Symmetric key encryption helps provide data confidentiality and, to some extent, data integrity. But leaves us with the problem of how to communicate the key securely. Public-key cryptography addresses this problem. It also gives us a way of digitally signing messages.

The problem with symmetric-key encryption

Alice and Bob want to communicate securely, over a channel on which all messages are potentially overheard, and may be intercepted and replaced with fakes. Alice and Bob could consider communicating securely using symmetric key crypto; they agree on a key in advance, and all messages between them are encrypted using that key. Lack of knowledge of the key prevents intruders from making use of overheard messages, or introducing convincing fake messages. The intruder can prevent communication by intercepting messages and/or inserting garbage, but cannot change it in a way which would fool Alice & Bob.

The problem is: how can Alice & Bob agree the key in advance? Obviously they cannot just send it on the channel that they will later use to send the encrypted messages. They might use a different channel for the key, such as a telephone call, a meeting, etc. They can even split the key into 5 chunks and send each chunk by a separate channel. However, these options are ridiculously insecure (if the potential intruder has millions of dollars of resources) and ridiculously inconvenient if Alice is just buying a book from Bob (say, Amazon). Public key encryption attempts to solve this problem.

Public-key encryption

In public-key encryption, there are two keys: one is used to encrypt, called the public key (PK), and the other one is used to decrypt, called the private key or secret key (PK^-1).

ciphertext = encrypt( plaintext, PK )

plaintext = decrypt( ciphertext, PK^-1 )

Alice lets her public key be known to everyone, but keeps the private key secret. Bob may send a confidential message to Alice like this:

B gets A's public key (he can get it from her web page, or she can just send it to him in clear text).
B encrypts the message with A's public key, and sends it.
A decrypts the message with her private key.

For this to work, the system must guarantee that it is (effectively) impossible to decrypt the message without knowledge of the private key. In particular, it must be impossible to decrypt using the public key, or to derive the private key from the public key.

Public key cryptography relies on it being computationally infeasible for the intruder to reverse the encryption by the public key, even though intuitively he has enough information to do it, since the public key uniquely specifies the private key. Because he has all the information he needs, public key crypto might appear to be less secure than symmetric key crypto. In symmetric key crypto, the cryptanalyst cannot be sure he has found the right decryption key, since applying the wrong decryption key will still result in something. (If it is really a "plain text" in ASCII, he can recognise it; but what if it is just some binary?) In public key crypto, he can be absolutely sure whether he has found the right decryption key (to verify it, he simply checks whether it successfully decrypts things encrypted with the known public key). In practice, however, we assume that the security resides in the difficulty of finding the private key, rather than any difficulty in verifying whether a candidate private key is the right one. Even in symmetric-key crypto we should assume that the attacker could recognise the plain text.

The concept of PK crypto was invented by Whitfield Diffie and Martin Hellman, and independently by Ralph Merkle. Ralph Merkle and Martin Hellman invented the first known public key crypto system in 1974 (see [1]). It was based on puzzles that were easy to solve if you knew the private key, and hard if you didn't. But the security of their system was eroded; circumstances were found in which parts of the encryption could be reversed, in a sequence of results spanning 10 years. Finally, Adi Shamir found a general way to break it in 1982, but by then there were many other PK crypto systems. In recent years, GCHQ has revealed that its James Ellis had the concept of PK in 1965 and its Clifford Cocks had an algorithm in 1973, but were unable to publish them because of GCHQ classification.

Many algorithms have been proposed for public-key crypto. But some of them have been found insecure, and others of them are impractical, because the keys are too long or the ciphertext is much longer than the plain text. Still others are good only for encryption, or only for signing. According to Schneier, only three algorithms are thought secure, practical, and good for both signing and encrypting. They are RSA, El Gamal, and Rabin's algorithm. We study RSA and El Gamal.

RSA

RSA was invented in 1978 by Ron Rivest, Adi Shamir, and Leonard Adleman, and takes its name from their initials. It gets its security from the difficulty of factoring large numbers.

Mathematical background

Prime numbers. A number is prime if it can be divided only by itself and 1. For example, 7, 11, 101 are prime, but 15 is not prime because it can be divided by 3, and 1111 is not because it can be divided by 11. There are infinitely many prime numbers, or, to put it another way, you can find prime numbers as large as you like. Two numbers are relatively prime if they have no common factors except 1. For example, 15 and 49 are relatively prime, even though neither of them is prime. Obviously, any prime number is relatively prime to all numbers except its multiples.

Euler's totient. How many relatively prime numbers to n are there, which are less than n? This number is called "Euler's totient" and is written phi(n). If n=59, all 58 of the numbers less than n are relatively prime to n, because n is prime. So phi(59)=58. Fact: if n is the composite pq, where p and q are prime, then phi(n) = (p-1)(q-1). For example, suppose n=35. We can work out manually that there are 24 primes relative to 35 which are below 35, namely {1,2,3,4,6,8,9,11,12,13,16,17,18,19,22,23,24,26,27,29,31,32,33,34}. We can use the fact mentioned to calculate this more directly. Since 35 = 5*7, and 5 and 7 are primes, phi(35)=4*6=24, as expected.

Modulo arithmetic. In "mod n" arithmetic, all numbers are reduced to their remainder on division by n. For example, we are used to working in "mod 256", where (for example) 250 + 10 = 4 (mod 256), and 100 * 4 = 144 (mod 256), and 100² = 16, 100³=64, 100⁴=0 (mod 256). Fact: if a and n are coprime, then a^phi(n) = 1 (mod n)

How RSA works

Generating the public and private keys. Pick two large prime numbers, p and q. Let n=pq. Typically, n is a number which in binary is written with 1024 bits (in decimal, that's about 308 digits). Pick e relatively prime to (p-1)(q-1). Now find d such that ed=1 mod (p-1)(q-1). You can use Euclid's algorithm to find this d. The pair of numbers (e, n) is the public key. The pair of numbers (d, n) is the private key. The two primes p,q are no longer needed, and can be discarded, but should never be revealed.

Exercise. Which of the following key pairs are valid?

K=(7,187), K^-1=(23,187)
K=(23,187), K^-1=(7,187)
K=(7,143), K^-1=(23,143)

Can you invert the key (7,299)?

Message format. Divide the message into blocks, each block corresponding to a number less than n. For example, for binary data, the blocks will be (log₂ n) bits.
Encryption. The encryption of message m is c = m^e mod n.
Decryption. To decrypt c, put m' = c^d mod n.

Why it works.

m'	=	c^d	(mod n)	by definition of decryption
	=	m^ed	(mod n)	by definition of encryption
	=	m^{k(p-1)(q-1) + 1}	(mod n)	since ed = k(p-1)(q-1) + 1, some k
	=	m^{k phi(n) + 1}	(mod n)	Fact 1
	=	(m^phi(n))^km	(mod n)	elementary equivalences
	=	m	(mod n)	Fact 2

Exercise. Encode the message 88 with the key (7,187). (Details [2],p.271, or similar calculation [1],p.468.)

How to break RSA. Since the intruder has e and n, all she has to do is: factor n into its primes p,q (there is only one way of doing that). Next, find d such that ed = 1 mod (p-1)(q-1), using the same algorithm as the encrypter used. Then, decrypt the message using d. Yes, this works, and if you can do it, you can break RSA. The only difficulty is in the first step: finding p,q such that pq=n. If n is a 1024 bit number (i.e. 308 decimal digits) then it is likely to take you 10 million mips-years [1, p.161]. A 1GHz Pentium has about 500 mips power, so it will take 20,000 years. Many applications now use 2048 bit keys as standard. Such a number requires 10¹⁴ mips-years to factor. If you harnessed the power of 100 million computers on the internet (each providing 500 mips) on the internet, you could factor it in about 2000 years.

That is the brute-force way of attacking RSA. There are other more subtle ways, based on weaknesses which are exposed when RSA is used in particular ways. If used correctly, RSA seems practically secure and has withstood decades of extensive cryptanalysis. But there is no proof of its security. (Presumably, someone who discovered a crack for RSA would not reveal it.) Advances in number theory, in computational complexity, and in computer technology, will all continue to erode confidence in RSA by improving our ability to factor large numbers, although every time we increase the key length by 30 bits we make this a billion times harder [2^30=1billion]. There is some possibility that a quantum computer could eventually be built to factorise numbers (IBM research article).

RSA in practice

Padding. When used in practice, RSA is generally combined with some padding scheme.

OAEP padding.

In the diagram,

Let n be the number of bits in the RSA modulus, and k0 and k1 are two numbers.
Format the message m as a n - k0 - k1 bit string.
Pad the message m with k1 zeros.
Let r be a random k0 bit string
G is a mask generation function expanding k0 bits to n - k0 bits
H is a mask generation function reducing n - k0 bits to k0 bits.
Let X = m00..0 ⊕ G(r)
and Y = r ⊕ H(X).
The output is X || Y.
To decode, recover the random string as r = Y ⊕ H(X), then recover the message as m00..0 = X ⊕ G(r)

The goal of the padding scheme is to prevent a number of attacks that potentially work against RSA without padding:

When encrypting with low encryption exponents (e.g., e = 3) and small values of the m, the result of m^e is strictly less than the modulus n. In this case, ciphertexts can be easily decrypted by taking the eth root of the ciphertext over the integers.

Because RSA encryption is a deterministic encryption algorithm (i.e., has no random component) an attacker can successfully launch a chosen plaintext attack against the cryptosystem, by encrypting likely plaintexts under the public key and test if they are equal to the ciphertext.

RSA has the property that the product of two ciphertexts is equal to the encryption of the product of the respective plaintexts.

To avoid these problems, practical RSA implementations typically embed some form of structured, randomized padding into the value m before encrypting it. This padding ensures that m does not fall into the range of insecure plaintexts, and that a given message, once padded, will encrypt to one of a large number of different possible ciphertexts. Block sizes need to be chosen to be smaller than the modulus allows, in order to leave some space for the padding.

Designing padding schemes that are secure has proved to be quite subtle. Optimal Asymmetric Encryption Padding (OAEP) is a commonly used (and believed secure) padding system.

Keep ingredients private. Obviously d must be kept private, since it is the private key. Also, p and q must be kept private, because if the attacker has them, he can calculate d. Normally, p and q are discarded after e and d have been calculated. It is also important to keep phi(n) secret, since, again, if the attacker has it he can calculate d.

Don't share n between sets of keys. It is tempting to use the same n to produce different key pairs, say (e₁,n),(d₁,n) and (e₂,n),(d₂,n), because then all calculations are done modulo the same n. However, an attacker who sees {m}_(e1,n) and {m}_(e2,n) can calculate m [4, p.154].

Don't use a small exponent. Fielded RSA systems often use a small exponent e to cut down the computational cost of the sender. However, this can yield problems, if the small exponent is used for several different n's. If the attacker sees {m}_(e,n1) {m}_(e,n2) and {m}_(e,n3) then he can calculate m [4, p.155].

Elgamal

Elgamal encryption invented by Egyptian cryptographer Taher Elgamal in 1984. (It is sometimes written ElGamal or El Gamal because of variations in the transliteration of his name.) Elgamal gets its security from the computational difficulty of obtaining discrete logarithms.

Some more math

Finite fields. A field is a space in which we have addition, multiplication, subtraction and division with the usual properties we expect. For example, the real numbers form a field, which is of course infinite. Cryptography makes use of finite fields. For example, if p is a prime number then F_p is the field with elements {0,1,2,...,p-1} and with addition and multiplication interpreted modulo p. Note that the operations addition, multiplication and subtraction always result in an element of the field. If p is prime, then division also always results in an element of the field. For example, 3/2 mod 5 is 4. There is a straightforward algorithm to calculate division in F_p. Euclid's algorithm can be used.

For example in F₅, multiplication is defined like this. (Just multiply the numbers in the usual way, and take the answer modulo 5.)

*	1	2	3	4
0	0	0	0	0
1	1	2	3	4
2	2	4	1	3
3	3	1	4	2
4	4	3	2	1

Discrete logarithms. Logarithms are the opposite of exponentiation; for example, since 2⁵=32, we say that the logarithm of 32 in base 2 is 5, or log₂(32)=5. Logarithms on the real numbers are easy to calculate (there is an straightforward algorithm). But they are not easy to calculate in the finite field F_p. If p is large, it is thought to be a hard problem. This is what Elgamal encryption relies on.

How Elgamal works

Take the following ingredients:

p -- a "large prime", say 1024 bits, such that p-1 is divisible by another "medium prime" q, say 160 bits.
g -- an element of F_p of order divisible by q, i.e. g^(p-1)/q (mod p) is not equal to 1.

These parameters are public can be shared between a large number of users.

Key generation. The private key is chosen to be an integer d, while the public key is given by

e = g^d (mod p)

Encryption. To encrypt the message m, invent some random number r and set the ciphertext c to be a pair, as follows:

c = ( g^r, m.e^r )

Note that you can encrypt the same message in many different ways, by choosing different r's.

Decryption. To decrypt c=(c₁,c₂), we compute

c₂ / (c₁^d) = m.e^r / g^dr = m.g^dr / g^dr = m.

Encrypting a session key

Typically, public-key crypto algorithms are much slower than symmetric key algorithms. Therefore, we usually use PK crypto just to communicate a symmetric key for the current session, and then use that session key for the encryption of the messages we want to transmit.

Signing with private keys

Public key cryptography can be used for digitally signing messages, too. Signing is done with the private part of the key (and therefore can only be done by the key owner). Anyone in possession of the public key can verify the signature. In RSA, the low-level (number theoretic) operation of signing is the same as decryption:
Signing. To sign m, let s = m^d mod n. The result s is the signature.
Verification. Given s and e, one can extract the message m' = s^e mod n.

As in the case of RSA encryption, it is important to pre-process the message to be signed. Indeed, it is not necessary or desirable to sign the complete message. Sending the plaintext message together with a signed hash of it is enough. This means that the signature part is a fixed length independent of the message size.

To: Mark Ryan <mark.ryan@somemail.com>
Subject: Re: Hello
From: Alice Jones <alice@blahblah>
Date: 07 Sep 2005 15:25:41 +0200
Lines: 96
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mark. I'm pleased to hear your news. I'll get in touch with Bob about it.
Sorry not to reply earlier.  Blah blah blah (very long message).

Alice
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6
iD8DBQFDHupUZnhMljHaD8DBQFDHupv3Ic+o0sf0PqIAq0U7tgRAhxKAK
CHBCtxDrv3Ic+o0sf0PqIAq0deUQCfVYb2
CPEucTKlPZQnhglLzb4HIrcpIOH
-----END PGP SIGNATURE-----

Digital signatures are better than hand-written ones, because they guarantee integrity of the message.

Key security and key distribution

When you generate a key pair, you need to keep the private key part secret. You can and should distribute the public key part widely. If Alice wants to send an encrypted message to Bob, she will encrypt it using his public key. And if she gets a signed message apparently from Bob, she will verify the signature again using his public key.

But how can she reliably find out his public key? If an intruder could persuade Alice some other key was Bob's key, then he could launch a man-in-the-middle attack. When Alice sends a message, he decrypts it with the fake key, reads it, encrypts it with Bob's real key, and sends it on. Neither A nor B will be aware of his attack. This attack will also enable the intruder apparently to sign messages on B's behalf. Since everyone thinks the fake public key is B's public key, they will accept as genuine messages from Bob messages which are signed by the fake private key.

Therefore, public key crypto depends critically on the ability for users to be sure of each other's public keys. In general, distribution via email and web sites is not secure enough, since emails and web pages can be faked. We need to have a way to be sure that a given public key is really the public key of the user or organisation it claims to be. For that, we use certificates (next lecture).

References

[1] Bruce Schneier, Applied Cryptography. Second Edition, J. Wiley and Sons, 1996.
[2] William Stallings, Cryptography and Network Security, Principles and Practice, Prentice Hall, 1999.
[3] Nigel Smart, Cryptography. McGraw Hill, 2003.