Origins

A clear replacement for DES was needed

have theoretical attacks that can break it
have demonstrated exhaustive key search attacks
can use Triple-DES – but slow, has small blocks
US NIST issued call for ciphers in 1997
15 candidates accepted in Jun 98
5 were shortlisted in Aug-99
Rijndael was selected as the AES in Oct-2000
issued as FIPS PUB 197 standard in Nov-2001
• The Advanced Encryption Standard (AES) was published by NIST (National Institute of Standards and
Technology) in 2001. AES is a symmetric block cipher that is intended to replace DES as the approved
standard for a wide range of applications. The AES cipher (& other candidates) form the latest generation of
block ciphers, and now we see a significant increase in the block size - from the old standard of 64-bits up to
128-bits; and keys from 128 to 256-bits. In part this has been driven by the public demonstrations of
exhaustive key searches of DES. Whilst triple-DES is regarded as secure and well understood, it is slow,
especially in s/w. In a first round of evaluation, 15 proposed algorithms were accepted. A second round
narrowed the field to 5 algorithms. NIST completed its evaluation process and published a final standard
(FIPS PUB 197) in November of 2001. NIST selected Rijndael as the proposed AES algorithm. The two
researchers who developed and submitted Rijndael for the AES are both cryptographers from Belgium: Dr.
Joan Daemen and Dr.Vincent Rijmen.
The AES Cipher - Rijndael
designed by Rijmen-Daemen in Belgium
has 128/192/256 bit keys, 128 bit data
an iterative rather than feistel cipher
processes data as block of 4 columns of 4 bytes
operates on entire data block in every round
designed to be:
resistant against known attacks
speed and code compactness on many CPUs
design simplicity
• The Rijndael proposal for AES defined a cipher in which the block length and
the key length can be independently specified to be 128,192,or 256 bits. The
AES specification uses the same three key size alternatives but limits the
block length to 128 bits. Rijndael is an academic submission, based on the
earlier Square cipher, from Belgium academics Dr Joan Daemen and Dr
Vincent Rijmen. It is an iterative cipher (operates on entire data block in
every round) rather than feistel (operate on halves at a time), and was
designed to have characteristics of: Resistance against all known attacks,
Speed and code compactness on a wide range of platforms, & Design
simplicity.
AES
Encryption
Process
 data block of 4 columns of 4 bytes is state
key is expanded to array of words
has 9/11/13 rounds in which state undergoes:
byte substitution (1 S-box used on every byte)
shift rows (permute bytes between groups/columns)
mix columns (subs using matrix multiply of groups)
AES add round key (XOR state with key material)
view as alternating XOR key & scramble data bytes
Structure initial XOR key material & incomplete last round
with fast XOR & table lookup implementation
• The input to the AES encryption and decryption algorithms is a single
128-bit block, depicted in FIPS PUB 197, as a square matrix of
bytes .This block is copied into the State array, which is modified at each
stage of encryption or decryption. After the final stage, State is copied to
an output.
• The key is expanded into 44/52/60 lots of 32-bit words (see later), with 4
used in each round. Note that the ordering of bytes within a matrix is by
column. So, for example, the first four bytes of a 128-bit plaintext input to
the encryption cipher occupy the first column of the in matrix, the second
four bytes occupy the second column, and so on. Similarly, the first four
bytes of the expanded key, which form a word, occupy the first column of
the w matrix.
• The data computation then consists of an “add round key” step, then
9/11/13 rounds with all 4 steps, and a final 10th/12th/14th step of byte subs
+ mix cols + add round key. This can be viewed as alternating XOR key &
scramble data bytes operations. All of the steps are easily reversed, and
can be efficiently implemented using XOR’s & table lookups.
AES
Structure
• Stallings Figure 5.3 shows the structure of AES in more detail. The cipher consists of N
rounds, where the number of rounds depends on the key length: 10 rounds for a 16-byte key;
12 rounds for a 24-byte key; and 14 rounds for a 32-byte key. The first N – 1 rounds consist of
four distinct transformation functions: SubBytes, ShiftRows, MixColumns, and AddRoundKey,
which are described subsequently. The final round contains only 3 transformation, and there is
a initial single transformation (AddRoundKey) before the first round, which can be considered
Round 0. Each transformation takes one or more 4 x 4 matrices as input and produces a 4 x 4
matrix as output. Figure 5.1 shows that the output of each round is a 4 x 4 matrix, with the
output of the final round being the ciphertext. Also, the key expansion function generates N + 1
round keys, each of which is a distinct 4 x 4 matrix. Each round key serve as one of the inputs
to the AddRoundKey transformation in each round.
 1. an iterative rather than feistel cipher
2. key expanded into array of 32-bit words
1. four words form round key in each round
3. 4 different stages are used as shown
4. has a simple structure
5. only AddRoundKey uses key
Some 6. AddRoundKey a form of Vernam cipher

Comment 7.
8.
each stage is easily reversible
decryption uses keys in reverse order
s on AES 9. decryption does recover plaintext
10. final round has only 3 stages
Substitute Bytes
a simple substitution of each byte
uses one table of 16x16 bytes containing a permutation of all 256 8-bit
values
each byte of state is replaced by byte indexed by row (left 4-bits) &
column (right 4-bits)
eg. byte {86} is replaced by byte in row 8 column 6
which has value {2A}
S-box constructed using defined transformation of values in GF(28)
designed to be resistant to all known attacks
• We now turn to a discussion of each of the four transformations used
in AES. For each stage, we mention the forward (encryption)
algorithm, the inverse (decryption) algorithm, and the rationale for
the design of that stage.
• The Substitute bytes stage uses an S-box to perform a byte-by-byte
substitution of the block. There is a single 8-bit wide S-box used on
every byte. This S-box is a permutation of all 256 8-bit values,
constructed using a transformation which treats the values as
polynomials in GF(28) – however it is fixed, so really only need to
know the table when implementing. Decryption requires the inverse
of the table. These tables are given in Stallings Table 5.2.
• The table was designed to be resistant to known cryptanalytic
attacks. Specifically, the Rijndael developers sought a design that
has a low correlation between input bits and output bits, with the
property that the output cannot be described as a simple
mathematical function of the input, with no fixed points and no
“opposite fixed points”.
Shift Rows
a circular byte shift in each row
1st row is unchanged
2nd row does 1 byte circular shift to left
3rd row does 2 byte circular shift to left
4th row does 3 byte circular shift to left
decrypt inverts using shifts to right
since state is processed by columns, this step permutes bytes
between the columns
• The ShiftRows stage provides a simple “permutation” of the
data, whereas the other steps involve substitutions. Further,
since the state is treated as a block of columns, it is this step
which provides for diffusion of values between columns. It
performs a circular rotate on each row of 0, 1, 2 & 3 places for
respective rows. When decrypting it performs the circular shifts
in the opposite direction for each row. This row shift moves an
individual byte from one column to another, which is a linear
distance of a multiple of 4 bytes, and ensures that the 4 bytes of
one column are spread out to four different columns.
Mix Columns

• can express each col as 4 equations

• to derive each new byte in col
• decryption requires use of inverse matrix
• with larger coefficients, hence a little harder
• have an alternate characterisation
• each column a 4-term polynomial
• with coefficients in GF(28)
• and polynomials multiplied modulo (x4+1)
• coefficients based on linear code with maximal
distance between codewords
• In practise, you implement Mix Columns by expressing the transformation
on each column as 4 equations (Stallings equation 5.4) to compute the
new bytes for that column. This computation only involves shifts, XORs &
conditional XORs (for the modulo reduction).
• The decryption computation requires the use of the inverse of the matrix,
which has larger coefficients, and is thus potentially a little harder & slower
to implement.
• The designers & the AES standard provide an alternate characterisation of
Mix Columns, which treats each column of State to be a four-term
polynomial with coefficients in GF(28). Each column is multiplied by a fixed
polynomial a(x) given in Stallings eqn 5.7. Whilst this is useful for analysis
of the stage, the matrix description is all that’s required for implementation.
• The coefficients of the matrix are based on a linear code with maximal
distance between code words, which ensures a good mixing among the
bytes of each column. The mix column transformation combined with the
shift row transformation ensures that after a few rounds, all output bits
depend on all input bits. In addition, the choice of coefficients in
MixColumns, which are all {01}, {02}, or {03}, was influenced by
implementation considerations.
Add Round Key
 XOR state with 128-bits of the round key
 again processed by column (though effectively a series of byte operations)
 inverse for decryption identical
 since XOR own inverse, with reversed keys
 designed to be as simple as possible
 a form of Vernam cipher on expanded key
 requires other stages for complexity / security

• Lastly is the Add Round Key stage which is a simple bitwise XOR of the
current block with a portion of the expanded key. Note this is the only step
which makes use of the key and obscures the result, hence MUST be
used at start and end of each round, since otherwise could undo effect of
other steps. But the other steps provide confusion/diffusion/non-linearity.
That us you can look at the cipher as a series of XOR with key then
scramble/permute block repeated. This is efficient and highly secure it is
believed.
AES Key Expansion
takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit words
start by copying key into first 4 words
then loop creating words that depend on values in previous & 4 places back
 in 3 of 4 cases just XOR these together
 1st word in 4 has rotate + S-box + XOR round constant on previous, before XOR 4th
back
 The AES key expansion algorithm takes as input a 4-word (16-byte) key and
produces a linear array of words, providing a 4-word round key for the initial
AddRoundKey stage and each of the 10/12/14 rounds of the cipher. It
involves copying the key into the first group of 4 words, and then constructing
subsequent groups of 4 based on the values of the previous & 4th back
words. The first word in each group of 4 gets “special treatment” with rotate +
S-box + XOR constant on the previous word before XOR’ing the one from 4
back. In the 256-bit key/14 round version, there’s also an extra step on the
middle word. The text includes in section 5.4 pseudocode that describes the
key expansion.
Key Expansion Rationale
• designed to resist known attacks
• design criteria included
• knowing part key insufficient to find many more
• invertible transformation
• fast on wide range of CPU’s
• use round constants to break symmetry
• diffuse key bits into round keys
• enough non-linearity to hinder analysis
• simplicity of description
• The Rijndael developers designed the expansion key algorithm to be
resistant to known cryptanalytic attacks. It is designed to be simple to
implement, but by using round constants break symmetries, and make it
much harder to deduce other key bits if just some are known (but once
have as many consecutive bits as are in key, can then easily recreate the
full expansion). The design criteria used are listed above.
Private-Key Cryptography
traditional private/secret/single key cryptography uses one key
shared by both sender and receiver
if this key is disclosed communications are compromised
also is symmetric, parties are equal
hence does not protect sender from receiver forging a message & claiming is
sent by sender
 The development of public-key cryptography is the greatest and perhaps the only true revolution in the entire
history of cryptography. From its earliest beginnings to modern times, virtually all cryptographic systems have
been based on the elementary tools of substitution and permutation, and can be classed as private/secret/single
key (symmetric) systems. All classical, and modern block and stream ciphers are of this form.
Why Public-Key Cryptography?
• developed to address two key issues:
• key distribution – how to have secure communications in general without having to trust a KDC with your key
• digital signatures – how to verify a message comes intact from the claimed sender
• public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
• known earlier in classified community
• The concept of public-key cryptography evolved from an attempt to attack two of the most difficult
problems associated with symmetric encryption: key distribution and digital signatures. The first
problem is that of key distribution, which under symmetric encryption requires either (1) that two
communicants already share a key, which somehow has been distributed to them; or (2) the use of a
key distribution center. This seemed to negated the very essence of cryptography: the ability to
maintain total secrecy over your own communication. The second was that of "digital signatures." If the
use of cryptography was to become widespread, not just in military situations but for commercial and
private purposes, then electronic messages and documents would need the equivalent of signatures
used in paper documents.
• The idea of public key schemes, and the first practical scheme, which was for key distribution only, was
published in 1976 by Diffie & Hellman. The concept had been previously described in a classified report
in 1970 by James Ellis (UK CESG) - and subsequently declassified [ELLI99]. Its interesting to note that
they discovered RSA first, then Diffie-Hellman, opposite to the order of public discovery! There is also a
claim that the NSA knew of the concept in the mid-60’s [SIMM93].
Public-Key Cryptography
• probably most significant advance in the 3000 year history of cryptography
• uses two keys – a public & a private key
• asymmetric since parties are not equal
• uses clever application of number theoretic concepts to function
• complements rather than replaces private key crypto
• Will now discuss the radically different public key systems, in which two keys are used. Public-key
cryptography provides a radical departure from all that has gone before. The development of public-key
cryptography is the greatest and perhaps the only true revolution in the entire history of cryptography. It is
asymmetric, involving the use of two separate keys, in contrast to symmetric encryption, that uses only
one key. Anyone knowing the public key can encrypt messages or verify signatures, but cannot decrypt
messages or create signatures, counter-intuitive though this may seem. The use of two keys has
profound consequences in the areas of confidentiality, key distribution, and authentication. It works by the
clever use of number theory problems that are easy one way but hard the other. Note that public key
schemes are neither more nor less secure than private key (security depends on the key size for both),
nor do they replace private key schemes (they are too slow to do so), rather they complement them. Both
also have issues with key distribution, requiring the use of some suitable protocol.
Public-Key Cryptography
public-key/two-key/asymmetric cryptography involves
the use of two keys:
a public-key, which may be known by anybody, and can be
used to encrypt messages, and verify signatures
a related private-key, known only to the recipient, used to
decrypt messages, and sign (create) signatures
infeasible to determine private key from public
is asymmetric because
those who encrypt messages or verify signatures cannot
decrypt messages or create signatures
• Asymmetric algorithms rely on one key for encryption and a different
but related key for decryption. These algorithms have the following
important characteristic:
• • It is computationally infeasible to determine the decryption key
given only knowledge of the cryptographic algorithm and the
encryption key.
• In addition, some algorithms, such as RSA, also exhibit the following
characteristic:
• • Either of the two related keys can be used for encryption, with the
other used for decryption.
• Anyone knowing the public key can encrypt messages or verify
signatures, but cannot decrypt messages or create signatures,
thanks to some clever use of number theory.
Public-Key Cryptography
• Stallings Figure 9.1a “Public-Key Cryptography”, shows that a public-key encryption scheme has six
ingredients:
• • Plaintext: the readable message /data fed into the algorithm as input.
• • Encryption algorithm: performs various transformations on the plaintext.
• • Public and private keys: a pair of keys selected so that if one is used for encryption, the other is
used for decryption. The exact transformations performed by the algorithm depend on the public or
private key that is provided as input.
• • Ciphertext: the scrambled message produced as output. It depends on the plaintext and the key.
For a given message, two different keys will produce two different ciphertexts.
• • Decryption algorithm: accepts the ciphertext and matching key and produces the original plaintext.
• Consider the following analogy using padlocked boxes: traditional schemes involve the sender
putting a message in a box and locking it, sending that to the receiver, and somehow securely also
sending them the key to unlock the box. The radical advance in public key schemes was to turn this
around, the receiver sends an unlocked box (their public key) to the sender, who puts the message
in the box and locks it (easy - and having locked it cannot get at the message), and sends the
locked box to the receiver who can unlock it (also easy), having the (private) key. An attacker would
have to pick the lock on the box (hard).
Symmetric
vs Public-
Key
Public-Key Cryptosystems
• Stallings Figure 9.4 “Public-Key Cryptosystems: Secrecy and Authentication” illustrates the
essential elements of a public-key encryption scheme.
• Note that public-key schemes can be used for either secrecy or authentication, or both (as shown
here). There is some source A that produces a message in plaintext X The M elements of X are
letters in some finite alphabet. The message is intended for destination B. B generates a related
pair of keys: a public key, PUb, and a private key, PRb. PRb is known only to B, whereas PUb is
publicly available and therefore accessible by A. With the message X and the encryption key PUb
as input, A forms the ciphertext Y = E(PUb, X) The intended receiver, in possession of the matching
private key, is able to invert the transformation: X = D(PRb, Y) An adversary, observing Y and
having access to PUb, but not having access to PRb or X, must attempt to recover X and/or PRb.
This provides confidentiality. Can also use a public-key encryption to provide authentication: Y =
E(PRa, X); X = D(PUa, Y) To provide both the authentication function and confidentiality have a
double use of the public-key scheme (as shown here): Z = E(PUb, E(PRa, X)) X = D(PUa, D(PRb,
Z)) In this case, separate key pairs are used for each of these purposes. The receiver owns and
creates secrecy keys, sender owns and creates authentication keys.
• In practice typically DO NOT do this, because of the computational cost of public-key schemes.
Rather encrypt a session key which is then used with a block cipher to encrypt the actual message,
and separately sign a hash of the message as a digital signature - this will be discussed more later.
Public-Key Applications

• can classify uses into 3 categories:

• encryption/decryption (provide secrecy)
• digital signatures (provide authentication)
• key exchange (of session keys)
• some algorithms are suitable for all uses, others are specific to
one
• Public-key systems are characterized by the use of a cryptographic type of
algorithm with two keys. Depending on the application, the sender uses either the
sender’s private key or the receiver’s public key, or both, to perform some type of
cryptographic function. In broad terms, we can classify the use of public-key
cryptosystems into the three categories:
• • Encryption/decryption: The sender encrypts a message with the recipient’s
public key.
• • Digital signature: The sender “signs” a message with its private key, either to
the whole message or to a small block of data that is a function of the message.
• • Key exchange: Two sides cooperate to exchange a session key. Several
different approaches are possible, involving the private key(s) of one or both
parties.
• Some algorithms are suitable for all three applications, whereas others can be
used only for one or two of these applications. Stallings Table 9.3 (shown here)
indicates the applications supported by the algorithms discussed in this book.
Public-Key Requirements

Public-Key algorithms rely on two keys where:

it is computationally infeasible to find decryption key
knowing only algorithm & encryption key
it is computationally easy to en/decrypt messages when the
relevant (en/decrypt) key is known
either of the two related keys can be used for encryption,
with the other used for decryption (for some algorithms)
these are formidable requirements which only a few algorithms
have satisfied
• The cryptosystem illustrated in Figures 9.2 through 9.4 depends on a cryptographic algorithm based on two related
keys. Diffie and Hellman postulated this system without demonstrating that such algorithms exist. However, they did lay
out the conditions that such algorithms must fulfill:
1. It is computationally easy for a party B to generate a pair (public key PUb, private key PRb).
2. It is computationally easy for a sender A, knowing the public key and the message to be encrypted, M, to generate the
corresponding ciphertext: C = E(PUb, M)
3. It is computationally easy for the receiver B to decrypt the resulting ciphertext using the private key to recover the
original message: M = D(PRb, C) = D[PRb, E(PUb, M)
4. It is computationally infeasible for an adversary, knowing the public key, Pb, to determine the private key, PRb
5. It is computationally infeasible for an adversary, knowing the public key, Pb, and a ciphertext, C, to recover the original
message, M.
6. (optional) The two keys can be applied in either order:
• M = D[PU , E(PR, M)] = D[PR, E(PU, M)]
• These are formidable requirements, as evidenced by the fact that only a few algorithms (RSA, elliptic curve
cryptography, Diffie-Hellman, DSS) have received widespread acceptance in the several decades since the concept of
public-key cryptography was proposed.
 Public-Key Requirements

• need a trapdoor one-way function

• one-way function has
• Y = f(X) easy
• X = f–1(Y) infeasible
• a trap-door one-way function has
• Y = fk(X) easy, if k and X are known
• X = fk–1(Y) easy, if k and Y are known
• X = fk–1(Y) infeasible, if Y known but k not known
• a practical public-key scheme depends on a suitable trap-door
one-way function
• The requirements boil down to the need for a trap-door one-way function. A one-way function is one
that maps a domain into a range such that every function value has a unique inverse, with the
condition that the calculation of the function is easy whereas the calculation of the inverse is
infeasible:
• Y = f(X) easy
• X = f–1(Y) infeasible
• Generally, easy is defined to mean a problem that can be solved in polynomial time as a function of
input length. The term infeasible is a much fuzzier concept. In general, we can say a problem
• Now consider a trap-door one-way function, which is easy to calculate in one direction and
infeasible to calculate in the other direction unless certain additional information is known. With the
additional information the inverse can be calculated in polynomial time. We can summarize as
follows: A trap-door one-way function is a family of invertible functions fk, such that:
• Y = fk(X) easy, if k and X are known
• X = fk–1(Y) easy, if k and Y are known
• X = fk–1(Y) infeasible, if Y known but k not known
• Thus, the development of a practical public-key scheme depends on discovery of a suitable trap-
door one-way function.
 Security of Public Key Schemes

like private key schemes brute force exhaustive search attack is

always theoretically possible
but keys used are too large (>512bits)
security relies on a large enough difference in difficulty between
easy (en/decrypt) and hard (cryptanalyse) problems
more generally the hard problem is known, but is made hard
enough to be impractical to break
requires the use of very large numbers
hence is slow compared to private key schemes
• Public key schemes are no more or less secure than private key schemes - in both cases
the size of the key determines the security. As with symmetric encryption, a public-key
encryption scheme is vulnerable to a brute-force attack. The countermeasure is the
same: Use large keys. However, there is a tradeoff to be considered. Public-key systems
depend on the use of some sort of invertible mathematical function. The complexity of
calculating these functions may not scale linearly with the number of bits in the key but
grow more rapidly than that. Thus, the key size must be large enough to make brute-force
attack impractical but small enough for practical encryption and decryption. In practice,
the key sizes that have been proposed do make brute-force attack impractical but result
in encryption/decryption speeds that are too slow for general-purpose use. Instead, as
was mentioned earlier, public-key encryption is currently confined to key management
and signature applications. Another form of attack is to find some way to compute the
private key given the public key. To date, it has not been mathematically proven that this
form of attack is infeasible for a particular public-key algorithm.
• Note also that you can't compare key sizes - a 64-bit private key scheme has very
roughly similar security to a 512-bit RSA - both could be broken given sufficient
resources. But with public key schemes at least there is usually a firmer theoretical basis
for determining the security since its based on well-known and well studied number
theory problems.
RSA

by Rivest, Shamir & Adleman of MIT in 1977

best known & widely used public-key scheme
based on exponentiation in a finite (Galois) field over
integers modulo a prime
nb. exponentiation takes O((log n)3) operations (easy)
uses large integers (eg. 1024 bits)
security due to cost of factoring large numbers
nb. factorization takes O(e log n log log n) operations (hard)
• RSA is the best known, and by far the most widely used general
public key encryption algorithm, and was first published by
Rivest, Shamir & Adleman of MIT in 1978 [RIVE78]. The Rivest-
Shamir-Adleman (RSA) scheme has since that time reigned
supreme as the most widely accepted and implemented
general-purpose approach to public-key encryption. It is based
on exponentiation in a finite (Galois) field over integers modulo
a prime, using large integers (eg. 1024 bits). Its security is due
to the cost of factoring large numbers.
RSA En/decryption

to encrypt a message M the sender:

obtains public key of recipient PU={e,n}
computes: C = Me mod n, where 0≤M<n
to decrypt the ciphertext C the owner:
uses their private key PR={d,n}
computes: M = Cd mod n
note that the message M must be smaller than the
modulus n (block if needed)
• The scheme developed by Rivest, Shamir, and Adleman makes
use of an expression with exponentials. Plaintext is encrypted in
blocks, with each block having a binary value less than some
number n. The actual RSA encryption and decryption
computations are each simply a single exponentiation mod (n).
Both sender and receiver must know the value of n. The sender
knows the value of e, and only the receiver knows the value of
d. Thus, this is a public-key encryption algorithm with a public
key of PU = {e, n} and a private key of PR = {d, n}. Note that
the message must be smaller than the modulus. The “magic” is
in the choice of the modulus and exponents which makes the
system work.
 RSA Key Setup

each user generates a public/private key pair by:

selecting two large primes at random: p, q
computing their system modulus n=p.q
note ø(n)=(p-1)(q-1)
selecting at random the encryption key e
where 1<e<ø(n), gcd(e,ø(n))=1
solve following equation to find decryption key d
e.d=1 mod ø(n) and 0≤d≤n
publish their public encryption key: PU={e,n}
keep secret private decryption key: PR={d,n}
• The required moduls and exponent values are chosen during
key setup. RSA key setup is done once (rarely) when a user
establishes (or replaces) their public key, using the steps as
shown. The exponent e is usually fairly small, just must be
relatively prime to ø(n). Need to compute its inverse mod ø(n) to
find d. It is critically important that the factors p & q of the
modulus n are kept secret, since if they become known, the
system can be broken. Note that different users will have
different moduli n.
Why RSA Works

because of Euler's Theorem:

aø(n)mod n = 1 where gcd(a,n)=1
in RSA have:
n=p.q
ø(n)=(p-1)(q-1)
carefully chose e & d to be inverses mod ø(n)
hence e.d=1+k.ø(n) for some k
hence :
Cd = Me.d = M1+k.ø(n) = M1.(Mø(n))k
= M1.(1)k = M1 = M mod n
• For this algorithm to be satisfactory for public-key encryption, it
must be possible to find values of e, d, n such that M ed mod n =
M for all M < n. We need to find a relationship of the form Med
mod n = M The preceding relationship holds if e and d are
multiplicative inverses modulo ø (n), where ø (n) is the Euler
totient function. This is a direct consequence of Euler’s
Theorem, so that raising a number to power e then d (or vica
versa) results in the original number!
RSA Example - Key Setup

1. Select primes: p=17 & q=11

2. Calculate n = pq =17 x 11=187
3. Calculate ø(n)=(p–1)(q-1)=16x10=160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160
Value is d=23 since 23x7=161= 10x160+1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}
RSA Example - En/Decryption

sample RSA encryption/decryption is:

given message M = 88 (nb. 88<187)
encryption: C = Me mod n
C = 887 mod 187 = 11
decryption: M = Cd mod n
M = 1123 mod 187 = 88
Exponentiation

can use the Square and Multiply Algorithm

a fast, efficient algorithm for exponentiation
concept is based on repeatedly squaring base
and multiplying in the ones that are needed to compute the
result
look at binary representation of exponent
only takes O(log2 n) multiples for number n
eg. 75 = 74.71 = 3.7 = 10 mod 11
eg. 3129 = 3128.31 = 5.3 = 4 mod 11
Exponentiation

c = 0; f = 1
for i = k downto 0
do c = 2 x c
f = (f x f) mod n
if bi == 1 then
c = c + 1
f = (f x a) mod n
return f
Efficient Encryption

encryption uses exponentiation to power e

hence if e small, this will be faster
often choose e=65537 (216-1)
also see choices of e=3 or e=17
but if e too small (eg e=3) can attack
using Chinese remainder theorem & 3 messages with
different modulii
if e fixed must ensure gcd(e,ø(n))=1
ie reject any p or q not relatively prime to e
• To speed up the operation of the RSA algorithm using the public key,
can choose to use a small value of e. The most common choice is
65537 (216 + 1); two other popular choices are 3 and 17. Each of
these choices has only two 1 bits and so the number of
multiplications required to perform exponentiation is minimized.
However, with a very small public key, such as e = 3, RSA becomes
vulnerable to a simple attack.
• The reader may have noted that the definition of the RSA algorithm
(Figure 9.5) requires that during key generation the user selects a
value of e that is relatively prime to ø (n). Thus, if a value if e is
selected first, and the primes p and q are generated, it may turn out
that gcd(ø(n), e) /= 1. In that case, the user must reject the p, q
values and generate a new p, q pair.
Efficient Decryption

• decryption uses exponentiation to power d

• this is likely large, insecure if not
• can use the Chinese Remainder Theorem (CRT) to compute
mod p & q separately. then combine to get desired answer
• approx 4 times faster than doing directly
• only owner of private key who knows values of p & q can
use this technique
RSA Key Generation

users of RSA must:

determine two primes at random - p, q
select either e or d and compute the other
primes p,q must not be easily derived from modulus n=p.q
means must be sufficiently large
typically guess and use probabilistic test
exponents e, d are inverses, so use Inverse algorithm to
compute the other
RSA Security
• possible approaches to attacking RSA are:
• brute force key search - infeasible given size of numbers
• mathematical attacks - based on difficulty of computing ø(n), by factoring modulus n
• timing attacks - on running of decryption
• chosen ciphertext attacks - given properties of RSA
• Note some possible possible approaches to attacking the RSA algorithm,
as shown.
• The defense against the brute-force approach is the same for RSA as for
other cryptosystems, namely, use a large key space. Thus the larger the
number of bits in d, the better. However because the calculations involved
both in key generation and in encryption/decryption are complex, the larger
the size of the key, the slower the system will run.
• Will now review the other possible types of attacks.
Factoring Problem

mathematical approach takes 3 forms:

factor n=p.q, hence compute ø(n) and then d
determine ø(n) directly and compute d
find d directly
currently believe all equivalent to factoring
have seen slow improvements over the years
as of May-05 best is 200 decimal digits (663) bit with LS
biggest improvement comes from improved algorithm
cf QS to GHFS to LS
currently assume 1024-2048 bit RSA is secure
ensure p, q of similar size and matching other constraints
• We can identify three approaches to attacking RSA mathematically, as shown.
Mathematicians currently believe all equivalent to factoring.
• See Stallings Table 9.4 (next slide) for progress in factoring, where see slow
improvements over the years, with the biggest improvements coming from improved
algorithms. The best current algorithm is the “Lattice Sieve” (LS), which replaced the
“Generalized Number Field Sieve” (GNFS), which replaced the “Quadratic Sieve”(QS).
• Have to assume computers will continue to get faster, and that better factoring algorithms
may yet be found. Thus, we need to be careful in choosing a key size for RSA. For the
near future, a key size in the range of 1024 to 2048 bits seems reasonable. In addition to
specifying the size of n, a number of other constraints have been suggested by
researchers. To avoid values of n that may be factored more easily, the algorithm's
inventors suggest the following constraints on p and q:
1.p and q should differ in length by only a few digits. Thus, for a 1024-bit key (309 decimal
digits), both p and q should be on order of 1075 to 10100.
2.Both (p – 1) and (q – 1) should contain a large prime factor
3.gcd(p–1, q–1) should be small.
 Timing Attacks

developed by Paul Kocher in mid-1990’s

exploit timing variations in operations
eg. multiplying by small vs large number
or IF's varying which instructions executed
infer operand size based on time taken
RSA exploits time taken in exponentiation
countermeasures
use constant exponentiation time
add random delays
blind values used in calculations
• Have a radical new category of attacks developed by Paul Kocher in
mid-1990’s, based on observing how long it takes to compute the
cryptographic operations. Timing attacks are applicable not just to
RSA, but to other public-key cryptography systems. This attack is
alarming for two reasons: It comes from a completely unexpected
direction and it is a ciphertext-only attack. A timing attack is
somewhat analogous to a burglar guessing the combination of a
safe by observing how long it takes for someone to turn the dial from
number to number.
• Although the timing attack is a serious threat, there are simple
countermeasures that can be used, including using constant
exponentiation time algorithms, adding random delays, or using blind
values in calculations.
Chosen Ciphertext Attacks
• RSA is vulnerable to a Chosen Ciphertext Attack (CCA)
• attackers chooses ciphertexts & gets decrypted plaintext back
• choose ciphertext to exploit properties of RSA to provide info to help
cryptanalysis
• can counter with random pad of plaintext
• or use Optimal Asymmetric Encryption Padding (OASP)
• The RSA algorithm is vulnerable to a chosen ciphertext attack (CCA). CCA is defined as an attack
in which adversary chooses a number of ciphertexts and is then given the corresponding plaintexts,
decrypted with the target’s private key. The adversary exploits properties of RSA and selects blocks
of data that, when processed using the target’s private key, yield information needed for
cryptanalysis. Can counter simple attacks with random pad of plaintext. More sophisticated variants
need to modify the plaintext using a procedure known as optimal asymmetric encryption padding
(OAEP).
Optimal
Asymmetric
Encryption
Padding
(OASP)
• To counter such attacks RSA Security Inc., a leading RSA vendor and
former holder of the RSA patent, recommends modifying the plaintext
using a procedure known as optimal asymmetric encryption padding
(OAEP). Stallings Figure 9.10 depicts OAEP encryption. As a first step the
message M to be encrypted is padded. A set of optional parameters P is
passed through a hash function H. The output is then padded with zeros to
get the desired length in the overall data block (DB). Next, a random seed
is generated and passed through another hash function, called the mask
generating function (MGF). The resulting hash value is bit-by-bit XORed
with DB to produce a maskedDB. The maskedDB is in turn passed through
the MGF to form a hash that is XORed with the seed to produce the
masked seed. The concatenation of the maskedseed and the maskedDB
forms the encoded message EM. Note that the EM includes the padded
message, masked by the seed, and the seed, masked by the maskedDB.
The EM is then encrypted using RSA.