
Inside PK Cryptography: Math and Implementation


DOCUMENT INFORMATION

Basic information

Pages: 49
Size: 665.5 KB

Content

Inside PK Cryptography: Math and Implementation
Sriram Srinivasan (“Ram”)
sriram@malhar.net

Agenda (slide 2/47)
- Introduction to PK Cryptography
- Essential Number Theory
  - Fundamental Number Theorem
  - GCD, Euclid’s algorithm
  - Linear combinations
  - Modular Arithmetic
  - Euler’s Totient Function
- Java implementation of RSA

Security Issues (slide 3/47)
- Authentication, Authorization, and Encryption, Non-repudiation
- Shared Secrets (e.g. passwords, Enigma)
- Something shared, something (else) secret
  - Concept by Ellis, Cocks and Williams
  - Popularly attributed to Diffie and Hellman
  - Algorithm by Rivest, Shamir and Adleman
- Used everywhere: https, SSL, email, certificates

Public Key Cryptography (slide 4/47)
- Consider a pair of magic pens
  - Write with one, use the other to decode
  - Symmetric: either can be used to encode
- You want to send a message to me
  - You borrow one of my pens and write with it
  - I decode it with my other pen
- Avoids problems of shared secrets
- Same tools for authentication, encryption and non-repudiation

Mathematics

Fundamental Theorem of Arithmetic (slide 6/47)
- All numbers are expressible as a unique product of primes
  - 10 = 2 * 5, 60 = 2 * 2 * 3 * 5
- Proof in two parts
  - All numbers are expressible as products of primes
  - There is only one such product sequence per number

Fundamental Theorem proof (slide 7/47)
- First part of proof: All numbers are products of primes
    Let S = {x | x is not expressible as a product of primes}
    Let c = min{S}
    c cannot be prime
    Let c = c1 c2
    c1, c2 < c ⇒ c1, c2 ∉ S (because c is min{S})
    ∴ c1, c2 are products of primes ⇒ c is too
    ∴ S is an empty set

Fundamental Theorem proof (slide 8/47)
- Second part of proof: The product of primes is unique
    Let n = p1p2p3p4… = q1q2q3q4…
    Cancel common primes
    Now unique primes on both sides
    Now, p1 | p1p2p3p4
    ⇒ p1 | q1q2q3q4…
    ⇒ p1 | one of q1, q2, q3, q4…
    ⇒ p1 = qi, which is a contradiction

GCD (Greatest Common Divisor) (slide 9/47)
- gcd(a,b) = the greatest of the divisors of a,b
- Many ways to compute gcd
  - Extract common prime factors
    - Express a, b as products of primes
    - Extract common prime factors
    - gcd(18, 66) = gcd(2*3*3, 2*3*11) = 2*3 = 6
    - Factoring is hard. Not practical
  - Euclid’s algorithm

Euclid’s algorithm (slide 10/47)
    a    b    r = a % b
    b    r    r1 = b % r
    r    r1   r % r1 = 0
    ∴ gcd(a,b) = r1

RSA Key Generation (slide 35/47)
- Bob selects primes p, q
- computes n = pq
- φ(n) = φ(p) φ(q) = (p - 1)(q - 1)
- Select e, such that gcd(e, φ(n)) = 1
- Compute the decrypting key, d, where ed ≡ 1 (mod φ(n))
- Bob publishes public key info: e, n
- Keeps private key: d, n
- Important: m < n

RSA Key Generation (slide 36/47)
- Bob selects primes p, q ⇒ p = 3, q = 11
- computes n = pq ⇒ n = 33
- φ(n) = φ(p) φ(q) = (p - 1)(q - 1) ⇒ φ(n) = (3 - 1)(11 - 1) = 20
- Select e, such that gcd(e, φ(n)) = 1 ⇒ e = 7
- Compute the decrypting key, d, where ed ≡ 1 (mod φ(n))
    7d = 1 (mod 20) ⇒ d = (1 + 20k)/7 ⇒ d = 3
- Bob publishes public key pair: e, n ⇒ Public key = (7, 33)
- Keeps private key: d, n ⇒ Private key = (3, 33)

RSA algorithm (slide 37/47)
- Treat each letter or block as m (m < n)
    “RSA” ⇒ {18, 19, 1}
    n = 33, e = 7, d = 3
- Encryption: for each m compute c = m^e (mod n)
    18^7 % 33, 19^7 % 33 ⇒ {6, 13, 1}
- Decryption: for each c, compute c^d (mod n)
    6^3 % 33, 13^3 % 33 ⇒ {18, 19, 1}

RSA proof
- Prove c = m^e (mod n) ⇒ c^d (mod n) = m
- Review: a ≡ b (mod n) ⇒ a^k ≡ b^k (mod n)
    a ...

(slide 42/47)
    ... 1) e = e.add(new BigInteger("2"));
- Select d, such that ed ≡ 1 (mod φ(n))
    d = e.modInverse(phi);

RSA Implementation (slide 43/47)
- Encrypt/decrypt
    BigInteger encrypt (BigInteger message) {
        return message.modPow(e, n);
    }
    BigInteger decrypt (BigInteger message) {
        return message.modPow(d, n);
    }

Digital Signature (slide 44/47)
- m^ed (mod n) = m^de (mod n)
- Bob encrypts his name using private key
- Alice, the recipient, decrypts it using Bob’s public key

RSA Deployment (slide 45/47)
- If msg m > n, chop it up in blocks < n
- p and q are usually 512 bits, e = 65537
- Ensure p - 1 doesn’t have small prime factors
- Ensure d is large
- Pad m with random bits
- Never reuse n
- Sign documents very carefully

Examples of RSA Attacks (slide 46/47)
- Exploiting algorithm parameter values
  - Low e or d values
- Exploiting implementation
  - Measuring time and power consumption of smart cards
  - Exploiting random errors in hardware
  - Exploiting error messages
- Social Engineering: Blinding attack

Ellis / Diffie-Hellman Key Exchange (slide 47/47)
- RSA is slow in practice
  - Encrypt AES’s keys using RSA
- Alice and Bob agree publicly on a prime p, and some integer, c < p
  - gcd(p,c) = 1
- Alice chooses a privately, and Bob chooses b
  - a, b < p

Ellis / Diffie-Hellman Key Exchange (contd) (slide 48/47)
- Alice computes A = c^a (mod p)
- Bob computes B = c^b (mod p)
- They exchange these numbers
- Alice computes B^a
- Bob computes A^b
- Both of them compute c^ab (mod p)
- Both use this number as a key for AES

References (slide 49/47)
- “Cryptological Mathematics”, Robert Lewand
- “Twenty Years of Attacks on the RSA Cryptosystem”, Dan Boneh
  - http://crypto.stanford.edu/~dabo
- pajhome.org.uk/crypt/index.html
- “Concrete Mathematics”, Donald Knuth et al.
- “The Code Book”, Simon Singh

... φ(p^k) = p^k - p^(k-1), if p is prime and k > 0
Only numbers that are a multiple of p have a common factor with p^k:
    1.p, 2.p, 3.p, … p^(k-1).p and
The rest don’t share any factors, so are coprime
∴ φ(p^k) ...

... If m - a is divisible by both p and q, p and q must be one of p1, p2, p3 ⇒ m - a is divisible by pq

GCD and modulus (slide 20/47)
- If gcd(a,n) = 1, and a = b (mod n), then gcd(b,n)...

... φ(pq) = (p - 1)(q - 1) = φ(p) φ(q), if p and q are prime
Which numbers ≤ pq share factors with pq?
    1.p, 2.p, 3.p, … (q-1)p and
    1.q, 2.q, 3.q, … (p-1)q and
    pq
The rest are coprime to pq
Count them
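Euclid’s remainder table (slide 10/47) connects directly to the key-generation step "7d = 1 (mod 20)" on slide 36/47. The Java below is an added example, not code from the slides: it goes beyond slide 10 by also tracking the linear-combination coefficients, which is what yields d. The class and method names are assumptions.

```java
import java.math.BigInteger;

// Added example: Euclid's algorithm with coefficient tracking (extended Euclid).
public class EuclidDemo {
    // Returns {g, x, y} with a*x + b*y = g = gcd(a, b), for a, b >= 0.
    static BigInteger[] extendedGcd(BigInteger a, BigInteger b) {
        BigInteger x0 = BigInteger.ONE, y0 = BigInteger.ZERO;   // a = 1*a + 0*b
        BigInteger x1 = BigInteger.ZERO, y1 = BigInteger.ONE;   // b = 0*a + 1*b
        while (b.signum() != 0) {
            BigInteger[] qr = a.divideAndRemainder(b);          // a = q*b + r
            System.out.println(a + "  " + b + "  r = " + qr[1]); // one table row
            BigInteger x2 = x0.subtract(qr[0].multiply(x1));
            BigInteger y2 = y0.subtract(qr[0].multiply(y1));
            a = b; b = qr[1];
            x0 = x1; y0 = y1; x1 = x2; y1 = y2;
        }
        return new BigInteger[] {a, x0, y0};
    }

    // d with e*d ≡ 1 (mod phi); fails loudly when gcd(e, phi) != 1.
    static BigInteger inverse(BigInteger e, BigInteger phi) {
        BigInteger[] r = extendedGcd(e, phi);
        if (!r[0].equals(BigInteger.ONE))
            throw new ArithmeticException("e and phi(n) are not coprime");
        return r[1].mod(phi);            // BigInteger.mod is never negative
    }

    public static void main(String[] args) {
        BigInteger g = extendedGcd(BigInteger.valueOf(18), BigInteger.valueOf(66))[0];
        System.out.println("gcd(18, 66) = " + g);
        BigInteger e = BigInteger.valueOf(7), phi = BigInteger.valueOf(20);
        BigInteger d = inverse(e, phi);
        System.out.println("d = " + d + ", agrees with modInverse: "
                + d.equals(e.modInverse(phi)));
    }
}
```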
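The key-generation, encrypt/decrypt and signature slides (35/47 to 44/47) can be tied together in one runnable class using the deck's toy numbers p = 3, q = 11, e = 7. This is an added example, not the author's code: the loop that selects e is an assumption (the original loop head is cut off on the page), as are the class name and the `sign`/`verify` helpers. It also shows why slide 35's "Important: m < n" needs an explicit check.

```java
import java.math.BigInteger;

// Added example: textbook RSA with the slides' toy numbers. Unpadded and far
// too small to protect anything; it only makes the arithmetic visible.
public class ToyRsa {
    final BigInteger n, e, d;

    ToyRsa(BigInteger p, BigInteger q, BigInteger firstE) {
        n = p.multiply(q);
        BigInteger phi = p.subtract(BigInteger.ONE).multiply(q.subtract(BigInteger.ONE));
        // Assumed selection loop: step an odd candidate by 2 until gcd(e, phi) = 1.
        BigInteger cand = firstE;
        while (!phi.gcd(cand).equals(BigInteger.ONE)) cand = cand.add(BigInteger.valueOf(2));
        e = cand;
        d = e.modInverse(phi);                     // ed ≡ 1 (mod phi)
    }

    BigInteger encrypt(BigInteger m) {
        // "Important: m < n": anything larger is silently reduced mod n.
        if (m.signum() < 0 || m.compareTo(n) >= 0)
            throw new IllegalArgumentException("need 0 <= m < n");
        return m.modPow(e, n);
    }

    BigInteger decrypt(BigInteger c) { return c.modPow(d, n); }

    BigInteger sign(BigInteger m) { return m.modPow(d, n); }   // private key first

    boolean verify(BigInteger m, BigInteger sig) { return sig.modPow(e, n).equals(m.mod(n)); }

    public static void main(String[] args) {
        ToyRsa bob = new ToyRsa(BigInteger.valueOf(3), BigInteger.valueOf(11), BigInteger.valueOf(7));
        System.out.println("public (e, n) = (" + bob.e + ", " + bob.n + "), private d = " + bob.d);
        for (int m : new int[] {18, 19, 1}) {      // "RSA" as letter numbers
            BigInteger c = bob.encrypt(BigInteger.valueOf(m));
            System.out.println(m + " -> " + c + " -> " + bob.decrypt(c));
        }
        BigInteger sig = bob.sign(BigInteger.valueOf(18));
        System.out.println("signature verifies: " + bob.verify(BigInteger.valueOf(18), sig));
        // Without the range check, 51 and 18 collide because 51 mod 33 = 18.
        BigInteger raw = BigInteger.valueOf(51).modPow(bob.e, bob.n);
        System.out.println("51 decrypts to " + bob.decrypt(raw));
        try {
            bob.encrypt(BigInteger.valueOf(51));
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```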
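Both sides of the Ellis / Diffie-Hellman exchange (slides 47/47 and 48/47) are shown below as an added Java example, not code from the slides. The `Party` class, the SHA-256 step that turns c^ab (mod p) into an AES key, the range check on the peer's value and the randomly generated 512-bit demo prime are all assumptions of this example.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;

// Added example: both sides of the exchange on the slides, with range checks.
public class ToyDh {
    static final class Party {
        private final BigInteger p, secret;
        final BigInteger pub;                      // A = c^a (mod p) or B = c^b (mod p)

        Party(BigInteger p, BigInteger c, SecureRandom rng) {
            this.p = p;
            BigInteger two = BigInteger.valueOf(2), s;
            do {                                   // private exponent in [2, p - 2]
                s = new BigInteger(p.bitLength(), rng);
            } while (s.compareTo(two) < 0 || s.compareTo(p.subtract(two)) > 0);
            secret = s;
            pub = c.modPow(secret, p);
        }

        // Hashes c^ab (mod p) into 32 bytes usable as an AES-256 key (assumed KDF choice).
        byte[] aesKey(BigInteger peerPub) throws Exception {
            // Reject 0, 1, p - 1 and out-of-range values: they force a predictable result.
            if (peerPub.compareTo(BigInteger.ONE) <= 0
                    || peerPub.compareTo(p.subtract(BigInteger.ONE)) >= 0)
                throw new IllegalArgumentException("peer value outside (1, p - 1)");
            BigInteger shared = peerPub.modPow(secret, p);
            return MessageDigest.getInstance("SHA-256").digest(shared.toByteArray());
        }
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        BigInteger p = BigInteger.probablePrime(512, rng); // constructed demo prime, not a vetted group
        BigInteger c = BigInteger.valueOf(2);              // c < p and gcd(p, c) = 1
        Party alice = new Party(p, c, rng), bob = new Party(p, c, rng);
        byte[] ka = alice.aesKey(bob.pub), kb = bob.aesKey(alice.pub);
        System.out.println("keys match: " + MessageDigest.isEqual(ka, kb));
        try {
            alice.aesKey(BigInteger.ONE);          // degenerate value from a bad peer
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```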

Date posted: 18/08/2017, 22:27
