6.857 Computer and Network Security Fall Term, 1997 Lecture 6 : September 23, 1997 Lecturer: Ron Rivest Scribe: El liot Schwartz 1 Topics Covered Concepts of Public-Key Cryptography Numb er Theory 2 Concepts of Public-Key Cryptography So far our cryptographic techniques have utilized a shared secret; b ecause of this they op erate in a symmetric and p oint-to-p oint manner. Because it breaks the symmetry and allows one-to-many and many-to-one op eration, public key cryptography is also called asymmetric cryptography. The main idea is to separate the capability of encryption from decryption. Thus, the system has the following requirements: 0 an encryption key E , such that E M =C A A a decryption key D , such that D E M = M A A A knowing E do es not imply knowing D i.e. knowing how to encrypt do es not A A imply knowing how to decrypt With such a system, E can be published in a directory as Alice's public key, and A p eople can use the key to create messages that only Alice can decrypt. Open question: How do we organize such a directory? The encryption function could b e a deterministic, one-to-one function, but this would 0 allow a guess and check attack: An adversary could compute E M for a guessed A 0 0 M , and see if the result matches an overheard C . Therefore, E should be and is A randomized in practice. 1 2 3 NUMBER THEORY 2.1 Digital Signatures We can use a corresp onding idea to public-key encryption for providing authentica- tion: we separate the pro cess of signing from verifying. This allows anyone to verify that an individual signed a message. Since this is like signing a pap er do cument, the technique is called a digital signature. Requirements: n tr ue public key veri es signature: V M; S = A false private key signs: M =S; transmit M; S A knowing verify do es not imply knowing how to sign 2.2 Miscellany We can combine digital signatures and public-key encryption to get b oth privacy and authentication. Under the Die-Hellman paradigm, D can b e used to encrypt and E to decrypt. A A This is a sp ecial case, and the way RSA works. Mathematically, M = D M , A A and veri cation uses E . A A signature once valid is always valid, therefore replay attacks are p ossible. Attaching sequence numb ers or the date to a message are common ways of allowing a veri er to rememb er whether he's seen the message b efore. 3 Number Theory Public-key cryptography can b e implemented using number theory. For a prime p, Z = f0; 1;:::;p1g forms a group under + identity is 0, asso ciative, inverses exist p ? Z = f1; 2;:::;p 1g forms a group under identityis1 p Z actually forms a eld with + distributivelaw holds, etc. p If p is not a prime, say 10, not all numb ers between 1 and 9 have multiplicative ? inverses mo dulo 10 for example, 2 and 5 do not. So, Z = fa : gcda; n=1g;a 2 n ? f1;2;:::;n 1g a's that are relatively prime to n. Z = f1; 3; 7; 9g. 10 3.1 Fast Mo dular Exp onentiation 3 ? Theorem 1 If p is prime, then Z is cyclic. p 1 2 p1 ? This means, there exists a generator g such that fg ;g ;:::;g g = Z . p 2 3 4 5 6 For example, in mo dulo 7, take g =3: g =2;g =6 =1;g =4;g =5;g =1. a b b a ab Note that g =g = g mo d p. ? p1 Theorem 2 If p is prime, then 8a 2 Z a 1 mo d p. Fermat's Little p Theorem ? p1 Lemma 1 If p is prime, and g is a generator of Z , then g 1 mo d p. p ? Pro of: For some generator g , g generates all the elements in Z . Therefore, the p generator must generate a 1. If a 1 was generated b efore p 1 exp onentiations, the sequence would rep eat and b e missing some elements. Ifa1was generated after p 1 exp onentiations, then the sequence would have rep eated b efore generating a 1, which p1 is not p ossible. Therefore, g 1 mo d p. ? x Pro of: 8a 2 Z 9x : a g mo d p. p p1 x p1 p1 x x Therefore, a g g 1 1 mo d p. 1 p2 Corollary 1 a a mo d p 3.1 Fast Mo dular Exp onentiation 1 b To nd a=b, we calculate a b using exp onentiation. How do we compute a mo d p eciently? 8 > 1 b =0 < b=2 2 b a mo d p b 6=0^b 0 mo d 2 a = > : bb=2c 2 a a mo d p b 6=0^b 1 mo d 2 Note that mo dulus p do esn't need to b e prime here, since were are only doing multi- plication and squarings. 3 Number of recursive calls is O lg b. Total work is O k for k -bit numb ers a, b, p, 2 and a algorithm for multiplying in mo dulo p that's O k . This is reasonable to do on a PC. 4 4 REFERENCES 3.2 Finding Primes How do we nd large primes? Pick a random numb er, and then check with some tests. Rabin-Miller Primality Test: 1. Given a large o dd number p, to test for primality: 2. Pick at random a 2f1;2;:::;p 1g. p1 3. Test if a 1 mo d p. If 6= 1 then halt; p is not prime. 2 4. Test if we ever saw an r , r 6= 1 such that r 1 mo d p in step 3. If so, halt; p is not prime. 5. Rep eat steps 2-4 20 times, or until happy. 6. Declare p to b e probably prime. Each pass has a chance of at least 1=2of declairing p to b e non-prime, if p is indeed non-prime. If p is prime, it is never declaired non-prime. Density: Ab out 1=1000 1000-bit numb ers are prime, so this is reasonable to do on a PC. 4 References W. Bie and M. E. Hellman. New directions in cryptography. IEEE Trans. Inform. Theory, IT-22:644-654, November 1976..