby-Rackoff
(proof of Feistel ciphers)

If the fi were random functions, then (f1, f2, f3) was indistinguishable from a random permutation under chosen plaintext attack.
(Chosen plaintext attack: the opponent chooses some number of plaintext inputs and sees the corresponding ciphertext outputs.)

Luby-Rackoff
(proof of Feistel ciphers)

If the fi were random functions, (f1, f2, f3, f4) was indistinguishable under chosen plaintext/ciphertext attack, i.e. it was a pseudorandom permutation. That is, four rounds of Feistel are enough.
(Chosen plaintext/ciphertext attack: the opponent can choose either plaintext or ciphertext and see the corresponding result.)

How the Feistel Cipher Scheme works

1. All conventional encryption schemes have the same structure.
2. The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K.
3. The plaintext block is divided into two halves: Li and Ri.
4. The two halves pass through n rounds of processing and then combine to produce the ciphertext block.

How the Feistel Cipher Scheme works

5. Each round i has inputs Li-1 and Ri-1, derived from the previous round, as well as a unique subkey Ki generated by a subkey generation algorithm.
6. All rounds have the same structure, which involves substitution (mapping) and transposition (rearrangement of data) using a round function F and subkey Ki.

Decryption with the Feistel Cipher Structure

Decryption with a Feistel cipher is the same as the encryption process. The rule is to use the ciphertext as input to the same encryption algorithm but use the subkeys Ki in reverse order: use Kn in round 1, Kn-1 in round 2, and so on until K1 is used in round n. The output will be the plaintext. The advantage of this scheme is that we use the same algorithm for both encryption and decryption.

Feistel Cipher Structure

Virtually all conventional block encryption algorithms, including the Data Encryption Standard (DES), have the same structure, first described by Horst Feistel of IBM in 1973. The realization or development of a Feistel encryption scheme depends on the choice of the following parameters and design features (see next slide):

Feistel Cipher Structure

Block size: larger block sizes mean greater security but slower processing.
Key size: larger key size means greater security but slower processing.
Number of rounds: multiple rounds offer increasing security but slower processing.
Subkey generation algorithm: greater complexity will lead to greater difficulty of cryptanalysis.
Round function: greater complexity will lead to greater difficulty of cryptanalysis.
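An added example (not from the slides) of the Feistel structure described on the preceding slides, the reversed-subkey decryption, and the Luby-Rackoff round-count claim; the SHA-256-based round function and subkey schedule are assumptions chosen for illustration:

```python
"""A Feistel network, decryption with reversed subkeys, and the Luby-Rackoff two-round test (added example)."""
import hashlib

HALF = 8  # bytes per half: a 2w-bit block with w = 64

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_function(right, subkey):
    """F(R, K_i). Assumption (not from the slides): SHA-256 truncated to w bits as the PRF."""
    return hashlib.sha256(subkey + right).digest()[:HALF]

def subkeys(key, rounds):
    """Assumed subkey schedule: K_i = SHA-256(key || i), truncated to w bits."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(rounds)]

def feistel(block, keys):
    """L_i = R_{i-1}; R_i = L_{i-1} xor F(R_{i-1}, K_i); halves swapped once at the end."""
    left, right = block[:HALF], block[HALF:]
    for k in keys:
        left, right = right, xor(left, round_function(right, k))
    return right + left

def encrypt(block, key, rounds=4):
    return feistel(block, subkeys(key, rounds))

def decrypt(block, key, rounds=4):
    """The same routine; only the subkey order is reversed (K_n first, K_1 last)."""
    return feistel(block, subkeys(key, rounds)[::-1])

def two_round_leak(key, rounds):
    """Encrypt two blocks that share the right half R_0 and compare the outputs.

    After two rounds the output's second half is L_0 xor F(R_0, K_1), so the XOR of
    the two outputs' second halves equals the XOR of the two plaintext left halves:
    a relation a random permutation would not show. From three rounds on it vanishes.
    Returns True when the relation holds.
    """
    shared_right = bytes(HALF)
    p1, p2 = b"\x01" * HALF + shared_right, b"\x02" * HALF + shared_right
    c1, c2 = encrypt(p1, key, rounds), encrypt(p2, key, rounds)
    return xor(c1[HALF:], c2[HALF:]) == xor(p1[:HALF], p2[:HALF])
```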

A Brief History of DES

In 1974, IBM proposed "Lucifer", an encryption algorithm using 64-bit keys. Two years later (1977), NBS (now NIST), in consultation with NSA, made a modified version of that algorithm into a standard.

DES was the most widely-used block cipher in the 80s and 90s. (e.g. Funds transfer security in banks)


DES

Consists of several phases:
1. An initial permutation (IP)
2. Key transformation
3. 16 rounds of:
   - Expansion permutation of the input (avalanche effect): expands 32 bits to 48 bits, thus a single bit affects 2 substitutions, and the dependency of output bits on input bits spreads faster
   - S-box substitution (confusion)
   - P-box permutation (diffusion)
4. A final permutation (IP^-1)

DES Algorithm


PeDEStrian attacks

Obvious attack: guess the key. 2^56 keys.
Complementation property: 2^55 keys.
At 1 million keys per second: 1100 years.
Store E_K(P1) for all K: 512 petabytes.

DEStroying Security

Differential cryptanalysis (1990) (in text): say you know plaintext/ciphertext pairs. Difference dP = P1 ⊕ P2, dC = C1 ⊕ C2. The distribution of dCs given dP may reveal the key. Need lots of pairs to get lots of good dPs. Look at pairs, build up the key in pieces. Could find some bits, then brute-force the rest.

DEServing of Praise

Against 8-round DES, the attack requires:
2^14 = 16,384 chosen plaintexts, or 2^38 known plaintext-ciphertext pairs.

Against 16-round DES, the attack requires:
2^47 chosen plaintexts, or roughly 2^55.1 known plaintext-ciphertext pairs.

Differential cryptanalysis is not effective; the designers knew about it.

DESperate measures

Linear cryptanalysis (in text): look at the algorithm structure and find places where, if you XOR plaintext and ciphertext bits together, you get key bits. The S-boxes are not linear, but can be approximated.

Needs 2^43 known pairs; this is the best known attack. DES apparently was not optimized against this. Still, not an easy-to-mount attack.

Characteristics of DES

Dependence: all output bits depend on all input bits.
Avalanche effect: a small alteration of the plaintext results in a large change of the ciphertext. A small change in the key results in a large change in the ciphertext.
Small space (4) of weak keys. A pair of keys is weak if after two subsequent encipherments with the keys we get the original plaintext. 12 semi-weak keys (the inverse of the key is another key).
Complementarity: DES_k(P) = C implies DES_co(k)(co(P)) = co(C).

Cracking DES

In the summer of 1998, the Electronic Frontier Foundation (EFF) built a DES cracker machine at a cost of $250,000. It had 1536 chips, worked at a rate of 88 billion keys per second, and was able to break a DES encrypted message in 56 hours. One year later, with the cracker working in tandem with 100,000 PCs over the Internet, a DES encrypted message was cracked in only 22 hours. They were testing 245 billion keys per second.

DES Problem

The key is too short (56 bits). A linear attack requiring 2^42 known texts exists, but from a practical standpoint even 2^40 known texts is impractical.

3DES

One common way to make DES more secure today is to encrypt three times using DES: triple-DES (3DES). It provides us with a key space of 2^112 keys. 3DES is extremely slow, so a better algorithm was needed.

Triple DES (3-DES)

The keyspace of DES is too small. 3-DES was designed to use the widely installed base of DES.

Why not just use DES twice? It is subject to a meet-in-the-middle attack: a known plaintext attack is one order of magnitude harder in double DES than in single DES.

Alright, how about using 3 keys? Key space unwieldy? Backwards compatibility with DES.

The Advanced Encryption Standard (AES)

Although Triple DES can solve the key length problem, it has slow operation and a short block length (64 bits). NIST worked with the cryptographic community to develop the Advanced Encryption Standard (AES). AES has a block length of 128 bits, supporting key sizes of 128, 192 and 256 bits. Rijndael, developed by Daemen and Rijmen from Belgium, was selected to be the AES. The effective date of AES was May 26, 2002. NIST anticipates that AES will be in use for 20-30 years. NIST plans to formally reevaluate AES every 5 years and make the needed maintenance.

AES Requirements

Motivation: to replace DES with a single block encryption algorithm with a strength equal to or better than 3DES and with significantly improved efficiency.

Minimum acceptability requirements: implement symmetric (private) key cryptography; be a block cipher; work on 128-bit blocks with three key sizes: 128, 192, 256 bits.

AES Evaluation Criteria

Security
Actual security compared to other submitted algorithms. Extent to which output is indistinguishable from a random permutation on the input block. Soundness of the mathematical basis for the algorithm's security. Other security factors raised by the public, including demonstrations of cryptanalytic attacks.

Cost
Licensing requirements: available on a worldwide, nonexclusive, royalty-free basis. Computational efficiency: applicable to both hardware and software implementations; speed of algorithms under specified platforms. Memory requirements: applicable to both hardware and software implementations; factors e.g. gate counts, code size, RAM requirements.

Algorithm and Implementation Characteristics
Flexibility: can accommodate additional key and block sizes (64-bit blocks, keys between 128 and 256 bits that are multiples of 32); can be implemented securely and efficiently in a wide variety of platforms and applications, e.g. 8-bit processors, ATM networks, voice and satellite communications, HDTV; can be implemented as a stream cipher, MAC generator, pseudorandom number generator, hashing algorithm. Hardware and software suitability. Simplicity of design.

Block Cipher Design

General design principles:
Confusion: obscure the relationship among key, plaintext and ciphertext.
Diffusion: every bit of plaintext influences each bit of ciphertext.
Iteration: thorough mixing of bits.
Related: balance, non-linearity, correlation-immunity.

Rijndael Encryption Algorithm

    Rijndael(State, Key) {
        KeyExpansion(Key, ExpandedKey);
        AddRoundKey(State, ExpandedKey);
        for (i = 1; i < 10; i++)
            Round(State, ExpandedKey + 4*i);
        FinalRound(State, ExpandedKey + 4*10);
    }

    Round(State, RoundKey) {
        ByteSub(State);
        ShiftRow(State);
        MixColumn(State);
        AddRoundKey(State, RoundKey);
    }

State -- array of 4 words (each 32 bits) of a block
No. of Rounds -- 10 rounds for the key-block combination of 128-128 bits
KeyExpansion -- consists of XOR of key words (each 32 bits), S-box lookups, intra-word byte rotation
AddRoundKey -- bitwise XOR with key words, for whitening
FinalRound -- similar to Round except without MixColumn

Rijndael: Key and State Bytes

Key and State bytes are arranged in rectangular arrays of 4 rows; the number of columns depends on the size (8 columns shown, i.e. 32 bytes).

Key bytes k:
k0,0 k0,1 k0,2 k0,3 k0,4 k0,5 k0,6 k0,7
k1,0 k1,1 k1,2 k1,3 k1,4 k1,5 k1,6 k1,7
k2,0 k2,1 k2,2 k2,3 k2,4 k2,5 k2,6 k2,7
k3,0 k3,1 k3,2 k3,3 k3,4 k3,5 k3,6 k3,7

State bytes a:
a0,0 a0,1 a0,2 a0,3 a0,4 a0,5 a0,6 a0,7
a1,0 a1,1 a1,2 a1,3 a1,4 a1,5 a1,6 a1,7
a2,0 a2,1 a2,2 a2,3 a2,4 a2,5 a2,6 a2,7
a3,0 a3,1 a3,2 a3,3 a3,4 a3,5 a3,6 a3,7

Variable key size: 16, 24 or 32 bytes
Variable State size: 16, 24 or 32 bytes

Round Function: ByteSub

Each byte a_i,j of the State is replaced through the S-box by b_i,j:

a0,0 a0,1 a0,2 a0,3          b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3  S-box   b1,0 b1,1 b1,2 b1,3
a2,0 a2,1 a2,2 a2,3  ----->  b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3          b3,0 b3,1 b3,2 b3,3

ByteSub acts on individual bytes of the State. Purpose: (high) non-linearity. Note: only 1 S-box (8 bits x 8 bits). ByteSub is a non-linear byte substitution constructed by the composition of two transformations:
1. Take the multiplicative inverse in GF(2^8) (00 is mapped to itself).
2. Apply an affine transformation (over GF(2)).

Round Function: ShiftRow

b0,0 b0,1 b0,2 b0,3   no shift            b0,0 b0,1 b0,2 b0,3
b1,0 b1,1 b1,2 b1,3   cyclic shift by 3   b1,1 b1,2 b1,3 b1,0
b2,0 b2,1 b2,2 b2,3   cyclic shift by 2   b2,2 b2,3 b2,0 b2,1
b3,0 b3,1 b3,2 b3,3   cyclic shift by 1   b3,3 b3,0 b3,1 b3,2

(The shift counts are to the right, as on the slide; a cyclic right shift by 3 is the same as a cyclic left shift by 1, which is how the result is usually described.)

ShiftRow operates on the rows of the State. Purpose: inter-column diffusion.

Round Function: MixColumn

Each column of the (shifted) State is multiplied by c(x):

b0,0 b0,1 b0,2 b0,3          d0,0 d0,1 d0,2 d0,3
b1,1 b1,2 b1,3 b1,0   c(x)   d1,0 d1,1 d1,2 d1,3
b2,2 b2,3 b2,0 b2,1  ----->  d2,0 d2,1 d2,2 d2,3
b3,3 b3,0 b3,1 b3,2          d3,0 d3,1 d3,2 d3,3

column (b0,m b1,n b2,p b3,q) -> (d0,m d1,n d2,p d3,q)

MixColumn operates on the columns of the State.

The columns of the State are considered as polynomials over GF(2^8) and multiplied modulo x^4 + 1 with a fixed polynomial c(x):
c(x) = 03·x^3 + 01·x^2 + 01·x + 02
MixColumn is implemented using operations of XOR and conditional bit shifts. Purpose: inter-byte diffusion within columns (based on ECC theory). Together with ShiftRow, it ensures that after a few rounds all output bits depend on all input bits. Coefficients of the matrix were also chosen for efficient implementation.

Round Function: AddRoundKey

d0,0 d0,1 d0,2 d0,3     k0,0 k0,1 k0,2 k0,3     e0,0 e0,1 e0,2 e0,3
d1,0 d1,1 d1,2 d1,3  ⊕  k1,0 k1,1 k1,2 k1,3  =  e1,0 e1,1 e1,2 e1,3
d2,0 d2,1 d2,2 d2,3     k2,0 k2,1 k2,2 k2,3     e2,0 e2,1 e2,2 e2,3
d3,0 d3,1 d3,2 d3,3     k3,0 k3,1 k3,2 k3,3     e3,0 e3,1 e3,2 e3,3

In AddRoundKey, the Round Key is bitwise XORed to the State. Purpose: makes the round function key-dependent. Key-XORing with plaintext or ciphertext is sometimes called whitening. This is a cheap way of adding to the security of the cipher by preventing the collection of plaintext-ciphertext pairs.
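AES-128 assembled from the four round transformations and the Rijndael pseudocode on the preceding slides, as an added example not from the lecture; the S-box is computed from the inverse-plus-affine definition rather than stored as a table, and the State is indexed column-major as in the slide's arrays:

```python
"""AES-128 built from the four Rijndael round transformations on the slides (added example)."""

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the field polynomial of GF(2^8)

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced modulo AES_POLY."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return p

def gf_inv(a):
    """Multiplicative inverse in GF(2^8) computed as a^254; 00 is mapped to itself."""
    if a == 0:
        return 0
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def sbox_byte(a):
    """ByteSub on one byte: inverse in GF(2^8), then the affine map over GF(2)."""
    x = gf_inv(a)
    s = x
    for _ in range(4):
        x = ((x << 1) | (x >> 7)) & 0xFF  # rotate left by one bit
        s ^= x
    return s ^ 0x63

SBOX = [sbox_byte(i) for i in range(256)]  # the single 8x8-bit S-box

# The State is 16 bytes in column-major order: state[r + 4*c] is row r, column c.

def sub_bytes(state):
    return [SBOX[b] for b in state]

def shift_rows(state):
    """Row r is rotated left by r positions: column c takes the byte from column c + r."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_one_column(col):
    """Multiply the column by c(x) = 03x^3 + 01x^2 + 01x + 02 modulo x^4 + 1."""
    a0, a1, a2, a3 = col
    return [
        gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
        a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
        a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
        gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2),
    ]

def mix_columns(state):
    return [b for c in range(4) for b in mix_one_column(state[4 * c:4 * c + 4])]

def add_round_key(state, round_key):
    return [s ^ k for s, k in zip(state, round_key)]

def key_expansion(key):
    """Expand 16 key bytes into 11 round keys: XOR of 32-bit words, S-box lookups, byte rotation."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    """Rijndael(State, Key) as on the slide: whitening, nine full rounds, FinalRound without MixColumn."""
    round_keys = key_expansion(key)
    state = add_round_key(list(block), round_keys[0])
    for i in range(1, 10):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_keys[i])
    state = add_round_key(shift_rows(sub_bytes(state)), round_keys[10])
    return bytes(state)
```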


Why Rijndael was selected

"When considered together, Rijndael's combination of security, performance, efficiency, ease of implementation, and flexibility makes it an appropriate selection for the AES. Specifically, Rijndael appears to be consistently a very good performer in both hardware and software across a wide range of computing environments regardless of its use in feedback or non-feedback modes." -- NIST fact sheet

"It was my favourite of the algorithms: a clean and succinct description, good reasons for its design parameters, efficient implementations." -- S. Landau, senior staff engineer, Sun Microsystems

Symmetric and parallel structure: affords flexibility in implementation; has not allowed effective cryptanalytic attacks.
Well adapted to modern processors: Pentium, RISC and parallel processors.
Suitable for smart cards.
Flexible in dedicated hardware.
-- Daemen & Rijmen

After the selection

AES FIPS (Federal Information Processing Standard) by NIST became official in November 2001.

Cryptanalytic attacks on AES?
mid-2002: Courtois and Pieprzyk claimed the XSL technique, using one or two known plaintexts, for a 2^100-ish attack against AES and a 2^200-ish attack against Serpent; the attack is based on the complexity of the non-linear components.
2002: Fuller and Millan showed AES's 8x8-bit S-box is really an 8x1-bit S-box.
2002: Filiol claimed some biases in Boolean functions of AES.
Crypto 2002: Murphy and Robshaw showed all of AES can be expressed in a single field, which allowed a representation with nice properties that make it easier to cryptanalyze.
(Basically, these are theoretical attacks, but worrisome if they are improved.)

IETF protocols: most that use encryption are naturally AES-ready. AES phased in over the next 2 or 3 years from year 2000; DES will remain for backwards compatibility till ~2003.

Finally

A standard for cryptographic algorithms to protect international commerce and communications.

"Everything in the cipher world from now on will be measured, quantified, and compared to AES. Be it speed, strength, block size, key size, number of rounds, and so on, it will be relative to the AES. It is the yardstick!" -- Raif S. Naffah, senior software engineer, Forge Research

Openness about the design; strong endorsement of the public-sector cryptographic expertise.

Levels of security

An encryption scheme is unconditionally secure if the ciphertext generated by the scheme does not contain enough information to determine uniquely the corresponding plaintext. An encryption scheme is computationally secure if the cost of breaking the cipher exceeds the value of the encrypted information, or the time required to break the cipher exceeds the lifetime of the information.

Average time needed to break a secret key cryptosystem

Key length  Keys searched per second  Key searching technology      Approximate time to search all keys
40          1000                      Typical desktop               35 years
40          1 million                 Small network                 13 days
40          1 billion                 Medium-sized network          18 minutes
128         1 billion                 Medium-sized network          10^22 years
128         10^18                     Large-scale internet project  10^13 years
128         10^23                     Quantum computer              10^8 years

Public Key Cryptography

Each key pair consists of a public and private component: k+ (public key), k- (private key).
D(E(p, k+), k-) = p
D(E(p, k-), k+) = p

Public keys are distributed (typically) through public key certificates. Anyone can communicate secretly with you if they have your certificate, e.g., SSL-based web commerce.

RSA (Rivest, Shamir, Adleman)

A dominant public key algorithm. The algorithm itself is conceptually simple; why it is secure is very deep (number theory). It uses properties of exponentiation modulo a product of large primes.

"A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, Feb. 1978, 21(2), pages 120-126.

RSA Key Generation

1. Pick two large primes p and q.
2. Calculate n = pq.
3. Pick e such that it is relatively prime to phi(n) = (p-1)(q-1) (Euler's totient function).
4. d = e^-1 mod phi(n), i.e. d*e mod phi(n) = 1.

Example:
1. p = 3, q = 11
2. n = 3*11 = 33
3. phi(n) = 2*10 = 20; e = 7, GCD(20, 7) = 1 (Euclid's algorithm)
4. d = 7^-1 mod 20; d*7 mod 20 = 1; d = 3

To crack: factor n into p and q.

RSA Encryption/Decryption

Public key k+ is {e, n} and private key k- is {d, n}.

Encryption and decryption:
E(k+, P): ciphertext = plaintext^e mod n
D(k-, C): plaintext = ciphertext^d mod n

Example: public key (7, 33), private key (3, 33), data 4 (encoding of actual data)
E({7,33}, 4) = 4^7 mod 33 = 16384 mod 33 = 16
D({3,33}, 16) = 16^3 mod 33 = 4096 mod 33 = 4

Encryption using private key

Encryption and decryption:
E(k-, P): ciphertext = plaintext^d mod n
D(k+, C): plaintext = ciphertext^e mod n

E.g.,
E({3,33}, 4) = 4^3 mod 33 = 64 mod 33 = 31
D({7,33}, 31) = 31^7 mod 33 = 27,512,614,111 mod 33 = 4

Q: Why encrypt with private key?
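Key generation, both encryption directions and the "to crack" step from the last three slides, with the slide's toy numbers, as an added example not from the lecture; the signing and verification function names are introduced here for illustration:

```python
"""RSA with the slide's toy parameters: key generation, both directions, and factoring n (added example)."""
from math import gcd

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def mod_inverse(e, m):
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError("no inverse: %d and %d are not coprime" % (e, m))
    return x % m

def rsa_keygen(p, q, e):
    """Steps 1-4 on the slide: n = pq, phi = (p-1)(q-1), d = e^-1 mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (e, n), (mod_inverse(e, phi), n)  # public {e, n}, private {d, n}

def rsa_apply(key, x):
    """Both directions are the same operation: x^exponent mod n."""
    exponent, n = key
    return pow(x, exponent, n)

def textbook_sign(private_key, message):
    """'Encrypt with the private key': anyone holding the public key can undo it,
    which shows that the holder of the private key produced it (a signature)."""
    return rsa_apply(private_key, message)

def verify(public_key, message, signature):
    return rsa_apply(public_key, signature) == message

def crack_toy_key(public_key):
    """The slide's 'to crack' step: factor n (feasible only at toy sizes) and rederive d."""
    e, n = public_key
    p = next(i for i in range(2, n) if n % i == 0)
    q = n // p
    return mod_inverse(e, (p - 1) * (q - 1))
```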

The symmetric/asymmetric key tradeoff

Symmetric (shared) key systems: efficient (many MB/sec throughput); difficult key management (Kerberos, key agreement protocols).

Asymmetric (public) key systems: slow algorithms (so far); easy key management (PKI - public key infrastructures; webs of trust (PGP)).
