This version prepared 6/30/2003 15 Lecture 4: Public key encryption 4.1 Classical crypto The classical setup for secure communication sees Alice trying to communicate with Bob, while an eavesdropper called Eve tries to listen or look EVE at the communication learning anything she can. One setup with some historical justi¯cation is a \book code", which will be used here principally A B to introduce vocabulary. Alice and Bob are given copies of the same book. They are told that messages from one to the other will be made secure by looking at a page on the book and adding each letter in a message with a corresponding letter on the page, mod 26. So if Alice wants to send Bob a message beginning \MAY WE MEET SOON : : :" and the ¯rst words on the page are \ONCE UPON A TIME : : :" then the ¯rst letter Eve would send would be B. That's because M is the thirteenth letter in the alphabet, O is the ¯fteenth, and 13 + 15 = 28 = 2 mod 26, and B is the second letter in the alphabet. In this case the entire arrangement (sending each letter, adding letter values mod 26, selecting pages, etc.) would be called a cryptosystem. We could think of Eve with various abilities. Minimally, Eve might just know the transmitted letter. Eve might be more powerful, and might know the entire system, and might even know the book used. She might not know the speci¯c page of the book selected, and that would be called the key of the system. Generally it is assumed that an attacker knows the cryptosystem, but does not know the key. This assumption, formulated explicitly about a century ago, is called \Kerckho®'s maxim" and is named after a Dutch cryptographer who spent most of his life in France Look at http://www.cl.cam.ac.uk/~fapp2/kerckhoffs/ which has a link to a copy of the original article (written in French, published in 1883). Now much communication is digital. The assumption is frequently made that the cryptosystem is implemented via computer, and that Eve has much greater computer resources (both speed and storage) than Alice and Bob. This corresponds with some real situations, where Eve might be a government agency or a large corporation. 4.2 Public key encryption* Much cryptography is done with high-speed machines using clever programs. A con- stant problem is to make sure that the machines can talk to each other. These machines should have the same keys. Key distribution has historically been a problem: in the 1500's, a country might need to tell its ambassadors which pages in a book to use on which days, or communication might be seriously impaired. A critical question might be phrased: how can keys be distributed \publically" without compromising security? * Some of this material follows notes written by Sa·sa Radomirovi¶c, a math grad student. See http://www.math.rutgers.edu/~greenfie/teaching/display/diary.html. Links there have information about the course he helped with during spring 2000. This version prepared 6/30/2003 16 In the digital environment this is even more important. Hundreds of thousands of users might want to communicate securely with each other, and reality is that, e®ectively, there can be little prearrangement of keys. The users might agree on cryptosystems, but for a long time transactions were obstructed by a lack of ability to communicate keys securely. The problem is: Alice wants to send Bob a message (the key). Eve will listen, Eve will know the protocols, and Eve has much greater computer resources than Alice and Bob. Is it possible for Alice and Bob to exchange information securely in spite of these obstacles? The surprising and perhaps unintuitive answer is \Yes". There are several solutions, and here we discuss RSA*. Another solution in widespread use is the Di±e-Hellman method, and there have been a number of other proposals. 4.3 Introducing RSA If P and Q are distinct primes, Euler's generalization of Fermat's Little Theorem states (²) a(any integer)(P ¡1)(Q¡1) = 1 mod P Q for certain integers, a. I'll forget temporarily about the restriction on a until later. It will turn out that no (operational) problem will occur. Notice that if T is a number with T = 1 mod (P ¡ 1)(Q ¡ 1), then aT = a mod P Q. Suppose Alice chooses a number e for encryption. The linear equation ex = 1 mod (P ¡ 1)(Q ¡ 1) can be e±ciently solved by the Euclidean algorithm. Suppose d is a solution of this equation. Then (ae)d = ade = aed = a(an integer)(P ¡1)(Q¡1)+1. This is a consequence of the mod equation (²). But mod P Q the complicated stu® in the exponent vanishes, and result of all the computation is just a1 = a! So take a, compute b = ae mod P Q, compute bd mod P Q, and the result must be a. Here is a step-by-step description of RSA, a public key encryption protocol. Step 1: Alice prepares Alice selects distinct primes P and Q. She computes N = P Q, selects e and d so that ed = 1 mod (P ¡ 1)(Q ¡ 1). Alice makes public only N and e, so everyone knows N and e. Please note: here again there may appear to be an operational di±cultly { selecting e and ¯nding d. I'll address this later, also. It is not a serious problem. Step 2: Bob encrypts Bob wants to send a message, a, to Alice. He computes b = ae mod N and sends that to Alice. Step 3: Alice decrypts Alice computes bd mod N and gets the message, a. That's it, a communications revolution, one which has made governments very annoyed for several decades. 4.4 An example In \the real world" nobody would ever use numbers as small as what is here. This is just a toy which I hope will help you understand the steps above. * R=Ron Rivest, S=Adi Shamir, and A=Len Adleman, and, yes, this is the same Shamir as in the secret sharing section. They published a description of this system in 1977. It had likely been discovered by other people earlier. See the bibliography. This version prepared 6/30/2003 17 Step 1: Alice prepares Alice chooses 11 and 5 as her primes, and computes N = 11 ¢ 5 = 55. She chooses e = 3 and ¯nds that d = 27. She ¯nds d by solving 3 ¢ x = 1 mod 10 ¢ 4. Alice \publishes" N = 55 and e = 3. Step 2: Bob encrypts Bob knows N = 55 and e = 3. Suppose Bob's message is a = 9. He computes ae mod N, which is 93 mod 55 = 14. He sends b = 14 to Alice. Step 3: Alice decrypts Alice gets 14 from Bob. She computes 1427 mod 55. Her answer is 9, which is Bob's message. That's no surprise, since (93)27 = 981 = 4 94¢20+1 = 920 ¢ 91 = 14 ¢ 9 = 9 mod 55 by Euler's Theorem. ¡ ¢ 4.5 How to break it Is RSA any good? Any serious cryptosystem should be evaluated critically, and such evaluation such probably be redone fairly often. What does Eve know and can she \break" RSA? We assume that Eve knows that Alice and Bob are using this system. In the example above, Eve knows N = 55, e = 3, and the encrypted message, b = 14. Eve also knows the Alice and Bob are using RSA. Solving a3 = 14 mod 55 might take some time. There's an easier way, as Eve tries to imitate Alice's decryption. Eve must know d to decrypt this easily. But to ¯nd d e±ciently, she has to know P and Q! In this example, Eve has little problem factoring 55 as 5 ¢ 11. Then her computer solves 3x = 1 mod 4 ¢ 10 rapidly, and gets the answer 27 for d. Eve can now decrypt every message sent to Alice the same way that Alice does. Much e®ort has been devoted to ¯nding ways to break RSA. Some special cases can be attacked easily, but there are defenses against these. Factoring the modulus is the best known general attack on RSA, and some people believe it is the only general attack. 4.6 The real world In the real world the primes P and Q which are currently used each have about 170 digits Many people are trying to factor numbers which are the product of two big primes. The largest such number factored so far is a product of two 78 digit primes and is known as RSA-155. This result was announced on August 22, 1999 by Dr. H. J. J. te Riele at the CWI in Amsterdam (which is the national research institute for mathematics and computer science in the Netherlands) and was a result of joint work involving many organizations and people. The factoring process for RSA-155 took about 7 months and more than 300 work- stations were involved. At the end, a Cray supercomputer was needed. The amount of computer time needed was about the equivalent of 800 years on a standard PC. This com- parison is not useful because the amount of memory needed was almost 20 times as much as a standard PC has. Some details: 2048 MB of RAM and up to 3.7 GB of hard disk space were needed. The factoring process had various stages. At the end a huge system of linear equations had to be solved.