Lecture14 (1)
PUBLIC KEY CRYPTOGRAPHY
Prof. Saurabh Kulkarni
Department of Artificial Intelligence & Data Science
AGENDA FOR THE DAY
• Recap of last lecture
• RSA algorithm
• Clicker activity
• Summary/conclusion of the lecture
RSA ALGORITHM
• One of the first public-key schemes was developed in
1977 by Ron Rivest, Adi Shamir, and Len Adleman at MIT
and first published in 1978
• One of the widely accepted and implemented approaches to
public-key encryption
• Block cipher in which the plaintext and ciphertext are
integers between 0 and n - 1 for some n
RSA ALGORITHM
• C = M^e mod n
• M = C^d mod n = (M^e)^d mod n = M^(ed) mod n
• Both sender and receiver must know the values of n and
e, and only the receiver knows the value of d
• This is a public-key encryption algorithm with a public key
of PU = {e, n} and a private key of PR = {d, n}
RSA ALGORITHM
1. It is possible to find values of e, d, n such that
M^(ed) mod n = M for all M < n
2. It is relatively easy to calculate M^e and C^d for all values
of M < n
3. It is infeasible to determine d given e and n
• The first two requirements are easily met. The third
requirement can be met for large values of e and n
RSA ALGORITHM
• Need to find a relationship of the form M^(ed) mod n = M
• The preceding relationship holds if e and d are
multiplicative inverses modulo Φ(n), where Φ(n) is the
Euler totient function
• For p, q prime, Φ(pq) = (p - 1)(q - 1).
• Φ(n), referred to as the Euler totient of n, is the number
of positive integers less than n and relatively prime to n
• The relationship between e and d can be expressed as
ed mod Φ(n) = 1
RSA ALGORITHM
• This is equivalent to saying
• ed mod Φ(n) = 1
• d mod Φ(n) = e^(-1)
• e and d are multiplicative inverses mod Φ(n)
• According to the rules of modular arithmetic, this is true
only if d (and therefore e) is relatively prime to Φ(n)
• Equivalently, gcd(Φ(n),d) = 1
RSA ALGORITHM
EXAMPLE
1. Select two prime numbers, p = 17 and q = 11.
2. Calculate n = pq = 17 * 11 = 187.
3. Calculate Φ(n) = (p - 1)(q - 1) = 16 * 10 = 160.
4. Select e such that e is relatively prime to Φ(n) = 160
and less than Φ(n); we choose e = 7
5. Determine d such that de mod 160 = 1 and d < 160.
The correct value is d = 23, because 23 * 7 = 161 = (1 * 160) + 1
EXAMPLE
• PU = {7, 187}
• PR = {23, 187}
• M=88
• C = 88^7 mod 187
SECURITY OF RSA
• Brute force: This involves trying all possible private
keys.
• Mathematical attacks: There are several approaches,
all equivalent in effort to factoring the product of two
primes
• Timing attacks: These depend on the running time of
the decryption algorithm
• Chosen ciphertext attacks: This type of attack exploits
properties of the RSA algorithm
SECURITY OF RSA
• The defense against the brute force approach is the same
for RSA as for other cryptosystems; namely, use a large
key space
• The larger the key size, the slower the system will run. Why?
• Because the calculations involved, both in key generation
and in encryption/decryption, are complex
FACTORING PROBLEM
• Factor n into its two prime factors. This enables
calculation of Φ(n) = (p - 1) * (q - 1), which, in turn,
enables determination of d = e^(-1) (mod Φ(n))
• Determine Φ(n) directly, without first determining p and
q. Again, this enables determination of d = e^(-1) (mod Φ(n))
• Determine d directly, without first determining Φ(n)
FACTORING PROBLEM
• GNFS and SNFS: study for more information
• To avoid values of n that may be factored more easily, the algorithm’s
inventors suggest the following constraints on p and q:
1. p and q should differ in length by only a few digits. Thus, for a 1024-bit
key (309 decimal digits), both p and q should be on the order of magnitude of
10^75 to 10^100
2. Both (p - 1) and (q - 1) should contain a large prime factor.
3. gcd(p - 1, q - 1) should be small.
TIMING ATTACKS
• Timing attacks are applicable not just to RSA, but also to
other public-key cryptography systems
• This attack is alarming for two reasons: It comes from a
completely unexpected direction and it is a
ciphertext-only attack
• The attack exploits the common use of a modular
exponentiation algorithm in RSA encryption and decryption,
but the attack can be adapted to work with any implementation
that does not run in fixed time
TIMING ATTACKS
• In the modular exponentiation algorithm, exponentiation
is accomplished bit by bit, with one modular multiplication
performed at each iteration and an additional modular
multiplication performed for each 1 bit
• For a few values of a and d, the modular multiplication
will be extremely slow, and the attacker knows which
these are
• Modular exponentiation implementations do not have
such extreme timing variations, in which the execution
time of a single iteration can exceed the mean execution
time of the entire algorithm
SOME COUNTERMEASURES
• Constant exponentiation time: Ensure that all exponentiations
take the same amount of time before returning a result. This is a
simple fix but does degrade performance
• Random delay: Better performance could be achieved by adding
a random delay to the exponentiation algorithm to confuse the
timing attack
• Blinding: Multiply the ciphertext by a random number before
performing exponentiation. This process prevents the attacker from
knowing what ciphertext bits are being processed inside the
computer and therefore prevents the bit-by-bit analysis essential to
the timing attack
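The bit-by-bit exponentiation described under TIMING ATTACKS, next to the "constant exponentiation time" countermeasure, as an added example that is not part of the original lecture. The function names and the fixed 8-bit exponent width are assumptions; the values are the toy key from the worked example (C = 11, d = 23, n = 187).

```python
def modexp_counted(a, d, n):
    """Left-to-right square-and-multiply.

    Returns (a^d mod n, number of modular multiplications performed).
    The count depends on the bits of the secret exponent d, which is the
    data-dependent work a timing measurement can expose.
    """
    result, mults = 1, 0
    for bit in bin(d)[2:]:
        result = (result * result) % n      # one multiplication per iteration
        mults += 1
        if bit == "1":
            result = (result * a) % n       # extra multiplication for each 1 bit
            mults += 1
    return result, mults

def modexp_fixed_work(a, d, n, bits):
    """Same result, but every iteration squares AND multiplies.

    The product is kept or discarded with an arithmetic select, so the
    operation count is 2 * bits for any exponent of that width. This only
    equalises the operation count: Python integers are not constant-time,
    so a production implementation needs a constant-time bignum library.
    """
    result, mults = 1, 0
    for i in range(bits - 1, -1, -1):
        result = (result * result) % n
        product = (result * a) % n
        mults += 2
        bit = (d >> i) & 1
        result = bit * product + (1 - bit) * result   # select without branching
    return result, mults

if __name__ == "__main__":
    n, c = 187, 11
    for d in (23, 16):                      # 10111 vs 10000: same length, different weight
        print(d, bin(d), modexp_counted(c, d, n), modexp_fixed_work(c, d, n, 8))
```

With d = 23 (binary 10111) the first routine performs 9 multiplications, with d = 16 (binary 10000) only 6; the fixed-work routine performs 16 in both cases, which is the performance cost the slide mentions.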
RSA DATA SECURITY INCORPORATES BLINDING
1. Generate a secret random number r between 0 and n - 1.
2. Compute C' = C(r^e) mod n, where e is the public
exponent.
3. Compute M' = (C')^d mod n with the ordinary RSA
implementation.
4. Compute M = M'r^(-1) mod n. In this equation, r^(-1) is the
multiplicative inverse of r mod n. It can be demonstrated
that this is the correct result by observing that
r^(ed) mod n = r mod n.
• RSA Data Security reports a 2 to 10% performance
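The four blinding steps applied to the toy key from the worked example (e = 7, d = 23, n = 187, C = 11), as an added example that is not part of the original lecture and not RSA Data Security's code. The function names are hypothetical, and rejecting r values with no inverse mod n (and r <= 1, which would blind nothing) is an assumption added so that step 4 is always defined.

```python
import secrets
from math import gcd

def pick_blinding_factor(n):
    """Step 1: secret random r in [0, n-1]; retry until r is invertible mod n."""
    while True:
        r = secrets.randbelow(n)
        if r > 1 and gcd(r, n) == 1:
            return r

def blinded_decrypt(c, d, e, n, r=None):
    """Return (M, C') following the four steps; r may be fixed for testing."""
    if r is None:
        r = pick_blinding_factor(n)
    elif gcd(r, n) != 1:
        raise ValueError("r has no inverse mod n, so step 4 would fail")
    c_blind = (c * pow(r, e, n)) % n      # step 2: C' = C(r^e) mod n
    m_blind = pow(c_blind, d, n)          # step 3: M' = (C')^d mod n, equal to M*r mod n
    m = (m_blind * pow(r, -1, n)) % n     # step 4: M = M' r^(-1) mod n
    return m, c_blind

if __name__ == "__main__":
    e, d, n, c = 7, 23, 187, 11
    # The private-key exponentiation sees a different C' on each call,
    # yet the recovered plaintext is always the same.
    for _ in range(3):
        print(blinded_decrypt(c, d, e, n))
```

The value fed to the private-key exponentiation is C', which the sender of C cannot predict without r, so its timing no longer lines up with a chosen ciphertext.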