
Quadratic Ciphers

From the document WITH JAVA APPLETS CRYPTOGRAPHY INTRODUCTION TO (Page 197-200)

The cryptosystems we are about to cover in this chapter are called public key cryptosystems. All the cipher systems we’ve looked at so far have been secret key schemes.

This is the classical view of cryptography; it means that both the enciphering key and deciphering key must be kept secret, for knowing one is equivalent to knowing the other. For example, consider a block affine transformation

$C \equiv aP + b \pmod{m}$

where $(a, m) = 1$. The enciphering key consists of the numbers a, m, and b. If an unauthorized user captured these values, she could certainly encrypt messages to you, but even worse (obviously), she can easily derive the decryption key $\bar{a}$ (where $\bar{a}$ is an inverse of a modulo m) and decrypt any messages.

With public key cryptography, the situation is somewhat different. Public key means that two keys are involved: a public key used for enciphering, and a private key used for deciphering. But knowing the encryption key is not equivalent to knowing the decryption key, and this is the crucial difference. With public key cryptography, each user generates a public key, which they distribute to everyone, and a private key, which they do not divulge to anyone. Anyone who wants to send a message to some user must look up their public encryption key and use it to encrypt the message. On the receiving end, the user decrypts the message with their private key. No one else can decrypt because only the intended recipient knows the private key, and the private key is very difficult to calculate from the encryption key.

10.1 THE RABIN CIPHER

The encryption process of the following cipher, known as the Rabin cipher, involves producing ciphertext C from plaintext P as follows:

$C \equiv P^2 \pmod{n}$ $\quad (0 \le P < n,\ 0 \le C < n)$ (†)

Here n is the product of two distinct large primes, say p and q, both congruent to 3 modulo 4. At current levels of computing power, n should be at least 1024 bits in length. The public key in this cipher is n. What is not made public is the prime factorization of n; that is, the two primes p and q are kept secret. These two values are necessary for decryption; thus, they are the private key.

The enciphering process is described in (†). Anyone knowing the value of n can send messages. Now, in order to decipher, we must solve the congruence

$C \equiv P^2 \pmod{n}$

for the plaintext P. We know from previous work that these solutions are obtained by forming the two congruences

$C \equiv P^2 \pmod{p}$ $\qquad$ $C \equiv P^2 \pmod{q}$

and solving them. We then combine these solutions using CRT to obtain solutions for P. Thus, we can only solve (†) for P by factoring the modulus n = pq (at least, no other way to solve these congruences is known). This is why the prime factors of n are kept secret. Only the individual possessing them can decipher. From proposition 31, we get the solution(s) to (†) as

$P \equiv \pm\left(z\,q\,\bar{q}_p \pm w\,p\,\bar{p}_q\right) \pmod{n}$

where $z = C^{(p+1)/4}$, $w = C^{(q+1)/4}$, $\bar{q}_p$ is an inverse of q modulo p, and $\bar{p}_q$ is an inverse of p modulo q.

The obvious drawback to this method is that solving such congruences can produce four distinct square roots P for C. That is, it reports four possible plaintext messages during the decryption phase. If the message is text, it is easy to identify the correct one; it’s the one that doesn’t look like garbage! However, if the message is some type of binary stream, for example, the messages must be tagged in some way so this tag will reappear in the decryption process.

Why is it that we can reveal the value of n to everyone? We know that if someone manages to factor n into its prime factors p and q, our cryptosystem and we will be, metaphorically, up the creek without a paddle! Anyone knowing p and q can decrypt; the question is, how easy is it to factor n? If n is the product of two sufficiently large primes (say a few hundred digits each), then it is nearly impossible to factor n in a reasonable period of time.

In fact, it will take somewhere on the order of a few billion years! We may find this hard to believe since we routinely factor integers in our math classes, but we simply don’t appreciate the size of the numbers involved here. Indeed, factoring has become a huge study involving many techniques, some of which we shall study in upcoming chapters.

EXAMPLE.

To see how the Rabin cipher works, we use the ordinary alphabet A = 00, B = 01, . . . , Z = 25. We will use a block size of four characters. With our choice of alphabet and block size, the largest possible block corresponds to ZZZZ = 25252525. We must pick a modulus n greater than this, and furthermore, n must be the product of 2 primes congruent to 3 modulo 4. Let p = 6911 and q = 6947. (You may wish to verify that p and q are both primes of the form 4k + 3.) These two values are the private key, and must not be made public. We then compute n = 6911 · 6947 = 48010717. The value of n can be made known to anyone, and in fact is necessary for encryption.

We wish to encipher the message SHOOT NOW GEEK

which we will regroup into blocks of four letters each, SHOO TNOW GEEK

then convert the characters into their numerical equivalents. Leading zeros are important:

18071414 19131422 06040410.

Notice that should our messages not be evenly divisible into blocks of size 4, we should use some type of padding scheme. We proceed to encrypt the first block:

$C \equiv 18071414^2 \equiv 1339280 \pmod{48010717}$

This residue is the first ciphertext block. The second block we encrypt as follows:

$C \equiv 19131422^2 \equiv 22338923 \pmod{48010717}$

and the third as:

$C \equiv 6040410^2 \equiv 40412478 \pmod{48010717}$

The transmitted enciphered message is the sequence of numbers 01339280 22338923 40412478.

Now, if you have done the job right and haven’t told anyone about the two secret numbers, p = 6911 and q = 6947, you should be the only individual able to decrypt. (Of course, in this example, n = 48010717 is easily factorable into n = 6911 · 6947; in reality we would use a much larger block size, and much larger primes.) To decrypt the first enciphered block, you must solve the congruence

$1339280 \equiv P^2 \pmod{48010717}$

for P. Using the Chinese Remainder Theorem, we derive the four roots

→ $P \equiv 18071414 \pmod{48010717}$
$P \equiv 16274554 \pmod{48010717}$
$P \equiv 29939303 \pmod{48010717}$
$P \equiv 31736163 \pmod{48010717}$.

The correct root is marked. We decrypt the second block by solving

$22338923 \equiv P^2 \pmod{48010717}$

for P. We get the following roots, with the correct one again marked:

$P \equiv 39784853 \pmod{48010717}$
$P \equiv 28879295 \pmod{48010717}$
$P \equiv 8225864 \pmod{48010717}$
→ $P \equiv 19131422 \pmod{48010717}$.

We solve the third congruence

$40412478 \equiv P^2 \pmod{48010717}$

for P to decrypt the third block. The roots we obtain are:

$P \equiv 36711428 \pmod{48010717}$
→ $P \equiv 6040410 \pmod{48010717}$
$P \equiv 11299289 \pmod{48010717}$
$P \equiv 41970307 \pmod{48010717}$.

You can surely see the problem of deciding between four roots during decryption. In this case, deciding was easy because of our alphabet (no character ≥ 26). In general, how do we know which solution for P is the correct one? The answer is, if we didn’t write the message, we don’t know. The correct root may be any of the four roots, and there is no way of knowing in advance which one it will be. This poses a problem for this cryptosystem: What if two (or more) roots could both be construed as a valid message? One solution may be to tag the blocks with special character(s) which do not otherwise appear in the messages. For instance, in our example we use only the characters A = 00 through Z = 25; we could use the number 26 to tag the beginning of each block, as in:

SHOO TNOW GEEK converts to

28705651 20676817 47296051.

Now, in front of each block, we place the tag, 26:

2628705651 2620676817 2647296051

and encipher this message. Thus, the block size of the enciphered message is greater than that of the plaintext. This is not a problem; many cipher systems exhibit different plaintext/ciphertext block sizes. When we decrypt, the tags will reappear, which we then remove from the message and convert back to characters. Similar tagging schemes can be used for messages that use ASCII character encoding and Unicode. You should remember that some messages, however, are not text at all, but may be any type of binary stream whatsoever.
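As an added example (not code from the book or its applets), the following Python carries out the section's encryption, the CRT decryption that yields all four roots, and the tag-based root selection, using the chapter's p = 6911 and q = 6947. It goes one step beyond the text in one respect: a tagged four-letter block is ten digits and exceeds this small n, so the tagged case uses three-letter blocks instead; the function and variable names are my own.

```python
# Added example (not the book's code): Rabin encryption, CRT-based decryption
# with the chapter's toy parameters, and tag-based selection of the right root.
P_PRIME, Q_PRIME = 6911, 6947          # private key from the chapter
N = P_PRIME * Q_PRIME                  # public key n = 48010717 (toy size only)

def rabin_encrypt(plain, n=N):
    if not 0 <= plain < n:
        raise ValueError("block must satisfy 0 <= P < n")
    return pow(plain, 2, n)            # C = P^2 (mod n)

def rabin_roots(cipher, p=P_PRIME, q=Q_PRIME):
    """All four square roots of cipher mod p*q (requires p, q = 3 mod 4)."""
    assert p % 4 == 3 and q % 4 == 3
    n = p * q
    z = pow(cipher, (p + 1) // 4, p)    # square root of C mod p
    w = pow(cipher, (q + 1) // 4, q)    # square root of C mod q
    q_bar_p = pow(q, -1, p)             # inverse of q modulo p
    p_bar_q = pow(p, -1, q)             # inverse of p modulo q
    # CRT: P = +/-(z q q_bar_p +/- w p p_bar_q) (mod n)
    return sorted({(sz * z * q * q_bar_p + sw * w * p * p_bar_q) % n
                   for sz in (1, -1) for sw in (1, -1)})

def encode_block(letters, tag=None):
    """'SHOO' -> 18071414 with A=00..Z=25; tag=26 prepends the digits 26."""
    digits = "".join(f"{ord(c) - ord('A'):02d}" for c in letters)
    return int(("%02d" % tag if tag is not None else "") + digits)

def decode_block(number, nletters, tag=None):
    """Inverse of encode_block, or None if the tag or alphabet does not fit."""
    width = 2 * nletters + (2 if tag is not None else 0)
    s = str(number).zfill(width)
    if len(s) != width or (tag is not None and int(s[:2]) != tag):
        return None
    pairs = [int(s[i:i + 2]) for i in range(width - 2 * nletters, width, 2)]
    if any(v >= 26 for v in pairs):
        return None                    # a digit pair outside A..Z
    return "".join(chr(ord('A') + v) for v in pairs)

def decrypt_block(cipher, nletters, tag=None, p=P_PRIME, q=Q_PRIME):
    """The unique root that decodes cleanly; None if zero or several do."""
    texts = (decode_block(r, nletters, tag) for r in rabin_roots(cipher, p, q))
    good = [t for t in texts if t is not None]
    return good[0] if len(good) == 1 else None

if __name__ == "__main__":
    for word in ("SHOO", "TNOW", "GEEK"):
        c = rabin_encrypt(encode_block(word))
        print(word, c, rabin_roots(c), decrypt_block(c, 4))
    c = rabin_encrypt(encode_block("SHO", tag=26))   # tagged 3-letter block
    print(rabin_roots(c), decrypt_block(c, 3, tag=26))
```

The untagged run reproduces the three ciphertext blocks and the four roots listed above; the tagged run shows the tag 26 surviving decryption so the correct root can be picked without looking at the letters.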
