Public-Key Cryptography Theory and Practice


Abhijit Das
Department of Computer Science and Engineering
Indian Institute of Technology Kharagpur

Chapter 5: Cryptographic Algorithms

Common Encryption Algorithms

| Encryption algorithm | Security depends on |
| --- | --- |
| RSA encryption | Integer factoring problem |
| ElGamal encryption | DHP (DLP) |
| Rabin encryption | Square-root problem |
| Goldwasser-Micali encryption | Quadratic residuosity problem |
| Blum-Goldwasser encryption | Square-root problem |
| Chor-Rivest encryption | Subset sum problem |
| XTR | DLP |
| NTRU | Closest vector problem in lattices |

RSA Encryption

Key generation: The recipient generates two random large primes $p, q$, computes $n = pq$ and $\phi(n) = (p-1)(q-1)$, finds a random integer $e$ with $\gcd(e, \phi(n)) = 1$, and determines an integer $d$ with $ed \equiv 1 \pmod{\phi(n)}$.

Public key: $(n, e)$. Private key: $(n, d)$.

Encryption

Input: Plaintext $m \in \mathbb{Z}_n$ and the recipient's public key $(n, e)$.

Output: Ciphertext $c \equiv m^e \pmod{n}$.

Decryption

Input: Ciphertext $c$ and the recipient's private key $(n, d)$.

Output: Plaintext $m \equiv c^d \pmod{n}$.

RSA Encryption: Example

Let $p = 257$, $q = 331$, so that $n = pq = 85067$ and $\phi(n) = (p-1)(q-1) = 84480$. Take $e = 7$, so that $d \equiv e^{-1} \equiv 60343 \pmod{\phi(n)}$.

Public key: $(85067, 7)$. Private key: $(85067, 60343)$.

Let $m = 34152$. Then $c \equiv m^e \equiv (34152)^7 \equiv 53384 \pmod{n}$.

Recover $m \equiv c^d \equiv (53384)^{60343} \equiv 34152 \pmod{n}$.

Decryption by an exponent $d'$ other than $d$ does not give back $m$. For example, take $d' = 38367$. We have $m' \equiv c^{d'} \equiv (53384)^{38367} \equiv 71303 \pmod{n}$.

Why RSA Works?

Assume that $m \in \mathbb{Z}_n^*$. By Euler's theorem, $m^{\phi(n)} \equiv 1 \pmod{n}$.

Now, $ed \equiv 1 \pmod{\phi(n)}$, that is, $ed = 1 + k\phi(n)$ for some integer $k$. Therefore,

$$c^d \equiv m^{ed} \equiv m^{1 + k\phi(n)} \equiv m \times \left(m^{\phi(n)}\right)^k \equiv m \times 1^k \equiv m \pmod{n}.$$

Note: The message can be recovered uniquely even when $m \notin \mathbb{Z}_n^*$.

Security of RSA

If $n$ can be factored, $\phi(n)$ can be computed and so $d$ can be determined from $e$ by extended gcd computation. Once $d$ is known, any ciphertext can be decrypted.

At present, no other method is known to decrypt RSA-encrypted messages.

RSA derives security from the intractability of the IFP.

If $e, d, n$ are known, there exists a probabilistic polynomial-time algorithm to factor $n$. So RSA key inversion is as difficult as IFP. But RSA decryption without the knowledge of $d$ may be easier than factoring $n$.

In practice, we require the size of $n$ to be > 1024 bits with each of $p, q$ having nearly half the size of $n$.

How to Speed Up RSA?

Encryption: Take small encryption exponent $e$ (like the smallest prime not dividing $\phi(n)$).

Decryption: Small decryption exponents invite many attacks.

Store $n, e, d, p, q, d_1, d_2, h$, where $d_1 = d \text{ rem } (p-1)$, $d_2 = d \text{ rem } (q-1)$ and $h = q^{-1} \pmod{p}$.

Carry out decryption as:

$m_1 = c^{d_1} \pmod{p}$.

$m_2 = c^{d_2} \pmod{q}$.

$t = h(m_1 - m_2) \pmod{p}$.

$m = m_2 + tq$.
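
The stored values and the four decryption steps above, as an added example in Python (not code from the slides), using the toy key of the RSA example slide so that the CRT path can be compared with plain $c^d \bmod n$. The function names and dictionary keys are choices made here.

```python
# Added example, not from the slides: textbook RSA with the CRT decryption
# shortcut. Toy parameters from the RSA example slide; no padding is applied.
from math import gcd


def rsa_keygen(p, q, e):
    """Return public key (n, e) and the stored private values n, d, p, q, d1, d2, h."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                      # ed = 1 (mod phi(n)); Python 3.8+
    priv = {"n": n, "d": d, "p": p, "q": q,
            "d1": d % (p - 1),               # d rem (p - 1)
            "d2": d % (q - 1),               # d rem (q - 1)
            "h": pow(q, -1, p)}              # q^-1 (mod p)
    return (n, e), priv


def rsa_encrypt(m, pub):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must be an element of Z_n")
    return pow(m, e, n)


def rsa_decrypt(c, priv):
    """Reference decryption: one full-size exponentiation modulo n."""
    return pow(c, priv["d"], priv["n"])


def rsa_decrypt_crt(c, priv):
    """Two half-size exponentiations, then recombination m = m2 + t*q."""
    p, q = priv["p"], priv["q"]
    m1 = pow(c, priv["d1"], p)
    m2 = pow(c, priv["d2"], q)
    t = (priv["h"] * (m1 - m2)) % p          # Python's % keeps t in [0, p)
    return m2 + t * q


if __name__ == "__main__":
    pub, priv = rsa_keygen(257, 331, 7)
    c = rsa_encrypt(34152, pub)
    print(pub, priv["d"], c, rsa_decrypt_crt(c, priv))
```

The recombination also returns the right plaintext for messages that are multiples of $p$ or $q$, matching the note that recovery is unique even when $m \notin \mathbb{Z}_n^*$.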
A speedup of about 4 is obtained.

ElGamal Encryption

Key generation: The recipient selects a random big prime $p$ and a primitive root $g$ modulo $p$, chooses a random $d \in \{2, 3, \ldots, p-2\}$, and computes $y \equiv g^d \pmod{p}$.

Public key: $(p, g, y)$. Private key: $(p, g, d)$.

Encryption

Input: Plaintext $m \in \mathbb{Z}_p$ and recipient's public key $(p, g, y)$.

Output: Ciphertext $(s, t)$.

Generate a random integer $d' \in \{2, 3, \ldots, p-2\}$.

Compute $s \equiv g^{d'} \pmod{p}$ and $t \equiv m y^{d'} \pmod{p}$.

Decryption

Input: Ciphertext $(s, t)$ and recipient's private key $(p, g, d)$.

Output: Recovered plaintext $m \equiv t s^{-d} \pmod{p}$.

ElGamal Encryption (contd)

Correctness: We have $s \equiv g^{d'} \pmod{p}$ and $t \equiv m y^{d'} \equiv m (g^d)^{d'} \equiv m g^{dd'} \pmod{p}$. Therefore,

$$m \equiv t g^{-dd'} \equiv t (g^{d'})^{-d} \equiv t s^{-d} \pmod{p}.$$

Example of ElGamal encryption

Take $p = 91573$ and $g = 67$.

The recipient chooses $d = 23632$ and so $y \equiv (67)^{23632} \equiv 87955 \pmod{p}$.

Let $m = 29485$ be the message to be encrypted.

The sender chooses $d' = 1783$ and computes $s \equiv g^{d'} \equiv 52958 \pmod{p}$ and $t \equiv m y^{d'} \equiv 1597 \pmod{p}$.

The recipient retrieves $m \equiv t s^{-d} \equiv 1597 \times (52958)^{-23632} \equiv 29485 \pmod{p}$.

Security of ElGamal Encryption

An eavesdropper knows $g, p, y, s, t$, where $y \equiv g^d \pmod{p}$ and $s \equiv g^{d'} \pmod{p}$. Determining $m$ from $(s, t)$ is equivalent to computing $g^{dd'} \pmod{p}$, since $t \equiv m g^{dd'} \pmod{p}$. (Here, $m$ is masked by the quantity $g^{dd'} \pmod{p}$.) But $d, d'$ are unknown to the attacker.
So the ability to solve the DHP lets the eavesdropper break ElGamal encryption.

Practically, we require $p$ to be of size > 1024 bits for achieving a good level of security.

Probabilistic Encryption

To generate different ciphertext messages in different runs (for the same public key and plaintext message)

Goldwasser-Micali Encryption

Quadratic residuosity problem: For a composite integer $n$ and for an $a$ with $\left(\frac{a}{n}\right) = 1$, determine whether $a$ is a quadratic residue modulo $n$, that is, whether the congruence $x^2 \equiv a \pmod{n}$ is solvable.

Suppose $n = pq$ (product of two primes). $\left(\frac{a}{n}\right) = 1$ implies either $\left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = 1$ ($a$ is a quadratic residue) or $\left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = -1$ ($a$ is a quadratic non-residue).

We know no methods other than factoring $n$ to solve this problem.

Goldwasser-Micali Encryption: Key Generation

Choose two large primes $p$ and $q$ (of bit size > 512), and let $n = pq$.

Generate random integers $a, b$ with $\left(\frac{a}{p}\right) = \left(\frac{b}{q}\right) = -1$.

Use CRT to generate $x \pmod{n}$ with $x \equiv a \pmod{p}$ and $x \equiv b \pmod{q}$.

The public key is $(n, x)$, and the private key is $p$.

Goldwasser-Micali Encryption

Encryption

The input is the $r$-bit plaintext message $m_1 m_2 \ldots m_r$.

For each $i = 1, 2, \ldots, r$, choose $a_i \in \mathbb{Z}_n^*$ randomly and compute $c_i = x^{m_i} a_i^2 \pmod{n}$.

The ciphertext message is the $r$-tuple $(c_1, c_2, \ldots, c_r) \in (\mathbb{Z}_n^*)^r$.

Decryption

For $i = 1, 2, \ldots, r$, take $m_i = 0$ if $\left(\frac{c_i}{p}\right) = 1$, or $m_i = 1$ if $\left(\frac{c_i}{p}\right) = -1$.

Goldwasser-Micali Encryption (contd)

Correctness

If $m_i = 0$, then $c_i = a_i^2 \pmod{n}$ is a quadratic residue modulo $n$ (and so modulo $p$ and $q$ also).

If $m_i = 1$, then $c_i = x a_i^2 \pmod{n}$ is a quadratic non-residue modulo $n$ (or modulo $p$ and $q$).

Remarks

Probabilistic encryption: The ciphertext $c_i$ depends on the choice of $a_i$.

Message expansion: An $r$-bit plaintext message generates an $rl$-bit ciphertext message, where $l = |n|$.

Without the knowledge of $p$ (the private key), we do not know how to determine whether $c_i$ is a quadratic residue or not modulo $n$.

Goldwasser-Micali Encryption: Example

Key generation

Take $p = 653$ and $q = 751$, so $n = pq = 490403$.

Take $a = 159$ and $b = 432$, so $x \equiv 313599 \pmod{n}$.

The public key is $(490403, 313599)$ and the private key is $653$.

Encryption

Let us encrypt the 3-bit message $m_1 m_2 m_3 = 101$.

Choose $a_1 = 356217$ and compute $c_1 \equiv x a_1^2 \equiv 398732 \pmod{n}$.

Choose $a_2 = 159819$ and compute $c_2 \equiv a_2^2 \equiv 453312 \pmod{n}$.

Choose $a_3 = 482474$ and compute $c_3 \equiv x a_3^2 \equiv 12380 \pmod{n}$.

Decryption

$\left(\frac{398732}{p}\right) = -1$, so $m_1 = 1$.

$\left(\frac{453312}{p}\right) = 1$, so $m_2 = 0$.

$\left(\frac{12380}{p}\right) = -1$, so $m_3 = 1$.

Diffie-Hellman Key Exchange

Alice and Bob decide about a prime $p$ and a primitive root $g$ modulo $p$.

Alice generates a random $a \in \{2, 3, \ldots, p-2\}$ and sends $g^a \pmod{p}$ to Bob.
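
The Goldwasser-Micali key generation, encryption and decryption slides above, as an added example in Python (not code from the slides), replaying the toy key and the $a_i$ values of the example slide. The function names and the `randoms` parameter are assumptions introduced here; toy sizes only.

```python
# Added example, not from the slides: Goldwasser-Micali bit encryption with the
# toy key of the example slide. The `randoms` parameter is an assumption added
# here so the slide's a_i values can be replayed; normal use leaves it unset.
import secrets
from math import gcd


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, via Euler's criterion."""
    r = pow(a % p, (p - 1) // 2, p)          # r is 0, 1 or p - 1
    return -1 if r == p - 1 else r


def gm_keygen(p, q, a, b):
    """Return public key (n, x) and private key p, with x = a (mod p), x = b (mod q)."""
    if legendre(a, p) != -1 or legendre(b, q) != -1:
        raise ValueError("a and b must be quadratic non-residues mod p and q")
    n = p * q
    x = (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % n   # CRT
    return (n, x), p


def random_unit(n):
    """Uniform element of Z_n^*."""
    while True:
        a = secrets.randbelow(n - 1) + 1
        if gcd(a, n) == 1:
            return a


def gm_encrypt(bits, pub, randoms=None):
    """Encrypt each bit m_i as c_i = x^m_i * a_i^2 (mod n)."""
    n, x = pub
    cipher = []
    for i, bit in enumerate(bits):
        a_i = randoms[i] if randoms is not None else random_unit(n)
        c = pow(a_i, 2, n)
        cipher.append(c * x % n if bit else c)
    return cipher


def gm_decrypt(cipher, p):
    """m_i = 0 if (c_i/p) = 1, m_i = 1 if (c_i/p) = -1."""
    return [0 if legendre(c, p) == 1 else 1 for c in cipher]


def jacobi_from_factors(c, p, q):
    """(c/n) computed from the factors; every valid ciphertext gives +1."""
    return legendre(c, p) * legendre(c, q)
```

`jacobi_from_factors` returns +1 for encryptions of both 0 and 1, which is why the symbol $\left(\frac{c_i}{n}\right)$ alone tells an observer nothing about the bit.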
