6.857 Computer and Network Security Fall Term, 1997

Lecture 6 : September 23, 1997

Lecturer: Scribe: El liot Schwartz

1 Topics Covered

 Concepts of Public-

 Numb er Theory

2 Concepts of Public-Key Cryptography

So far our cryptographic techniques have utilized a ; b ecause of this they

op erate in a symmetric and p oint-to-p oint manner. Because it breaks the symmetry

and allows one-to-many and many-to-one op eration, public key cryptography is also

called asymmetric cryptography.

The main idea is to separate the capability of from decryption. Thus, the

system has the following requirements:

0

 an encryption key E , such that E M =C

A A

 a decryption key D , such that D E M  = M

A A A

 knowing E do es not imply knowing D i.e. knowing how to encrypt do es not

A A

imply knowing how to decrypt

With such a system, E can be published in a directory as Alice's public key, and

A

p eople can use the key to create messages that only Alice can decrypt.

Open question: How do we organize such a directory?

The encryption function could b e a deterministic, one-to-one function, but this would

0

allow a guess and check attack: An adversary could compute E M  for a guessed

A

0 0

M , and see if the result matches an overheard C . Therefore, E should be and is

A

randomized in practice. 1

2 3 NUMBER THEORY

2.1 Digital Signatures

We can use a corresp onding idea to public-key encryption for providing authentica-

tion: we separate the pro cess of signing from verifying. This allows anyone to verify

that an individual signed a message. Since this is like signing a pap er do cument, the

technique is called a digital signature.

Requirements:

n

tr ue

 public key veri es signature: V M; S =

A

false

 private key signs:  M =S; transmit M; S 

A

 knowing verify do es not imply knowing how to sign

2.2 Miscellany

We can combine digital signatures and public-key encryption to get b oth privacy and

.

Under the Die-Hellman paradigm, D can b e used to encrypt and E to decrypt.

A A

This is a sp ecial case, and the way RSA works. Mathematically,  M  = D M ,

A A

and veri cation uses E .

A

A signature once valid is always valid, therefore replay attacks are p ossible. Attaching

sequence numb ers or the date to a message are common ways of allowing a veri er

to rememb er whether he's seen the message b efore.

3 Number Theory

Public-key cryptography can b e implemented using number theory.

For a prime p,

Z = f0; 1;:::;p1g forms a group under + identity is 0, asso ciative, inverses exist

p

?

Z = f1; 2;:::;p 1g forms a group under  identityis1

p

Z actually forms a eld with +   distributivelaw holds, etc.

p

If p is not a prime, say 10, not all numb ers between 1 and 9 have multiplicative

?

inverses mo dulo 10 for example, 2 and 5 do not. So, Z = fa : gcda; n=1g;a 2

n

?

f1;2;:::;n 1g a's that are relatively prime to n. Z = f1; 3; 7; 9g. 10

3.1 Fast Mo dular Exp onentiation 3

?

Theorem 1 If p is prime, then Z is cyclic.

p

1 2 p1 ?

This means, there exists a generator g such that fg ;g ;:::;g g = Z .

p

2 3 4 5 6

For example, in mo dulo 7, take g =3: g =2;g =6 =1;g =4;g =5;g =1.

a b b a ab

Note that g  =g  = g mo d p.

? p1

Theorem 2 If p is prime, then 8a 2 Z a 1 mo d p. Fermat's Little

p

Theorem

? p1

Lemma 1 If p is prime, and g is a generator of Z , then g 1 mo d p.

p

?

Pro of: For some generator g , g generates all the elements in Z . Therefore, the

p

generator must generate a 1. If a 1 was generated b efore p 1 exp onentiations, the

sequence would rep eat and b e missing some elements. Ifa1was generated after p 1

exp onentiations, then the sequence would have rep eated b efore generating a 1, which

p1

is not p ossible. Therefore, g 1 mo d p.

? x

Pro of: 8a 2 Z 9x : a g mo d p.

p

p1 x p1 p1 x x

Therefore, a g  g  1 1 mo d p.

1 p2

Corollary 1 a a mo d p

3.1 Fast Mo dular Exp onentiation

1 b

To nd a=b, we calculate a  b using exp onentiation. How do we compute a

mo d p eciently?

8

>

1 b =0

<

b=2 2

b

a  mo d p b 6=0^b 0 mo d 2

a =

>

:

bb=2c 2

a  a  mo d p b 6=0^b 1 mo d 2

Note that mo dulus p do esn't need to b e prime here, since were are only doing multi-

plication and squarings.

3

Number of recursive calls is O lg b. Total work is O k  for k -bit numb ers a, b, p,

2

and a for multiplying in mo dulo p that's O k . This is reasonable to do

on a PC.

4 4 REFERENCES

3.2 Finding Primes

How do we nd large primes? Pick a random numb er, and then check with some

tests.

Rabin-Miller Primality Test:

1. Given a large o dd number p, to test for primality:

2. Pick at random a 2f1;2;:::;p 1g.

p1

3. Test if a 1 mo d p. If 6= 1 then halt; p is not prime.

2

4. Test if we ever saw an r , r 6= 1 such that r 1 mo d p in step 3. If so,

halt; p is not prime.

5. Rep eat steps 2-4 20 times, or until happy.

6. Declare p to b e probably prime.

Each pass has a chance of at least 1=2of declairing p to b e non-prime, if p is indeed

non-prime. If p is prime, it is never declaired non-prime.

Density: Ab out 1=1000 1000-bit numb ers are prime, so this is reasonable to do on a

PC.

4 References

 W. Bie and M. E. Hellman. New directions in cryptography. IEEE Trans.

Inform. Theory, IT-22:644-654, November 1976.