Symmetric-Key

Cryptography
Objectives
To distinguish between two cryptosystems:
symmetric-key and asymmetric-key
To introduce trapdoor one-way functions and their
use in asymmetric-key cryptosystems
To introduce the knapsack cryptosystem as one of
the first ideas in asymmetric-key cryptography
To discuss the RSA cryptosystem
To discuss the Rabin cryptosystem
To discuss the ElGamal cryptosystem
To discuss the elliptic curve cryptosystem
INTRODUCTION
Symmetric and asymmetric-key cryptography will exist
in parallel and continue to serve the community. We
actually believe that they are complements of each
other; the advantages of one can compensate for the
disadvantages of the other.
1 Keys
2 General Idea
3 Need for Both
4 Trapdoor One-Way Function
5 Knapsack Cryptosystem
INTRODUCTION
Symmetric and asymmetric-key cryptography will exist
in parallel and continue to serve the community. We
actually believe that they are complements of each
other; the advantages of one can compensate for the
disadvantages of the other.
Symmetric-key cryptography is based on sharing secrecy;
asymmetric-key cryptography is based on personal secrecy.
Note
Asymmetric key cryptography uses two separate keys: one
private and one public.
Keys
Locking and unlocking in asymmetric-key cryptosystem
General I dea
General idea of asymmetric-key cryptosystem
Plaintext/Ciphertext
Unlike in symmetric-key cryptography, plaintext and
ciphertext are treated as integers in asymmetric-key
cryptography.
C = f (K
public
, P) P = g(K
private
, C)
Encryption/Decryption
There is a very important fact that is sometimes
misunderstood: The advent of asymmetric-key
cryptography does not eliminate the need for symmetric-
key cryptography.
Need for Both
The main idea behind asymmetric-key cryptography is the
concept of the trapdoor one-way function.
Trapdoor One-Way Function
Functions
A function as rule mapping a domain to a range
Trapdoor One-Way Function (TOWF)
One-Way Function (OWF)
1. f is easy to compute.
2. f
1
is difficult to compute.
3. Given y and a trapdoor, x can be
computed easily.
Example
Example
When n is large, n = p q is a one-way function. Given p and
q , it is always easy to calculate n ; given n, it is very difficult to
compute p and q. This is the factorization problem.
When n is large, the function y = x
k
mod n is a trapdoor one-
way function. Given x, k, and n, it is easy to calculate y. Given
y, k, and n, it is very difficult to calculate x. This is the discrete
logarithm problem. However, if we know the trapdoor, k such
that k k = 1 mod f(n), we can use x = y
k
mod n to find x.
RSA CRYPTOSYSTEM
The most common public-key algorithm is the RSA
cryptosystem, named for its inventors (Rivest, Shamir,
and Adleman).
1 Introduction
2 Procedure
3 Some Trivial Examples
4 Attacks on RSA
5 Recommendations
6 Optimal Asymmetric Encryption Padding (OAEP)
7 Applications
Complexity of operations in RSA
Procedure
Encryption, decryption, and key generation in RSA
Two Algebraic Structures
Encryption/Decryption Ring:
R = <Z
n
, +, >
Key-Generation Group:
G = <Z
f(n)
, >
Encryption
Decryption
Proof of RSA
Some Trivial Examples
Example
Bob chooses 7 and 11 as p and q and calculates n = 77. The
value of f(n) = (7 1)(11 1) or 60. Now he chooses two
exponents, e and d, from Z
60
. If he chooses e to be 13, then d
is 37. Note that e d mod 60 = 1 (they are inverses of each
Now imagine that Alice wants to send the plaintext 5 to Bob.
She uses the public exponent 13 to encrypt 5.
Bob receives the ciphertext 26 and uses the private key 37 to
decipher the ciphertext:
Some Trivial Examples
Example
Bob receives the ciphertext 28 and uses his private key 37 to
decipher the ciphertext:
Now assume that another person, John, wants to
send a message to Bob. John can use the same
public key announced by Bob (probably on his
website), 13; Johns plaintext is 63. John calculates
the following:
Example
Suppose Ted wants to send the message NO to
Jennifer. He changes each character to a number
(from 00 to 25), with each character coded as two
digits. He then concatenates the two coded
characters and gets a four-digit number. The plaintext
is 1314. Figure 10.7 shows the process.
Jennifer creates a pair of keys for herself. She
chooses p = 397 and q = 401. She calculates
n = 159197. She then calculates f(n) = 158400. She
then chooses e = 343 and d = 12007. Show how Ted
can send a message to Jennifer if he knows e and n.
Encryption and decryption
Attacks on RSA
Taxonomy of potential attacks on RSA
Attacks on RSA
Factorization

The security of RSA is based on the fact
that modulus is so large that it is
infeasible to factor it in reasonable time.

To be secure, RSA requires that n will be
300 decimal digits, then modulus must be
at least 1024 digits.

No factorization algorithm till date can
factorize such a large number in
reasonable amount of time.
Attacks on RSA
Chosen-Ciphertext Attack

1. Eve intercepts c a ciphertext message from
Alice.
2. Eve chooses a random number r, r<n;
3. Eve finds Alices public key e.
4. Eve: x= r^e mod n
5. Eve: y = x c mod n
6. Eve: t = r^-1 mod n
7. If x = r^e mod n, then r = x^d mod n
8. Eve requests Alice to sign y with her private
key d.
9. Alices sends Eve, u = y^d mod n
10.Eve: t u mod n = r^-1 y^d mod n = r^-1 x^d
c^d mod n = c^d mod n = m.
Attacks on Encryption Component of RSA
To reduce encryption time, a low value of e
is used sometimes.

Coppersmith Theorem Attack:
In a mod n polynomial f(x) of degree e, one
can use an algorithm of complexity log n to
find the roots if one of the roots is smaller
than n^(1/e).

Attacks on Encryption Component of RSA
To reduce encryption time, a low value of e
is used sometimes.

Broadcast attack:

If an entity sends the same message to a
group of recipients with the same low
encryption exponent.
C1 = P^3 mod n1,
C2 = P^3 mod n2
C3 = P^3 mod n3
By CRT, C = P^3 mod n1 n2 n3.
Hence P^3 < n1 n2 n3, - C = P^3.
Attacks on Decryption Exponent of RSA
Revealed decryption component attack:

If Eve knows the value of d, she can use a
probabilistic algorithm to factor n and find
the value of p and q.

If Bob changes only the compromised
decryption exponent, but keeps the same
modulus n, then Eve will be able to decrypt
future messages because she has the
factorization n.
Timing attack
Attack is based on the fast-exponential
algorithm.

The algorithm uses only squaring if the
corresponding bit in the decryption
exponent is d is 0, else it uses both squaring
and multiplication.

Timing required for each iteration is longer if
the corresponding bit in d is 1.

The timing difference allows Eve to compute
the bits in d one by one.
Timing attack
Solutions:
1. Add random delays during
exponentiation.

2. Blinding:
1. Select a secret random number r
between 1 and n-1.
2. Calculate C1=C r ^e mod n
3. Calculate P1 = C1 ^d mod n
4. Calculate P = P1 r ^-1 mod n.
Power attack
Similar to timing attack.

Kocher showed that

If Eve can measure the power consumed
during decryption, then similar idea will be
used.

An iteration involving squaring and
multiplication requires more power.
Timing attack
Attack is based on the fast-exponential
algorithm.

The algorithm uses only squaring if the
corresponding bit in the decryption
exponent is d is 0, else it uses both squaring
and multiplication.

Timing required for each iteration is longer if
the corresponding bit in d is 1.

The timing difference allows Eve to compute
the bits in d one by one.