> zy|@N(
nA/0DTimes New Roman(0(:A 0 DTimes New Roman (Hebrew)(:A 0 DComic Sans MSn (Hebrew)(:A 0 B0DTimesSans MSn (Hebrew)(:A 0 @DSymbolans MSn (Hebrew)(:A 0 PDArialans MSn (Hebrew)(:A 0 "`DCentury Gothic (Hebrew)(:A 0 "@.
@n?" dd@ @@``4,um%-7
0AApf3?/ @h,ʚ;Zd8ʚ;g4bdbd@:A 0ppp@<4!d!dl$ 0^<4ddddl$ 0^<4BdBdl # 0h___PPT2001D<4X0___PPT10
pp^___PPT9@8! ?%CekpDiffie and Hellman (76) New Directions in Cryptography 9,Split the Bob s secret key K to two parts:
KE , to be used for encrypting messages
to Bob.
KD , to be used for decrypting messages
by Bob.
KE can be made public
(public key cryptography,
assymetric cryptography)+Z)Z%Z)ZuZCGCGOC
G(CGCGOC
G(CGCGOAEAE
ACf<Integer Multiplication & Factoring as a One Way Function."=<$$=T$Excerpts from RSA paper (CACM, 1978)$%
@
The era of electronic mail may soon be uopn us; we must
ensure that two important properties of the current paper
mail system are preserved: (a) messages are private, and (b)
messages can be signed. We demonstrate in this paper how
to build these capabilities into an electronic mail system.
At the heart of our proposal is a new encryption method.
This method provides an implementation of a public-key
cryptosystem, an elegant concept invented by Diffie and
Hellman. Their article motivated our research, since they
presented the concept but not any practical implementation
of such system. Rb ZZ* gThe Multiplicative Group Zpq*`@DC K$C G hExponentiation in Zpq*`@DC K$C G iExponentiation in Zpq*`@DC K$C G jRSA Public Key Cryptosystem Let N=pq be the product of two primes
Choose e such that gcd(e,f(N))=1
Let d be such that de1 mod f(N)
The public key is (N,e)
The private key is d
Encryption of MZN* by C=E(M)=Me mod N
Decryption of CZN* by M=D(C)=Cd mod N ZCGCG%CGCGCGC$$Z 1 l#Constructing an instance of RSA PKC& Alice first picks at random two large primes, p and q.
Alice then picks at random a large d that is relatively prime to (p-1)(q-1) ( gcd(d,f(N))=1 ).
Alice computes e such that de1 mod f(N)
Let N=pq be the product of p and q.
Alice publishes the public key (N,e).
Alice keeps the private key d, as well as the primes p, q and the number f(N), in a safe place.k ZC GCG CGCGCC GCGGCGCGCGCCGCGCCGCGCGCGC
GCG@ > mA Small ExampleLet p=47, q=59, N=pq=2773. f(N)= 46*58=2668.
Pick d=157, then 157*17 - 2668 =1, so e=17 is
the inverse of 157 mod 2668.
For N =2773 we can encode two letters per
Block, using a two digit number per letter:
blank=00, A=01,B=02,& ,Z=26.
Message: ITS ALL GREEK TO ME is encoded
0920 1900 0112 1200 0718 0505 1100 2015 0013 0500.'AEAEAEAEAAE AEAEAEXAEAEAEAEAA
A;G@ "oA Small Example[N=2773, e=17 (10001 in binary).
ITS ALL GREEK TO ME is encoded as
0920 1900 0112 1200 0718 0505 1100 2015 0013 0500
First block M=0920 encrypts to
Me= M17 = (((M2)2 )2 )2 * M = 948 (mod 2773)
The whole message (10 blocks) is encrypted as
0948 2342 1084 1444 2663 2390 0778 0774 0219 1655
Indeed 0948d=0948157=920 (mod 2773), etc.Z\nEAEAEAA;G
AEAGAEO,AEK(AEK(C(K(C(K(C(K(AEAE4AE1GEAO0AK$AE
A\q #RSA as a One Way Trapdoor Function.:$$$
$$$X
Trap-Door OWF& $Definition: f:DR is a trap-door one way function if there is a trap-door s such that:
Without knowledge of s, the function f is a one way function
Given s, inverting f is easy
Example: fg,p(x) = gx mod p is not a trap-door one way function.
Example: RSA is a trap-door OWF.W ZZ Zb Z&Z
?t 4 r!Attacks on RSA& LFactor N=pq. This is believed hard
unless p, q have some bad properties. To
Avoid such primes, it is recommended to
Take p, q large enough (100 digits each).
Make sure p, q are not too close together.
Make sure both (p-1), (q-1) have large
prime factors (to foil Pollard s rho algorithm).N%" T" }" 1" EAEAAEAELAEAEAEAEAEAEAEAEAEAEAE-AE
A@ RBasic Scheme
PA public key encryption scheme includes the following elements:
A private key k
A public key k
An encryption algorithm, which is a trap door OWF. The trap-door info is the private key
Public key is published
Encryption uses the public key (anyone can encrypt)
Decryption requires the private keyN@ Zy Zp Z@yp@] . ^Properties of RSA&
The requirement (e,j(n))=1 is important for uniqueness
Finding d, given p and q is easy. Finding d given only n and e is assumed to be hard (the RSA assumption)
The public exponent e may be small. Typically its value is either 3 (problematic) or 216+1
Each encryption involves several modular multiplications. Decryption is longer.@L ZS& aReal World usage +Two words:
Key Exchange, ,, bDigital Signatures cModel A public key analog of MAC
A digital signature scheme includes the following elements:
A private key k
A public key k
A signature algorithm
Public key is published
Signature requires private key
Verification requires public key zW Z6 ZY ZW6+&t p d
Ramifications Commercial anyone can sign a contract, check, statement etc.
Signatures are necessary for e-commerce
Legal digital signatures can be binding in a court of law (unlike MACs)
Legal signature laws of various types are appearing & 6 SEl-Gamal Encryption& RConstructed by El-Gamal in 1985
Similar to DH
Alice publishes p, g as public parameters
Alice chooses x as a private key and publishes gx mod p as a public key
Encryption of mZp by sending (gy mod p, mgxy mod p) or (gy mod p, m+gxy mod p)
Requires two exponentiations per each block transmitted.* Z
&
A p '
B /p ` ` ̙33` 333MMM` ff3333f` f` f` 3>?" dd@,|?" dd@ " @ ` n?" dd@ @@``PR @ ` `p>>l(
6l "P
X Click to edit Master title style!! (
0q "
RClick to edit Master text styles
Second level
Third level
Fourth level
Fifth level!
S @
0/ "` `H@___PPT9"@
j*
0 "`
^*
0 "``
^* T
<vh@ ? Default Design$
0p4(
0d P
X*
0L
d* d
c$ ?
0
@
RClick to edit Master text styles
Second level
Third level
Fourth level
Fifth level!
S
6l `P
X*
6ň `
V*H
0h ? 3380___PPT10.`DN~(
0و
^* 6
0 ߈ P `H@___PPT9"@
n*$
6L `
^*
6t `P
`* H
0h ? ̙3380___PPT10.PR0J(
0` PH@___PPT9"
Z Introduction to Modern Cryptography
Lecture 7
RSA Public Key CryptoSystem
One way Trapdoor Functions|`7&G$%(($$$$?$ @`Z
B"vdh@ ?
H@(
r
S40
r
S0
<O
@H
0h ? d
\(
r
SǖP
<ϖRfb
I
<l p
p,qZ((((
<@
P8
N=pqZ((((& vb
NGHIH b֬ԔH@vb
NZGHIPԔ
H8
<
Y O
\hard
<l4 ?
\easy (
<
h
>Q.: Can a public key system be based
on this observation ?????B? : > H
0h ?/@
T$(
Tr
T SP+`@
r
T S$,0P
H
T0h ?
r j (
cx<0e0e "`
<t$6
@(
0AQDD
HLet p and q be two large primes.
Denote their product N = pq .
The multiplicative group ZM* =Zpq* contains
all integers in the range [1,pq-1] that are
relatively prime to both p and q.
The size of the group is
f(pq) = (p-1) (q-1) = N - (p+q) + 1,
so for every x Zpq*, x(p-1)(q-1) = 1.%C G C G +C G C G C G O$G C G O$G #C C$G C G C$$C G C G C C$C G C G C G C G C G C G C G C G C G O$G C G K O K O K C G C D
@`H
0h ?
( (
L
cO0e0e "`
<R6
@F
0UQD
Motivation: We want to exponentiation for
encryption.
Let e be an integer, 1 < e < (p-1) (q-1).
Question: When is exponentiation to the eth
power, x --> xe, a one-to-one op in Zpq* ? %C O(C G C G C G C G C G -C G K C G C G O(C(C G O$G C ( @`H
0h ?
H (
c^0e0e "`
<a6
@n
06QD
@Claim: If e is relatively prime to (p-1)(q-1)
then x --> xe is a one-to-one op in Zpq*
Constructive proof: Since gcd(e, (p-1)(q-1))=1,
e has a multiplicative inverse mod (p-1)(q-1).
Denote it by d, then ed=1 + C(p-1)(q-1).
Let y=xe, then yd =(xe)d=x1+C(p-1)(q-1) =x
meaning y --> yd is the inverse of x-->xe QEDA
C G C G C G C G C G O(C(C C(C G O$G C G C G C G C G C G C G C G #C G C G C G C G C G C G C G C G C G C G C G O(C(C C(G O(C G O(C O(C G O K O K O K O K C G C G O(G C G O(G A @`H
0h ? $
d( \D
x
c$:0 @
x
c$T;0P
,
<d}
> The above mentioned method should not be confused with the
exponentiation technique presented by Diffie and Hellman to solve
the key distribution problem .8 Z@c + H
0h ?
0( Є
x
c$ŉ``P
x
c$dƉ
H
0h ?
@(
l
CtӉ`@
l
CHԉp
H
0h ?
P$(
r
S؉`@
r
Sى
H
0h ?
c[ (
r
ShfP
<gRfX
I
<A!
ox2((
<@E@8
xe mod NN (0(& vb
NZGHIPԔ
<K
Y O
\hard
<D4 O
\easy vb
NZGHIPԔ
P
<Q`
Easy with trapdoor info ( d )F vb
NGHIH b֬ԔH@H
0h ??`
d$(
dr
d S<[P
r
d S\
H
d0h ?
.( P1'%
l
C"p
Cd(`
"p`PpH
0h ?
D$(
Dr
D SfP
r
D Shg
H
D0h ?
0|$(
|r
| SdpP
r
| S8q
H
|0h ?
@$(
r
SPP
r
S$
H
0h ? p P(
x
c$pp
H
0h ?
`$(
r
S<P
r
S
H
0h ?
p$(
r
SP
r
S
H
0h ?
H$(
Hr
H SؤP
r
H S
H
H0h ?
0xp`(
R
3
v
#ӈ
@
"H
0h ? 33r HNA*^R0XqX^a kWϪ(chDs}Lf2*W
mSrM(
nA/0DTimes New Roman0:A 0DTimes New Roman (Hebrew):A 0 DComOh+'08`h
Administrative DetailsNivfiatist167Microsoft PowerPoints@0OJ
@j?6@
G4g
<-v--@ !--x--@ !--z--@ !'--|--@ !9--~--@ !J----@ !V----@ !e----@ !p----@ ! |----@ ! ----@ !----@ ! ----@ ! ----@ ! ----@ !----@ !----@ ! ----@ !----@ ! ----@ ! ----@ !----@ !----@ ! ----@ !----@ ! ----@ !----@ !----@ ! ----@ !----@ ! ----@ ! &----@ !/----@ !5----@ !:----@ ! @----@ !I----@ !O----@ ! U----@ !^----@ !c----@ ! i----@ !r----@ ! x----@ !----@ !----@ !----@ ! ----@ ! ----@ !----@ !----@ ! ----@ ! ----@ ! ----@ ! ----@ !----@ !----@ ! ----@ !----@ !----@ !
----@ !----@ !(----@ !6----@ !E----@ !W----@ !h----@ !----@ !&----@ !*---'@BComic Sans MS-. <2
H#Introduction to Modern Cryptography-."System-@Times New Roman-. 2
?NLecture !
2
?7 .-@Times New Roman-. 2
1 2
4.
.-@Times New Roman-. 02
MRSA Public Key CryptoSystem!#
#
!%.-@Times New Roman-. 2
2 2
4.
.-@Times New Roman-. 2
MOne way $
$
.-@Times New Roman-. ?2
Trapdoor.-@Times New Roman-. 2
Functions.-mes New Roman-. 2
> Functions.-Sn (Hebrew):A 0"`DCentury Gothic (Hebrew):A 0"@.
@n?" dd@ @@``<4vm%-7
0AApf3?/ @h,ʚ;Zd8ʚ;g4bdbd :A 0ppp@<4!d!dL$ 0*<4ddddL$ 0*<4BdBdL # 0h___PPT2001D<4X0___PPT10
pp^___PPT9@8! ?%{CekpDiffie and Hellman (76) New Directions in Cryptography 9,Split the Bob s secret key K to two parts:
KE , to be used for encrypting messages
to Bob.
KD , to be used for decrypting messages
by Bob.
KE can be made public
(public key cryptography,
assymetric cryptography)+Z) Z% Z) Zu ZCGCGOC
G(CGCGOC
G(CGCGOAEAE
ACf<Integer Multiplication & Factoring as a One Way Function."=<$$=T$Excerpts from RSA paper (CACM, 1978)$%
% The era of electronic mail may soon be uopn us; we must
ensure that two important properties of the current paper
mail system are preserved: (a) messages are private, and (b)
messages can be signed. We demonstrate in this paper how
to build these capabilities into an electronic mail system.
At the heart of our proposal is a new encryption method.
This method provides an implementation of a public-key
cryptosystem, an elegant concept invented by Diffie and
Hellman. Their article motivated our research, since they
presented the concept but not any practical implementation
of such system. Rb ZZ* gThe Multiplicative Group Zpq*`@DC K$C G hExponentiation in Zpq*`@DC K$C G iExponentiation in Zpq*`@DC K$C G jRSA Public Key Cryptosystem Let N=pq be the product of two primes
Choose e such that gcd(e,f(N))=1
Let d be such that de1 mod f(N)
The public key is (N,e)
The private key is d
Encryption of MZN* by C=E(M)=Me mod N
Decryption of CZN* by M=D(C)=Cd mod N ZCGCG%CGCGCGC$$Z 1 l#Constructing an instance of RSA PKC$ Alice first picks at random two large primes, p and q.
Alice then picks at random a large d that is relatively prime to (p-1)(q-1) ( gcd(d,f(N))=1 ).
Alice computes e such that de1 mod f(N)
Let N
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXY}[\]^_`abcdefghjklmnopqrstuvwx{~Root EntrydO)
Current User,SummaryInformation(ZhPowerPoint Document(XDocumentSummaryInformation8iic Sans MSn (Hebrew):A 0B0DTimesSans MSn (Hebrew):A 0@DSymbolans MSn (Hebrew):A 0PDArialans MSn (Hebrew):A 0"`DCentury Gothic (Hebrew):A 0"@.
@n?" dd@ @@``<4vm%-7
0AApf3?/ @h,ʚ;Zd8ʚ;g4LdLd :A 0ppp@<4!d!dL$ 04<4ddddL$ 04<4BdBdL # 0h___PPT2001D<4X0___PPT10
ppf___PPT9H@!(?%GCekpDiffie and Hellman (76) New Directions in Cryptography 9,Split the Bob s secret key K to two parts:
KE , to be used for encrypting messages
to Bob.
KD , to be used for decrypting messages
by Bob.
KE can be made public
(public key cryptography,
assymetric cryptography)+Z)Z%Z)ZuZCGCGOC
G(CGCGOC
G(CGCGOAEAE
ACf<Integer Multiplication & Factoring as a One Way Function."=<$$=T$Excerpts from RSA paper (CACM, 1978)$%
% The era of electronic mail may soon be uopn us; we must
ensure that two important properties of the current paper
mail system are preserved: (a) messages are private, and (b)
messages can be signed. We demonstrate in this paper how
to build these capabilities into an electronic mail system.
At the heart of our proposal is a new encryption method.
This method provides an implementation of a public-key
cryptosystem, an elegant concept invented by Diffie and
Hellman. Their article motivated our research, since they
presented the concept but not any practical implementation
of such system. Rb ZZ* gThe Multiplicative Group Zpq*`@DC K$C G hExponentiation in Zpq*`@DC K$C G iExponentiation in Zpq*`@DC K$C G jRSA Public Key Cryptosystem Let N=pq be the product of two primes
Choose e such that gcd(e,f(N))=1
Let d be such that de1 mod f(N)
The public key is (N,e)
The private key is d
Encryption of MZN* by C=E(M)=Me mod N
Decryption of CZN* by M=D(C)=Cd mod N ZCGCG%CGCGCGC$$Z 1 l#Constructing an instance of RSA PKC$ Alice first picks at random two large primes, p and q.
Alice then picks at random a large d that is relatively prime to (p-1)(q-1) ( gcd(d,f(N))=1 ).
Alice computes e such that de1 mod f(N)
Let N=pq be the product of p and q.
Alice publishes the public key (N,e).
Alice keeps the private key d, as well as the primes p, q and the number f(N), in a safe place.k ZC GCG CGCGCC GCGGCGCGCGCCGCGCCGCGCGCGC
GCG@ 8 mA Small ExampleLet p=47, q=59, N=pq=2773. f(N)= 46*58=2668.
Pick d=157, then 157*17 - 2668 =1, so e=17 is
the inverse of 157 mod 2668.
For N =2773 we can encode two letters per
Block, using a two digit number per letter:
blank=00, A=01,B=02,& ,Z=26.
Message: ITS ALL GREEK TO ME is encoded
0920 1900 0112 1200 0718 0505 1100 2015 0013 0500.'AEAEAEAEAAE AEAEAEXAEAEAEAEAA
A;G@ "oA Small Example[N=2773, e=17 (10001 in binary).
ITS ALL GREEK TO ME is encoded as
0920 1900 0112 1200 0718 0505 1100 2015 0013 0500
First block M=0920 encrypts to
Me= M17 = (((M2)2 )2 )2 * M = 948 (mod 2773)
The whole message (10 blocks) is encrypted as
0948 2342 1084 1444 2663 2390 0778 0774 0219 1655
Indeed 0948d=0948157=920 (mod 2773), etc.Z\nEAEAEAA;G
AEAGAEO,AEK(AEK(C(K(C(K(C(K(AEAE4AE1GEAO0AK$AE
A\q #RSA as a One Way Trapdoor Function.:$$$
$$$X
Trap-Door OWF $Definition: f:DR is a trap-door one way function if there is a trap-door s such that:
Without knowledge of s, the function f is a one way function
Given s, inverting f is easy
Example: fg,p(x) = gx mod p is not a trap-door one way function.
Example: RSA is a trap-door OWF.W ZZ Zb Z ?@ M r!Attacks on RSA FFactor N=pq. This is believed hard unless p, q have some bad properties. To Avoid such primes, it is recommended to
Take p, q large enough (100 digits each).
Make sure p, q are not too close together.
Make sure both (p-1), (q-1) have large prime factors (to foil Pollard s rho algorithm).&w " " EAE AEAEGAAEAEAEAEAEAEAEAEAEAEAE,AE
A@
RBasic Scheme
PA public key encryption scheme includes the following elements:
A private key k
A public key k
An encryption algorithm, which is a trap door OWF. The trap-door info is the private key
Public key is published
Encryption uses the public key (anyone can encrypt)
Decryption requires the private keyN@ Zy Zp Z@yp) ^Properties of RSA The requirement (e,j(n))=1 is important for uniqueness
Finding d, given p and q is easy. Finding d given only n and e is assumed to be hard (the RSA assumption)
The public exponent e may be small. Typically its value is either 3 (problematic) or 216+1
Each encryption involves several modular multiplications. Decryption is longer.@L ZSL SEl-Gamal Encryption& RConstructed by El-Gamal in 1985
Similar to DH
Alice publishes p, g as public parameters
Alice chooses x as a private key and publishes gx mod p as a public key
Encryption of mZp by sending (gy mod p, mgxy mod p) or (gy mod p, m+gxy mod p)
Requires two exponentiations per each block transmitted.* Z
&
A p %
B aReal World usage +Two words:
Key Exchange, ,, bDigital Signatures cModel A public key analog of MAC
A digital signature scheme includes the following elements:
A private key k
A public key k
A signature algorithm
Public key is published
Signature requires private key
Verification requires public key zW Z6 ZY ZW6+ d
Ramifications Commercial anyone can sign a contract, check, statement etc.
Signatures are necessary for e-commerce
Legal digital signatures can be binding in a court of law (unlike MACs)
Legal signature laws of various types are appearing & 6 /p 0N(
0L` PH@___PPT9"
^ Introduction to Modern Cryptography
Lecture 7
RSA Public Key CryptoSystem
One way Trapdoor Functions` 7 &G$%(($$$$?$ @`Z
B"vdh@ ?
d$(
dr
d SP
r
d S
H
d0h ?
.( P1'%
l
C\Vp
V
CW0`V
"p`PpH
0h ? r Xerm۲rxM(
nA/0DTimes New Roman0:A 0DTimes New Roman (Hebrew):A 0 DComic Sans MSn (Hebrew):A 0B0DTimesSans MSn (Hebrew):A 0@DSymbolans MSn (Hebrew):A 0PDArialans M
՜.+,0h
$On-screen ShowPacket Technologies ltd.icaX{
Times New RomanTimes New Roman (Hebrew)Comic Sans MSTimesSymbolArialCentury GothicDefault DesignSlide 19Diffie and Hellman (76) New Directions in Cryptography=Integer Multiplication & Factoring as a One Way Function.%Excerpts from RSA paper (CACM, 1978)The Multiplicative Group Zpq*Exponentiation in Zpq*Exponentiation in Zpq*RSA Public Key Cryptosystem$Constructing an instance of RSA PKCA Small ExampleA Small Example$RSA as a One Way Trapdoor Function.Trap-Door OWFAttacks on RSA
Basic SchemeProperties of RSAEl-Gamal EncryptionReal World usageDigital SignaturesModelRamificationsFonts UsedDesign Template
Slide Titles_Xfiatfiat=pq be the product of p and q.
Alice publishes the public key (N,e).
Alice keeps the private key d, as well as the primes p, q and the number f(N), in a safe place.k ZC GCG CGCGCC GCGGCGCGCGCCGCGCCGCGCGCGC
GCG@ 8 mA Small ExampleLet p=47, q=59, N=pq=2773. f(N)= 46*58=2668.
Pick d=157, then 157*17 - 2668 =1, so e=17 is
the inverse of 157 mod 2668.
For N =2773 we can encode two letters per
Block, using a two digit number per letter:
blank=00, A=01,B=02,& ,Z=26.
Message: ITS ALL GREEK TO ME is encoded
0920 1900 0112 1200 0718 0505 1100 2015 0013 0500.'AEAEAEAEAAE AEAEAEXAEAEAEAEAA
A;G@ "oA Small Example[N=2773, e=17 (10001 in binary).
ITS ALL GREEK TO ME is encoded as
0920 1900 0112 1200 0718 0505 1100 2015 0013 0500
First block M=0920 encrypts to
Me= M17 = (((M2)2 )2 )2 * M = 948 (mod 2773)
The whole message (10 blocks) is encrypted as
0948 2342 1084 1444 2663 2390 0778 0774 0219 1655
Indeed 0948d=0948157=920 (mod 2773), etc.Z\nEAEAEAA;G
AEAGAEO,AEK(AEK(C(K(C(K(C(K(AEAE4AE1GEAO0AK$AE
A\q #RSA as a One Way Trapdoor Function.:$$$
$$$X
Trap-Door OWF $Definition: f:DR is a trap-door one way function if there is a trap-door s such that:
Without knowledge of s, the function f is a one way function
Given s, inverting f is easy
Example: fg,p(x) = gx mod p is not a trap-door one way function.
Example: RSA is a trap-door OWF.W ZZ Zb Z ?@ M r!Attacks on RSA FFactor N=pq. This is believed hard unless p, q have some bad properties. To Avoid such primes, it is recommended to
Take p, q large enough (100 digits each).
Make sure p, q are not too close together.
Make sure both (p-1), (q-1) have large prime factors (to foil Pollard s rho algorithm).&w " " EAE AEAEGAAEAEAEAEAEAEAEAEAEAEAE,AE
A@
RBasic Scheme
PA public key encryption scheme includes the following elements:
A private key k
A public key k
An encryption algorithm, which is a trap door OWF. The trap-door info is the private key
Public key is published
Encryption uses the public key (anyone can encrypt)
Decryption requires the private keyN@ Zy Zp Z@yp) ^Properties of RSA The requirement (e,j(n))=1 is important for uniqueness
Finding d, given p and q is easy. Finding d given only n and e is assumed to be hard (the RSA assumption)
The public exponent e may be small. Typically its value is either 3 (problematic) or 216+1
Each encryption involves several modular multiplications. Decryption is longer.@L ZSL SEl-Gamal Encryption& RConstructed by El-Gamal in 1985
Similar to DH
Alice publishes p, g as public parameters
Alice chooses x as a private key and publishes gx mod p as a public key
Encryption of mZp by sending (gy mod p, mgxy mod p) or (gy mod p, m+gxy mod p)
Requires two exponentiations per each block transmitted.* Z
&
A p %
B aReal World usage +Two words:
Key Exchange, ,, bDigital Signatures cModel A public key analog of MAC
A digital signature scheme includes the following elements:
A private key k
A public key k
A signature algorithm
Public key is published
Signature requires private key
Verification requires public key zW Z6 ZY ZW6+ d
Ramifications Commercial anyone can sign a contract, check, statement etc.
Signatures are necessary for e-commerce
Legal digital signatures can be binding in a court of law (unlike MACs)
Legal signature laws of various types are appearing & 6 /p
H@(
r
S10
1
r
S101
<1O
@H
0h ? r kUmXr