UNTANGLING PUBLIC-KEY CRYPTOGRAPHY

The key to secure communications

Bruce Schneier

Bruce has an MS in computer science and has worked in cryptography and data security for a number of public and private concerns. He can be reached at Counterpane Systems, 730 Fair Oaks Ave., Oak Park, IL 60302.


Complex systems have been used throughout history to protect secret messages from prying eyes. From Roman times to today, these systems have been based on some sort of cryptographic algorithm and a key. People with the key can use the algorithm to encrypt messages into some unintelligible garble, then to decrypt that garble back into the message. People without the key can only read garble. The sophistication of the algorithm has increased over the years, particularly with the invention of computers, but the basic idea remains unchanged. The algorithm is like a safe. Someone opens the safe with a key, puts a message in, and slams the door shut. Only someone else with a key can open the safe and read the message.

Whit Diffie and Martin Hellman changed all this in 1976 in a paper entitled "New Directions in Cryptography" where they described Public-Key Cryptography (PKC). Instead of one key, PKC has two keys, one public and the other private. Moreover, it is computationally infeasible to deduce the private key from the public key. A person with the public key can encrypt a message but not decrypt it--only someone with the private key can decrypt the message. It's as if someone welded a mail slot onto the cryptographic safe. Anyone can slip messages into the slot, but only someone with the private key can open the safe and read the messages.

Public-Key Cryptography

PKC algorithms are computationally expensive and not well suited to encrypting long messages. A common implementation is to use PKC to transfer the key for another cryptographic algorithm and then use that algorithm to encrypt and decrypt messages. The Data Encryption Standard (DES) algorithm is ideal for this sort of application. For example, if Alice and Bob want to exchange data securely, they first agree to set up a DES system. Alice then generates a random DES key, encrypts it using Bob's public key, and sends it to him. Bob could send her his public key directly, or if this were a large network his key might be posted on some central bulletin board. Bob then decrypts Alice's message using his private key, and both of them encrypt their communications using DES with the same key.

How does PKC address the problem of key distribution and key management? Well, if Alice and Bob want to set up a secure communications channel using DES, they both need the same key. Alice could choose one at random, but she still has to get it to Bob. She could hand it to him sometime beforehand, but that requires foresight. She could send it to him via registered mail, but that takes time and is no real guarantee of security. With PKC, there is no problem. Without prior arrangements, they can both have the same DES key, and no adversary listening in on the communications channel has anything except a public key, an encrypted DES key, and a day's worth of DES-encrypted traffic.
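This hybrid exchange can be sketched in a few lines. The sketch below is a deliberately insecure illustration: it reuses the toy RSA key from this article's worked example (n = 3337, e = 79, d = 1019) in place of a real public key, and a hash-derived XOR keystream (the `keystream` helper is an assumption for this sketch) in place of DES:

```python
import hashlib
import secrets

# Toy RSA key from this article's worked example: Bob publishes (e, n)
# and keeps d private.  Real keys are hundreds of digits long.
n, e, d = 3337, 79, 1019

def keystream(key_int, length):
    """Hypothetical stand-in for DES: expand the session key into a
    keystream by repeated hashing (illustration only, not secure)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{key_int}:{counter}".encode()).digest()
        counter += 1
    return out[:length]

def sym_encrypt(key_int, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key_int, len(data))))

sym_decrypt = sym_encrypt  # XOR is its own inverse

# 1. Alice picks a random session key and wraps it in Bob's public key.
session_key = secrets.randbelow(n - 2) + 2
wrapped = pow(session_key, e, n)

# 2. Bob unwraps it with his private key.
recovered = pow(wrapped, d, n)
assert recovered == session_key

# 3. Both sides now encrypt their traffic under the shared key.
ct = sym_encrypt(session_key, b"attack at dawn")
assert sym_decrypt(recovered, ct) == b"attack at dawn"
```

An eavesdropper sees only (e, n), the wrapped key, and the symmetric ciphertext--exactly the situation described above.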

Protocols and Applications

PKC has implications far beyond simple data encryption. It allows people to do things securely over computer networks that are impossible any other way. In this section, I'll discuss applications including password protection, digital signatures, fair coin tosses, mental poker, bit commitment, oblivious transfer, and simultaneous contract signing.

Password Protection. Conventional password protection schemes, where the host computer stores the password in encrypted form, have serious security problems. First, when the user types his password into the system, anyone with access to his data path can read it. He might be accessing his computer through a convoluted transmission path that passes through four industrial competitors, three foreign countries, and two forward-thinking universities, any one of which can look at his login sequence as it passes through its machine. Second, anyone with access to the processor memory of the system can see the password before the system encrypts it and compares it with the encrypted password in the password file.

PKC solves the problem by allowing the host computer to keep a file of every user's public key; each user keeps his own private key. This private key is both long and nonmnemonic, and will probably be processed automatically by the user's hardware or communications software. This requires an intelligent and "trusted" terminal, but neither the host nor the communications path needs to be secure. When logging in, the host sends the user some random string. The user encrypts the string with his private key and sends it back to the host. The host then decrypts the message using the user's public key. If the decrypted string matches what the host sent the user in the first place, the computer allows the user access to the system. No one else has access to the user's private key, so no one else can impersonate the user. And more importantly, the user never sends his private key over the transmission line to the host. No one listening in on the interaction can get any information that would enable him to deduce the private key and impersonate the user.
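The challenge-and-reply login is short enough to sketch directly. A minimal sketch in Python, reusing the article's toy RSA key; a real system would use far larger keys and a longer random challenge:

```python
import secrets

# Toy RSA key from this article's worked example: the host files the
# user's public key (e, n); the user's terminal holds the private d.
n, e, d = 3337, 79, 1019

def host_challenge():
    """The host sends the user a random string (here, a number mod n)."""
    return secrets.randbelow(n - 2) + 2

def user_response(challenge):
    """The user encrypts the challenge with his private key."""
    return pow(challenge, d, n)

def host_verify(challenge, response):
    """The host decrypts with the public key and compares."""
    return pow(response, e, n) == challenge

c = host_challenge()
r = user_response(c)
assert host_verify(c, r)                # the real user gets in
assert not host_verify(c, (r + 1) % n)  # a forged response fails
```

Note that d itself never crosses the wire; only the challenge and the response do.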

Digital Signatures. One of the properties of PKC is that either key can be used for encryption. Encrypt a document using your private key, and you have a secure digital signature. Anyone with the public key can decrypt the document, so anyone can read it. Only you have access to your private key, so no one else could have signed it. And finally, any modification to the encrypted document will produce gibberish when decrypted, so no one can modify the signed document. In practice, the problem with this protocol is that generating a PKC digital signature on an entire document takes a long time. It is faster to hash the document using a one-way hash function (MD5, as described in the September 1991 DDJ, for example), producing a small fingerprint, and then sign the fingerprint with the private key.

Improved Key Exchange. Implementing digital signatures during a DES-key exchange protocol circumvents a potential security problem. What if an adversary sits in the middle of the communications channel, sending data to and receiving data from both Alice and Bob? He could pretend to be Alice and send Bob a different DES key. Bob's public key is public, so the adversary would have no trouble getting it. Bob, who would be fooled, would complete the protocol, encrypt all of his data using this different key, and send it back to "Alice." The adversary would then be able to read all of the data Bob sent. On the other end, the adversary could send Alice a different public key with which to encrypt the DES key. Alice, who would also be fooled, would encrypt the DES key such that the adversary could read it. Now the adversary could read all of Alice's data as well. If the adversary were fast enough, he could decrypt Bob's data and reencrypt it for Alice, and decrypt Alice's data and reencrypt it for Bob. The two of them would have no idea that someone sitting between them was reading all of their supposedly secure data.

With digital signatures, a central trusted authority can sign both Alice's and Bob's public keys. The signed keys would include a signed certification of who they belonged to. Now both know that the public key they received over the communications link (or downloaded from a central BBS) actually belongs to the other person. The DES key exchange can then proceed. Finally, to ensure that Alice and Bob are not impostors, both Alice and Bob initiate the challenge and reply protocol in the password protection example. If both protocols are successfully completed, each knows that the person they are communicating with is actually the other person.

Fair Coin Tosses. Using PKC, Alice and Bob can flip a coin over some communications medium, even if they don't trust each other; see Figure 1. The protocol, which assumes that the PKC algorithm commutes, is as follows:

1. Alice and Bob both generate a public/private key pair.

2. Alice generates two messages, one indicating heads and the other indicating tails. These messages should contain some unique random string, so that she can verify their authenticity later on in the protocol. Alice encrypts both messages with her public key and sends them to Bob.

3. Bob, who cannot read either message, chooses one at random. He encrypts it with his public key and sends it back to Alice.

4. Alice, who cannot read the message sent back to her, decrypts it with her private key and then sends it back to Bob.

5. Bob decrypts the message with his private key to reveal the results of the coin toss. He sends the decrypted message to Alice.

6. Alice reads the result of the coin toss and verifies that the random string is correct.

7. Both Alice and Bob reveal the public and private keys so that both can verify that the other did not cheat.

Figure 1: Fair coin tosses using PKC

This protocol is self-enforcing. Either party can immediately detect cheating on the part of the other party, and no trusted third-party is required to participate in either the actual protocol or any adjudication after the protocol has been completed. To see how this works, let's try to cheat.

If Alice wanted to cheat and force heads, she has three potential ways of affecting the outcome. One, she could encrypt two "heads" messages in step #2. Bob would discover this when Alice revealed her key pair at step #7. Two, she could incorrectly decrypt the message in step #4. However, she could not figure out how to decrypt the message to force another message, only gibberish. Bob would discover this in step #5. Three, she could lie about the validity of the message in step #6. Bob would discover this also in step #7, when Alice could not prove that the message was not valid. Of course, Alice could refuse to participate in the protocol at any step, at which point Alice's attempted deception would be immediately obvious to Bob.

If Bob wanted to cheat and force tails, his options are just as poor. He could incorrectly encrypt a message at step #3, but Alice would discover this when she looked at the final message at step #6. He could improperly perform step #5, but this would also result in gibberish, which Alice would discover at step #6. He could claim that he could not properly perform step #5 because of some cheating on the part of Alice, but this form of cheating would be discovered at step #7. Finally, he could send a tails message to Alice at step #5 regardless of the message he decrypted, but Alice would immediately be able to check the message for authenticity at step #6.
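The protocol in Figure 1 can be simulated with RSA over a shared modulus, which commutes because x^(eA*eB) = x^(eB*eA) (mod n). A minimal sketch under that assumption, using the article's toy modulus; common-modulus RSA has known weaknesses, so this is illustration only:

```python
import secrets

# Both key pairs share the article's toy modulus n = 47 * 71 = 3337
# (phi = 3220), so encryption commutes: x^(eA*eB) = x^(eB*eA) mod n.
n, phi = 3337, 3220

eA, dA = 79, pow(79, -1, phi)   # Alice's pair (from the article)
eB, dB = 11, pow(11, -1, phi)   # Bob's pair (11 is coprime to 3220)

# Steps 1-2: Alice tags heads and tails with a random string and
# encrypts both messages with her key.
tag = secrets.randbelow(100)
heads, tails = 1000 + tag, 2000 + tag
sealed = [pow(m, eA, n) for m in (heads, tails)]

# Step 3: Bob, unable to read either, picks one and adds his layer.
double = pow(sealed[secrets.randbelow(2)], eB, n)

# Step 4: Alice strips her layer; commutativity leaves Bob's intact.
stripped = pow(double, dA, n)

# Steps 5-6: Bob strips his layer, revealing the toss; Alice then
# checks that her random tag survived.
result = pow(stripped, dB, n)
assert result in (heads, tails)
assert result % 1000 == tag
```

Step 7 would have both parties publish (eA, dA) and (eB, dB) so either could replay the transcript and detect cheating.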

Mental Poker. A similar protocol allows Alice and Bob to play poker with each other. Instead of Alice making and encrypting two messages, one for heads and one for tails, she makes 52 messages, one for each card in the deck. Bob chooses five messages at random, encrypts them with his public key, and then sends them back to Alice. Alice decrypts the messages and sends them back to Bob, who decrypts them to determine his hand. He then sends five more messages to Alice, who decrypts them to determine her hand. During the game, additional cards can be dealt to either player by repeating the same procedure. At the end of the game, Alice and Bob both reveal their key pairs so that both can be assured that the other did not cheat.

Bit Commitment. Let's say Alice wants to commit to a prediction, but does not want to reveal that prediction to Bob until sometime later. Bob, on the other hand, wants to make sure that Alice cannot change her mind after she has committed to her prediction. Magicians like to use sealed envelopes handed to random members of the audience, but PKC can provide a method immune from any sleight of hand. First, both Alice and Bob each generate some random bit strings. Bob hands Alice his string. Alice creates a message consisting of her random string, the bit (or number of bits) she wishes to commit to, and Bob's random string. She then encrypts it with her public key and sends the result back to Bob. Bob cannot decrypt the message, so he does not know what the bit is. If the message did not contain Alice's random string, he would be able to encrypt all possible messages with Alice's public key and compare them with what Alice handed him. Alice's secret random string prevents him from using this attack to determine her bit. When it comes time for Alice to reveal her bit, she decrypts it using her private key. Bob then ensures himself that the bit is valid by checking that his random string is accurate. If the message did not contain Bob's random string, Alice could secretly decrypt the message she handed Bob with a variety of keys until she found one that gave her a bit other than the one she committed to. Bob's random string prevents her from using this trick to change her mind.

Oblivious Transfer. Imagine a situation in which Alice sends Bob two messages. Bob has a 50 percent chance of receiving either one message or the other (but not both), and Alice has no way of knowing which message he received. This may not sound very useful at first glance, but bear with me for a moment. First, the protocol:

1. Alice generates two public-key key pairs, or four keys in all. She sends both public keys to Bob.

2. Bob chooses a key in a conventional cryptographic algorithm (DES, for example). He picks one of Alice's public keys at random and encrypts his DES key with it. He sends the encrypted key to Alice without telling her which of her public keys he used to encrypt it.

3. Alice decrypts Bob's key with both of her private keys. In one of the cases, she uses the correct key and successfully decrypts Bob's DES key. In the other case, she uses the wrong key and only manages to generate a meaningless pile of bits that nonetheless looks like a random DES key. She has no idea which is which.

4. Alice encrypts one message with each of the DES keys she generated in the previous step (one real and one meaningless) and sends them to Bob.

5. Bob attempts to decrypt both of Alice's messages, but successfully decrypts only one of them. At this point the oblivious transfer is complete. Bob has received one of the two messages (the one encrypted in his DES key), and Alice has no way of knowing which.

6. After the protocol is complete and the results of the transfer can be made public, Alice must give Bob her private keys so that he can verify that she did not cheat. After all, she could have encrypted the same message with both keys in step #4.

The protocol is secure against an attack by Alice because she has no way of knowing which of the two DES keys is the real one. It is secure against an attack by Bob because there is no way he can get Alice's private keys to determine the DES key with which the other message was encrypted. This may still seem like nothing more than a more complicated way to flip coins over a modem, but it has some far reaching implications when used in more complicated protocols.

Simultaneous Contract Signing. Alice and Bob want to enter into a contract. They've agreed on the wording, but neither wishes to sign without making sure the other signs as well. This would be no problem face to face, but doing the same thing over a communications channel requires an intricate protocol:

1. Alice and Bob both randomly select 100 pairs of DES keys. There is nothing special about the pairs; they are just grouped in sets of two for the protocol.

2. Alice and Bob both generate a pair of messages. "This is the left half of my signature" and "This is the right half of my signature," for example. The messages will probably also include a digital signature of the contract, as defined previously, and a time stamp. The contract is considered signed if the other party can produce both halves of this signature pair.

3. Alice and Bob both encrypt their message pairs in each of the DES key pairs, the left message with the left key in the pair and the right message with the right key in the pair.

4. Alice and Bob send each other their pile of 200 encrypted messages, making sure the other knows which messages are which halves of which pairs.

5. Alice and Bob send each other every key pair using the oblivious transfer protocol. That is, Alice sends Bob either the left key or the right key of each of the 100 pairs, and Bob does the same. Now both Alice and Bob have the encrypted half of each signature pair, but neither he nor she knows which halves the other one has.

6. Alice and Bob both decrypt the halves they can, and make sure that the decrypted messages are valid.

7. Alice and Bob each send each other the first bits of all 200 DES keys.

8. Alice and Bob repeat step #7 for the second bits of all 200 DES keys, then for the third bits, and so on until all the bits of all the DES keys have been transferred.

9. Alice and Bob decrypt the remaining halves of the message pairs and the contract is signed.

Why does all this work? Let's assume Alice wants to cheat and see what happens. In steps #4 and #5, Alice could disrupt the protocol by sending Bob nonsense bit strings. Bob would catch this in step #6, when he tried to decrypt whatever half he received. Bob could then stop safely, because Alice could not decrypt the encrypted halves that Bob sent her. If Alice were very clever, she could disrupt only half the protocol. She could send the left half of each pair correctly, but send a gibberish string for the right half. Bob has only a 50 percent chance of receiving the right half, so half the time she could get away with it. However, this only works if there is one key pair. If there were two pairs, she could get away with this sort of deception only 25 percent of the time. That is why there are 100 key pairs in this protocol. Alice has to correctly guess the outcome of 100 oblivious transfer protocols. She has only a 1 in 2^100 chance of doing this, so Bob can safely assume that if he didn't catch her deception in step #6, then there was none.

Alice could also send Bob random bits in step #8. Bob won't know that she is sending him random bits until he receives the whole key and tries to decrypt the message halves. But again Bob has probability on his side. He has already received half of the keys, and Alice does not know which half. Alice is bound to send a nonsense bit for a key he has already received, and he will immediately know that she is trying to deceive him.

Maybe Alice will just go along with step #8 until she has enough bits of the keys to break the DES messages, and then stop transmitting bits. DES has a 56-bit-long key. If she receives 40 of the bits, she only has to try 65,536 keys in order to read the message--certainly within the realm of a computer. But Bob will have exactly the same number of bits of her keys (or one less bit at the most), so he can do the same thing. Alice has no real choice but to continue the protocol.

Certified Mail. The same simultaneous oblivious transfer protocol used for contract signing could also be used for computer certified mail. Alice sends Bob the decryption key for some document, which she does not want to release unless Bob sends her some message indicating receipt. Bob, on the other hand, does not want to give Alice a receipt without getting the document. Oblivious transfer can solve this problem without having to resort to a trusted third party to enforce the protocol.

Algorithms

There are a number of approaches to implementing PKC, some of which I'll describe in this section. However, I'll play fast and loose with complexity theory, but only in the interest of comprehensibility. For those of you who want the whole story, check the references. For everyone else, if the newspapers ever report that P = NP, ignore most of this section.

Merkle-Hellman Knapsacks. The knapsack problem was one of the first proposed candidates for a public-key algorithm. The problem is simply stated: given a list of different weights and the total weight of a closed knapsack, determine which particular weights are in the knapsack. For example, the list of different weights might be (9, 13, 15, 16, 18). If the total weight of the knapsack is 43, then the weights in the knapsack are (9, 16, 18). In general, this problem cannot be solved except by brute-force analysis. However, a certain subclass of the problem can be solved easily. Called "superincreasing knapsacks," these are knapsack problems where each weight in the list is greater than the sum of all previous weights: for example, (1, 3, 6, 12, 25). Ralph Merkle and Martin Hellman designed a public-key algorithm around a method of transforming a superincreasing knapsack problem, which is easy to solve, into a conventional knapsack problem, which is hard to solve. The public key uses the conventional knapsack problem, and the private key uses the transformation method. This algorithm has since been broken.

The RSA Algorithm. Of all the public-key algorithms proposed over the years, RSA is by far the easiest to understand and implement, and the most popular. (See the accompanying text box entitled "Public-Key Cryptography Meets the Real World.") Named after its three inventors, Ron Rivest, Adi Shamir, and Leonard Adleman, who first introduced the algorithm in 1978, it has since withstood years of extensive cryptanalysis. Although the analysis neither proved nor disproved its security, it does indicate a confidence level in the theoretical underpinnings of the algorithm.

RSA gets its security from the difficulty of factoring large numbers. The public and private keys are functions of a pair of very large (100 to 200 digits or even larger) prime numbers. The algorithm calculates both keys from the prime numbers, and determining one key from the other is conjectured to be equivalent to factoring the product of the two primes.

To generate the two keys, choose two large prime numbers, p and q. Compute the product n = p*q. Then randomly choose the public key, e, such that e has no factors in common with (p-1)*(q-1). The easiest way to do this is to select another prime number for e, one larger than both (p-1) and (q-1). Finally, compute the private key, d, such that e*d = 1 (mod (p-1)*(q-1)). In other words, d = e^-1 (mod (p-1)*(q-1)). An algorithm for this computation, developed by Euclid, is given in Figure 2. The numbers e and n are the public key; the numbers d and n are the private key. The two primes, p and q, are no longer needed, but should not be revealed.

Figure 2. (a) Algorithm to compute d such that e * d (mod n) = 1; (b) sample run for inverse(79, 3220).

    (a)

    inverse (a, n)
    {
          g[0] = n;
          g[1] = a;
          v[0] = 0;
          v[1] = 1;
          i = 1;
          do {
               g[i+1] = g[i-1] mod g[i];
               v[i+1] = v[i-1] - (g[i-1] div g[i]) * v[i];
               i++;
          } while (g[i] != 0);
          if (v[i-1] >= 0) return v[i-1];
          else return v[i-1] + n;
    }

    (b)

    i    g[i]    v[i]

    0    3220       0
    1      79       1
    2      60     -40
    3      19      41
    4       3    -163
    5       1    1019
    6       0

To encrypt a message m, first divide it into numerical blocks such that each block has a unique representation modulo n (with binary data, choose the largest power of 2 less than n). That is, if both p and q are 100-digit primes, then n will have about 200 digits, and each message block, mi, should be just under 200 digits long. The encrypted message, c, will be made up of similarly sized blocks, ci. The encryption formula is simply ci = mi^e (mod n).

To decrypt a message, take each encrypted block ci and compute mi = ci^d (mod n). Because ci^d = (mi^e)^d = mi^(e*d) = mi^(k*(p-1)*(q-1)+1) = mi * mi^(k*(p-1)*(q-1)) = mi * 1 = mi, all (mod n), the formula recovers the message. The message could just as easily have been encrypted with d and decrypted with e; the choice is arbitrary. I'll spare you the number theory as to why this works; most any current text on cryptography will go into it in detail.

A short example will probably go a long way toward making this clearer. If p = 47 and q = 71, then n = p*q = 3337. The encryption key e must have no factors in common with (p-1)*(q-1) = 46*70 = 3220. Choose e (at random) to be 79. In that case, d = 79^-1 (mod 3220) = 1019. Figure 2 shows how this number was calculated. Publish e and n, and keep d secret. Discard p and q.

To encrypt the message m = "DR DOBBS" = 6882326879666683 (each character replaced by its ASCII code), first break it into small blocks. Three-digit blocks work nicely in this case. The message will be encrypted in six blocks, mi, where m1 = 688, m2 = 232, m3 = 687, m4 = 966, m5 = 668, and m6 = 3. The first block is encrypted as 688^79 (mod 3337) = 1570 = c1. Performing the same operation on the subsequent blocks generates the encrypted message c = 1570 2756 2091 2276 2423 158.

Decrypting the message requires performing the same exponentiation using the decryption key, 1019. So, 1570^1019 (mod 3337) = 688 = m1. The rest of the message can be recovered in this manner.

If factoring a 200-digit number takes forever, how much easier can it be to find 100-digit prime numbers? Not much, if you use factoring methods to find these primes. However, there are a number of probabilistic tests that can determine whether a number is prime with a confidence of better than 50 percent per test. If a number n passes two of these tests, the confidence rises to better than 75 percent; the chance of a composite number passing 10 tests is less than 1 in 1024. Here is the algorithm with the number of tests set at 100:

1. Choose a random number, n, to test.

2. Make sure that n is not divisible by any small primes. Testing 2, 3, 5, 7, and 11 will speed up the algorithm significantly.

3. Choose 100 random numbers, a1, a2 ... a100 from the interval [1..n-1].

4. Calculate ai^((n-1)/2) (mod n) for each ai, i = 1 to 100.

5. If ai^((n-1)/2) = 1 (mod n) for all i, then n is probably composite.

If ai^((n-1)/2) != 1 or -1 (mod n) for any i, then n is composite.

If ai^((n-1)/2) = 1 or -1 (mod n) for all i, but is not always 1, then n is prime.
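The steps above translate into a short probabilistic test; the sketch below follows them directly, including the small-prime screen from step 2:

```python
import secrets

def probably_prime(n, tests=100):
    """Probabilistic primality test following the steps above:
    examine a^((n-1)/2) mod n for `tests` random bases a."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11):       # step 2: screen out small factors
        if n % p == 0:
            return n == p
    saw_minus_one = False
    for _ in range(tests):           # steps 3 and 4
        a = secrets.randbelow(n - 1) + 1
        r = pow(a, (n - 1) // 2, n)
        if r not in (1, n - 1):      # neither 1 nor -1: composite
            return False
        if r == n - 1:
            saw_minus_one = True
    return saw_minus_one             # always 1 is suspicious: composite

assert probably_prime(1019)       # d from the RSA example is prime
assert not probably_prime(1001)   # 7 * 11 * 13
assert not probably_prime(3337)   # 47 * 71
```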

This test will fail to accurately determine if a number is either prime or composite 1 in 2^100 tries, or about 1 in 10^30. If for some reason you need more confidence that the number is prime, choose a larger number of random numbers to test against. On the other hand, if you consider that the odds of the number being composite are less than the odds of you getting killed the next time you drive your car, you might not worry about it so much.

It is conjectured that the security of RSA depends wholly on the problem of factoring large numbers. Certainly that is the most obvious means of attack. Any adversary will have the public key, e, and the modulus, n. In order to find the decryption key, d, he has to factor n. Right now the best factoring algorithms take on the order of e^sqrt(ln(n)*ln(ln(n))) steps to solve. If n is a 200-bit number, factoring will take on the order of 2.7*10^11 steps; for a 664-bit (200-digit) n, on the order of 1.2*10^23 steps. Assuming a computer can perform a million steps per second (a generous assumption, considering some of the steps include long division with these monster numbers), it will take 3.8*10^9 years to factor a 664-bit number. If someone discovers a faster factoring algorithm or finds another way to break RSA, then the whole scheme will fall apart. However, people have been working on factoring algorithms since the invention of mathematics, and it is unlikely that any such algorithms are waiting to be discovered. Even if computing power increased a million-fold, factoring a 664-bit number would still take almost four thousand years. If you need more security, increase the length of n by a couple dozen bits.

El Gamal. A variant of the El Gamal public-key algorithm has been proposed as a digital signature standard. (See "Public-Key Cryptography Meets the Real World.") To generate a key pair, first choose a prime p and a prime q that divides p-1. Compute g = h^((p-1)/q) mod p, where h is any integer 0 < h < p such that h^((p-1)/q) mod p > 1. The three numbers p, q, and g are public, and can be common to an entire group of users. The private key, x, is a random integer less than q. The public key, y, is g^x mod p.

To sign a message m, first generate a random integer k less than q. This integer must be different for each signature. The digital signature consists of two numbers: r = (g^k mod p) mod q and s = (k^-1 * (m + x*r)) mod q. In practice, m will more likely be the hash of a much longer message.

To verify a signature, compute v = ((g^(m * s^-1 mod q) * y^(r * s^-1 mod q)) mod p) mod q. If v = r, then the signature is verified. Enough math for today; check the references if you need proof that this works.

The Future

PKC implementations are becoming increasingly important in the electronic world about us. Software implementations of PKC have been adopted by Microsoft, Lotus, Apple, Novell, and many other companies, and it can efficiently be implemented in some of the newer hardware architectures as well. For example, a Japanese manufacturer of an encrypting fax machine has demonstrated an RSA protocol for key exchange. A European company has developed a smart card that performs RSA encryption by itself, allowing RSA protocols to be implemented at money machines. A system of verifiable but untraceable messages has been developed that would allow secret balloting over the telephone. Another company is working on a digital cash system. Conventional electronic money will never completely replace cash because both drug dealers and congressmen have the same objection to it: there is always an audit trail. Using PKC protocols, a system of electronic money can be implemented that is untraceable until someone tries to cheat. It is currently in use on a public transportation system in Europe. PKC has the potential of restoring the individual security and privacy that the electronic age has taken away.

Bibliography

Denning, D. Cryptography and Data Security. Reading, Mass.: Addison-Wesley, 1982.

Diffie, W., and M. Hellman. "New Directions in Cryptography." IEEE Transactions on Information Theory (November, 1976).

El Gamal, T. "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms." IEEE Transactions on Information Theory (July, 1985).

Federal Information Processing Standards Publication, August 19, 1991. "Digital Signature Standard." DRAFT, National Institute of Standards and Technology.

Federal Information Processing Standards Publication, January 22, 1992, "Secure Hash Standard." DRAFT, National Institute of Standards and Technology.

Patterson, W. Mathematical Cryptology. Totowa, NJ.: Rowman & Littlefield, 1987.

Rivest, R.L., A. Shamir, and L. Adleman. "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems." Communications of the ACM (February, 1978).

Salomaa, A. Public-key Cryptography. Berlin, Germany: Springer-Verlag, 1990.

DDJ

The State of DES

Ever since the Data Encryption Standard (DES) was approved by the National Bureau of Standards, it's been the subject of intense criticism and debate. Based on an algorithm developed by IBM, DES was inexplicably modified by the National Security Agency in ways that seemed to make it weaker. Did the National Security Agency (NSA) put a "trap door" into the algorithm, allowing only themselves to break it? Did they deliberately weaken the algorithm so that only they would have the resources to build a massively parallel machine to break it? And why was it designed the way it was, anyway? The government classified IBM's design notes, so no one knows.

DES can be broken by trying all of the 2^56 possible keys. This is a "brute force" attack; there are only 2^56 keys, so the correct key has to be one of them. And until last year, that was the best that could be achieved. Using a technique they developed called "differential cryptanalysis," Eli Biham and Adi Shamir have now succeeded in breaking certain implementations of DES using only 2^47 encryption steps. This is a significant blow to the security of DES, but there are some caveats. This is a chosen-plaintext attack: the 2^47 steps use special predetermined plaintext blocks. If the cryptanalyst cannot introduce those particular plaintext blocks (that is, he or she has to listen to both the plaintext messages and the encrypted traffic until those particular blocks happen to appear), the attack will fail. Also, this is an attack against the electronic-codebook implementation of DES. Any feedback scheme will render this attack more complicated than brute force.

So, while Biham and Shamir are making great strides against DES, this does not mean that all of the DES equipment already fielded is suddenly worthless. I wouldn't use DES for long-term security (such as diplomatic information that needs to remain secure for 40 years or more), but for short-term secret data (like electronic funds transfers), DES is still as secure as it always was.

Whatever that means.

Public-Key Cryptography Meets the Real World

On September 20, 1983, U.S. patent number 4,405,829, titled "Cryptographic Communication System and Method"--informally known as the RSA algorithm--was awarded to the Massachusetts Institute of Technology. In 1984, RSA Data Security Inc. was formed to develop, license, and market the RSA algorithm. Lotus has since integrated RSA encryption and authentication in Notes, Digital Equipment Corp. uses RSA as part of their Distributed Systems Security Architecture, Novell uses RSA authentication as part of Netware, and Apple has licensed RSA for use in its Open Collaboration Environment (OCE) to provide both privacy and authentication. And Microsoft, Sun Microsystems, and IBM have licensed RSA for use in future versions of their operating systems and other products.

RSA isn't the only public-key patent that's been awarded. Both Merkle-Hellman knapsacks (patent number 4,218,582) and an exponentiation public-key algorithm (4,424,414) are patented until around the turn of the century. The first public-key patent (4,200,770), which some people claim covers all of public-key cryptography, was issued April 29, 1980. These patents, along with the RSA patent, are controlled by Public Key Partners, a group that includes RSA Data Security Inc.

These patents don't mean that excellent, although unauthorized, RSA software packages are not available. In 1991, Phil Zimmermann released a public-domain program called Pretty Good Privacy (PGP), which includes an RSA digital-signature scheme. Written for the IBM PC, it has since been ported to UNIX, VMS, Atari, and Amiga. After legal threats by RSA Data Security, Zimmermann agreed not to distribute or update the program, although programmers from other countries have worked on improvements, and a major update of PGP was released in April from New Zealand, beyond the reach of the RSA patent. It is available on computer bulletin boards worldwide.

The Internet community has been working with RSA Data Security on its own version of a personal public-key security program, called Privacy Enhanced Mail (PEM). This standard, which will be approved sometime this year, will provide protocols for RSA encryption and authentication for Internet mail users. RSA will release a Toolkit for Interoperable Privacy-Enhanced Messaging (TIPEM) to assist developers in writing applications that implement PEM protocols. TIPEM is a highly efficient set of routines written in C, and portable to most platforms. RSA Data Security will also provide a hardware-independent reference implementation of the PEM protocols, which the company plans to license free for academic and laboratory use. Distributed products will require proper licenses.

There are significant differences between PGP and the PEM protocols. PEM, for example, has centralized key management using a trusted Certification Authority. This forces all key generation to involve a central point, forces transference of trust, and is generally tailored for large organizations. PGP is more of a grass-roots program. It has a decentralized, yet secure, key-management scheme--anyone can generate their own RSA key pair. Each pair of users communicates regardless of anyone else in the network. PGP is designed with guerrilla-style key management for the masses.

The PEM header files are somewhat worrisome. According to the standard, each encrypted message has an unencrypted header which contains quite a lot of information about the message: who sent it, who it is for, which encryption algorithm was used, which message-digest algorithm was used, and when the message was encrypted. This information is available to anyone listening on the communications channel, allowing for some pretty lucrative traffic analysis. Even if no one knows what you are saying, they know who you are talking to, when you are talking to them, and how much you are saying. PEM actually requires you to sign your messages, precluding anonymous messages. PGP, on the other hand, keeps as much information secret as possible, and signatures are optional. The only thing unencrypted in the PGP header is the ID of the receiver. Only if the receiver has the appropriate private key and decrypts the message does he learn who sent it, when it was sent, and whether it was signed. As little information as possible is sent unencrypted.
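The traffic-analysis point can be made concrete with a toy sketch. Even if every message body is opaque, plaintext headers of the PEM variety let an eavesdropper build a who-talks-to-whom map; the names, field layout, and message sizes below are entirely hypothetical:

```python
from collections import Counter

# Hypothetical metadata an eavesdropper could log from plaintext
# headers, without ever decrypting a single message body.
intercepted = [
    {"from": "alice", "to": "bob",   "bytes": 4096},
    {"from": "alice", "to": "bob",   "bytes": 2048},
    {"from": "carol", "to": "bob",   "bytes": 512},
    {"from": "alice", "to": "carol", "bytes": 1024},
]

# Who talks to whom, how often, and how much: classic traffic analysis.
links = Counter((h["from"], h["to"]) for h in intercepted)
volume = Counter()
for h in intercepted:
    volume[(h["from"], h["to"])] += h["bytes"]

for (src, dst), n in links.most_common():
    print(f"{src} -> {dst}: {n} messages, {volume[(src, dst)]} bytes")
```

A few dozen such records already reveal the shape and intensity of a correspondence, which is precisely the information PGP's near-empty header denies to a passive listener.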

Although free, PGP is well-designed, with possibly the most sophisticated key management features available. PGP supports IDEA file encryptions, the MD5 Message Digest algorithm, and RSA digital signatures. Data compression is automatically provided before encryption to reduce file lengths and eliminate redundancy. Complete source code for PGP is available.

Meanwhile, the National Institute of Standards and Technology (NIST), with the help of the National Security Agency (NSA), has proposed their own public-key Digital Signature Standard (DSS): an algorithm based on an unpatented variant of the El Gamal algorithm and a Secure Hash Algorithm (SHA) modeled after the MD4 Message Digest algorithm. (Various patent-infringement suits have been threatened by Public-Key Partners, however.) DSS is slower than RSA, slightly slower generating signatures and significantly slower in verifying signatures. Still, hardware is getting faster all the time, and precomputation can make DSS faster than RSA in certain implementations.

The proposal has drawn criticism on several fronts. The standard fixes the key length at 512 bits, which most cryptographers consider too small for long-term security. Some cryptographers argued that the use of a common modulus among a group of users makes for an easier target than the RSA algorithm, where the modulus is different for each individual user; but it is possible to use an individual modulus for each user, so this is not a problem. Other cryptographers, claiming to have found a "trap door," pointed out a tiny subset of moduli that are easy to break; this can be protected against with minimal effort. And finally, the standard addresses digital signatures but makes no mention of encryption.

The comment period was supposed to end in November 1991, but NIST extended it through February. Last December, the NIST advisory board concluded that DSS as written had grave problems. While significant, this action was mostly political, as the advisory board consists primarily of industry representatives (many of whom have already licensed the RSA algorithm). Anything could happen next.
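The El Gamal signature idea that DSS builds on can be sketched with toy numbers. The parameters below are far too small for real use, the "message" stands in for a message digest, and a production scheme would pick the per-signature secret k at random and never reuse it; this shows only the underlying arithmetic, not the exact DSS variant:

```python
# Toy El Gamal signature sketch. Parameters are far too small
# for real use; they exist only to show the arithmetic.
p = 467            # small prime modulus (illustrative only)
g = 2              # public base
x = 127            # private key
y = pow(g, x, p)   # public key

def sign(m, k):
    # k must be secret, random, and coprime to p-1;
    # it is fixed here only so the example is reproducible.
    r = pow(g, k, p)
    s = (pow(k, -1, p - 1) * (m - x * r)) % (p - 1)
    return r, s

def verify(m, r, s):
    # A signature is valid iff g^m == y^r * r^s (mod p).
    return pow(g, m, p) == (pow(y, r, p) * pow(r, s, p)) % p

r, s = sign(100, k=3)
print(verify(100, r, s))   # genuine message: True
print(verify(101, r, s))   # tampered message: False
```

The verification identity holds because m = x*r + k*s (mod p-1) by construction, so g^m = (g^x)^r * (g^k)^s = y^r * r^s (mod p); only the holder of x could have produced such an (r, s) pair.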

Information Security Corp. (ISC), of Deerfield, Ill., has already released an IBM PC program called "Secret Agent" that uses public-key cryptography. Secret Agent supports DES file encryption (in Cipher Block Chaining mode), DSS digital signatures (and the SHA), and El Gamal for key management. Secret Agent's key management isn't as sophisticated as PGP's, but if you trust NIST's algorithms, Secret Agent has the advantage of being available today and perfectly legal.

Next Inc. entered the fray in February 1992 with their own public-key encryption system. Their "Fast Elliptic Encryption" (FEE) algorithm is an implementation of a well-documented, elliptic-curve public-key algorithm, the details of which are incredibly complicated. While elliptic-curve encryption appears to be, key bit for key bit, more secure than RSA, there is still some concern among researchers that a mathematical breakthrough could render the scheme useless. In any case, Next scientists invented a series of mathematical speedups that make the algorithm fast enough to actually use. Pending NSA approval, Next plans for FEE to provide both security and authentication in future versions of the Next operating system. They are also attempting to patent their mathematical speedups, although potential legal complications with at least two other elliptic-curve patent applications and a similar mathematical speedup patent application will make this an interesting exercise. And there's always the specter of a lawsuit from Public-Key Partners, based on their claim that patent 4,200,770 covers all of public-key cryptography. Finally, there are indications from Next that they will allow others to implement FEE without paying royalties.

All this will become moot on September 20, 2000, when the RSA patent expires and the algorithm enters the public domain. Unless the Next scheme turns out to be secure and royalty-free, until then we will be caught between a federal agency that no one trusts and a company that many do not like.

--B.S.


Copyright © 1992, Dr. Dobb's Journal