Lecture 25: Public key cryptography - University of Virginia

Lecture 25: Public key cryptography DANIEL WELLER TUESDAY, APRIL 23, 2019

Agenda

Symmetric versus asymmetric cryptography

Chinese remainder theorem

RSA algorithm

Pretty good privacy (PGP)

Advanced encryption standard (AES)

The Chinese remainder theorem simplifies a complicated congruence similar to how gears with different numbers of teeth interact with each other.

Image credit: Oliver Knill/Harvard.

Recall: Diffie-Hellman key exchange

Diffie-Hellman key exchange allows sharing a secret key generated on the fly, but it is not so useful for transmitting specific pieces of information.

Both Alice (A) and Bob (B) have access to the same information after decryption. To get away from this, let’s introduce the idea of public key cryptography. First, we must discuss symmetric and asymmetric key encryption…

Symmetry versus asymmetry

Symmetry: same key used for encryption, decryption

◦ Methods generally fairly simple, like the one time pad or other ciphers

◦ At the end, Alice and Bob have access to all the same information

This idea of a single shared key is not necessary – we can construct procedures that use different keys in encryption and decryption. We call these procedures asymmetric key exchange.

◦ Different information used in encryption, decryption procedure

◦ For Diffie-Hellman, Alice and Bob share different values but can still compute the same secret info.

◦ At the end, Alice and Bob have shared information, but not necessarily all information.

◦ If Alice shares a public key with Bob, Bob still has no access to Alice’s private key. This asymmetry prevents impersonation via public key cryptography.

◦ A public key can be used for either encryption or decryption, but the private key is needed for the other.

Public key cryptography

Problem: I am a website that sells stuff. How can people send payment information securely?

◦ Provide a public key that anyone can use for encryption.

◦ Users encrypt their payment info and send it to us.

◦ We keep a secret second key (private key) used for decryption.

◦ We decrypt the payment info, but nobody else can.

◦ This is public key cryptography.

Analogy: anybody can lock a padlock, but only we have the key or combination.

Public key cryptography

Besides sharing payment information, how else is public key cryptography used?

◦ User authentication

◦ Wi-Fi encryption

◦ Website certificates

◦ Encrypted internet traffic (e.g., HTTPS)

◦ Digitally signed documents (digital signature)

Think about how many times you’ve logged on to UVA’s Cavalier Wi-Fi network or accessed your email/Facebook/etc. accounts today – all these are secured using various forms of public key cryptography!

Public key cryptography

A number of methods exist that we will discuss today:

◦ RSA (Rivest-Shamir-Adleman) algorithm

◦ PGP (pretty good privacy) algorithm

◦ AES (advanced encryption standard) algorithm

For each, we’ll describe how and why these work.

To start with RSA, let’s first introduce a bit more math: the Chinese remainder theorem.

Chinese remainder theorem

The fundamental idea was developed by 3rd century CE Chinese mathematician Sunzi: we can identify a number according to the remainders with respect to different integers.

Sunzi’s example: “If we count them by threes, we have two left over; by fives, we have three left over; and by sevens, two are left over.”

Expressed using congruences, we have:

$x \equiv 2 \pmod{3}$

$x \equiv 3 \pmod{5}$

$x \equiv 2 \pmod{7}$

What is x? Let’s do some counting…

Counting congruences

$x \equiv 2 \pmod{3}$, $x \equiv 3 \pmod{5}$, $x \equiv 2 \pmod{7}$

Here are some integers that satisfy the first: $x = 2, 5, 8, 11, 14, 17, 20, \mathbf{23}, 26, \ldots$

Here are some integers that satisfy the second: $x = 3, 8, 13, 18, \mathbf{23}, 28, 33, \ldots$

Here are some that satisfy the third: $x = 2, 9, 16, \mathbf{23}, 30, 37, \ldots$

So what is a feasible value of x? $x = 23$

Chinese remainder theorem

Our counting approach yielded an answer of x = 23. What is another valid value of x? (Hint: what does 3*5*7 = ?)

How do we know if our solution is unique?

The Chinese remainder theorem guarantees the uniqueness of such an x between 0 and N-1 (where N is the product of the divisors n1, n2, n3, …), as long as all the pairs of divisors are relatively prime.

Another way of stating this is that any two solutions of these congruences are congruent modulo N, as long as the divisors are relatively prime.

Chinese remainder theorem

How do we search? Let’s try this again:

$x \equiv 2 \pmod{3}$, $x \equiv 3 \pmod{5}$, $x \equiv 2 \pmod{7}$

Start by iterating with respect to the first congruence: $x = 2, 5, \mathbf{8}, \ldots$

Find a value that solves the second congruence. Iterate with the product of divisors n1n2 = 15: $x = 8, \mathbf{23}, \ldots$

Repeat this process to find a value that solves the third congruence. Continue until we’re done: $x = 23$

Chinese remainder theorem

This simple searching method is called a “sieve”, where each step narrows the set of numbers we iterate.

To make it as fast as possible, we should order the divisors in decreasing order (n1 > n2 > n3 > …)

In general, there are much faster algorithms, too.
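The sieve described above, written out as an added Python example (not part of the original slides), including a check of the relatively prime condition the theorem needs. `crt_direct` goes beyond the slides and shows one of the faster methods, built from modular inverses; all function names are illustrative.

```python
from itertools import combinations
from math import gcd, prod

# Sunzi's example from the slides, as (remainder, divisor) pairs.
SUNZI = [(2, 3), (3, 5), (2, 7)]

def require_pairwise_coprime(divisors):
    """The theorem only guarantees a unique x in 0..N-1 under this condition."""
    for a, b in combinations(divisors, 2):
        if gcd(a, b) != 1:
            raise ValueError(f"divisors {a} and {b} are not relatively prime")

def crt_sieve(congruences):
    """Sieve search: returns (x, N) with 0 <= x < N."""
    require_pairwise_coprime([n for _, n in congruences])
    # Decreasing divisors: larger steps, fewer candidates tested.
    ordered = sorted(congruences, key=lambda rn: rn[1], reverse=True)
    r, n = ordered[0]
    x, step = r % n, n
    for r, n in ordered[1:]:
        while x % n != r % n:
            x += step        # stays a solution of all earlier congruences
        step *= n            # product of the divisors handled so far
    return x, step

def crt_direct(congruences):
    """Added generalization: closed-form solution via modular inverses."""
    require_pairwise_coprime([n for _, n in congruences])
    N = prod(n for _, n in congruences)
    x = 0
    for r, n in congruences:
        Ni = N // n
        x += r * Ni * pow(Ni, -1, n)   # Ni * Ni^-1 is 1 mod n, 0 mod the others
    return x % N

if __name__ == "__main__":
    x, N = crt_sieve(SUNZI)
    print(x, N, x + N)       # smallest solution, modulus, another solution
    print(crt_direct(SUNZI))
```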

Your turn: solve $x \equiv 3 \pmod{5}$, $x \equiv 6 \pmod{9}$, $x \equiv 1 \pmod{7}$

RSA algorithm

RSA was developed by Ron Rivest, Adi Shamir, and Leonard Adleman, in 1978.

As a “mathematical padlock”, it is intended for use for public key cryptography.

It depends on a one-way function (recall: a function that’s hard to invert). In this case, the one-way function is related to integer factorization, which is a very hard problem (at least, pre-quantum).

Integer factorization

What is integer factorization?

Given a number (e.g., 63), find all its prime factors:

$63 = 3 \times 3 \times 7 = 3^2 \times 7$

For relatively small numbers, this is easy.

For numbers with big prime factors, factoring them is hard. How hard? The best conventional methods take an exponentially long time.

◦ Quantum algorithms (e.g., Shor’s algorithm) can reduce this substantially, hence one of the reasons governments are interested in quantum computers!

RSA algorithm

Back to our one-way function:

Suppose p and q are very large prime numbers.

It is relatively easy to compute N = pq.

Given N, however, factoring it to find p and q is not so easy.

Example: p = 9419, q = 1933. Then, N = pq = 18,206,927. Easy!

How can we find the prime factors for a similarly large number N? We could exhaustively search up to the square root of N? But the square root might be pretty big.

Integer factorization

The Martin Gardner Challenge (1977): Factor N = 114,381,625,757,888,867,669,235,779,976,146,612,010,218,296,721,242,362,562,561,842,935,706,935,245,733,897,830,597,123,563,958,705,058,989,075,147,599,290,026,879,543,541

It was solved 17 years later using a team of 600 volunteers over 8 months. They donated the $100 reward. Let’s not quit our day jobs…

Moral of the story? Yes Virginia, factorization is hard!

RSA algorithm

Here we go!

Begin by generating two very large primes p and q. This is the time-consuming part!

Let $N = pq$. We have Euclid’s totient function $\varphi(N) = (p - 1)(q - 1)$

◦ For an integer $0 < M < N$, we have

$M^{k\varphi(N)+1} \equiv M \pmod{N}$

◦ If $\gcd(M, N) = 1$, by Euler’s theorem (last time)

$M^{k\varphi(N)+1} \equiv M \times \left(M^{\varphi(N)}\right)^k \equiv M \times 1^k \equiv M \pmod{N}$

◦ The Chinese remainder theorem provides the general case for M and N not relatively prime.

RSA algorithm

Based on this idea, we have the following encryption and decryption scheme. Notice it is asymmetric:

We need e and d such that $ed = k\varphi(N) + 1$ for the N generated previously, and some choice of k. Note that e and d are both relatively prime to $\varphi(N)$. Why is this?

If we have this, then by the previous statement, we have $(M^e)^d \equiv M \pmod{N}$

Thus, encryption: compute $C = M^e \bmod N$.

And, decryption: compute $M = C^d \bmod N$.

RSA algorithm

To summarize,

◦ The product N and the value e become the public key (used for encryption).

◦ The product N and the value d are the private key (used for decryption).

With this scheme, anybody can compute the ciphertext C from the message M, using the public key (N,e).

But only someone with the private key (N,d) can decrypt the message.

If we knew e, we could find d, and break the algorithm. However, it would be equivalent to finding some k between 1 and 𝜑(𝑁) that yields an integer d; this is not easy.

RSA algorithm

Let’s see how this works on a simple example.

First, start with p and q: p = 3, q = 7. Then N = pq = 21.

From N, we have the totient $\varphi(N) = 12$ for this example (1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are relatively prime with 21).

Now, let’s choose d = 5, e = 5 as our private and public keys (they just happen to be equal to each other). This means de = 25 = 2(12)+1.

Encrypt M = 8: $C = M^e \bmod N = 8^5 \bmod 21 = (8^2 \cdot 8^2 \cdot 8) \bmod 21$. Note $64 \equiv 1 \pmod{21}$, so we have $C = 8$ as well.

Decrypt C = 8: $M = C^d \bmod N = 8^5 \bmod 21 = 8$.
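The worked example above in code, added here and not part of the original slides. It also lists every message that N = 21, e = 5 leaves unchanged (M = 8 is one of them) and shows that the exhaustive search up to the square root of N mentioned earlier recovers the private key when N is as small as 18,206,927. Function names, and e = 5 for the larger N, are assumptions.

```python
from math import gcd, isqrt

def make_keys(p, q, e):
    """Return ((N, e), (N, d)) with e*d = k*phi(N) + 1, as on the slides."""
    N, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(N)")
    return (N, e), (N, pow(e, -1, phi))

def encrypt(M, public_key):
    N, e = public_key
    if not 0 <= M < N:
        raise ValueError("N limits the range of messages: need 0 <= M < N")
    return pow(M, e, N)

def decrypt(C, private_key):
    N, d = private_key
    return pow(C, d, N)

def unconcealed(public_key):
    """Messages whose ciphertext equals the plaintext (C == M)."""
    N, e = public_key
    return [M for M in range(N) if pow(M, e, N) == M]

def recover_private_key(public_key):
    """Exhaustive search up to sqrt(N); feasible only because N is tiny."""
    N, e = public_key
    for p in range(2, isqrt(N) + 1):
        if N % p == 0:
            return make_keys(p, N // p, e)[1]
    raise ValueError("N has no nontrivial factor")

if __name__ == "__main__":
    pub, priv = make_keys(3, 7, 5)
    print(priv, encrypt(8, pub), encrypt(2, pub), decrypt(11, priv))
    print(unconcealed(pub))
    # p = 9419, q = 1933 from the earlier slide; e = 5 is an assumed exponent.
    print(recover_private_key((18206927, 5)) == make_keys(9419, 1933, 5)[1])
```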

RSA and pretty good privacy

Even though RSA was state-of-the-art when it was proposed, it has some downsides:

◦ The value of N limits the range of values that can be encrypted at a time. So, it is best applied to relatively small messages.

◦ This process requires a bit of computation at both the encryption and decryption stages.

Instead, we can use RSA to encrypt and share a symmetric encryption key that is then used with a much simpler algorithm. One such procedure that does this is called PGP (pretty good privacy).

◦ Idea: source encrypts a secret key K using the destination’s public key (e.g., from RSA). The destination decrypts K using its private key, thus achieving sharing of the symmetric key K. Then, K can be used to encrypt and decrypt messages both ways.

◦ Once the “handshake” is completed, encryption and decryption of messages can be simple and fast.

Advanced encryption standard

AES (advanced encryption standard) is used by the US government and many public encryption systems, including those to keep the iPhone secure.

To begin, a message is coded as a vector, which is then encrypted using several steps:

◦ Construct a state matrix from the message vector

◦ Encrypt each state matrix column using a substitution cipher

◦ Cycle the rows of the state matrix

◦ Repeat enciphering columns and cycling rows the desired number of “passes”

AES state matrix

Arrange the message vector into a matrix:

Image credit: Tim van der Horst/BYU.

Enciphering the state matrix

Add entropy by using different short ciphers on each matrix column:

Image credit: Tim van der Horst/BYU.

Cycling the state matrix

Spread the entropy around by cycling the rows (essential to ensure the overall encryption is hard to break):

Image credit: Tim van der Horst/BYU.

Your turn

Let’s encode the message vector “14,7,9,12,2,0,8,5,1,11,2,14,7,5,6,10” using two passes of AES with 4-bit random keys shown below:

0100 0111 0100 1100

1011 0001 1001 1000

0101 0110 1111 0011

1001 1000 0011 0010

Announcements

Next class: Boolean algebra and digital logic

Homework 8 due Thursday.

ECE 2066: second part of Lab 8 is today (lab report for both parts due next Tuesday).
