15-853:Algorithms in the Real World

Cryptography 3 and 4

15-853 Page 1
 Cryptography Outline
Introduction: terminology, cryptanalysis, security
Primitives: one-way functions, trapdoors, …
Protocols: digital signatures, key exchange, ..
Private-Key Algorithms: Rijndael, DES
Public-Key Algorithms:
– Diffie-Hellman Key Exchange
– RSA, El-Gamal, Blum-Goldwasser
– Quantum Cryptography
Case Studies: Kerberos, Digital Cash

15-853 Page 2
 Public Key Cryptosystems
Introduced by Diffie and Hellman in 1976.
Plaintext Public Key systems
K1 = public key
K1 Encryption Ek(M) = C
K2 = private key
Cyphertext
Digital signatures
K2 Decryption Dk(C) = M K1 = private key
K2 = public key
Original Plaintext

Typically used as part of a more complicated protocol.

15-853 Page 3
 One-way trapdoor functions
Both Public-Key and Digital signatures make use of
one-way trapdoor functions.
Public Key:
– Encode: c = f(m)
– Decode: m = f-1(c) using trapdoor
Digital Signatures:
– Sign: c = f-1(m) using trapdoor
– Verify: m = f(c)

15-853 Page 4
 Example of SSL (3.0)
SSL (Secure Socket Layer) is the standard for the web (https).
Protocol (somewhat simplified): Bob -> amazon.com
B->A: client hello: protocol version, acceptable ciphers
A->B: server hello: cipher, session ID, |amazon.com|verisign
B->A: key exchange, {masterkey}amazon’s public key
hand-
A->B: server finish: ([amazon,prev-messages,masterkey])key1
shake
B->A: client finish: ([bob,prev-messages,masterkey])key2
A->B: server message: (message1,[message1])key1
B->A: client message: (message2,[message2])key2 data
|h|issuer = Certificate
= Issuer, <h,h’s public key, time stamp>issuer’s private key
<…>private key = Digital signature {…}public key = Public-key encryption
[..] = Secure Hash (…)key = Private-key encryption
key1 and key2 are derived from masterkey and session ID

15-853 Page 5
 Public Key History
Some algorithms
– Diffie-Hellman, 1976, key-exchange based on discrete logs
– Merkle-Hellman, 1978, based on “knapsack problem”
– McEliece, 1978, based on algebraic coding theory
– RSA, 1978, based on factoring
– Rabin, 1979, security can be reduced to factoring
– ElGamal, 1985, based on discrete logs
– Blum-Goldwasser, 1985, based on quadratic residues
– Elliptic curves, 1985, discrete logs over Elliptic curves
– Chor-Rivest, 1988, based on knapsack problem
– NTRU, 1996, based on Lattices
– XTR, 2000, based on discrete logs of a particular field

15-853 Page 6
 Diffie-Hellman Key Exchange
A group (G,*) and a primitive element (generator) g is
made public.
– Alice picks a, and sends ga to Bob
– Bob picks b and sends gb to Alice
– The shared key is gab
Note this is easy for Alice or Bob to compute, but
assuming discrete logs are hard is hard for anyone
else to compute.
Can someone see a problem with this protocol?

15-853 Page 7
 Person-in-the-middle attack

ga gc

Alice Mallory Bob

gd gb
Key1 = gad Key1 = gcb

Mallory gets to listen to everything.

15-853 Page 8
 Merkle-Hellman
Gets “security” from the Subset Sum (also called
knapsack) which is NP-hard to solve in general.
Subset Sum (Knapsack): Given a sequence W = {w0,w1,
…,wn-1}, wi  Z of weights and a sum S, calculate a
boolean vector B, such that:
in
 BiWi  S
i 0

Even deciding if there is a solution is NP-hard.

15-853 Page 9
 Merkle-Hellman
i 1
W is superincreasing if: wi  w
j 0
j

It is easy to solve the subset-sum problem for

superincreasing W in O(n) time.
Main idea of Merkle-Hellman:
– Hide the easy case by multiplying each wi by a
constant a modulo a prime p
wi  a * wi mod p

– Knowing a and p allows you to retrieve the

superincreasing sequence

15-853 Page 10
 Merkle-Hellman

What we need Encode:

• w1, , wn y = E(m) = i=1n mi w’i
superincreasing Decode:
integers z = a-1 y mod p
• p > i=1n wi and prime = a-1 i=1n mi w’i mod p
• a, 1  a < p = a-1 i=1n miaiwi mod p
• w’i = a wi mod p = i=1n mi wi
Public Key: w’i Solve subset sum prob:
Private Key: wi, p, a, (w1, , wn, z)
obtaining m1,  mn
15-853 Page 11
 Merkle Hellman: Problem
Was broken by Shamir in 1984.
Shamir showed how to use integer programming to
solve the particular class of Subset Sum problems
in polynomial time.

Lesson: don’t leave your trapdoor loose.

15-853 Page 12
Groups based on modular arithmetic
The group of positive integers modulo a prime p
Zp*  {1, 2, 3, …, p-1}
*p  multiplication modulo p
Denoted as: (Zp*, *p)
Required properties
1. Closure. Yes.
2. Associativity. Yes.
3. Identity. 1.
4. Inverse. Yes.
Example: Z7*= {1,2,3,4,5,6}
1-1 = 1, 2-1 = 4, 3-1 = 5, 6-1 = 6
15-853 Page 13
 Other properties
|Zp*| = (p-1)
By Fermat’s little theorem: a(p-1) = 1 (mod p)
Example of Z7*
x x2 x3 x4 x5 x6
1 1 1 1 1 1
2 4 1 2 4 1
3 2 6 4 5 1
Generators 4 2 1 4 2 1
5 4 6 2 3 1
6 1 6 1 6 1

For all p the group is cyclic.

15-853 Page 14
 What if n is not a prime?
The group of positive integers modulo a non-prime n
Zn  {1, 2, 3, …, n-1}, n not prime
*p  multiplication modulo n
Required properties?
1. Closure. ?
2. Associativity. ?
3. Identity. ?
4. Inverse. ?
How do we fix this?

15-853 Page 15
Groups based on modular arithmetic
The multiplicative group modulo n
Zn*  {m : 1 ≤ m < n, gcd(n,m) = 1}
*  multiplication modulo n
Denoted as (Zn*, *n)
Required properties:
• Closure. Yes.
• Associativity. Yes.
• Identity. 1.
• Inverse. Yes.
Example: Z15* = {1,2,4,7,8,11,13,14}
1-1 = 1, 2-1 = 8, 4-1 = 4, 7-1 = 13, 11-1 = 11, 14-1 = 14
15-853 Page 16
 The Euler Phi Function
 (n)  *n  n  (1  1 / p)
p|n
If n is a product of two primes p and q, then

 (n)  pq(1  1 / p )(1  1 / q )  ( p  1)(q  1)

Euler’s Theorem:
a ( n )  1 (mod n) for a  *n
Or for n = pq
a ( p 1)( q 1)  1 (mod n) for a  *pq
Law of exponentiation:
if a  b mod  (n) then x a  x b mod n x  *n
This will be very important in RSA!
15-853 Page 17
 Generators
Example of Z10*: {1, 3, 7, 9}

x x2 x3 x4
1 1 1 1
3 9 7 1
Generators
7 9 3 1
9 1 9 1

15-853 Page 18
 Operations we will need
Multiplication: a*b (mod n)
– Can be done in O(log2 n) bit operations, or better
Power: ak (mod n)
– The power method O(log n) steps, O(log3 n) bit ops
fun pow(a,k) =
if (k = 0) then 1
else if (k mod 2 = 1)
then a * (pow(a,k/2))2
else (pow(a, k/2))2

Inverse: a-1 (mod n)

– Euclid’s algorithm O(log n) steps, O(log3 n) bit ops

15-853 Page 19
 Euclid’s Algorithm
Euclid’s Algorithm:
gcd(a,b) = gcd(b,a mod b)
gcd(a,0) = a
“Extended” Euclid’s algorithm:
– Find x and y such that ax + by = gcd(a,b)
– Can be calculated as a side-effect of Euclid’s
algorithm.
– Note that x and y can be zero or negative.
This allows us to find a-1 mod n, for a  Zn*
In particular return x in ax + ny = 1.

15-853 Page 20
 Euclid’s Algorithm
fun euclid(a,b) =
if (b = 0) then a
else euclid(b, a mod b)
gcd y
fun ext_euclid(a,b) =
if (b = 0) then (a, 1, 0)
else x
let (d, x, y) = ext_euclid(b, a mod b)
in (d, y, x – (a/b) y)
end integer quotient
The code is in the form of an inductive proof.
Exercise: prove the inductive step
15-853 Page 21
 RSA
Invented by Rivest, Shamir and Adleman in 1978
Based on difficulty of factoring.
Used to hide the size of a group Zn* since:
*n   (n)  n  (1  1 / p )
. p|n

Factoring has not been reduced to RSA

– an algorithm that generates m from c does not
give an efficient algorithm for factoring
On the other hand, factoring has been reduced to
finding the private-key.
– there is an efficient algorithm for factoring
given one that can find the private key.
15-853 Page 22
 RSA Public-key Cryptosystem

What we need: Public Key: (e,n)

• p and q, primes of Private Key: d
approximately the
same size Encode:
• n = pq m  Zn
(n) = (p-1)(q-1) E(m) = me mod n
• e  Z (n)*
• d = e-1 mod (n) Decode:
D(c) = cd mod n

15-853 Page 23
 RSA continued
Why it works:
D(c) = cd mod n
= med mod n
= m1 + k(p-1)(q-1) mod n
= m1 + k (n) mod n
= m(m (n))k mod n
=m
Why is this argument not quite sound?
What if m  Zn* then m(n)  1 mod n
Answer 1: Still works – prove mk(n)+1 = m mod n
via Chinese Remainder Theorem
Answer 2: jackpot – if you find an m  Zn* then
GCD(m,n) is a factor of n
15-853 Page 24
 Proof for m  Zn* Case
Assume w.l.o.g. that q divides m but p does not:
Let x = m1 + k(p-1)(q-1) = m*(m(p-1))k(q-1)
(1) x p m (by Euler’s Theorem)
(2) x q 0 (since q | m)

The Chinese Remainder Theorem states that for any two

solutions x1 and x2 to equations (1) and (2), x1 n x2.

Notice that for both x1 = m1 + k(p-1)(q-1) and x2 = m the equations

are satisfied.

Hence x1 n x2 n m.

15-853 Page 25
 RSA computations
To generate the keys, we need to
– Find two primes p and q. Generate candidates
and use primality testing to filter them.
– Find e-1 mod (p-1)(q-1). Use Euclid’s
algorithm. Takes time log2(n)
To encode and decode
– Take me or cd. Use the power method.
Takes time log(e) log2(n) and log(d) log2(n) .
In practice e is selected to be small so that encoding
is fast.

15-853 Page 26
 Security of RSA
Warning:
– Do not use this or any other algorithm naively!
Possible security holes:
– Need to use “safe” primes p and q. In particular p-
1 and q-1 should have large prime factors.
– p and q should not have the same number of digits.
Can use a middle attack starting at sqrt(n).
– e cannot be too small
– Don’t use same n for different e’s.
– You should always “pad”

15-853 Page 27
Algorithm to factor n given d and e
Given (n), easy to factor n (two equations, two
unknowns):

(p-1)(q-1) = (n)
pq = n

Given d and e, don’t have (n), but since

ed = 1 mod (n), have

ed-1 = k (n), for some unknown k. Almost as good.

15-853 Page 28
Algorithm to factor n given d and e
Suggested by Miller’s primality testing paper (1976):
Function TryFactor(e,d,n) LasVegas algorithm
1. write ed – 1 as 2sr, r odd Probability of pass
2. choose w at random < n is > .5.
3. v = wr mod n Will return p or q
4. if v = 1 then return(fail) if it passes.
5. while v  1 mod n Try until you pass.
6. v0 = v
Let ’(n) = LCM(p-1,q-1)
7. v = v2 mod n Let m = #2(k(n)/ ’(n)/2)
8. if v0 = n - 1 then return(fail) (#2 is largest power of 2)
9. return(pass, GCD(v0 - 1, n)) w’(n)/2 - 1 shares a factor
with n
w’(n)/2 = w k(n)/2m mod n
15-853 Page 29
 RSA Performance
Performance: (600Mhz PIII) (from: ssh toolkit):
Algorithm Bits/key Mbits/sec
1024 .35sec/key
RSA Keygen
2048 2.83sec/key
1024 1786/sec 3.5
RSA Encrypt
2048 672/sec 1.2
1024 74/sec .074
RSA Decrypt
2048 12/sec .024
ElGamal Enc. 1024 31/sec .031
ElGamal Dec. 1024 61/sec .061
DES-cbc 56 95
twofish-cbc 128 140
Rijndael 128 180
15-853 Page 30
 RSA in the “Real World”
Part of many standards: PKCS, ITU X.509,
ANSI X9.31, IEEE P1363
Used by: SSL, PEM, PGP, Entrust, …

The standards specify many details on the

implementation, e.g.
– e should be selected to be small, but not too
small
– “multi prime” versions make use of n = pqr…
this makes it cheaper to decode especially in
parallel (uses Chinese remainder theorem).

15-853 Page 31
 Factoring in the Real World
Quadratic Sieve (QS):
(1 o (1))(ln n )1 / 2 (ln(ln n ))1 / 2
T ( n)  e
– log n bits in input, superpolynomial time
– Used in 1994 to factor a 129 digit (428-bit) number. 1600
Machines, 8 months.
Number field Sieve (NFS):
(1.923 o (1))(ln n )1 / 3 (ln(ln n )) 2 / 3
T ( n)  e
– Used in 1999 to factor 155 digit (512-bit) number. 35 CPU
years. At least 4x faster than QS
– Used in 2003-2005 to factor 200 digits (663 bits) 75 CPU
years ($20K prize)

15-853 Page 32
 Discrete Logarithms
If g is a generator of Zn*, then for all y there is a
unique x (mod (n)) such that
– y = gx mod n
This is called the discrete logarithm of y and we use
the notation
– x = logg(y)
In general finding the discrete logarithm is
conjectured to be hard…as hard as factoring.

15-853 Page 33
 ElGamal
Based on the difficulty of the discrete log problem.
Invented in 1985
Digital signature and Key-exchange variants
– Digital signature is AES standard
– Public Key used by TRW (avoided RSA patent)
Works over various groups
– Z p,
– Multiplicative group GF(pn),
– Elliptic Curves

15-853 Page 34
 ElGamal Public-key Cryptosystem

(G,*) is a group Encode:

  a generator for G
• a  Z|G|
  = a
G is selected so that it
is hard to solve the
discrete log problem.
Public Key: (, ) and
some description of G
Private Key: a
15-853
Pick random k  Z|G|
E(m) = (y1, y2)
= ( k, m * k)
Decode:
D(y) = y2 * (y1a)-1
= (m * k) * (ka)-1
= m * k * (k)-1
=m
You need to know a to
easily decode y!
Page 35
 ElGamal: Example

G = Z11* Encode: 7
 =2 Pick random k = 4
E(m) = (24, 7 * 34)
• a =8
= (5, 6)
  = 28 (mod 11) = 3
Decode: (5, 6)
D(y) = 6 * (58)-1
= 6 * 4-1
= 6 * 3 (mod 11)
Public Key: (2, 3), Z11* =7
Private Key: a = 8

15-853 Page 36
 Probabilistic Encryption
For RSA one message goes to one cipher word. This
means we might gain information by running
Epublic(M).

Probabilistic encryption maps every M to many C

randomly. Cryptanalysists can’t tell whether
C = Epublic(M).

ElGamal is an example (based on the random k), but it

doubles the size of message.

15-853 Page 37
 BBS “secure” random bits
BBS (Blum, Blum and Shub, 1984)
– Based on difficulty of factoring, or finding
square roots modulo n = pq.
Fixed For a particular bit seq.
• p and q are primes such • Seed: random x
that p = q = 3 (mod 4) relatively prime to n.
• n = pq (is called a Blum • Initial state: x0 = x2
integer) • ith state: xi = (xi-1)2
• ith bit: lsb of xi
Note that: x  x ( 2i ) 1 mod ( n )
0 i (mod n)
Therefore knowing p and q allows us to find x0 from xi
15-853 Page 38
Blum-Goldwasser: A stream cypher
Public key: n (= pq) Private key: p or q
Encrypt:
mi (0  i  l) xor ci (0  i  l)
bi
lsb
Random x x2 mod n xi BBS

ci (l  i  l + log n) = xl
Decrypt:
2  i mod( p 1)( q 1)
Using p and q, find x 0  xi (mod n)
Use this to regenerate the bi and hence mi
15-853 Page 39
 Quantum Cryptography
In quantum mechanics, there is no way to take a
measurement without potentially changing the
state. E.g.
– Measuring position, spreads out the momentum
– Measuring spin horizontally, “spreads out” the
spin probability vertically
Related to Heisenberg’s uncertainty principal

15-853 Page 40
Using photon polarization

= or ? (equal probability)

= or ? (equal probability)

measure measure
diagonal square

destroys state

15-853 Page 41
 Quantum Key Exchange
1. Alice sends bob photon stream randomly polarized
in one of 4 polarizations:

2. Bob measures photons in random orientations

e.g.: x++xxx+x (orientations used)
\ | - \ / / - \ (measured polarizations)
and tells Alice in the open what orientations he
used, but not what he measured.
3. Alice tells Bob in the open which are correct
4. Bob and Alice keep the correct values
Susceptible to a man-in-the-middle attack
15-853 Page 42
 In the “real world”
Not yet used in practice, but experiments have
verified that it works.
IBM has working system over 30cm at 10bits/sec.
More recently, up to 10km of fiber.

15-853 Page 43