DOCSLIB.ORG

Cryptanalysis of a New Knapsack Type Public-Key Cryptosystem

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Cryptanalysis of a New Knapsack Type Public-Key Cryptosystem Roohollah Rastaghi Department of Electrical Engineering, Aeronautical University of Since & Technology, Tehran, Iran [email protected] protections any longer, and PKC schemes secure in quantum Abstract — Recently, Hwang et al. introduced a knapsack computing environment are needed to be developed. Although type public-key cryptosystem. They proposed a new algorithm the underlying problem is NP-complete, but almost all called permutation combination algorithm. By exploiting this knapsack cryptosystems were shown insecure in that they are algorithm, they attempt to increase the density of knapsack to vulnerable to some known attacks such as: low density attack avoid the low-density attack. [2,6], Shamir’s attack [14] and diophantine approximation We show that this cryptosystem is not secure, as it based on attack [17]. This vulnerability is due to the special structure of basic Merkel-Hellman knapsack cryptosystem and because of the private key and the mathematical methods that public key the superincreasing structure, we can use shamir's attack on (public knapsack) was built from the private key. the basic Merkel-Hellman knapsack to break this In this paper, we analyze security of the Hwang et al . cryptosystem. cryptosystem [5]. We show that due to similarity of the key generation algorithm of their scheme with the basic Merkel- Keywords — Public-key cryptosystem, Knapsack problem, Hellman cryptosystem, we can use Shamir’s attack to obtain Shamir’s attack, Cryptanalysis. equivalent private keys. The rest of this paper is organized as follows. In the next I. INTRODUCTION section, we briefly explain subset sum problem and the basic N 1976, Diffie and Hellman [3] introduced the notion of the Merkle-Hellman cryptosystem. Then, in Section 3, we review Ipublic-key cryptography. Until that time, most public-key the Shamir’s attack. Hwang et al.’s knapsack cryptosystem cryptosystems (PKC) fall into one of the two below categories will be presented in Section 4 and cryptanalysis of this system [1]: will be given in Section 5. • Public-key cryptosystems based on hard number- theoretic problems: e.g., RSA [13], ElGamal [4] and …. II. THE SUBSET SUM PROBLEM AND THE BASIC MERKLE - • Public-key cryptosystems based on subset sum or HELLMAN CRYPTOSYSTEM subset product problems: e.g., Merkle-Hellman [9], The subset sum problem is stated as follows: given a set of Chor-Rivest [1], Morri-Kasahara [11], Naccache-Stern positive integers and positive integer . Whether [12],… . there is a subset of(͕ theͥ, . ,s ͕ that)) sums to . This is equivalentͧ to Unlike hard number-theoretic problems, the knapsack determine whether there͕ $are variables ͧ such that problem has been proven to be NP-complete [10]. That is, (ͬͥ, . , ͬ)) there is no polynomial algorithm will be invented to solve the ) knapsack problem. Since its Merkle-Hellman proposal, knapsack PKCs had ͧ = ȕ ͕$ ͬ$ , ͬ$# ʜ0, 1ʝ, 1 ≤ ͝ ≤ ͢ . been widely studied, and many knapsack-based PKCs were $Ͱͥ developed. There is no question that knapsack PKCs still If the set of positive integers be a superincreasing sequence, e.g. (͕ͥ, . , ͕, ))then the knapsack warrant continuous researches, as a result of the NP- $ͯͥ completeness nature, the faster speed and a desire to have a problem is solvable͖ $in> polynomial∑%Ͱͥ ͖%, ͝ ≥time. 2 wide variety of available cryptosystems. Nowadays, The basic Merkel-Hellman knapsack cryptosystem uses a researchers reconsider knapsack public-key cryptography also superincreasing sequence as a private key. This cryptosystem because Shor [15] showed that integer factorization and is as follows: discrete logarithm problems can be easily solved by using Key generation. The designer chooses a superincreasing quantum computers. Therefore, traditional PKC schemes sequence and two large positive integers and , based on the two problems cannot be used to provide privacy such that (͖ͥ, . , ͖)) ͫ ͤ , . ) ͤ > ∑$Ͱͥ ͖$ gcd(ͫ, ͤ) = 1 1 He also selects a permutation of and then ͖$ = ͏͕$ mod ͤ. transforms the easily solved knapsack ʜ1,2,...,͢ʝ into trapdoor This means that for , there exists some integers knapsack via the relation ̼ such that 1 ≤ ͝ ≤ ͢ (͕ͥ, . , ͕)) ͟$ . (1) ͕$͏ − ͟$ͤ = ͖$ ͕$ = ͫ. ͖_($) mod ͤ and . Hence, The public key is and the private key is 0 ≤ ͟$ < ͕$ (͕. ͥ, . , ͕)) . (2) ʜ(͖ ͥ, ͖ͦ, . , ͖)), ͑, ͊, ʝ 0 ≤ ͏/ͤ − ͟$/͕$ = ͖$/͕$ͤ Encryption. To encrypt message , he Since the s are superincreasing we have and so )ͯ$ computes ͡ = (ͥ͡, … , ͡)) ͖$ ͖$ < ͤ/2 . )ͯ$ $ $ $ ) 0 ≤ ͏/ͤ − ͟ /͕ < 1/͕ 2 In particular, the right side of is )ͯͥ ͗ = ȕ ͕$͡$, very small. Hence we can assume͏/ͤ − ͥ͟/͕ͥ <.1/(͕ ͥ2 ) $Ͱͥ We now observe that to break͏/ͤ the ≈basic ͥ͟/͕ Merkle-Hellmanͥ and sends it to the receiver. knapsack it is sufficient to find any pair of positive Decryption: To recover plaintext from ciphertext , the integers such that is a superincreasing(͏′, ͤ′) sequence receiver should perform the following steps. ͡ ͗ (or similar enough ͏′͕to a$ mod ͤ′superincreasing sequence that one can 1) Compute solve the subset sum problem). We show that if is close enough to , then . ͥ͟/͕ͥ ͯͥ Subtracting͏/ͤ the case(͏′, ͤ′) = (͟of ͥequation, ͕ͥ) (2) from the -th ͘ = ͗ͫ mod ͤ. gives ͝ = 1 ͝ 2) With his private key, solve a superincreasing subset sum problem(͖ ͥand, . , ͖find)), integers such that (ͦͥ, . , ͦ)), ͥ͟ ͟$ ͖$ ͖ͥ ͕͖ͥ$ − ͕$͖ͥ $ ʜ ʝ − = − = ͦ # 0, 1 ͕ͥ ͕$ ͕$ ͤ ͕ͥͤ ͕͕ͥ$ͤ ) and so, for , 2 ≤ ͝ ≤ ͢ ͘ = ȕ ͘$ͦ$ ͣ͘͡ ͤ . $Ͱͥ |uĜͯĜu| ͦ+Ĝ + (3) Note that since hence . |͕$ͥ͟ − ͕ͥ͟$| = + < + = 2͖$ < ͦġĜu. ) ) 3) The message bitsͤ >are∑ $Ͱͥ ͖$ ͘ = ∑$Ͱͥ ͘$ͦ$ Taking and then is very close to a superincreasingͤ′ = ͕ͥ sequence.͏′ = ͥ͟ ͏′͕$ mod ͤ′ Since is public, It remains to compute the integer such ͡$ = ͦ_($) , ͝ = 1, 2, … , ͢. that equation͕ͥ (3) holds, given only the integers ͥ͟ . III. SHAMIR ATTACK ON BASIC MERKLE -HELLMAN Another way to write equation (3) is ͕ͥ, . , ͕) KNAPSACK CRYPTOSYSTEM In 1982, Adi Shamir [14] shows that modular multiplication cannot perfectly hide the superincreasing sequence (private ͕$ ͟$ ͤ ɴ − ɴ = )ͯ$ͯͥ, key), and hence, all the equation of the form ͕ͥ ͥ͟ ͕ͥͥ͟2 and one sees that the problem is precisely simultaneous diophantine approximation. We can use lattice based reduction ) algorithm for solving simultaneous diophantine ͗ = ȕ ͬ$͕$ , ͬ$ ∈ ʜ0,1ʝ, approximation. Performing lattice basis reduction one obtains $Ͱͥ a guess for . We now set and and ɑ can be solved in polynomial time. This approach originates computes ͥ͟ for ͏ = ͥ͟ . Thisͤ′ = ͕isͥ a with Shamir [14] although we follow the presentation of superincreasing͏′͕ $sequence. mod ͤ′ We then2 ≤compute ͝ ≤ ͢ for Lagarias [7]. any challenge ciphertext that is decrypted͏′͗ mod ͤ′ using the Such as Hwang et al.’s knapsack cryptosystem [5], we superincreasing sequence, and͗ therefore message is recovered. assume that no permutation is used. Hence equation (1) can be written as follows: IV. DESCRIPTION OF HWANG ET AL.’ S CRYPTOSYSTEM Hwang’s cryptosystem is based on the Merkle-Hellman $ $ ͕ = ͫ. ͖ mod ͤ. cryptosystem. In the key generation stage, each user chooses a Let where . We have ͯͥ superincreasing sequence as secret key. ͏ = ͫ mod ͤ 1 ≤ ͏ < ͤ ̼ = ʜ͖ͥ,… , ͖ͥͧͪͤ ʝ 2 i.e. ̾)!ͯͥ = ʜ̿ͥ, ̿ͦ,̿ͧ̿ͨ, … , ̿)ͯͦ, ̿)ͯͥ, ̿) ʝ $ͯͥ 3) Suppose we can compute for . can ͖$ > ȕ ͖% (͝ = 1, 2, … , 1360 ). be written as ̾( 1 ≤ ͡ ≤ ͢! − 1 ͡ %Ͱͥ ) and are secret modular multipliers such that ͑ ͑′ ͡ = ȕ ̀$(͢ − ͝)! , 0 ≤ ̀$ ≤ ͢ − ͝ , and $Ͱͥ ͥͧͪͤ ɑ gcd (͊, ͑) = 1 ͊ > ∑$Ͱͥ ͖. $ ͑ × ͑ = each sequence has an own corresponding value called the 1 ͣ͘͡ ͊ factorial carry value . Using the Each user transfers superincreasing sequence factorial carry value, ʜ̀we), ̀can)ͯͥ , …efficiently . , ̀ͦ, ̀ͥʝ obtain any into a pseudorandom sequence sequence. Let and we want determine the sequence ̼ = ʜ͖ͥ , … , ͖ ͥͧͪͤas follows:ʝ ̻ = . We can write͡ = 6 ʜ͕ ͥ, … , ͕ͥͧͪͤ ʝ ̾ͪ (4) So6 the = factorials 0 × (͢ − 1carry)!+⋯+1×3!+0×2!+0×1!+0 value of is: ͕$ = ͖$ .͑ mod ͊ , (1 ≤ ͝ ≤ 1360 ). ̾ͪ Further, each user chooses a random 170× 256 binary matrix 4) With ʜthè), ̀)ͯͥknowledge, … . , ̀ͦ, ̀ ͥʝof= ʜ0,the 0, …original , 0, 1, 0, 0, 0ʝsequence H, a vector and a vector and the factorial to͌ =satisfy (ͦͥ, the … , ͦfollowingͦͩͪ ) equation: ͂͌ = ʜcarry̿), ̿ )ͯͥvalue, ̿ )ͯͦ, … , ̿ͩ, ̿ͨ, ̿ͧ, ̿ͦ ,of ̿ͥ ʝ , we can compute (ℎͦ ͥ, … , ℎͦͥͫͤ ) sequence ʜ0,0,0, as follows: . , 0,1,0,0,0ʝ ̾ͪ ̾ͪ ͂. ͌ = ͂͌ ͣ͘͡ ͢ Get by introducing . Here, the remaining elements̿) in ̀the) = 0 sequence are #-u . ℎͥ,ͥ ⋯ ℎͥ,ͦͩͪ ͦͥ #-v Getʜ̿)ͯͥ , ̿)ͯͦ by, … introducing , ̿ͩ, ̿ͨ, ̿ͧ, ̿ͦ,̿ͥʝ . Here, the remaining ʬ ⋮ ⋱ ⋮ ʭ . Ƶ ⋮ ƹ = ʬ ⋮ ʭ ͣ͘͡ ͢ ͦͩͪ elements̿)ͯͥ in the sequence arè)ͯͥ = 0 . ℎͥͫͤ,ͥ ⋯ ℎͥͫͤ,ͦͩͪ ͦ ℎͦͥͫͤ ʜ̿)ͯͦ, … , ̿ͩ, ̿ͨ, ̿ͧ, ̿ͦ, ̿ͥʝ t ͦ Get by introducing . Here, the remaining u ⋮ ͦ elementsͩ in the sequence areͩ . = ʦ ⋮ ʧ ͣ͘͡ ͢ ̿ ̀ = 0 ͦuz} Get by introducing ʜ̿ͨ1., ̿ ͧHere,, ̿ͦ, ̿ ͥʝthe remaining elements̿ͧ in the sequence arè ͨ = . ͦͩͪ Get by introducing ͨ . ͦ Here,ͥ the remaining $ͯͥ ʜ̿ , ̿ , ̿ ʝ ℎͦ$ = 2 = ȕ ℎ$,%ͦ% ͣ͘͡ ͢ (͝ = 1, 2, … , 170 ).
Recommended publications
  • Problems in Group Theory Motivated by Cryptography

    Problems in Group Theory Motivated by Cryptography

    PROBLEMS IN GROUP THEORY MOTIVATED BY CRYPTOGRAPHY VLADIMIR SHPILRAIN ABSTRACT. This is a survey of algorithmic problems in group theory, old and new, moti- vated by applications to cryptography. 1. INTRODUCTION The object of this survey is to showcase algorithmic problems in group theory motivated by (public key) cryptography. In the core of most public key cryptographic primitives there is an alleged practical irre- versibility of some process, usually referred to as a one-way function with trapdoor, which is a function that is easy to compute in one direction, yet believed to be difficult to compute the inverse function on “most” inputs without special information, called the “trapdoor”. For example, the RSA cryptosystem uses the fact that, while it is not hard to compute the prod- uct of two large primes, to factor a very large integer into its prime factors appears to be computationally hard. Another, perhaps even more intuitively obvious, example is that of the function f (x)= x2. It is rather easy to compute in many reasonable (semi)groups, but the inverse function √x is much less friendly. This fact is exploited in Rabin’s cryptosystem, with the multiplicative semigroup of Zn (n composite) as the platform. In both cases though, it is not immediately clear what the trapdoor is. This is typically the most nontrivial part of a cryptographic scheme. For a rigorous definition of a one-way function we refer the reader to [71]; here we just say that there should be an efficient (which usually means polynomial-time with respect to the complexity of an input) way to compute this function, but no visible (probabilistic) polynomial-time algorithm for computing the inverse function on “most” inputs.
  • Part V Public-Key Cryptosystems, I. Key Exchange, Knapsack

    Part V Public-Key Cryptosystems, I. Key Exchange, Knapsack

    Part V Public-key cryptosystems, I. Key exchange, knapsack, RSA CHAPTER 5: PUBLIC-KEY CRYPTOGRAPHY I. RSA The main problem of secret key (or symmetric) cryptography is that in order to send securely A secret message we need to send at first securely a secret key and therefore secret key cryptography is clearly not a sufficiently good tool for massive communication capable to protect secrecy, privacy and anonymity. prof. Jozef Gruska IV054 5. Public-key cryptosystems, I. Key exchange, knapsack, RSA 2/67 SECURE ENCRYPTION - a PRACTICAL POINT OF VIEW From practical point of view encryptions by a cryptosystem can be considered as secure if they cannot be broken by many (thousands) superomputeers with exaflop performance working for some years. prof. Jozef Gruska IV054 5. Public-key cryptosystems, I. Key exchange, knapsack, RSA 3/67 CONTENT In this chapter we describe the birth of public key cryptography, that can better manage key distribution problem, and three of its cryptosystems, especially RSA. The basic idea of a public key cryptography: In a public key cryptosystem not only the encryption and decryption algorithms are public, but for each user U also the key eU for encrypting messages (by anyone) for U is public. Moreover, each user U keeps secret another (decryption) key, dU , that can be used for decryption of messages that were addressed to him and encrypted with the help of the public encryption key eU . Encryption and decryption keys could (and should) be different - we can therefore speak also about asymmetric cryptography. Secret key cryptography, that has the same key for encryption and for decryption is also called symmetric cryptography.
  • New Approach for CCA2-Secure Post-Quantum Cryptosystem Using Knapsack Problem

    New Approach for CCA2-Secure Post-Quantum Cryptosystem Using Knapsack Problem

    New Approach for CCA2-Secure Post-Quantum Cryptosystem Using Knapsack Problem Roohallah Rastaghi [email protected] Abstract — Chosen-ciphertext security, which guarantees confidentiality of encrypted messages even in the presence of a decryption oracle, has become the de facto notion of security for public-key encryption under active attack. In this manuscript, for the first time, we propose a new approach for constructing post-quantum cryptosystems secure against adaptive chosen ciphertext attack (CCA2-secure) in the standard model using the knapsack problem. The computational version of the knapsack problem is NP-hard . Thus, this problem is expected to be difficult to solve using quantum computers. Our construction is a precoding-based encryption algorithm and uses the knapsack problem to perform a permutation and pad random fogged data to the message bits. Compared to other approaches in use today, our approach is more efficient and its CCA2 security in quantum environment can be reduced in the standard model to the assumption that the knapsack problem is intractable. Furthermore, we show that our approach is a general paradigm and can be applying to any (post-quantum) trapdoor one-way function candidate. Index Terms — CCA2-security, Encoding, Knapsack problem, Post-quantum cryptosystem, Standard model I. INTRODUCTION HE notion of public-key cryptography was introduced by Diffy and Hellman [18] and the ultimate goal of public-key Tencryption is the production of a simple and efficient encryption scheme that is provably secure in a strong security model under a weak and reasonable computational assumption. The accepted notion for the security of a public-key encryption scheme is semantically secure against adaptive chose ciphertext attack (i.e.
  • New Approach for CCA2-Secure Post-Quantum Cryptosystem Using Knapsack Problem

    New Approach for CCA2-Secure Post-Quantum Cryptosystem Using Knapsack Problem

    New Approach for CCA2-Secure Post-Quantum Cryptosystem Using Knapsack Problem Roohallah Rastaghi [email protected] Abstract— Chosen-ciphertext security, which guarantees confidentiality of encrypted messages even in the presence of a decryption oracle, has become the de facto notion of security for public-key encryption under active attack. In this manuscript, for the first time, we propose a new approach for constructing post-quantum cryptosystems secure against adaptive chosen ciphertext attack (CCA2-secure) in the standard model using the knapsack problem. The computational version of the knapsack problem is NP-hard. Thus, this problem is expected to be difficult to solve using quantum computers. Our construction is a precoding-based encryption algorithm and uses the knapsack problem to perform a permutation and pad random fogged data to the message bits. Compared to other approaches in use today, our approach is more efficient and its CCA2 security in quantum environment can be reduced in the standard model to the assumption that the knapsack problem is intractable. Furthermore, we show that our approach is a general paradigm and can be applying to any (post-quantum) trapdoor one-way function candidate. Index Terms— CCA2-security, Encoding, Knapsack problem, Post-quantum cryptosystem, Standard model I. INTRODUCTION HE notion of public-key cryptography was introduced by Diffy and Hellman [18] and the ultimate goal of public-key T encryption is the production of a simple and efficient encryption scheme that is provably secure in a strong security model under a weak and reasonable computational assumption. The accepted notion for the security of a public-key encryption scheme is semantically secure against adaptive chose ciphertext attack (i.e.
  • Post Quantum Cryptography

    Post Quantum Cryptography

    i postquantumnitaj 2017/9/14 14:03 page 1 #1 i i i Malaysian Journal of Mathematical Sciences 11(S) August: 1 - 28 (2017) Special Issue: The 5th International Cryptology and Information Security Conference (New Ideas in Cryptology) MALAYSIAN JOURNAL OF MATHEMATICAL SCIENCES Journal homepage: http://einspem.upm.edu.my/journal Post Quantum Cryptography Nitaj, A. Laboratoire de Mathématiques Nicolas Oresme Université de Caen Normandie, France E-mail: [email protected] ABSTRACT Public key cryptography is widely used for many applications such as signing con- tracts, electronic voting, encryption, securing transactions over the Internet and stor- ing sensitive data. The discovery of an ecient algorithm based on quantum me- chanics for factoring large integers and computing discrete logarithms by Peter Shor in 1994 undermined the security assumptions upon which currently used public key cryptographic algorithms are based, like RSA, El Gamal and ECC. However, some cryptosystems, called post quantum cryptosystems, while not currently in widespread use are believed to be resistant to quantum computing based attacks. In this paper, we provide a survey of quantum and post quantum cryptography. We review the principle of a quatum computer as well as Shor's algorithm and quantum key dis- tribution. Then, we review some cryptosystems undermined by Shor's algorithm as well as some post quantum cryptosystems, that are believed to resist classical and quantum computers. Keywords: Quantum cryptography, Shor's algorithm, Quantum key distribution, Lattice reduction, LWE cryptosystem, NTRU cryptosystem. i i i i i postquantumnitaj 2017/9/14 14:03 page 2 #2 i i i Nitaj A. 1.
  • Survey of Computational Assumptions Used in Cryptography Broken Or Not by Shor’S Algorithm

    Survey of Computational Assumptions Used in Cryptography Broken Or Not by Shor’S Algorithm

    Survey of Computational Assumptions Used in Cryptography Broken or Not by Shor's Algorithm by Hong Zhu School of Computer Science McGill University Montr´eal,Canada December, 2001 A Thesis submitted to the Faculty of Graduate Studies and Research in partial fulfillment of the requirements for the degree of Master in Science c Hong Zhu, 2001 Abstract We survey the computational assumptions of various cryptographic schemes, and discuss the security threat posed by Shor's quantum algorithm. One-way functions form the the basis of public-key cryptography. Although we have candidate hard problems that are believed to be one-way, none has been proven to be so. Therefore the security of the corresponding cryptographic schemes depends on the the intractability assumptions of these problems. Two major species of such problems, factoring and discrete logarithm, are widely believed to be intractable, and serve as the basis of many popular schemes. However, these two problems turned out to be polynomial-time solvable on a hypothetical quantum computer using Shor's algorithm. This is the most worrisome long-term threat to current public-key cryp- tosystems. In the thesis we provide a review of existing cryptosystems, with a focus on their underlying computational assumptions and the security. Other than factoring and discrete logarithm, schemes have been proposed based on error-correcting codes, subset-sum and subset-product problems, lattice, polynomials, combinatorial group theory, number fields, etc. Many are to be furtherly evaluated in future research. i R´esum´e Nous faisons un survol des hypoth`esescalculatoires de plusieurs sch´emascryp- tographiques, et nous discutons de la menace pos´eepar l'algorithme quantique de Shor.
  • Towards a Probabilistic Knapsack Public-Key Cryptosystem with High Density

    Towards a Probabilistic Knapsack Public-Key Cryptosystem with High Density

    information Article PKCHD: Towards A Probabilistic Knapsack Public-Key Cryptosystem with High Density Yuan Ping 1,2,* , Baocang Wang 1,3,*, Shengli Tian 1, Jingxian Zhou 2 and Hui Ma 1 1 School of Information Engineering, Xuchang University, Xuchang 461000, China; [email protected] (S.T.); [email protected] (H.M.) 2 Information Technology Research Base of Civil Aviation Administration of China, Civil Aviation University of China, Tianjin 300300, China; [email protected] 3 Key Laboratory of Computer Networks and Information Security, Ministry of Education, Xidian University, Xi’an 710071, China * Correspondence: [email protected] (Y.P.); [email protected] (B.W.) Received: 22 January 2019; Accepted: 19 February 2019; Published: 21 February 2019 Abstract: By introducing an easy knapsack-type problem, a probabilistic knapsack-type public key cryptosystem (PKCHD) is proposed. It uses a Chinese remainder theorem to disguise the easy knapsack sequence. Thence, to recover the trapdoor information, the implicit attacker has to solve at least two hard number-theoretic problems, namely integer factorization and simultaneous Diophantine approximation problems. In PKCHD, the encryption function is nonlinear about the message vector. Under the re-linearization attack model, PKCHD obtains a high density and is secure against the low-density subset sum attacks, and the success probability for an attacker to recover the message vector with a single call to a lattice oracle is negligible. The infeasibilities of other attacks on the proposed PKCHD are also investigated. Meanwhile, it can use the hardest knapsack vector as the public key if its density evaluates the hardness of a knapsack instance.
  • Part V Public-Key Cryptosystems, I. Key Exchange, Knapsack

    Part V Public-Key Cryptosystems, I. Key Exchange, Knapsack

    Part V Public-key cryptosystems, I. Key exchange, knapsack, RSA CHAPTER 5: PUBLIC-KEY CRYPTOGRAPHY I. RSA The main problem of secret key (or symmetric) cryptography is that in order to send securely a secret message we need to send at first securely a secret key Therefore, secret key cryptography is not a sufficiently good tool for massive communication capable to protect secrecy, privacy and anonymity. prof. Jozef Gruska IV054 5. Public-key cryptosystems, I. Key exchange, knapsack, RSA 2/75 SECURE ENCRYPTION - a PRACTICAL POINT OF VIEW From practical point of view encryptions by a cryptosystem can be considered as secure if they cannot be broken by many (thousands) supercomputers with exaflop performance working for some years. prof. Jozef Gruska IV054 5. Public-key cryptosystems, I. Key exchange, knapsack, RSA 3/75 PUBLIC KEY CRYPTOGRAPHY In this chapter we first describe the birth of public key cryptography, that can better manage the key distribution problem, and three of its cryptosystems, especially RSA. The basic idea of a public key cryptography: In a public key cryptosystem not only the encryption and decryption algorithms are public, but for each user U also the key eU for encrypting messages (by anyone) for U is public. Moreover, each user U keeps secret another (decryption) key, dU , that can be used for decryption of messages that were addressed to him and encrypted with the help of the public encryption key eU . Encryption and decryption keys could (and should) be different - we can therefore speak also about asymmetric cryptography. Secret key cryptography, that has the same key for encryption and for decryption is called also symmetric cryptography.