RSA

Part 1 ⎯ Cryptography 1

RSA
❑ Inventedby Clifford Cocks (GCHQ)
and Rivest, Shamir, and Adleman
 (MIT)
o RSA is the gold standard in public key

crypto ❑ Let p and q be two large prime

numbers ❑ Let N = pq be the modulus

❑ Choose e relatively prime to (p−1)
(q−1) ❑ Find d such that ed = 1 mod
(p−1)(q−1) ❑ Public key is (N,e)
❑ Private key is d

Part 1 ⎯ Cryptography 2

RSA
❑ Message M is treated as a
number ❑ To encrypt M we
compute
C = Me mod N
❑ To decrypt ciphertext C, we
compute M = Cd mod N
❑ Recall that e and N are public

❑ IfTrudy can factor N = pq, she can use

e to easily find d since ed = 1 mod (p−1)
(q−1) ❑ So, factoring the modulus
breaks RSA
Part 1 ⎯ Cryptography 3

Simple RSA Example

❑ Example of textbook RSA o
Select “large” primes p = 11, q = 3 o
Then N = pq = 33 and (p − 1)(q − 1) = 20
o Choose e = 3 (relatively prime to
20) o Find d such that ed mod 20 = 1
▪ We find that d = 7 works

❑ Public key: (N, e) = (33, 3)

 ❑ Private key: d = 7

Part 1 ⎯ Cryptography 4

Simple RSA Example

❑ Public key: (N, e) = (33, 3)
❑ Private key: d = 7
❑ Suppose message to encrypt is M
= 8 ❑ Ciphertext C is computed as
C = Me mod N = 83 = 512 mod 33 => 17
❑ Decrypt C to recover the message M
by M = Cd mod N = 177 = 410,338,673 mod 33 8

Part 1 ⎯ Cryptography 5

x1 mod y = z1
x2 mod y = z2

Then,
x1 . x2 mod y = z1 . z2 mod y
Part 1 ⎯ Cryptography 6

More Efficient RSA (1)

❑ Modular exponentiation
example o 232 = 4,294,967,296 mod 99
❑ A better way: repeated
squaring o 21 mod 99 = 2 mod 992
o (22) 2 mod 99 = (4) 2 mod 9916
o ((22) 2 )2 mod 99 = 2 8 mod 99 (24)2 mod 99 = 16.16 mod 99 = 256
mod 99 58
o (28) 2 mod 99 = 28 . 28 mod 99 = 58 . 58 mod 99 97 o ((((22)2)2)2)2
mod 99 = (((4)2) 2)2)2)2 mod 99 = (4)2.(4)2.(4).(4)2 mod 99 =
16.16.16.16 mod 99 4
o 232 = 4,294,967,296 mod 99 4
 o No huge numbers and it’s efficient!

Part 1 ⎯ Cryptography 7

Diffie-Hellman

Part 1 ⎯ Cryptography 8
Diffie-Hellman Key Exchange
❑ Invented by Williamson (GCHQ)
and, independently, by D and H
(Stanford) ❑ A “key exchange”
algorithm
o Used to establish a shared symmetric
key o Not for encrypting or signing
❑ Based on discrete log
problem o Given: g, p, and gk mod
p
o Find: exponent k
Part 1 ⎯ Cryptography 9

Diffie-Hellman
❑ Let p be prime, let g be a generator o For
any x ∈ {1,2,…,p-1} there is n s.t. x = gn mod p ❑ Alice
selects her private value a
❑ Bob selects his private value b
❑ Alice sends ga mod p to Bob
❑ Bob sends gb mod p to Alice
❑ Both compute shared secret, gab mod p ❑
Shared secret can be used as symmetric
 key

Part 1 ⎯ Cryptography 10

Diffie-Hellman
❑ Public: g and p
❑ Private:
Alice’s
exponent a,
Bob’s
exponent b

ga mod p
 gb mod p

b a
Alice, a Bob, b ❑ Alice computes (g ) =
gba = gab mod p ❑ Bob computes (ga)b = gab
mod p
❑ They can use K = gab mod p as symmetric key
Part 1 ⎯ Cryptography 11

Diffie-Hellman
❑ Suppose Bob and Alice use Diffie-Hellman to
determine symmetric key K = gab mod p
❑ Trudy can see ga mod p and gb mod p
o But… ga gb mod p = ga+b mod p ≠ gab mod p

❑ If Trudy can find a or b, she gets K

❑ If Trudy can solve discrete log problem, she can find

a or b

Part 1 ⎯ Cryptography 12

Diffie-Hellman
❑ Subject to man-in-the-middle (MiM) attack
 ga p gt mod p
mod gt mod p gb mod p

Alice, a Bob, b Trudy, t

❑ Trudy shares secret gat mod p with Alice

❑ Trudy shares secret gbt mod p with Bob
❑ Alice and Bob don’t know Trudy is
MiM
Part 1 ⎯ Cryptography 13
 Diffie-Hellman
❑ How to prevent MiM attack? o
Encrypt DH exchange with symmetric
key o Encrypt DH exchange with public
key o Sign DH values with private key
o Other?

❑ At this point, DH may look

pointless… o …but it’s not (more on this
later)
❑ YouMUST be aware of MiM attack
on Diffie-Hellman
Part 1 ⎯ Cryptography 14

Uses for Public Key Crypto

Part 1 ⎯ Cryptography 15

Non-repudiation
❑ Alice orders 100 shares of stock from
Bob ❑ Alice computes MAC using
symmetric key ❑ Stock drops, Alice claims
she did not order ❑ Can Bob prove that
Alice placed the order?
❑ No! Bob also knows the symmetric key, so he could
have forged the MAC
❑ Problem: Bob knows Alice placed the order, but he
can’t prove it

Part 1 ⎯ Cryptography 16
 Non-repudiation
❑ Alice orders 100 shares of stock from Bob
❑ Alice signs order with her private key
❑ Stock drops, Alice claims she did not order
❑ Can Bob prove that Alice placed the order?

❑ Yes! Alice’s private key used to sign the order ⎯ only

Alice knows her private key
❑ This assumes Alice’s private key has not been
lost/stolen
Part 1 ⎯ Cryptography 17

Public Key Notation

❑ Sign message M with

Alice’s private key:
[M]Alice
❑ Encrypt message M with
Alice’s public key: {M}Alice
❑ Then

{[M]Alice}Alice = M
[{M}Alice]Alice = M
Part 1 ⎯ Cryptography 18

Sign and
Encrypt vs
Encrypt and Sign

Part 1 ⎯ Cryptography 19

Confidentiality and
 Non-repudiation?
❑ Suppose that we want
confidentiality and integrity/non-
repudiation
❑ Can public key crypto achieve

both? ❑ Alice sends message to

Bob
o Sign and encrypt: {[M]Alice}Bob
o Encrypt and sign: [{M}Bob]Alice
❑ Can the order possibly matter?
Part 1 ⎯ Cryptography 20

Sign and
Encrypt ❑M = “I love you”
 {[M]Alice
Alice Bob
}Bob

{[M]Alice}Charlie Charlie

❑ Q: What’s the problem?

❑ A: No problem ⎯ public key is public

Part 1 ⎯ Cryptography 21
 Encrypt and
Sign ❑M = “My theory, which

is mine….”

[{M}Bob]Alice [{M}Bob]Charlie
Alice Bob Charlie
 ❑ Note that Charlie cannot decrypt
M ❑ Q: What is the problem?

❑ A: No problem ⎯ public key is public

Part 1 ⎯ Cryptography 22