Session 3 Reading 2

The document discusses the principles of public-key cryptography, also known as asymmetric cryptography. It introduces the concepts of public and private keys, and how they address problems with key distribution and digital signatures in traditional symmetric encryption. The document provides an overview of how public-key cryptography works at a conceptual level and its advantages over previous cryptographic systems.

284 CHAPTER 9 / PUBLIC-KEY CRYPTOGRAPHY AND RSA

LEARNING OBJECTIVES
After studying this chapter, you should be able to:
◆ Present an overview of the basic principles of public-key cryptosystems.
◆ Explain the two distinct uses of public-key cryptosystems.
◆ List and explain the requirements for a public-key cryptosystem.
◆ Present an overview of the RSA algorithm.
◆ Understand the timing attack.
◆ Summarize the relevant issues related to the complexity of algorithms.

The development of public-key, or asymmetric, cryptography is the greatest and perhaps the only true revolution in the entire history of cryptography. From its earliest beginnings to modern times, virtually all cryptographic systems have been based on the elementary tools of substitution and permutation. After millennia of working with algorithms that could be calculated by hand, a major advance in symmetric cryptography occurred with the development of the rotor encryption/decryption machine. The electromechanical rotor enabled the development of fiendishly complex cipher systems. With the availability of computers, even more complex systems were devised, the most prominent of which was the Lucifer effort at IBM that culminated in the Data Encryption Standard (DES). But both rotor machines and DES, although representing significant advances, still relied on the bread-and-butter tools of substitution and permutation.

Public-key cryptography provides a radical departure from all that has gone before. For one thing, public-key algorithms are based on mathematical functions rather than on substitution and permutation. More important, public-key cryptography is asymmetric, involving the use of two separate keys, in contrast to symmetric encryption, which uses only one key. The use of two keys has profound consequences in the areas of confidentiality, key distribution, and authentication, as we shall see.

Before proceeding, we should mention several common misconceptions concerning public-key encryption. One such misconception is that public-key encryption is more secure from cryptanalysis than is symmetric encryption. In fact, the security of any encryption scheme depends on the length of the key and the computational work involved in breaking a cipher. There is nothing in principle about either symmetric or public-key encryption that makes one superior to another from the point of view of resisting cryptanalysis.

A second misconception is that public-key encryption is a general-purpose technique that has made symmetric encryption obsolete. On the contrary, because of the computational overhead of current public-key encryption schemes, there seems no foreseeable likelihood that symmetric encryption will be abandoned. As one of the inventors of public-key encryption has put it [DIFF88], “the restriction of public-key cryptography to key management and signature applications is almost universally accepted.”
9.1 / PRINCIPLES OF PUBLIC-KEY CRYPTOSYSTEMS 285
Table 9.1 Terminology Related to Asymmetric Encryption

Asymmetric Keys: Two related keys, a public key and a private key, that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.

Public Key Certificate: A digital document issued and digitally signed by the private key of a Certification Authority that binds the name of a subscriber to a public key. The certificate indicates that the subscriber identified in the certificate has sole control and access to the corresponding private key.

Public Key (Asymmetric) Cryptographic Algorithm: A cryptographic algorithm that uses two related keys, a public key and a private key. The two keys have the property that deriving the private key from the public key is computationally infeasible.

Public Key Infrastructure (PKI): A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.

Source: Glossary of Key Information Security Terms, NIST IR 7298 [KISS06].

Finally, there is a feeling that key distribution is trivial when using public-key encryption, compared to the rather cumbersome handshaking involved with key distribution centers for symmetric encryption. In fact, some form of protocol is needed, generally involving a central agent, and the procedures involved are not simpler nor any more efficient than those required for symmetric encryption (e.g., see analysis in [NEED78]).

This chapter and the next provide an overview of public-key cryptography. First, we look at its conceptual framework. Interestingly, the concept for this technique was developed and published before it was shown to be practical to adopt it. Next, we examine the RSA algorithm, which is the most important encryption/decryption algorithm that has been shown to be feasible for public-key encryption. Other important public-key cryptographic algorithms are covered in Chapter 10.

Much of the theory of public-key cryptosystems is based on number theory. If one is prepared to accept the results given in this chapter, an understanding of number theory is not strictly necessary. However, to gain a full appreciation of public-key algorithms, some understanding of number theory is required. Chapter 2 provides the necessary background in number theory. Table 9.1 defines some key terms.

9.1 PRINCIPLES OF PUBLIC-KEY CRYPTOSYSTEMS

The concept of public-key cryptography evolved from an attempt to attack two of the most difficult problems associated with symmetric encryption. The first problem is that of key distribution, which is examined in some detail in Chapter 14.

As Chapter 14 discusses, key distribution under symmetric encryption requires either (1) that two communicants already share a key, which somehow has been distributed to them; or (2) the use of a key distribution center. Whitfield Diffie, one of the discoverers of public-key encryption (along with Martin Hellman, both at Stanford University at the time), reasoned that this second requirement negated the very essence of cryptography: the ability to maintain total secrecy over your own communication. As Diffie put it [DIFF88], “what good would it do after all to develop impenetrable cryptosystems, if their users were forced to share their keys with a KDC that could be compromised by either burglary or subpoena?”

The second problem that Diffie pondered, and one that was apparently unrelated to the first, was that of digital signatures. If the use of cryptography was to become widespread, not just in military situations but for commercial and private purposes, then electronic messages and documents would need the equivalent of signatures used in paper documents. That is, could a method be devised that would stipulate, to the satisfaction of all parties, that a digital message had been sent by a particular person? This is a somewhat broader requirement than that of authentication, and its characteristics and ramifications are explored in Chapter 13.

Diffie and Hellman achieved an astounding breakthrough in 1976 [DIFF76 a, b] by coming up with a method that addressed both problems and was radically different from all previous approaches to cryptography, going back over four millennia.¹

In the next subsection, we look at the overall framework for public-key cryptography. Then we examine the requirements for the encryption/decryption algorithm that is at the heart of the scheme.

Public-Key Cryptosystems
Asymmetric algorithms rely on one key for encryption and a different but related key for decryption. These algorithms have the following important characteristic.
■ It is computationally infeasible to determine the decryption key given only knowledge of the cryptographic algorithm and the encryption key.
In addition, some algorithms, such as RSA, also exhibit the following characteristic.
■ Either of the two related keys can be used for encryption, with the other used for decryption.
A public-key encryption scheme has six ingredients (Figure 9.1a; compare with Figure 3.1).
■ Plaintext: This is the readable message or data that is fed into the algorithm as input.
■ Encryption algorithm: The encryption algorithm performs various transformations on the plaintext.

¹ Diffie and Hellman first publicly introduced the concepts of public-key cryptography in 1976. Hellman credits Merkle with independently discovering the concept at that same time, although Merkle did not publish until 1978 [MERK78]. In fact, the first unclassified document describing public-key distribution and public-key cryptography was a 1974 project proposal by Merkle (http://merkle.com/1974). However, this is not the true beginning. Admiral Bobby Inman, while director of the National Security Agency (NSA), claimed that public-key cryptography had been discovered at NSA in the mid-1960s [SIMM93]. The first documented introduction of these concepts came in 1970, from the Communications-Electronics Security Group, Britain’s counterpart to NSA, in a classified report by James Ellis [ELLI70]. Ellis referred to the technique as nonsecret encryption and describes the discovery in [ELLI99].
Figure 9.1 Public-Key Cryptography
(a) Encryption with public key: Bob takes Alice's public key PUa from his public-key ring (which also holds the keys of Joy, Ted and Mike) and forms the transmitted ciphertext Y = E[PUa, X] from the plaintext input X; Alice recovers the plaintext output X = D[PRa, Y] with her private key PRa. The encryption and decryption algorithm is, e.g., RSA.
(b) Encryption with private key: Bob forms Y = E[PRb, X] with his private key PRb; Alice takes Bob's public key PUb from her public-key ring and recovers X = D[PUb, Y].

■ Public and private keys: This is a pair of keys that have been selected so that if one is used for encryption, the other is used for decryption. The exact transformations performed by the algorithm depend on the public or private key that is provided as input.
■ Ciphertext: This is the encrypted message produced as output. It depends on the plaintext and the key. For a given message, two different keys will produce two different ciphertexts.
■ Decryption algorithm: This algorithm accepts the ciphertext and the matching key and produces the original plaintext.
The essential steps are the following.
1. Each user generates a pair of keys to be used for the encryption and decryption of messages.
2. Each user places one of the two keys in a public register or other accessible file. This is the public key. The companion key is kept private. As Figure 9.1a suggests, each user maintains a collection of public keys obtained from others.
3. If Bob wishes to send a confidential message to Alice, Bob encrypts the message using Alice’s public key.
4. When Alice receives the message, she decrypts it using her private key. No other recipient can decrypt the message because only Alice knows Alice’s private key.
With this approach, all participants have access to public keys, and private keys are generated locally by each participant and therefore need never be distributed. As long as a user’s private key remains protected and secret, incoming communication is secure. At any time, a system can change its private key and publish the companion public key to replace its old public key.

Table 9.2 summarizes some of the important aspects of symmetric and public-key encryption. To discriminate between the two, we refer to the key used in symmetric encryption as a secret key. The two keys used for asymmetric encryption are referred to as the public key and the private key.² Invariably, the private key is kept secret, but it is referred to as a private key rather than a secret key to avoid confusion with symmetric encryption.
Let us take a closer look at the essential elements of a public-key encryption scheme, using Figure 9.2 (compare with Figure 3.2). There is some source A that produces a message in plaintext, X = [X1, X2, ..., XM]. The M elements of X are letters in some finite alphabet. The message is intended for destination B. B generates a related pair of keys: a public key, PUb, and a private key, PRb. PRb is known only to B, whereas PUb is publicly available and therefore accessible by A.

With the message X and the encryption key PUb as input, A forms the ciphertext Y = [Y1, Y2, ..., YN]:

Y = E(PUb, X)

The intended receiver, in possession of the matching private key, is able to invert the transformation:

X = D(PRb, Y)
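The essential steps above, the two directions of Figure 9.1 and the notation Y = E(PUb, X), X = D(PRb, Y) carried through with textbook RSA, as an added example that is not from the chapter. The primes (61, 53 for Alice; 89, 97 for Bob), the exponent e = 17 and the per-character block encoding are constructed for illustration only; real deployments use large keys and padding.

```python
# Added illustration (not from the chapter): textbook RSA on tiny, constructed
# primes, written in the chapter's notation E(PU, X) / D(PR, Y). It shows only
# how the two directions of Figure 9.1 work, not a deployable cipher.
from math import gcd

def generate_key_pair(p, q, e=17):
    """Step 1: a user generates (PU, PR) with PU = (e, n) and PR = (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi(n)"
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def E(key, X):
    """Encrypt the block sequence X = [X1, ..., XM] with either key of a pair."""
    k, n = key
    return [pow(x, k, n) for x in X]

def D(key, Y):
    """Decrypt Y with the companion key: the same modular exponentiation."""
    return E(key, Y)

def encode(text):
    """Constructed per-character encoding; every block must be smaller than n."""
    return [ord(c) for c in text]

def decode(blocks):
    return "".join(chr(b) for b in blocks)

# Step 2: Alice (a) and Bob (b) each generate a pair and publish PU.
PUa, PRa = generate_key_pair(61, 53)   # n = 3233, so ASCII blocks fit
PUb, PRb = generate_key_pair(89, 97)   # n = 8633

def confidentiality(plaintext):
    """Figure 9.1a / 9.2, steps 3-4: Bob encrypts with PUa, Alice decrypts with PRa.
    Returns Alice's recovered text and whether Bob's own PRb would also recover it
    (it does not: only the companion private key inverts E(PUa, X))."""
    X = encode(plaintext)
    Y = E(PUa, X)                      # transmitted ciphertext
    return decode(D(PRa, Y)), D(PRb, Y) == X

def authentication(plaintext):
    """Figure 9.1b: Bob encrypts with PRb; any holder of PUb can invert it."""
    Y = E(PRb, encode(plaintext))
    return decode(D(PUb, Y))
```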

² The following notation is used consistently throughout. A secret key is represented by Km, where m is some modifier; for example, Ka is a secret key owned by user A. A public key is represented by PUa, for user A, and the corresponding private key is PRa. Encryption of plaintext X can be performed with a secret key, a public key, or a private key, denoted by E(Ka, X), E(PUa, X), and E(PRa, X), respectively. Similarly, decryption of ciphertext Y can be performed with a secret key, a public key, or a private key, denoted by D(Ka, Y), D(PUa, Y), and D(PRa, Y), respectively.
Table 9.2 Conventional and Public-Key Encryption

Conventional Encryption

Needed to Work:
1. The same algorithm with the same key is used for encryption and decryption.
2. The sender and receiver must share the algorithm and the key.

Needed for Security:
1. The key must be kept secret.
2. It must be impossible or at least impractical to decipher a message if the key is kept secret.
3. Knowledge of the algorithm plus samples of ciphertext must be insufficient to determine the key.

Public-Key Encryption

Needed to Work:
1. One algorithm is used for encryption and a related algorithm for decryption with a pair of keys, one for encryption and one for decryption.
2. The sender and receiver must each have one of the matched pair of keys (not the same one).

Needed for Security:
1. One of the two keys must be kept secret.
2. It must be impossible or at least impractical to decipher a message if one of the keys is kept secret.
3. Knowledge of the algorithm plus one of the keys plus samples of ciphertext must be insufficient to determine the other key.

An adversary, observing Y and having access to PUb, but not having access to PRb or X, must attempt to recover X and/or PRb. It is assumed that the adversary does have knowledge of the encryption (E) and decryption (D) algorithms. If the adversary is interested only in this particular message, then the focus of effort is to recover X by generating a plaintext estimate X̂. Often, however, the adversary is interested in being able to read future messages as well, in which case an attempt is made to recover PRb by generating an estimate P̂Rb.

Figure 9.2 Public-Key Cryptosystem: Confidentiality
Source A's message source produces X; A's encryption algorithm forms Y = E[PUb, X], which is transmitted to destination B, whose decryption algorithm recovers X = D[PRb, Y]. B's key pair source supplies PUb to A and PRb to B. A cryptanalyst observing Y produces the estimates X̂ and P̂Rb.
