## Session 4


**Asymmetric ciphers**

**Contents**

- Definition of asymmetric (public key) ciphers
- Applications of asymmetric ciphers
- The public key encipherment procedure
- The RSA public key cipher system

**Asymmetric cipher definition**

- The general cryptographic procedure:

[Figure: participant A enciphers the plaintext under the KEY into ciphertext; participant B deciphers it under the KEY back to plaintext; cryptanalysis attempts to decrypt the ciphertext without the key]

**Asymmetric cipher definition**

- In a symmetric cipher system, the same key is delivered to both participants in advance, via a secure channel.
- If there are n participants, the keys have to be distributed pairwise, i.e.
  - each participant is given n − 1 different keys,
  - the total number of keys is n(n − 1)/2.
- Consequence: problems with distribution, storage and updating of keys.

**Asymmetric cipher definition**

- An alternative key distribution system is needed, or a different cipher system.
- There is not much flexibility left within a symmetric cipher system to distribute the keys in a better way.
- So we need a cipher system that does NOT use a secure channel to distribute the keys.

**Asymmetric cipher definition**

- How can we define such a system?
- Does such a system exist?
- If such a system exists in theory, can we realize it in practice?
- What is the security of such a system?

**Asymmetric cipher definition**

- Diffie-Hellman's definition of a public key (or asymmetric) cipher system (1976) (1):
  - Let {K} be a finite key space and let {M} be a finite message space.
  - A public key cipher system is a pair of families of transformations $\{E_K\}_{K \in \{K\}}$ and $\{D_K\}_{K \in \{K\}}$, representing invertible transformations $E_K : \{M\} \to \{M\}$ and $D_K : \{M\} \to \{M\}$.

**Asymmetric cipher definition**

- Diffie-Hellman's definition of a public key (or asymmetric) cipher system (1976) (2):
- In such a system, the following holds:
  1. For every $K \in \{K\}$, $E_K$ is the inverse of $D_K$.
  2. For every $K \in \{K\}$ and $M \in \{M\}$, the algorithms $E_K$ and $D_K$ are easy to compute.
  3. For almost every $K \in \{K\}$, each easily computed algorithm equivalent to $D_K$ is computationally infeasible to derive from $E_K$.
  4. For every $K \in \{K\}$, it is feasible to compute the inverse pair $E_K$ and $D_K$ from $K$.

**Asymmetric cipher definition**

- From property 3, $E_K$ can be made public without compromising $D_K$.
- From property 4, there is a guarantee that there is a feasible way of computing corresponding pairs of inverse transformations $E_K$ and $D_K$.

**Asymmetric cipher definition**

- Given a system of this kind, the problem of key distribution is vastly simplified:
  - Each participant generates a pair of inverse transformations, E and D.
  - The deciphering transformation D must be kept secret, but need not be transmitted by any channel, so no secure channel is needed.
  - The enciphering transformation E can be made public, e.g. placed in a public directory.

**Asymmetric cipher definition**

- But we still do not know whether such a cipher system is (theoretically) possible.
- One way to define such a system in a theoretically sound manner is through so-called one-way functions.

**Asymmetric cipher definition**

- A function y = f(x) is a one-way function if
  - for any x, it is feasible to compute f(x);
  - for almost all y in the range of f, it is computationally infeasible to solve the equation y = f(x) for x, i.e. to compute $x = f^{-1}(y)$.

**Asymmetric cipher definition**

- The function f is not invertible from the computational point of view.
- A special class of one-way functions is of interest in the public key context: trap-door one-way functions.

**Asymmetric cipher definition**

- A trap-door one-way function:
  - a simply computed inverse exists;
  - but given f, it is (conditionally) computationally infeasible to find a simply computed inverse;
  - only through knowledge of certain trap-door information can an easily computed inverse be found.

**Asymmetric cipher definition**

- The problem:
  - Strictly mathematically speaking, the existence of (trap-door) one-way functions has not been proved yet.
  - There are functions that have properties similar to these functions; we believe that they are candidates for (trap-door) one-way functions.

**Asymmetric cipher definition**

- Rivest-Shamir-Adleman's (RSA's) definition of an asymmetric (public key) cipher system (1977) (1):
  - Let E be an encipherment transformation and let D be the corresponding decipherment transformation.

**Asymmetric cipher definition**

- RSA's definition of an asymmetric (public key) cipher system (1977) (2):
- The properties of E and D:
  1. D(E(M)) = M
  2. Both E and D are feasible to compute.
  3. Publicly revealing E does not reveal a feasible way to compute D.
  4. E(D(M)) = M

**Asymmetric cipher definition**

- A function E satisfying properties 1-3 is a trap-door one-way function.
- A function E satisfying properties 1-4 is a trap-door one-way permutation (one-to-one and onto). Property 4 is what digital signatures rely on: D is applied first, and anyone can apply the public E to check the result.

**Applications of asymmetric ciphers**

- Confidentiality
- Integrity – digital signatures
- Authentication – signatures over hash functions (message digests)
- Key exchange

**The public key encipherment procedure**

- The participants in the communication are usually given names, such as Alice and Bob.
- Alice uses the transformation $E_A$ for encipherment and $D_A$ for decipherment.
- Bob uses the transformation $E_B$ for encipherment and $D_B$ for decipherment.

**The public key encipherment procedure**

- Illustration (confidentiality): Alice sends an enciphered message to Bob.

**The public key encipherment procedure**

- Alice takes $E_B$ from a public directory.
- $D_B$ is kept secret by Bob. It is not transmitted by any means, so no secure channel is needed.

**The public key encipherment procedure**

- The confidentiality protocol:

[Figure: Alice computes $c = E_B(m)$ and sends c to Bob; Bob recovers $m = D_B(c)$ with his secret $D_B$]

**The RSA public key cipher system**

- The prerequisites: each participant does the following (1):
  - Generates two large distinct random primes p and q, approximately of the same size (in bits).
  - Computes $n = pq$ and $\varphi(n) = (p - 1)(q - 1)$.
  - Selects a random integer e, $1 < e < \varphi(n)$, such that $(e, \varphi(n)) = 1$, i.e. e and $\varphi(n)$ are relatively prime.

**The RSA public key cipher system**

- The prerequisites: each participant does the following (2):
  - Computes the unique integer d, $1 < d < \varphi(n)$, such that $ed \equiv 1 \pmod{\varphi(n)}$. This can be done by means of the extended Euclidean algorithm.
  - The public key is (n, e) and the private key is d.

**The RSA public key cipher system**

- Encipherment: Alice enciphers a message for Bob.
  - Obtains Bob's authentic public key $(n_B, e_B)$ (authentic matters: if an attacker could substitute their own key in the directory, they could read Alice's messages).
  - Represents the message as an integer m in the interval $[0, n_B - 1]$.
  - Computes $c = m^{e_B} \bmod n_B$.
  - Sends c to Bob.

**The RSA public key cipher system**

- Decipherment: Bob deciphers the message enciphered by Alice.
  - Bob uses his private key $d_B$ to compute $m = c^{d_B} \bmod n_B$.
  - m is converted back to a meaningful text.

**The RSA public key cipher system**

- The security of the RSA cipher system lies in the hope that the encipherment function is a (trap-door) one-way function.
- The trap-door is the knowledge of the factorization of n.
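The RSA procedure of the preceding slides (prerequisites, encipherment, decipherment and the factorization trap door), together with the random-prime step that the "Random primes" slides describe, carried through in Python. This is an added example, not code from the lecture. Its assumptions: the Mersenne primes $2^{31}-1$ and $2^{61}-1$ serve as a fixed toy key pair for checking, the public exponent is fixed to e = 65537 instead of being drawn at random, and messages are converted to integers as big-endian UTF-8 bytes.

```python
import math
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # trial-division pre-filter

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin, the Monte Carlo test named on the 'Primality testing' slide.
    Always True for a prime; a composite survives each round with probability
    at most 1/4, so 40 rounds leave an error probability below 4**-40."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0                      # write n - 1 = 2**s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2   # random base a in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                 # a is a witness: n is composite
    return True

def random_prime(bits: int) -> tuple[int, int]:
    """The 'Random primes' procedure: random odd m of exactly `bits` bits, then test
    m, m+2, m+4, ...  Returns (prime, candidates_tested).  Uses `secrets`, not
    `random`, because the prime is key material."""
    m = secrets.randbits(bits) | (1 << (bits - 1))   # top bit set: exactly `bits` bits
    if m % 2 == 0:
        m += 1                                       # "if m is even, replace m by m+1"
    tested = 0
    while True:
        tested += 1
        if is_probable_prime(m):
            return m, tested
        m += 2

def rsa_keygen(p: int, q: int, e: int = 65537) -> tuple[tuple[int, int], int]:
    """Prerequisites (1) and (2) on the slides: returns ((n, e), d).  e is fixed to
    65537 here (common practice, an assumption of this example) instead of random."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or math.gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) and (e, phi(n)) = 1")
    d = pow(e, -1, phi)                  # e*d = 1 (mod phi(n)); extended Euclid, built into Python 3.8+
    return (n, e), d

def fresh_keypair(bits: int = 512) -> tuple[tuple[int, int], int]:
    """A key pair whose n has about `bits` bits, from two random primes of bits//2 each."""
    while True:
        p, _ = random_prime(bits // 2)
        q, _ = random_prime(bits // 2)
        try:
            return rsa_keygen(p, q)
        except ValueError:               # p == q or (e, phi) != 1: draw again
            continue

def rsa_encipher(public_key: tuple[int, int], m: int) -> int:
    """Alice: c = m**e mod n, for a message integer m in [0, n-1]."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message integer must lie in [0, n-1]")
    return pow(m, e, n)

def rsa_decipher(n: int, d: int, c: int) -> int:
    """Bob: m = c**d mod n."""
    return pow(c, d, n)

def recover_d_from_factor(n: int, e: int, p: int) -> int:
    """The trap door: anyone who knows one factor p of n gets phi(n) and hence d."""
    q, r = divmod(n, p)
    if r != 0:
        raise ValueError("p does not divide n")
    return pow(e, -1, (p - 1) * (q - 1))

def text_to_int(text: str) -> int:
    """Message -> integer, big-endian over the UTF-8 bytes (must stay below n)."""
    return int.from_bytes(text.encode("utf-8"), "big")

def int_to_text(m: int) -> str:
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode("utf-8")

if __name__ == "__main__":
    public_key, d = fresh_keypair(512)
    n, e = public_key
    c = rsa_encipher(public_key, text_to_int("Hi Bob"))
    print(n.bit_length(), "bit modulus; round trip:", int_to_text(rsa_decipher(n, d, c)))
```

This is textbook RSA exactly as the slides state it, with no padding: the same m always gives the same c, and the product of two ciphertexts is the ciphertext of the product of the messages, which is why deployed systems wrap the message with a padding scheme (OAEP for encryption, PSS for signatures) rather than exponentiating it directly. The `recover_d_from_factor` function makes the trap door concrete: a single prime factor of n is all that separates the public key from the private one.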
- This knowledge (the factorization of n) is what allows Bob to decipher.

**The RSA public key cipher system**

- To realize RSA in practice we need (1):
  - random primes:
    - generating random numbers,
    - primality testing;
  - Euler's function $\varphi(n)$.

**The RSA public key cipher system**

- To realize RSA in practice we need (2):
  - the extended Euclidean algorithm;
  - the multiplicative inverse;
  - modular exponentiation, to compute powers with large exponents.

**Random primes**

- Random prime generation:
  - Generate a random integer m.
  - If m is even, replace m by m + 1.
  - Test whether m is prime.
  - If m is not prime, test whether m + 2 is prime, etc.

**Random primes**

- Theorem (the prime number theorem):
  - If m is chosen at random, the probability that m is prime is approximately $1/\ln m$.
  - Consequence: we can expect to test about $\ln m$ numbers for primality (about half that many if, as in the procedure above, only odd numbers are tested).

**Random primes**

- Example: if m can be represented with 256 bits (i.e. the maximum representable integer is $2^{256} - 1$), then $\ln m \approx 177$, which means that we have to test approximately 177 integers before we find a prime of that size.

**Random primes**

- Primality testing:
  - In practice, probabilistic (Monte Carlo) algorithms for testing primality are used, e.g.
    - Solovay-Strassen,
    - Miller-Rabin.
  - These algorithms are fast, but they may output an integer that is not prime; the probability of this is small, and it is reduced further with every repetition of the test.

**The Euler function $\varphi(n)$**

- Let n be a positive integer.
- Euler's function $\varphi(n)$ is defined to be the number of positive integers b less than or equal to n that are relatively prime to n, i.e. $\varphi(n) = |\{\, b : 1 \le b \le n,\ (b, n) = 1 \,\}|$.

**The Euler function $\varphi(n)$**

- Theorem (computing $\varphi(n)$):
  - Given a positive integer n with the factorization $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$ into distinct primes,
  - then $\varphi(n) = \prod_{i=1}^{k} \left(p_i^{e_i} - p_i^{e_i - 1}\right)$.

**The Euler function $\varphi(n)$**

- Example (RSA):
  - $n = pq$, where p and q are distinct primes.
  - Then $\varphi(n) = (p^1 - p^0)(q^1 - q^0) = (p - 1)(q - 1)$.

**Extended Euclidean algorithm**

- The Euclidean algorithm computes the greatest common divisor (a, b) of the integers a and b by repeated division with remainder.

**Extended Euclidean algorithm**

- Example: find (1180, 482)
  - 1180 = 2 · 482 + 216
  - 482 = 2 · 216 + 50
  - 216 = 4 · 50 + 16
  - 50 = 3 · 16 + 2
  - 16 = 8 · 2 + 0
  - So (1180, 482) = 2.

**Extended Euclidean algorithm**

- Theorem (extended Euclidean algorithm):
  - Let d = (a, b), where a > b.
  - Then there exist integers u and v such that d = ua + vb.

**Extended Euclidean algorithm**

- Example: working the divisions 1180 = 2 · 482 + 216, 482 = 2 · 216 + 50, 216 = 4 · 50 + 16, 50 = 3 · 16 + 2, 16 = 8 · 2 + 0 backwards:
  - 2 = 50 − 3 · 16
  - = 50 − 3 · (216 − 4 · 50)
  - = 13 · 50 − 3 · 216
  - = 13 · (482 − 2 · 216) − 3 · 216
  - = 13 · 482 − 29 · 216
  - = 13 · 482 − 29 · (1180 − 2 · 482)
  - = 71 · 482 − 29 · 1180
  - So u = −29, v = 71.

**Multiplicative inverse**

- Arithmetic modulo m:
  - $\mathbb{Z}_m$ is defined to be the set G = {0, ..., m − 1}, equipped with two operations, + and ·, i.e. $\mathbb{Z}_m$ is a structure (G, +, ·).
  - The results of addition and multiplication are reduced modulo m.

**Multiplicative inverse**

- The structure (G, +) satisfies the axioms of a group (the additive group):
  - closure: a + b ∈ G for all a, b ∈ G;
  - associativity: (a + b) + c = a + (b + c);
  - existence of the identity (neutral) element: 0;
  - existence of inverse elements: for every a ∈ G, the element m − a (that is, −a) satisfies a + (m − a) ≡ 0 (mod m).

**Multiplicative inverse**

- The structure (G, ·) satisfies closure, associativity and the existence of the neutral element (1), but does not satisfy the existence of an inverse element for each element of G (in general).
- Such a structure (G, +, ·) is called a ring.

**Multiplicative inverse**

- Multiplicative inverse: the inverse of an element of the structure (G, ·) of the ring $\mathbb{Z}_m$.
- Theorem:
  - An element a of $\mathbb{Z}_m$ has a multiplicative inverse if and only if (a, m) = 1.

**Multiplicative inverse**

- Let a be an element of $\mathbb{Z}_m$ and let (a, m) = 1 (i.e.
a and m are relatively prime). This can be checked with the Euclidean algorithm.
- Then by the extended Euclidean algorithm we get 1 = ua + vm.

**Multiplicative inverse**

- Taking both sides of 1 = ua + vm modulo m, we get $1 \equiv ua \pmod m$.
- This means that u (reduced modulo m) is the multiplicative inverse of a modulo m.

**Multiplicative inverse**

- Example: find the multiplicative inverse of 2 in $\mathbb{Z}_{17}$.
  - The Euclidean algorithm gives
    - 17 = 8 · 2 + 1
    - 2 = 2 · 1 + 0
  - The extended Euclidean algorithm gives 1 = 17 − 8 · 2.
  - Taking both sides modulo 17 gives $1 \equiv -8 \cdot 2 \pmod{17}$, or equivalently $1 \equiv 9 \cdot 2 \pmod{17}$, i.e. $9 = 2^{-1}$ in $\mathbb{Z}_{17}$.

**Modular exponentiation**

- Modular exponentiation is computing $b^n \bmod m$.
- Let $(n_0, n_1, \ldots, n_{k-1})$ be the binary representation of n, i.e. $n = n_0 + 2 n_1 + 2^2 n_2 + \cdots + 2^{k-1} n_{k-1}$ with each $n_i \in \{0, 1\}$.
- The binary representation of n is obtained by means of the "arrow algorithm".

**Modular exponentiation**

- The "arrow algorithm": convert from base 10 to any base B.
  - Get the last (least significant) digit of the converted number by dividing n by B and taking the remainder.
  - Replace n by the quotient.
  - Repeat until the quotient is 0; the digits come out least significant first.
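The arithmetic toolbox listed on the "To realize RSA in practice (2)" slide, written out in Python and checked against the worked examples on the slides: the extended Euclidean algorithm on (1180, 482), the inverse of 2 in $\mathbb{Z}_{17}$, and the arrow algorithm feeding modular exponentiation. This is an added example, not code from the lecture. The square-and-multiply rule in `mod_pow`, which is the standard way to use the binary digits $n_0, n_1, \ldots$, is supplied here because the slides stop at the digit expansion; the function names are this example's own.

```python
def extended_gcd(a: int, b: int) -> tuple[int, int, int]:
    """Return (d, u, v) with d = (a, b) and d = u*a + v*b.

    Iterative form of the back-substitution done by hand on the slides: every
    remainder is carried along as a combination of the original a and b.
    """
    old_r, r = a, b
    old_u, u = 1, 0          # coefficients of a in old_r and r
    old_v, v = 0, 1          # coefficients of b in old_r and r
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v


def mod_inverse(a: int, m: int) -> int:
    """Inverse of a in Z_m, or ValueError if (a, m) != 1 (the theorem on the slide)."""
    d, u, _ = extended_gcd(a % m, m)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {m}: gcd is {d}")
    return u % m             # from 1 = u*a + v*m; reduce u into [0, m-1]


def to_base(n: int, base: int) -> list[int]:
    """The 'arrow algorithm': digits of n in the given base, least significant
    first, so digits[i] is the coefficient of base**i (the slide's n_0, n_1, ...)."""
    if n < 0 or base < 2:
        raise ValueError("n must be non-negative and base at least 2")
    digits = []
    while True:
        n, r = divmod(n, base)   # remainder is the next digit, quotient replaces n
        digits.append(r)
        if n == 0:
            return digits


def mod_pow(b: int, n: int, m: int) -> int:
    """b**n mod m by square-and-multiply over the binary digits n_0, n_1, ...:
    b**n is the product of b**(2**i) over the i with n_i = 1, and b**(2**i) comes
    from repeated squaring, so only O(log n) multiplications mod m are needed."""
    result = 1 % m           # 1 % m handles the degenerate modulus m = 1
    power = b % m            # b**(2**i) mod m for the current i
    for bit in to_base(n, 2):
        if bit:
            result = result * power % m
        power = power * power % m
    return result


if __name__ == "__main__":
    print(extended_gcd(1180, 482))      # (2, -29, 71): 2 = -29*1180 + 71*482
    print(mod_inverse(2, 17))           # 9
    print(to_base(13, 2))               # [1, 0, 1, 1]: 13 = 1 + 0*2 + 1*4 + 1*8
    print(mod_pow(4, 13, 497))          # 445
```

Python's built-in `pow(a, -1, m)` and `pow(b, n, m)` do the same jobs and are what production code should call. One caveat worth knowing: `mod_pow` branches on each exponent bit, so its running time depends on the private exponent d when used for RSA decipherment; that is a classic timing side channel, and real implementations use constant-time exponentiation (and blinding) for private-key operations.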