6.857 Computer and Network Security Fall Term, 1997
Lecture 6 : September 23, 1997
Lecturer: Ron Rivest Scribe: El liot Schwartz
1 Topics Covered
Concepts of Public-Key Cryptography
Numb er Theory
2 Concepts of Public-Key Cryptography
So far our cryptographic techniques have utilized a shared secret; b ecause of this they
op erate in a symmetric and p oint-to-p oint manner. Because it breaks the symmetry
and allows one-to-many and many-to-one op eration, public key cryptography is also
called asymmetric cryptography.
The main idea is to separate the capability of encryption from decryption. Thus, the
system has the following requirements:
0
an encryption key E , such that E M =C
A A
a decryption key D , such that D E M = M
A A A
knowing E do es not imply knowing D i.e. knowing how to encrypt do es not
A A
imply knowing how to decrypt
With such a system, E can be published in a directory as Alice's public key, and
A
p eople can use the key to create messages that only Alice can decrypt.
Open question: How do we organize such a directory?
The encryption function could b e a deterministic, one-to-one function, but this would
0
allow a guess and check attack: An adversary could compute E M for a guessed
A
0 0
M , and see if the result matches an overheard C . Therefore, E should be and is
A
randomized in practice. 1
2 3 NUMBER THEORY
2.1 Digital Signatures
We can use a corresp onding idea to public-key encryption for providing authentica-
tion: we separate the pro cess of signing from verifying. This allows anyone to verify
that an individual signed a message. Since this is like signing a pap er do cument, the
technique is called a digital signature.
Requirements:
n
tr ue
public key veri es signature: V M; S =
A
false
private key signs: M =S; transmit M; S
A
knowing verify do es not imply knowing how to sign
2.2 Miscellany
We can combine digital signatures and public-key encryption to get b oth privacy and
Under the Die-Hellman paradigm, D can b e used to encrypt and E to decrypt.
A A
This is a sp ecial case, and the way RSA works. Mathematically, M = D M ,
A A
and veri cation uses E .
A
A signature once valid is always valid, therefore replay attacks are p ossible. Attaching
sequence numb ers or the date to a message are common ways of allowing a veri er
to rememb er whether he's seen the message b efore.
3 Number Theory
Public-key cryptography can b e implemented using number theory.
For a prime p,
Z = f0; 1;:::;p 1g forms a group under + identity is 0, asso ciative, inverses exist
p
?
Z = f1; 2;:::;p 1g forms a group under identityis1
p
Z actually forms a eld with + distributivelaw holds, etc.
p
If p is not a prime, say 10, not all numb ers between 1 and 9 have multiplicative
?
inverses mo dulo 10 for example, 2 and 5 do not. So, Z = fa : gcda; n=1g;a 2
n
?
f1;2;:::;n 1g a's that are relatively prime to n. Z = f1; 3; 7; 9g. 10
3.1 Fast Mo dular Exp onentiation 3
?
Theorem 1 If p is prime, then Z is cyclic.
p
1 2 p 1 ?
This means, there exists a generator g such that fg ;g ;:::;g g = Z .
p
2 3 4 5 6
For example, in mo dulo 7, take g =3: g =2;g =6 = 1;g =4;g =5;g =1.
a b b a ab
Note that g =g = g mo d p.
? p 1
Theorem 2 If p is prime, then 8a 2 Z a 1 mo d p. Fermat's Little
p
Theorem
? p 1
Lemma 1 If p is prime, and g is a generator of Z , then g 1 mo d p.
p
?
Pro of: For some generator g , g generates all the elements in Z . Therefore, the
p
generator must generate a 1. If a 1 was generated b efore p 1 exp onentiations, the
sequence would rep eat and b e missing some elements. Ifa1was generated after p 1
exp onentiations, then the sequence would have rep eated b efore generating a 1, which
p 1
is not p ossible. Therefore, g 1 mo d p.
? x
Pro of: 8a 2 Z 9x : a g mo d p.
p
p 1 x p 1 p 1 x x
Therefore, a g g 1 1 mo d p.