Asymmetric Key Cryptography


CS431 Computer and Network Security

Asymmetric Key Cryptography
Abhishek Bichhawat 10/02/2023
Challenges with Symmetric Key Cryptography

● Alice and Bob can communicate securely using the shared secret keys and algorithms like AES or DES
● How did Alice and Bob share the secret key?
● How does Alice communicate with different parties?

Diffie-Hellman-Merkle (DH) Key Exchange

● Efforts were made to share symmetric keys
● Diffie-Hellman-Merkle
○ Solve key exchange problem by using independent secret keys and public information
○ Foundation for public (asymmetric) key cryptography
● Similar method developed in UK by James Ellis (1960s) but remained classified

DH Key Exchange

● g and p are public values
● Alice
○ Generate x
○ Compute $g^x \bmod p$ and send it to Bob
○ Receive $g^y \bmod p$
○ Compute $(g^y)^x \bmod p$
● Bob
○ Generate y
○ Compute $g^y \bmod p$ and send it to Alice
○ Receive $g^x \bmod p$
○ Compute $(g^x)^y \bmod p$

Man-in-the-middle Attack

● Desired Property
○ Alice and Bob should know the shared secret
● What if there is a man-in-the-middle?
○ Alice thinks she is talking to Bob
○ Bob thinks he is talking to Alice
○ But, both are talking to Mallory who now shares secret keys with both Alice and Bob (reading all their messages comfortably)!
○ DH (as described) is not secure against a MITM

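The exchange and the man-in-the-middle case above, as an added example that is not part of the original slides. The prime `P`, base `G` and all function names are constructed for illustration; the group is far too small for real use.

```python
import secrets

# Constructed toy parameters (assumption): readable numbers only.
# Real deployments use standardized groups of 2048 bits or more.
P = 2**32 - 5   # public prime p
G = 5           # public base g

def dh_keypair(p=P, g=G):
    """Return (secret exponent, public value g^secret mod p)."""
    secret = secrets.randbelow(p - 3) + 2   # 2 <= secret <= p - 2
    return secret, pow(g, secret, p)

def dh_shared(their_public, my_secret, p=P):
    """Compute (g^y)^x mod p from the peer's public value."""
    return pow(their_public, my_secret, p)

def honest_exchange():
    """Alice and Bob swap public values directly."""
    x, gx = dh_keypair()    # Alice
    y, gy = dh_keypair()    # Bob
    return dh_shared(gy, x), dh_shared(gx, y)

def intercepted_exchange():
    """Mallory replaces both public values in transit with her own g^z."""
    x, gx = dh_keypair()    # Alice
    y, gy = dh_keypair()    # Bob
    z, gz = dh_keypair()    # Mallory
    alice_key = dh_shared(gz, x)    # Alice believes gz came from Bob
    bob_key = dh_shared(gz, y)      # Bob believes gz came from Alice
    mallory_with_alice = dh_shared(gx, z)
    mallory_with_bob = dh_shared(gy, z)
    return alice_key, bob_key, mallory_with_alice, mallory_with_bob

if __name__ == "__main__":
    a, b = honest_exchange()
    print("honest exchange, keys match:", a == b)
    ak, bk, ma, mb = intercepted_exchange()
    print("Mallory shares Alice's key:", ak == ma)
    print("Mallory shares Bob's key:  ", bk == mb)
```

Nothing in the arithmetic tells Alice whose public value she received, which is why the exchanged values have to be authenticated, for example with the digital signatures covered later in the deck.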
Public Key Cryptography

● Keys are generated in pairs
○ Public key
○ Private key
● Public key is known to all
○ E.g., everyone knows that the public key $PK_A$ belongs to Alice
● Private key is known only to the owner
● Private key should not be derivable from the public key!
● Message encrypted with Alice’s public key can only be decrypted by Alice’s private key
○ Gives authentication guarantees, too.
● Use modular arithmetic, discrete log problem etc. (instead of XORs and bit-shifts)

Definition of PK Encryption Scheme

A public key encryption scheme is a triple $\langle G, E, D \rangle$ of efficiently computable functions such that:

1. G is a key generation function that outputs a “public key” PK and a “private key” SK: $\langle PK, SK \rangle \leftarrow G(\cdot)$
2. E takes public key PK and plaintext M as input, and outputs a ciphertext: $C \leftarrow E_{PK}(M)$
3. D takes a ciphertext C and private key SK, and outputs ⊥ or a plaintext: $M \leftarrow D_{SK}(C)$
4. If $C \leftarrow E_{PK}(M)$ then $M \leftarrow D_{SK}(C)$
5. If $C \leftarrow E_{PK}(M)$, then C and PK should reveal “no information” about M

RSA Public Key Encryption Algorithm

● Most popular public key encryption algorithm
● Developed shortly after Diffie-Hellman by
○ Ron Rivest
○ Adi Shamir
○ Leonard Adleman
● Allows encryption and authentication
● Clifford Cocks (w/ James Ellis and Malcolm Williamson), at GCHQ (UK), independently invented a particular case of this method 3 years before RSA, but it was classified by British intelligence (declassified in 1997)

RSA

● Key generation:
○ Choose two large prime numbers p and q such that p ≠ q, randomly and independently of each other.
○ Pick integer e coprime with (p-1)(q-1) (i.e., gcd(e, (p-1)(q-1)) = 1)
○ Compute d such that $ed \equiv 1 \pmod{(p-1)(q-1)}$ (or) $ed \bmod (p-1)(q-1) = 1$
○ n = pq (Factoring problem)
○ Private key = (n, d)
○ Public key = (n, e)
● Messages are numbers

RSA

● Encryption:
○ $E_{(n,e)}(m) = m^e \bmod n$
● Decryption:
○ $D_{(n,d)}(c) = c^d \bmod n$
● $D_{(n,d)}(E_{(n,e)}(m)) = m$ ($ed \bmod (p-1)(q-1) = 1$) ($ed - 1 = h(p-1) = k(q-1)$)

RSA

● Let p = 7 and q = 17
○ n = 7 * 17 = 119
○ (p-1)(q-1) = 96
○ e should be coprime with 96 - choose 5
○ Compute d such that $ed \bmod (p-1)(q-1) = 1$, i.e., $5d \bmod 96 = 1$
■ Assume d is 77

RSA

● $D_{(n,d)}(E_{(n,e)}(m)) = m$ ($ed - 1 = h(p-1) = k(q-1)$)
○ $(m^e \bmod pq)^d \bmod pq = m \bmod pq$
○ $m^{ed} \bmod pq = m \bmod pq$
○ $m^{ed} \bmod p = m \bmod p$ and $m^{ed} \bmod q = m \bmod q$
○ $m^{ed-1}\, m \bmod p = m \bmod p$
○ $m^{(p-1)h}\, m \bmod p = m \bmod p$
○ $(m^{p-1})^h\, m \bmod p = m \bmod p$ … Fermat’s little theorem
○ $1^h\, m \bmod p = m \bmod p$ … $a^{p-1} \equiv 1 \pmod{p}$

Attacks on RSA

● Bleichenbacher attack
○ Encryption with e = 3 can be decrypted easily
● Hastad’s broadcast attack (Coppersmith’s attack)
○ Clear-text message m sent to e or more recipients that share the same exponent e, but different n (p and q), can be decrypted easily via the Chinese remainder theorem.
○ $c_1 = m^3 \bmod n_1$, $c_2 = m^3 \bmod n_2$, $c_3 = m^3 \bmod n_3$
○ Chinese remainder theorem gives $c' = m^3 \bmod n_1 n_2 n_3 = m^3$ ($m^3$ is smaller than $n_1 n_2 n_3$)

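The Chinese remainder theorem step above carried through on small numbers, as an added example that is not part of the original slides. The three moduli and the message value are constructed; each modulus is a product of two primes with gcd(3, (p-1)(q-1)) = 1 so that e = 3 is a valid exponent.

```python
from math import prod

# Constructed toy moduli n1, n2, n3 (assumption), pairwise coprime.
MODULI = [11 * 17, 23 * 29, 41 * 47]

def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    big_n = prod(moduli)
    total = 0
    for c, n in zip(residues, moduli):
        partial = big_n // n
        total += c * partial * pow(partial, -1, n)
    return total % big_n

def integer_cube_root(x):
    """Smallest r with r**3 >= x (exact when x is a perfect cube)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo

def broadcast_unpadded(m, moduli, e=3):
    """The same unpadded m encrypted for every recipient: c_i = m^3 mod n_i."""
    return [pow(m, e, n) for n in moduli]

def recover_from_broadcast(ciphertexts, moduli):
    """Return m if the CRT result c' is a perfect cube, else None."""
    c_prime = crt(ciphertexts, moduli)   # equals m^3 when m^3 < n1*n2*n3
    root = integer_cube_root(c_prime)
    return root if root ** 3 == c_prime else None

if __name__ == "__main__":
    cts = broadcast_unpadded(42, MODULI)
    print("ciphertexts:", cts)
    print("recovered without any private key:", recover_from_broadcast(cts, MODULI))
```

When the recipients are sent different values, the CRT result is not a perfect cube and the function returns `None`, which is the property randomized padding relies on.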
Attacks on RSA

● Deterministic encryption algorithm
○ Chosen plaintext attack against the cryptosystem
○ RSA without padding is not semantically secure
● Vulnerable to chosen ciphertext attack
○ Product of two ciphertexts is equal to the encryption of the product of the respective plaintexts
● Timing and power attacks
○ Measure time and power consumption to figure out operations

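The worked key from the slides (p = 7, q = 17, e = 5) run through key generation, a full round trip, and the determinism and product properties listed above. This is an added example, not code from the original slides; the function names are chosen here for illustration.

```python
from math import gcd

def keygen(p, q, e):
    """Textbook key generation following the slide's steps."""
    phi = (p - 1) * (q - 1)
    if p == q or gcd(e, phi) != 1:
        raise ValueError("need p != q and gcd(e, (p-1)(q-1)) = 1")
    d = pow(e, -1, phi)                 # ed mod (p-1)(q-1) = 1
    return (p * q, e), (p * q, d)       # public (n, e), private (n, d)

def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)                 # m^e mod n, no padding

def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)                 # c^d mod n

PUB, PRIV = keygen(7, 17, 5)            # the slide's values; d comes out as 77

def round_trip_holds_for_all_messages():
    """D(E(m)) = m for every m in [0, n)."""
    n, _ = PUB
    return all(decrypt(PRIV, encrypt(PUB, m)) == m for m in range(n))

def matching_plaintexts(c, candidates):
    """Deterministic encryption: anyone holding PUB can test guesses against c."""
    return [m for m in candidates if encrypt(PUB, m) == c]

def product_property_holds(m1, m2):
    """E(m1) * E(m2) mod n equals E(m1 * m2 mod n)."""
    n, _ = PUB
    lhs = (encrypt(PUB, m1) * encrypt(PUB, m2)) % n
    return lhs == encrypt(PUB, (m1 * m2) % n)

if __name__ == "__main__":
    print("private key:", PRIV)
    print("round trip for all m:", round_trip_holds_for_all_messages())
    c = encrypt(PUB, 10)
    print("ciphertext of 10:", c, "-> guesses that match:",
          matching_plaintexts(c, range(PUB[0])))
    print("product property for 3 and 4:", product_property_holds(3, 4))
```

Both properties follow from encryption being a fixed function of m and the public key, which is why the slides note that RSA without padding is not semantically secure.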
Digital Signatures

● Digital signatures are a way to provide integrity/authenticity
● A digital signature scheme is a triple $\langle G, S, V \rangle$ of efficiently computable algorithms
○ G outputs a “public key” VK and a “private key” SK: $\langle VK, SK \rangle \leftarrow G(\cdot)$
○ S takes a “message” m and SK as input and outputs a “signature” σ: $\sigma \leftarrow S_{SK}(m)$
○ V takes a “message” m, signature σ and public key VK as input, and outputs a bit b: $b \leftarrow V_{VK}(m, \sigma)$
○ If $\sigma \leftarrow S_{SK}(m)$ then $V_{VK}(m, \sigma)$ outputs 1 (“valid”)
○ Given only VK and message/signature pairs $\{\langle m_i, S_{SK}(m_i) \rangle\}_i$, it is computationally infeasible to compute $\langle m, \sigma \rangle$ such that $V_{VK}(m, \sigma) = 1$ for any new $m \neq m_i$

Digital Signatures

[Figure: Certificate Authority; “Is this Alice’s signature?”; “YES!”]

Digital Signatures

[Figure: diagram with labels D, E, M, S and S,M]

RSA Signatures

● Key generation (same as in RSA PKE):
○ Choose two large prime numbers p and q such that p ≠ q.
○ Pick integer e coprime with (p-1)(q-1) (i.e., gcd(e, (p-1)(q-1)) = 1)
○ Compute d such that $ed \bmod (p-1)(q-1) = 1$
○ Private key = (n, d)
○ Public key = (n, e)
● Sign(d, m):
○ Compute $\mathit{sig} = m^d \bmod pq$
● Verify(e, n, m, sig):
○ Check $m \equiv \mathit{sig}^e \pmod{pq}$

Digital Signatures - Compromises

● Existential forgery
○ The attacker manages to forge a signature of (at least) one
message, but not necessarily of his choice
● Selective forgery
○ The attacker manages to forge a signature of (at least) one
message of his choice
● Universal forgery
○ The attacker manages to forge a signature of any message

Summary

● Public key encryption
○ Private and public key pairs
○ Public key encrypts and private key decrypts
○ Provides properties similar to symmetric key encryption
● Digital signatures
○ Provide integrity and authenticity for asymmetric schemes
○ Private and public key pairs
○ Encrypt with private key and decrypt with public key
