We've talked about public key cryptography, where users have two different keys, a public key and a private key, and we saw the example of RSA in some depth. We saw that with RSA, if we want confidentiality, we encrypt with the destination's public key and the destination decrypts with their private key. We'll see in a bit more depth in the next topic that if we want authentication, to prove who sent it, we encrypt with the sender's private key and the receiver can decrypt with the sender's public key, so with some algorithms we can use the keys in either order. RSA is a common algorithm used for signatures in digital certificates for websites, which we'll see later when we look at key management. There are other algorithms, which I'll just jump through. There's something called the ElGamal cryptosystem, which is used in the Digital Signature Standard; digital signatures are a digital way for someone to prove a message came from them, the authentication part of public key cryptography. And there's another type of mathematical problem used in public key cryptography. Remember RSA uses some modular arithmetic, and the security of RSA depends on it being difficult to factor n into its primes, difficult to do discrete logs, and so on. There's what's called elliptic curve cryptography, which presents a different set of arithmetic operations and leads to other hard problems, which in turn lead to secure algorithms for public key cryptography, but we will not touch upon how they work. They are relatively new compared to the other techniques, and in terms of security, new is usually bad. Something that is new, a new design, a new technology or a new standard, people don't trust until it's been in use a lot. It doesn't mean it's wrong, but something that's been around and used a lot means there's much larger confidence that there are no holes or weaknesses in it.
So that's why, even though elliptic curve cryptography has been around for many years, it hasn't been as widespread as RSA and other techniques. And there's one more. If we go back, it's called the Diffie-Hellman key exchange. In fact, I'm just jumping through some slides, we'll go to Diffie-Hellman in a moment. The first public announcement of an algorithm for public key crypto was by two people, Diffie and Hellman, and actually a third, Merkle, and the Diffie-Hellman algorithm they announced is still used for different purposes in cryptography today. We'll go through the Diffie-Hellman key exchange algorithm today just as a different example of public key cryptography. But note, this is not about confidentiality, getting a message secretly to the other person, and in fact it's not about authentication, proving where the message came from. This is a different purpose for public key cryptography. This is about exchanging a secret between two people, and it's a problem we haven't looked at yet. So far we've assumed with symmetric key cryptography that if we need a shared secret key, somehow both sides, the sender and receiver, already have that shared secret key. We have a topic later on key distribution about how to get secret keys between people securely. Diffie-Hellman is one way to do it. We'll go through the example here and we'll see it used in practice later. So the aim: two users want to know a shared secret. They want to know some value which only those two users know, and then maybe they can use it for symmetric key encryption, and we want to exchange that secret key across a network where someone may intercept the messages. So Diffie and Hellman proposed this many years ago. It's not for secrecy of data; we'll see that as we go through. The security of the Diffie-Hellman key exchange depends on it being difficult to solve discrete logarithms. That was one of the hard problems underlying RSA as well.
So we'll go straight into the algorithm, then go through an example, and then look at how an attacker would try to defeat it. It's maybe a little bit small here, but you have it on your slides. The algorithm: in the first block we say there are two public values to get started. Public in that both sides know them. The aim is for A to exchange a secret with B. That secret, for example a number, is known only by A and B, and some third party, some malicious user, cannot learn that number. That's the aim here. To get started we assume A and B know the two global public elements, called Q and alpha. Q is a prime number. Alpha is less than Q and a primitive root of Q. You may remember from number theory we talked about primitive roots, but I'll give you a reminder shortly. So Q and alpha are known by the users, and the attacker can know them too. When we say they're public, everyone knows them. Then user A and user B follow some steps that are almost identical; they just use different values. First, user A selects a private value X. So user A selects some value, maybe randomly, that is less than Q, and Q is a prime number. User A's private value is noted here as XA, where XA is less than Q. Then they calculate a public value Y, where Y is alpha to the power of XA mod Q. This gives a public value called YA. User B does the same thing: selects a private value XB and calculates a public value YB. So in fact we now have XA, YA, XB and YB. What do we do with the Y values? They are public, so we call them the public values Y, and we exchange them with the other side. That is, A sends its public value to B and B sends its public value to A. So we exchange the values of Y. Then, when A receives B's public value, it calculates YB to the power of XA mod Q to get some value K. And B does the same thing but with the public value of A and the private value of B, mod Q, and gets some value K.
And we will show that the two values of K calculated at A and B are the same. The idea of this algorithm is that A and B need a shared secret, for example for symmetric key encryption; they need to know a secret that no one else knows. And they can't just go up to each other; they need to exchange some messages across a network to do this. So what they do is exchange the prime number Q and the alpha value. They are public. We can send them across the internet because they are public; it doesn't matter if someone intercepts them. Each user selects a value X and calculates a value Y. Then they exchange the values of Y, again across the internet or a public network, and it doesn't matter if someone intercepts. Then they calculate the value of K. The algorithm is designed such that the two values of K at A and B will be identical, and that's our shared secret. So to illustrate this we'll go through some examples. I think I have one example in your lecture notes. Can someone just go forward so you don't have to copy too much down; keep going through. There's a handout on public key cryptography which has a Diffie-Hellman example. We'll go through the example first and then give you a chance to practice yourself. The example that you have, printed in your lecture notes, is titled Public Key Cryptography, and if you scroll through there's a Diffie-Hellman example. We'll go through that one first. So we have two users, and these two users are going to communicate across the network. Their aim is to find a value that they both know and that no one else knows, a secret value. So for this example we'll choose some numbers, and let's say A starts. A chooses a value denoted Q which is a prime number; in this example we choose 353. And a value alpha which is a primitive root of that prime. What's the definition of a primitive root?
If you take three and raise it to the power of one, the power of two, the power of three, the power of four, up to the power of 352, and take each of those mod 353, all the answers should be distinct. We shouldn't get repetitions in those answers. If you can't remember that, I'll give you another example to remind you of the primitive root in a moment. So I know that a primitive root of 353 is three. These are public values, so in fact A could choose them and then tell B what they are, maybe by sending a message. In addition, A selects a private value, say XA. The X selected by each user must be less than 353 in this case, so they choose a random number less than 353. Let's say we choose 97. Then A calculates YA, and the way to calculate it is alpha to the power of XA mod Q: alpha is three, XA is 97, mod 353. I've calculated it before; if you use your calculator or your computer you'll find that the answer is 40. Just a calculation, easy to calculate. It's just an exponentiation with modular arithmetic, so that's possible. Now we send the public values to B. Let's say we send a message across the network where we say Q is 353, alpha is three, and YA is 40. Because I send it across the network, we can assume that an attacker may intercept and learn those values. B now knows the value of Q and alpha, and B does the same steps. It selects its value of X, which I'll denote XB, and again its value of X must be less than Q. So let's say for this example we choose, I've got it, 200 and what did I choose? 233. Only because I have the answers. And we calculate at user B the value of Y: alpha to the power of XB mod Q. It's the same alpha, the one that we received, to the power of 233. You can use your calculator to solve that. Can someone check? I think maybe there's an error somewhere in my handouts. Someone check on their calculator?
Bring your calculator to the exams, and bring it to the lectures if you want to follow along, or use your computer. If you use your handheld calculator to confirm this, most likely it will not get an answer: the number is too big. But on a computer there are algorithms for calculating exponentials in modular arithmetic much faster than just taking 3 to the power of 233. Remember we can use the properties of modular arithmetic to expand that out and reduce it down; you could actually do it by hand. But I've calculated it, and I got 248. Now we send that public value back. So we've exchanged four values, Q, alpha, YA and YB, and the malicious user may know them. The last step that A and B perform is to calculate, from their own sides, their values of K. A takes the received public value YB and raises it to the power of XA, the private value, mod Q. And at the same time B does the same in the opposite order, using the received public value YA and the private value of B, XB, mod Q. YB is 248 here and XA was the value we selected at the start, 97. On the other side YA, the one received, was 40, and XB was the value that B chose, 233, mod 353. Calculate both of them. Just to confirm, we'll use a calculator: 248 to the power of 97, mod 353. Correct? 160. And the other one was 40 to the power of 233, mod 353. Also 160. Amazing. And a common exam question is to prove why it's amazing. It's not so hard to go back and do some substitutions to see why it gives exactly the same value, and we may see that after we go through another example, if we can squeeze them in. So this is just showing how the algorithm is used. There are two public values, Q and alpha, to start. Q is a prime number, and it should be a large prime number in practice, because we'll see later that the numbers we've used in this case are quite simple to break from the attacker's perspective. But it will come down to the attacker needing to solve discrete logarithms.
And if the numbers are large enough, solving discrete logarithms, as we already know, is too hard. So Q should be a large prime number. Alpha is a primitive root of Q and it can be small; that's not so important. YA was calculated by A and sent to B, and YB was calculated by B and sent back to A. That is, we exchange those values. A has its private value, XA, and B has its own private value, XB. Again, they will be large numbers, because they need to be less than Q and are usually chosen randomly, so they can be very large numbers, and they need to be kept private. The last step is that both follow the same algorithm to generate their side of K, and it can be easily shown that both sides will produce the exact same value of K, 160 in this case. That's the secret. A knows K is 160. B knows K is 160. The challenge is: does C, the attacker, know that K is 160? Or, if the attacker can intercept these two messages and learns Q, alpha, YA and YB, and they also know the algorithm, can the attacker find K? That's where the security of this algorithm comes in. Let's go through and see why it's hard for them to find K. Any questions before we go through first a proof and then the attack? Before the proof, let's do another example just to make sure you know what you're doing. Let's do it for this example. So, this is mod 19. Can someone tell me an alpha, a primitive root of 19? Someone did it? 10. Okay. Correct? Does 10 repeat? Looks okay. So 10 is a primitive root of 19. So let's choose those values: Q is 19, alpha is 10. And we will tell the other person those values. They are public; we can tell everyone. And we will calculate, sorry, select, our value of X. What? Someone? Anyone? 20? 50? What's the limit? It needs to be less than 19. Okay. So any number less than 19. When we have large numbers, it's not such an issue; we can just choose randomly.
But with these small numbers, I think if you choose one, it's not going to work so well. But all right, let's choose 7. Then we calculate YA. X is private; Y is public. Alpha to the power of XA mod Q. In fact, we can look that up in the table: 10 to the power of 7 mod 19. The answer will be 15. So we don't need a calculator for that. Send Q, alpha and YA to B. Don't tell anyone else your private key. And when I say send, although I asked you to write it on a piece of paper, the idea is that we can send this message across a network, and even if someone intercepts it, they shouldn't be able to find the private values. And here B chooses a value of X. Someone choose a value: 8. B calculates a value of Y, which will be 10 to the power of 8, mod 19. 10 to the power of 8, mod 19 is 17. And sends it back. The result is that both A and B know these four values. They know Q, they know alpha, they know YA and YB. You know the values you calculate, and you know the values you receive from the other person. Last step, calculate K. KA is YB, 17, to the power of XA, 7, mod 19. And KB is YA, 15, to the power of XB, 8, mod 19. 7 to the power of 17, mod 19; what did I say? 17 to the power of 7. 17 to the power of 7 mod 19 is 5. And 15 to the power of 8, mod 19, is also 5. So make sure you can perform the steps. That's the first thing for understanding Diffie-Hellman. What does the attacker do? The result is that A and B have a shared secret. That's the aim of this algorithm. A and B know the value; the secret value is 5. What does the attacker do? And why does it work? Try it before Friday. Try, given just the public values, to find the secret. Given just the blue values in this case (what was YA? 15), find K. That's the challenge for the attacker. And on Friday we'll show why that's hard to do.
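To tie the two worked examples together (the Q = 353 exchange earlier and this mod 19 one), here is an added Python example that is not part of the lecture notes or handout. It runs both sides of the exchange with the lecture's numbers, checks the primitive-root definition given above, and shows the brute-force discrete log the attacker's challenge comes down to, which succeeds here only because these primes are tiny and is exactly what choosing a large Q rules out.

```python
# Added example, not from the lecture: Diffie-Hellman with the lecture's numbers
# (Q=353, alpha=3, XA=97, XB=233) and (Q=19, alpha=10, XA=7, XB=8).

def is_primitive_root(alpha: int, q: int) -> bool:
    """alpha is a primitive root of prime q if alpha^1 .. alpha^(q-1) mod q
    are all distinct (the definition given in the lecture)."""
    seen = set()
    for k in range(1, q):
        r = pow(alpha, k, q)          # fast modular exponentiation
        if r in seen:
            return False
        seen.add(r)
    return True

def exchange(q: int, alpha: int, x_a: int, x_b: int):
    """Run both sides. Returns (YA, YB, K). Only YA and YB cross the network."""
    if not (0 < x_a < q and 0 < x_b < q):
        raise ValueError("private values must be in 1..q-1")
    if not is_primitive_root(alpha, q):
        raise ValueError("alpha must be a primitive root of q")
    y_a = pow(alpha, x_a, q)          # A's public value, sent to B
    y_b = pow(alpha, x_b, q)          # B's public value, sent to A
    k_a = pow(y_b, x_a, q)            # A computes YB^XA mod q
    k_b = pow(y_a, x_b, q)            # B computes YA^XB mod q
    assert k_a == k_b                 # both equal alpha^(XA*XB) mod q
    return y_a, y_b, k_a

def brute_force_discrete_log(alpha: int, y: int, q: int):
    """Attacker's view: find x with alpha^x mod q == y by trying every x.
    Feasible only for a tiny q; for a large prime this search is the hard
    problem the scheme relies on."""
    for x in range(1, q):
        if pow(alpha, x, q) == y:
            return x
    return None

def attacker_recovers_k(q: int, alpha: int, y_a: int, y_b: int):
    """From the four intercepted public values only, recover K."""
    x_a = brute_force_discrete_log(alpha, y_a, q)
    return pow(y_b, x_a, q)

if __name__ == "__main__":
    print(exchange(353, 3, 97, 233))               # (40, 248, 160)
    print(exchange(19, 10, 7, 8))                  # (15, 17, 5)
    print(attacker_recovers_k(353, 3, 40, 248))    # 160
```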