The importance of trapdoor functions

RSA algorithm

RSA is named for Rivest, Shamir, and Adleman, the first researchers to publicly describe the approach. To begin, two prime numbers P₁ and P₂ are randomly chosen and multiplied together to find the maximum value or modulus max. A new number pub is selected (0<pub<max) as the public key. Anyone can know the values of pub and max but not P₁ and P₂.

RSA performs encoding by raising each element in a numerically coded version of a plaintext message to the pub power (mod_max). For example, with P₁ = 13 and P₂ = 7, max = 91. With pub = 5, a letter encoded as 67 is encrypted as 67^pub (mod 91): 67 x 67 = 4,489, which is larger than 91, so 4,489 (mod 91) = 30. Using the congruent value 30 for the next multiplication, 30 x 67 = 2,010, and 2,010 (mod 91) = 8. And so on for a total of four times, until 67^5 (mod 91) is found to equal 58. Mathematically, the mod operation can be performed after all the multiplications, but in a real application that uses extremely large numbers, it may be more practical to use congruent values for the intermediate multiplications.

This type of modular multiplication is closely related to the Euclidean algorithm that determines the greatest common divisor between two integers by a process of successive division by the remainder from the previous operation. The Extended Euclidean algorithm calculates an associated factor at each step. It is the final value of this factor, the modular multiplicative inverse, that is the private key—29 in this case. Multiplying 58 by itself 29 times (mod 91) will result in the original 67 being recovered.¹

The modular multiplicative inverse exists if and only if P₁ and P₂ are coprime—they have no common factors. Because P₁ and P₂ are chosen to have hundreds of digits, factoring the product to find P₁ and P₂ is computationally very difficult. Nevertheless, with RSA, I can choose a public key and a pair of prime numbers and tell you and anyone else the resulting max and pub values. You can send me encrypted messages that only I can decode with my private key. Similarly, you can choose your own pub′ and P₁′ and P₂′ values, telling me only the values of pub′ and max′, so that I can send messages that you can decode with your private key. We never have to meet again.

DHM key exchange method

Moving up a level in difficulty, the Diffie-Hellman-Merkle (DHM) method also uses modular arithmetic but involves discrete logarithms instead of factoring. You and I agree to use a certain prime number n as well as a separate base number g, which is specially chosen as a primitive root mod n. This means that for every integer b<n, there is an integer k such that g^k ≡ b (mod n): k is called the discrete logarithm of b to the base g modulo n.

I choose a secret number A and compute g^A mod n, which I send to you using a public communications link. You choose a secret number C and compute g^C mod n, which you send to me also without regard for security. I compute g^CA mod n using my secret integer A, and you compute g^AC mod n using your secret interger C. We both get the same value [(g^A mod n)^C mod n = (g^C mod n)^A mod n = g^CA mod n = g^AC mod n] that we use as a shared symmetric encryption key.²

Knowing n, g, g^A mod n, and g^C mod n, anyone trying to decrypt messages needs to solve a difficult discrete logarithm problem to determine A or C. In practice, n may have 200 to 300 digits and both A and C at least 100.

Elliptic cryptography

Rather than using relatively straightforward modular multiplication or exponentiation to relate the values within a cyclic group, elliptic curve cryptography (ECC) is based on the group of modulo n points that lie on a curve typically described as Y² = X³ + AX + B. When evaluated as a straightforward algebraic equation using real numbers, a curve similar to that in the figure results. However, for cryptographic purposes, the equation is modularly evaluated, resulting in a field of discrete X,Y points.

A straight line drawn through points X₁,Y₁ and X₂,Y₂ will intersect the curve only at one other point X₃,Y₃ (or at infinity, which is included in the set of allowed points). By definition, X₁,Y₁, + X₂,Y₂ = X₃,-Y₃; that is, the sum is defined to be on the side of the curve opposite to the intersection. Doubling a point is defined in the same way as addition, but because only one point is given, the straight line is assumed to be tangent to the curve at that point.

For the curve Y² = X³ + 2x + 2 mod 17, and starting with the point P₁ = (5,1), find P₃ = 2 x P₁. The slope at P₁ is given by s = 3X₁² + 2/(2Y₁) mod 17. The new X₃ = s² -X₁ -X₂ mod 17, and Y₃ = s(X₁ – X₂) -Y₁ mod 17 where X₁ = X₂ = 5 and Y₁ = 1.

The slope s is evaluated as (3 x 5² + 2)/(2 x 1) mod 17 ≡ 9/2 mod 17. Modular division is not straightforward: 9/2 = 9 x 2^-1. The multiplicative inverse of a number Z (mod m) is a value that when multiplied mod m by Z = 1. In this case, the multiplicative inverse exists because 2 and 17 are coprime: 2 x 9 mod 17 ≡ 1, so 9/2 mod 17 ≡ 9 x 9 mod 17 ≡ 13. Similarly evaluating the expressions for X₃ and Y₃ gives P₃ = (6,3): so, 2 x (5,1) = (6,3). In general, the number of discrete points on a curve is close to the modulus value. For this curve, there are 19 points including the point at infinity.³

Similarly, multiplication and exponentiation can be defined on an elliptic curve. And, following the same type of public/private key exchange as used in the DHM method, two parties can establish secure communications. However, when elliptic curve cryptography is used, the much harder problem of finding the discrete logarithm of a random elliptic curve element results—and nobody actually has figured out how to do that in a practical sense. Just how much more difficult this method is can be seen by noting that the RSA algorithm would need a 2,380-bit key to be as secure as a 228-bit ECC key.¹

Other schemes

Rather than rely on modular arithmetic, the family of advanced encryption standard (AES) algorithms uses substitution-permutation operations. Exclusive ORing, swapping rows for columns in arrays, shifting array rows by different amounts, substituting lookup table values, and similar actions are repeated a number of times depending on the length of the key. Decryption runs the steps in the reverse order.

AES is based on work by Rijndael and Rijmen, two Belgian cryptographers, and the NIST specification dates from 2001-2002. The Rijndael algorithm allows key lengths in multiples of 32 bits up to 256, but only lengths of 128, 192, and 256 are implemented in AES. The method is a symmetric key algorithm, so it has the usual problem of secure key distribution. All three key lengths have been approved by the NSA for secret information and the 192-bit and 256-bit key lengths for top secret.⁴

Summary

Encryption algorithms are available at various levels of complexity and security. Discussing a few of the more popular ones has demonstrated the principles underlying them, although necessarily at a very basic level. Those algorithms adopted as government specifications have been extensively studied and often standardized. For example, NIST recommends a series of elliptic curves for government work.⁵

References

1. Sullivan, N., “A (relatively easy to understand) primer on elliptic curve cryptography,” ars technica, October 2013.

2. Rouse, M., “Diffie-Hellman key exchange (exponential key exchange),” TechTarget, August 2007.

3. “Elliptic curve cryptography,” University of California at Santa Barbara, Computer Science Department.

4. “CNSS Policy No. 15 Fact Sheet No. 1,” Committee on National Security Systems, National Institute of Standards and Technology, June 2003.

5. “Recommended Elliptic Curves For Federal Government Use,” National Institute of Standards and Technology, July 1999.