2. RSA Scheme
The scheme first introduced by Ron Rivest, Adi Shamir, and Leonard Adleman in 1978, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM 21 (2):pp. 120-126, 1978.
Key Generation
- Choose random primes p and q with log₂p ≈ log₂q ≈ ℓ/2
- Compute n = pq and φ(n) = (p-1)(q-1)
- Choose e where 1 < e < φ(n) and gcd(e, φ(n)) = 1
- Compute d = e⁻¹ mod φ(n)
Encryption/Decryption
- Message space: 𝕫ₙ* = {m ∈ 𝕫 | 0 ≤ m < n, gcd(m,n)=1}
- Encryption: 𝒞 = mᵉ mod n
- Decryption: m = 𝒞ᵈ mod n
Correctness of RSA
Assuming gcd(m,n)=1.
- By definition of E and D:
D((n,d),E((n,e),m))=D((n,d),mᵉ mod n)=(mᵉ mod n)ᵈ mod n = mᵉᵈ mod n
- By definition of e and d, we have ed = 1 mod φ(n).
- Since gcd(e, φ(n))=1, Euler's Theorem guarantees that
med=m1+kφ(n)=m1(mφ(n))k=m mod n
Implementation Challenges
- Large prime generation
There is a determnistic primality test (PRIMES is in P, 2002), but it is much less efficient than the known best probabilisitc tests, so we use the probabilistic tests in practice. (Probabilistic primality tests such as the Miller-Rabin test are run many times with different randomness to shrink the probability of failure below an acceptable threshold.)
- Modular exponentiation (Square-and-Multiply algorithm)
- Efficient gcd computation (Extended Euclidean Algorithm)
3. Elliptic Curve Cryptography
Ground Concept: Diffie-Hellman Key Exchange
Diffie-Hellman key exchange works in every group.
Key exchange between Alice and Bob:
- Pick a group G and an element P in G whose order is large prime q.
- Alice: Pick a random x in Z/qZ and send xP to Bob.
- Bob: Pick a random y in Z/qZ and send yP to Alice.
- Now they both use xyP=y(xP)=x(yP) as their shared key.
Discrete log problem
The Diffie-Hellman key exchange mechanism is thought to be secured (against traditional computers) due to discrete log problem: Given P and aP, find a.
Diffie-Hellman Assumptions
- Computational Diffie-Hellman assumption (CDH)
For a,b in Z/pZ and given P, aP and bP, it is computationally infeasible to determine abP.
- Decisional Diffie-Hellman assumption (DDH)
For a,b in Z/pZ and given P, aP and bP and either abP or cP for a random c in Z/pZ, it is computationally infeasible to determine whether you were given abP or cP.
- Discrete Logarithm assumption (DLOG)
For a in Z/pZ and given P, aP, it is computationally infeasible to determine a.
Key Components
- curve equation: y² = x³ + ax + b over finite field 𝔽ₚ
note: elliptic curve lacks an identity element to form a group. so we add one o to form a group.
e={(x,y): y2=x3+ax+b} ∪ {o}
here, the identity has the following properties:
for any p,q in a group e:
- if q=o, then p+q=p. if p=0, then p+q=q
- for p=(xp,yp) and q=(xq,yq), if xp=xq and yp=-yq, then p+q=o.
- group operations: point addition/doubling
- scalar multiplication: q = kp (double-and-add algorithm)
Common Curves
- NIST P-256: y² = x³ - 3x + b over Z/pZ
where
- p = 2256-2224+2192+296-1
This special structure (of 256 bits) allows an efficient modular arithmetics.
- b=41058363725152142129326129780047268409114441015993725554835256314039467401291
- Curve25519: y² = x³ + 486662x² + x over Z/pZ
Elgamal Public Key Encryption in Elliptic Curve
- Set up:
- Choose a single, globally public elliptic curve E
- Choose a single, globally public element P in E of large prime order q
- Key generation:
- Choose a random x in Z/qZ
- Set pk = xP and sk = x
- Encryption: Given m in E
- Choose a random r in Z/qZ
- Set E(m)=(rP, m+r(pk))
- Decryption:
- Given a ciphertext (c1,c2)\in E2, compute D(c1,c2)=c2-xc1