 There are other other algorithms for public key cryptography. We will in this course look at RSA we'll look at one other a little bit later next year and I'm going to skip over a few slides here about the general requirements for public key cryptography We'll use RSA as an example then come back to them at a later date and and return to those concepts developed by reverse Shamir and Adelman in 1978 and they set up or there's a company now RSA security quite large in terms of cryptography and They sell products eventually using RSA and other algorithms. So it's the most widely used public key algorithm It's a block cipher. It operates on a blocks on a block of data Where the plain text must be represented as an integer So if you have to have a JPEG that you want to encrypt with RSA Then you take a block of bits from that image okay, you take some bits and That's an integer those say you take a thousand bits and you get a one thousand bit integer number and that's used in the RSA algorithm that we just saw plain text raised to the power of E mod n and you get your ciphertext and that's the block of ciphertext a bit more a few more details about the algorithm So we encrypt in blocks Same in a any block cipher if we have a large piece of plain text Then we divide into blocks and encrypt one block at a time and there are ways to combine those blocks together similar to the modes of operation for the symmetric ciphers The block Must be the value must be less than n Okay, n is our modulus and will be chosen. So the block must be less. So in practice what you do is let's say n is a 1,024 bit number Okay, if n is a 1,024 bit number then the block Is a size of i bits where i Is chosen such that it to to the power of i is less than n a simpler example if If n is 100 Not 100 bits, but the decimal value of 100 How big is the block? How big should the block be if if n is the decimal value of 100? Then we'd set the block to be how many bits i bits how many? 6 2 to the power of 6 is 64 no 2 to the power of 7 is 128 That is if n is 100 in decimal Then we'd take a normally six bits of plain text as a block Because with six bits we'll always get a number less than 100 In fact 60 60 less than 64 if we had seven bits we may get some numbers greater than 100 and our plain text must be less than n so that's if we have n is And a 1,024 bit number then we can choose the block size and to encrypt we've seen m to the power of e mod n decrypt same algorithm in fact just Change the values of the input c to the power of d mod n. So the same steps It's just here. We use a different value Then for the exponent same n will come to this part in a moment and each user has a public and private key and We normally denote the public key as the two values e and n the pair of values and the private key the two values d and n but note n is Not private Okay, because it because it's the same n if I choose my values of e What did I choose e equal to 4? d equal to 2 n equals to 20 if I choose those values that bad values, but if I did Then I would tell you my value of e equals 4. I Would tell you my value of n equals 20 because I a public so I can tell you my public key I would not tell you my value of d. I must keep that private So even though we write n as part of the private key n is known to other users because it's in the public here as well So the secret value is d and we must keep d secret. Otherwise It no longer is secure So we need to look at why does it what under what conditions does RSA in work? We saw a case where it didn't work where we Decrypted and we got the wrong plaintext. Of course, we cannot allow that so under what conditions What values of e n and d doesn't work and then that will determine how to choose e d and n? note if We substitute this equation for c into the decryption equation So we have two equations here c equals m to the e mod n and M equals c to the d mod n encrypt decrypt Now replace this c with the first equation and That's what we get on this second line here. We get and We'll write it on the board If we take the decryption equation and replace c with m to the power of e mod n That was the value of c all raised to the power of d That's a d mod n That's this equation or here and And the properties of mod is that we can take it out of the brackets here and they it becomes m to the power of e to the power all to the power of d Mod n mod n when we do multiple mods by the same modulus. It's just the same as doing one mod so simply mod n and again a simple property of our Exponential that equals m to the power of e multiply by d mod n so what that says is that If I encrypt using this equation and then decrypt using m equals c to the power of d mod n Then it means that m equals the same value m to the power of ed mod n Under what conditions is this true? That's what we want to find out. We saw a case where it's not true Because what we did is that we had our original m Let's say m1 here We encrypted using our equation and then we decrypted and We got this other m2 5 we get a different m and That was unsuccessful of course That's because the values of ed and n were inappropriate so We want to find values of ed and n such that when you take a number and You raise it to e multiplied by d and mod by n you get that same number back Anyone know when that is true? Look at this equation. Does it look familiar to you? One of the theorems. Okay, if you go back to the theorems We had Fermat's theorem and Euler's theorem and in fact, they're similar Here something is equivalent to the same number raised to the power of e multiplied by d in mod n This was from earlier today We say when we mod n then A is equivalent to age raised to the power of the totion of n plus 1 That was the Euler's theorem Similar structure replace a with m and let's see what Requirements are for that to work. I'm going to go through an example. I'll do it on the board I think you have it printed hopefully at the end of your This topic and your handouts. Let's check So at the end of this topic you have some notes on number theory just to remind you and then a handout on public key cryptography and I'm going to go through that on the board. So you don't have to copy at all You can make notes as you go and we'll turn this off so the the question is when does RSA work and Given the encryption and decryption equations it should work if this is True if m equals m to the power of ed mod n Well under what conditions is that true? That's what we want to find out and we note that There's some similarity between our equation m equals m to the power of ed mod n and Euler's equation here a Equals a or is equivalent to a to the power of the totion of n plus 1 in mod n So let's try and take advantage of that and write our equation in the similar form that is When does this Equation or statement match this one under what conditions? I'll write them both Or we've got the first one This is Euler's equation. I'll just replace a with m We know this is true Okay so Under what conditions is this equation true? when does m equal m to the power of ed Compare the two equations Euler's equation and our one of the RSA Well, maybe easier. What's different between? this and this ed this this exponent here and The totion of n plus 1 okay for them to be the same So for this one to have the form of Euler's equation We would need what we need ed To be equal to the totion of n plus 1 Okay, if it was that would be the same Because if ed equals the totion of n plus 1 then this becomes m equals m to the totion of n plus 1 mod n And we know that's true So this will be true if Ed equals the totion of n plus 1 is that a step clear We want to derive and find out on what values of ed and n to choose So we'll go through these steps to do so and again, this is in your handouts written up a bit more detailed at the end of the the slides there's a handout on Public key cryptography some examples. Okay, so you have it there So we're at the state that we need this to be true when you take What's 8 plus 1 mod 8? what is 9 plus 1 mod 8 a mod 9 Okay, what is x plus 1 mod x one What is the? totion of n plus 1 mod the totion of m one Okay, now let's use that and Here That's mod both sides by the totion of n we can do that we have this Statement here apply the same operation on both sides. So if this is true, that's mod both sides by e times d mod the totion of n So if e times d equals the totion of n plus 1 Then it's also true that e times d mod the totion of n And put it in brackets equals the totion of n Plus one Mod the totion of n. So all I did took this statement and took the mod of both sides What is the right-hand side? From here, it's one the totion of n plus one mod the totion of n is one so now we have the case that our Our original equation will be true if e times d Mod the totion of n Equals one what what does this resemble e times d? Mod the totion of n equals one the multiplicative inverse e times d equals one in the mod of the totion of n Let's make sure everyone can see this So our conditions are now so Again repeat We have this equation. We need this to be true for RSA to work under what conditions conditions is this true well Let's equate it to Euler's theorem and We know Euler's theorem is true So long as the exponent here is the totion of n plus one Here we have e times d So if we set e times d to be the totion of n plus one This will be true So let's do that e times d equals the totion of n plus one in that case RSA will work All I've done now is taken the mod in totion of n of both sides and So ed mod the totion of n and the right-hand side mod the totion of n And we know that the right-hand side can be simplified to just one Totion of n plus one all mod totion of n is just one so now our condition is and we can write this differently e times d is Equivalent to one when we use mod the totion of n That's just a different way that we write the mod we can write it in two ways. Don't write this one down We can write a mod B equals C or A is equivalent to C in mod B Just different different ways to write a modulus here. We say A mod B equals C or we can say a is equivalent to C when we mod both by B That's all I've done here e e times d mod the totion of n equals one or e times d is equivalent to one When we mod both sides by the totion of n What is this and you said it before That's our definition of I don't know Multiplicative inverse if D is the multiplicative inverse of e Then this is true Multiply two numbers and get one as the answer Then they are multiplicative inverses of each other I would have find a good plan what's When does e have a multiplicative inverse when is this true the multiplicative inverse exists when e and the totion of n are relatively prime Okay, because remember back to our original definition Some number has a multiplicative inverse if that number is relatively prime with the modulus So because not all numbers have a multiplicative inverse So now we say for rsa to work our condition is that e is relatively prime With a totion of n that is the the greatest common divisor of e and the totion of n equals one So that's one of our conditions for rsa to work choose a value of n and E such that e is relatively prime with a totion of n No, this is not n. This is the totion of n because if this is true Then we know that we can find some multiplicative inverse. We can find D If it's not true, then we may not be able to find D Okay, so we need e to be relatively prime with the totion of n if that's true There is a multiplicative inverse there is a D that exists and we can find D there are algorithms to find D and We haven't covered it, but Euclid's algorithm Can be used to find D? That is if you know the totion of n and If you choose some e Which is relatively prime with it? There's algorithms to reasonably quickly find the multiplicative inverse. Okay D is The inverse of e That is multiply them together you get one So we've reached one of our conditions for how rsa will work For this to be true Choose e relatively prime with a totion of n and then once you've got that e calculate D Such that e times D was one and then this equation is Equivalent or is in the form of Euler's equation and it will always be true So what we're going to arrive at is the steps that the user must use to choose e, d and n Okay, if you remember back to the example I had before I had an e of 4 a d of 2 and an n of 20. I Chose them. I effectively randomly they didn't work So in fact we need an algorithm for choosing e, d and n Well, what are the conditions of that algorithm? Here's one of them so that when you generate your keys you use this condition Let's stop that part there. There's some conditions Come back to the totion of n is How do we calculate the totion of n? The totion of some number Go the end of our number theory slides. We mentioned today Calculating the totion of a large number is Hard if n is a very large number Then finding its totion is practically impossible Unless we have some Specific value of n. Okay, let's say we choose a large n a random number and it's a thousand bits long Then there are no known ways to calculate the totion of it in a reason reasonable amount of time But we need the totion of n Because we need to find e which is relatively prime with it So now the question is for RSA we need to choose a value of n and We need to choose a value such that it will be easy to calculate the totion of n So what should we choose? How should we choose n? Normally calculating the totion of n is hard except in some cases when is it easy? I didn't write it up there But we saw it recently when is it easy to calculate the totion of n When it's the multiplication of two prime numbers if n equals p times q Where p and q are prime numbers Then we know that the totion of n equals p minus 1 Times q minus 1 so if I choose two prime numbers p and q Multiply them together I get n Then I can quickly calculate the totion of n. It's a simple calculation p minus 1 minus multiplied by q minus 1 so What we need for RSA there are other ways to choose n We do this or we set this requirement so that it's practically easy to generate the keys The user that creates their keys must choose values of n e and d We have a requirement on e We set a requirement on how they should choose n So that it's easy to calculate the totion event of n because we need that here So we require the user to choose two prime numbers p and q multiply them together and Then you get n you can easily determine the totion of n and And then from that you can just choose a value e which is relatively prime with the totion of n and Then there's algorithms to calculate d the multiplicative inverse of e and we know That there will be an inverse of e because it is relatively prime with the totion of n This condition so that's how you choose e d and n to work in RSA You choose two prime numbers Calculate n calculate the totion of n Choose e which is relatively prime with that and then calculate d and you have e e d and n and Because we've followed through these steps our encryption and decryption will always work because we're relying on this form of Euler's equation that is these are equivalent so let's Let's try it with another example and see how to generate those keys So this is really the key generation steps How does a user create their public and private key? We have an example on the handout Okay, we have an example that I'll go through again on the board. It's in the handout So you have it in front of you So instead of choosing any value for e d and n we need to generate values So what we do is we choose p and q Which it must be prime numbers Okay, so in this example, I'm going to choose p equal to 17 and q equal to 11 We'll we'll return later to the security of RSA and they should be large prime numbers But of course in this example, I'm using small ones so we can calculate on the board, but choose two prime numbers Calculate n What's n? Well 17 times 11 187 So now we have our value for n Here n equals p times q next calculate the totion of n the totion of 187 if I give you that in the exam If you try and manually calculate you'll take forever not forever, but you'll take a long time But if you recognize like you know, there wasn't a question in the exam this semester yet if you recognize that 187 is in fact p times q two prime numbers then we know immediately that the totion of 187 is 16 times 10 17 minus 1 times 11 minus 1 160 So this is the steps that you take when you create your own keys Choose the two primes calculate n calculate the totion of n What do you do next? We have n we have the totion of n now choose an e which is relatively prime in this There are multiple values that so they're a multiple ease that you can choose here in this case I'm going to choose seven Small value we can calculate the answer Is it relatively prime with 160? It's a prime number. So the factors of seven or one and seven So is 160 divisible by seven No Therefore they are relatively prime Because remember relatively prime the greatest common divisor is one the divisors of e are one and seven There are many divisors of 160 Any of them seven? No, therefore the greatest common divisor between these two is one they're relatively prime Now you calculate d and running out of space Seven times something equals one in mod 160 We can get rid of this and All right, you can trial try different numbers. So seven times Something equals 100 equals one seven times some number mod 160 Equals one. That's what you're trying to solve find that number or the other words seven times some number either equals 161 is there such a number That is 161 divided by seven. Do we get an integer or you use your calculator? No, I don't think so Actually, maybe you do No, you do 23 seven times 23 140 161 easy one in this case Seven times 23 at a hundred and sixty one hundred and sixty one mod 160 is one Yeah, that's why I had a hundred and sixty one here because when we mod by 160 we want the answer to be one easy D was 23 and Now we have our keys E is seven n is one eight seven That's the public key e and n private key D is 23 n is one eight seven so the generation of the keys and No, the keys in fact used in the example on the in the lecture notes and You can check you can check when you choose any value of m. That's less than n You encrypt and decrypt you always get the plaintext back any questions on how to generate keys so we've gone through two things why or a derivation of the rules for generating the keys and Then we gave an example of how to apply those rules to generate keys You should understand both I think The derivation and the the example that the applying the steps and you'll see past exam questions or even quiz questions Generate the keys for RSA, but for small values like this. This is not so hard With larger values, of course, it's much harder. We need computer support So in RSA Think every user generates their key pair so what each of you does is Follows these steps generates your key of public private key and then you can advertise your public key to everyone else You keep your value of D private So you can tell everyone PU is seven one eight seven But of course you don't tell anyone that D is 23 and Then you encrypt or if someone wants to send to you they encrypt with your public key and you decrypt with your private key Any questions before we look at the harder part? You would follow those steps. So the steps for key generation Are these? Very large one you'd have some software that would do it for you Okay, but exactly those steps for a very for real keys. We need to use larger values We'll see why later, but that is you choose two large prime numbers P and Q So your software chooses two large prime numbers multiplies them together gets n Calculates the totion of n which is very easy. It's just multiply two numbers and then there are algorithms for Finding a number relatively prime so testing if a number is relatively prime with the totion of n So choose an e and in fact in practice You can use the same e as other people So one common value of e is three Okay, even if you have very large values of the prime numbers and n You can choose e would have it e to be three and Someone else can also have the same value of e so long as the values of n are different It's still reasonably secure secure on except in very special cases So you can choose your own value of e but there are also some recommended values because they're better for Implementation and there are algorithms for given e find e Okay, and they're reasonably fast You can write software quite easily to do this. It's just that as the numbers get bigger and bigger It gets slower and slower There are some difficulties in there Choose two large prime numbers is the problem Choosing prime numbers is not easy large prime numbers. Okay Tell me a prime number which is 500 bits in length Then it's not easy to determine Whether a number is prime or not But it turns out that in most cases there are ways to test with reasonable confidence that a number is prime So you randomly choose a number test if it's prime If it and it gives you enough confidence that it's prime then use that and then just choose another one modify them together Any other questions before we? remove some of this okay, the question or the comment is if We calculated D In generating my key and it's in particular my secret value D. I calculated it from e Okay, in this case. I knew e was seven and I calculated D was 23 So if I can do that, then why can't a malicious user and attacker also do that? Because remember a malicious user knows my public values. They know e and n and They want to find D So let's look at how or what the malicious user needs to do to break this By break it. I mean for example find D Was that should be secret or later? We'll see to Find the complaint text given ciphertext Remove this Before we go through that. Let's make a another point. What should be secret D? Of course should be secret When you generate keys you also choose prime numbers p and q They should be secret as well. That's it an important point P and q the values you chose you should not tell anyone and you can but p and q you cannot Now the question is If the attacker knows Let's say the attacker What information do they know? Well What's public they know e equals seven? They know n equals 187 And in the else they know at the start They know the algorithm so they know The steps that were applied to generate the key they don't know D If they find D, then this is insecure. So how do they find D? What's some steps? What I get why find p and q? So we can find the totion five n. Okay, so let's go backwards in our steps. What do we do? To find D to generate D We had e and we had the totion of n and Given those we said that if we have e and the totion of n, then it's relatively easy to find D Okay So if the attacker they know e To find D then they must find the totion of n Because if they can find the totion of n Then give an e they can find D Okay, how do they find the totion of n? Find p and q okay or Two ways So we know n equals 187 The question is now. What is the totion of 187? from the attackers perspective and Two ways to find that what we say the manual approach Let's look at all the numbers from one up to 186 and Compare if they're relatively prime with 187 because by definition we just count those numbers and that gives us the totion of n. So we can manually Let's say we manually calculate With 187 it's easy in fact. It wouldn't take long for a piece of software or even you could do it in an exam just list the numbers from one up to 186 and Determine which ones are relatively prime with 187, but if this was a large number Then and we said at the end of the number theory slides today that Determining the totion manually of a large number is practically impossible So if n is very large 187 is not large, but any of say 1000 bits long Then manually finding the totion of n is considered impossible So if we cannot do that what else can the attacker do I think you said it before Well instead of manually determining the totion of n Find p and q Okay, because once we know p and q it's easy to calculate so To find d there were two approaches one manually determine the totion of n to find p and q How do we find p and q? We've got n. How do we find p and q? What's the the process called and if I don't have the size? Integer factorization as the name Let's show the last slide of our number theory said that there are certain problems in number theory which are Practically impossible to solve if the numbers are large enough and we cannot see it. Yeah First one integer factorization we said that if We have two unknown primes p and q which are multiplied together then given n It's practically impossible to find p and q Which is the challenge for the attacker here? They know and they need to find p and q When n is 187 it's easy Okay, you can try different numbers, and I think some of you did that in the mid-term exam But when n is a 1,000 bit number It would take too long to find p and q. Okay, there are no way No known ways to do that in reasonable time So integer integer factorization Factoring a large number into its primes is considered impossible if the number is large enough If we could do that then we could easily break RSA Because we'd find p and q we'd find the totion of n then we'd find d. Okay. It's no longer secure But we cannot do that if it's large enough similar Manually determining the totion of n calculating Euler's totion With large enough n Manually calculating it is considered impossible Okay, there are no known algorithms that would do it in reasonable time so the attackers task of Solving these two problems becomes very hard if we increase the size of those numbers in This simple example you could solve it But with large numbers you would not be able to and that's where the strength of RSA comes in That we can generate the keys but without knowledge of pq the two primes it's Practically impossible to find out what the secret value d is so the user knows d and The attacker cannot find d can the attacker do anything else What else can they try? So here we tried to find d Two ways we we see if the numbers are large enough they won't work Anything else? Show what we've done Remember how we generated the keys okay p times q totient Relatively prime well That didn't work for the attacker because we couldn't find the totion of n And if we can't find the totion of n Then we can't find d Okay, so that approach doesn't work if our numbers are large enough Yep Will there always be a p and q you choose p and q so yes your first step Here key generation your first step when you generate your own keys choose two to large prime numbers So yes, that's what you start with Then you calculate n So you know p and q as the attacker doesn't know it anything else that we can do log n What about from the encryption equations? again Let's write down our our known Algorithms for encryption and decryption and see if the attacker can take advantage of that c equals m To the e mod n and similar m equals c to the d mod n What can we do? Let's say we have In the past we've obtained a cypher text value and The corresponding plain text we don't know the key But we've been lucky enough that we've intercepted some cypher text and we've somehow found out the the plain text Okay, it's an old message. It doesn't give us any value But what if we know m and c as the attacker What if they know m so See and of course they still know e and n they want to find d Well look at this equation here's an equation with four variables m equals c to the d mod n three of them are known One is unknown easy What is it d Equals the discrete log in base c of of m mod n Here we have an X Exponentials c to the power of d mod n equals m the inverse operation that is find the exponent Find d given m c and n Which is a discrete logarithm? The discrete log base c mod n of m equals d So you just need to solve the discrete logarithm How do they know m? Well, maybe they've determined a they found a plain text From an old message. It's no longer relevant, but they found the plain text ciphertext pair So that's possible in some cases so if they find m c and n solve a discrete logarithm and We said that's impossible another challenge in number theory Is I'll show you that on the board in a moment a third challenge in number theory is to solving discrete logarithms It's practically impossible to factor a number into its primes It's practically impossible to manually determine Euler's totion and it's practically impossible to solve discrete logarithms Practically impossible when the numbers are large enough, okay? so the challenge Solve a discrete logarithm But we understand that if the numbers are large enough we cannot solve that okay, so we see that these these difficult problems in number theory are what make RSA strong in theory There's a solution in practice. It takes too long to find that solution anyone else want to break RSA Any other approaches Brute force what is brute force involved with RSA? How would you brute force? different approaches All right one approach. We're trying to find D Or we want want to decrypt some information for example, so we have What do we have we have this equation we we know a ciphertext we know and The N If we don't know the plaintext a brute force would be try all possible values of D Okay Because and the same with a brute force in any cipher if we just try the different values Eventually, we'll get a value of the plaintext that makes sense So we take our ciphertext Raise it to the power of D Mod by N Where we just choose a random value of D We get some plaintext M If it makes sense Success if it doesn't make sense try a different value of D and keep trying So there's one brute force attack try different values of D How do we prevent that make sure D is large enough? Okay Make sure D is large enough such that we must make many attempts and it takes too long to try them all to find The plaintext so the size of D is important in this case Anything else that we can try similar here We've got the inverse operation We know C We know E we know N find M, which is a discrete logarithm except it's slightly different We're trying to find the base when we know the index same difficulty as it is as the finding D So this equation we can write We have a challenge find M given the ciphertext E and N and again It comes down to solving a discrete logarithm, which is too hard if the numbers are large enough There may be a few others that we've we haven't covered the idea is to look at what the attacker knows They know the algorithm They know the public information and then what steps do they have to take to try and find the secret information the plaintext or the key or the private key in particular D and It turns out in all cases So long as we have numbers large enough There are no known techniques which which will do it in reasonable time and RSA today is considered secure with large enough numbers any questions on Those things we've gone through for RSA today What you should take from this today. Okay understand the basic equation Understand how to generate keys the steps The lecture notes describe those steps in more detail. Okay, you have them in the slides Be able to generate the keys. I'll give you some quiz examples of generating keys simple ones understand Although it's removed how Why we need those steps to generate keys Why is it that we need to Choose e relatively prime with the totion of N So there's steps that we derive there And then eventually we will return next In two yeah next week What can the attacker do to try and break it So what Opportunities does the attacker have to try and break RSA and eventually in all cases you lead to you'll find problems Which are too hard so long as the numbers are large enough and that is enough for today on RSA Let's stop there. I Hope what you see so the last thing I hope what you see is the the the beauty in RSA in that Here's the encryption algorithm The most simplest equation you can see in any cipher almost simpler than Caesar cipher in writing it down and Yet secure Let's stop. Well, I'll give you some examples next week, but How long will it take to take if the numbers are large enough it will take you forever? Hundreds of years thousands of years, okay? On the simpler method you'll do that in an exam. Okay on the simple numbers Yes Yes, yes, sim simple simple algorithm, but it's as secure as the other algorithms. Okay, correct