RSA

1 / 34

# RSA - PowerPoint PPT Presentation

Public Key Crypto RSA. RSA. CSCI284 Spring 2007 GWU Sections 5.1, 5.2.2, 5.3. How does Alice send Bob the decryption key in private key crypto?. If Alice wants it such that anyone can decrypt her messages, but know that they came from her

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about ' RSA' - abraham-taylor

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Public Key Crypto

• RSA

### RSA

CSCI284 Spring 2007

GWU

Sections 5.1, 5.2.2, 5.3

• If Alice wants it such that anyone can decrypt her messages, but know that they came from her
• Suppose she could make the decryption key available in a public place
• This would require that the decryption key should not give any information on the encryption key, in particular it should not be equal to it

CS284-162/Spring07/GWU/Vora/RSA

• If she wants it so that only Bob can read her messages, and Bob is ok with anyone sending him messages in this way
• Suppose Bob makes his encryption key available publicly
• No one should be able to compute the decryption key from the encryption key
• This is the dual of the previous case

CS284-162/Spring07/GWU/Vora/RSA

Public Key Cryptography

Two injective functions f and g such that fg=I

i.e. messages encrypted with one can be decrypted with the other; functions include association with key

f cannot be used to find g and vice versa

One is made public, the other kept private

Encryption with public function provides confidential transmission, decryption with public function provides authentication

CS284-162/Spring07/GWU/Vora/RSA

One-way function

A one-way function is easy in the forward direction, difficult in the reverse direction. Example:

f(x) = xa mod m

CS284-162/Spring07/GWU/Vora/RSA

Trapdoor One-way Function

A trapdoor one-way function is easy in the reverse direction for someone with access to a trapdoor (secret information enabling easy inversion).

Example: if f(x) = xa mod m where gcd(a, (m))= 1, and (m) = pq for primes p and q, knowledge of p or q is a trapdoor

CS284-162/Spring07/GWU/Vora/RSA

RSACocks (’73), Rivest, Shamir, Adleman (’76)

n = pq, p and q (large) primes

P = C = Zn

K = {(n, p, q, a, b}: ab 1 mod (n)}

fK(m) = ma mod n

gK(m) = mb mod n

CS284-162/Spring07/GWU/Vora/RSA

Efficient exponentiation(from Memon notes)

Usual approach to computing xc mod n is inefficient when c is large.

Example: 551involves 50 multiplications mod n

Instead, represent c as bit string bk-1 … b0 and use the following algorithm:

z = 1

For i = k-1 downto 0 do

z = z2 mod n

if bi = 1 then z = z x mod n

How many multiplications? k = 2ceiling(log2c)

CS284-162/Spring07/GWU/Vora/RSA

Example

Calculate 551 mod 7 efficiently

51 = 110011 = 25 + 24 + 21 + 20

551 = ((((52)2)2)2)2 (((52)2)2)2 52 51

How many multiplications did you need?

CS284-162/Spring07/GWU/Vora/RSA

551 mod 7

CS284-162/Spring07/GWU/Vora/RSA

RSA: Key generation

Find p and q (two large random primes)

n pq

(n)  (p-1)(q-1)

Choose random a invertible mod (n) s.t 1 < a < (n)

i.e. a s.t gcd(a, (n)) = 1

Use Euclidean algorithm to find b=a-1mod (n)

Not known how to determine (n) without p and q

One key: (n, a) other key (n, b)

CS284-162/Spring07/GWU/Vora/RSA

Example

CS284-162/Spring07/GWU/Vora/RSA

A Trapdoor One-way Function?
• RSA encryption is believed to be a one-way function with the factorization of n as the trapdoor.
• It is not known if encryption really is one-way
• It is not known if there are other trapdoors
• However, for security, it is certainly required that it not be possible to factor n

CS284-162/Spring07/GWU/Vora/RSA

Security of RSAIs it based on hardness of factoring n?
• It is not known if:
• factoring a product of two primes into its prime components is
• solvable in polynomial time
• NP-complete
• there are other trapdoors to RSA, i.e. other ways of breaking it in general
• Factoring is an easy problem in the quantum computing model.

CS284-162/Spring07/GWU/Vora/RSA

Computational Complexity

Computational complexity of the following operations on x (k bit) and y (l bit), k l:

• x + y
• x – y
• xy
• Floor(x/y) O(l(k-l))
• gcd(x, y) O(k3)

CS284-162/Spring07/GWU/Vora/RSA

Computational Complexity mod n

Computational complexity of the following operations on mod n, where n is a k-bit integer:

• x + y
• x – y
• xy
• x-1
• xc c< n O(k2log c) = O(k3)

CS284-162/Spring07/GWU/Vora/RSA

RSA: Computational complexity
• 512 bit primes, n is 1024 bits
• Encryption: b3 where a plaintext character is b-bits
• Decryption by brute force: 2bb3
• Key generation: Primes? O(b2), O(b3)

CS284-162/Spring07/GWU/Vora/RSA

Encryption of blocks of symbols

Block ABCD…, each symbol is base N (e.g. N=2, 16)

Convert a block of a few symbols to an integer mod n

RSA encrypt

Convert back to base N

Example.

CS284-162/Spring07/GWU/Vora/RSA

RSA Decryption

Show that fK and gK are inverses

f(g(x))

= xba mod n

= xt(n)+1 mod n

= x xt (n) mod n

What do we do now?

CS284-162/Spring07/GWU/Vora/RSA

We will need
• Chinese Remainder Theorem (CRT)
• Lagrange’s Theorem

CS284-162/Spring07/GWU/Vora/RSA

CRT: Solve congruences

What is x?

17x  3 mod 101

5x  2 mod 7

CS284-162/Spring07/GWU/Vora/RSA

Chinese Remainder Theorem

There is exactly one number modulo xy which is bmodx and Bmody if x and y are relatively prime.

Proof: Suppose not. Then:

First number = ax + b = Ay + B

Second number = cx + b = Cy + B

(a-c)x = (A-C)y

• y | (a-c)x  y | (a-c) because x and y rel. prime
• a = my + c
• first number = mxy + cx + b = second number modulo xy

CS284-162/Spring07/GWU/Vora/RSA

Determine a number x given x = ai modmi for i = 1 … n

gcd(mi mj ) = 1 ij

Let M = i mi

And Mi = M/mi

Find yi such that yiMi = 1 mod mi

Then x = (I aiyiMi) mod M

Example.

CS284-162/Spring07/GWU/Vora/RSA

So we have shown that:

There is exactly one number that satisfies the congruences, and that it can be determined using the formula provided.

Define : ZM  Zm1  Zm2  ….  Zmr

(x) = (x mod m1 x mod m2 ...…x mod mr)

Example.

CRT is equivalent to saying that  is bijective (one-to-one, i.e. injective; and onto, i.e. surjective)

CS284-162/Spring07/GWU/Vora/RSA

Order of an element

Smallest number such that repeated group operation on the element gives the identity

That is, for any ggroup G with operation ○, i is the smallest number such that

o(g) = i  g○ g ○...○g = group identity

Example

{

i times

CS284-162/Spring07/GWU/Vora/RSA

Lagrange’s theorem on the order of a group element

Theorem: Suppose G is a multiplicative group of order n (i.e. the group operation is multiplication) and gG. Then the order of g divides n.

Example: multiplicative group. True also of additive groups. Example: additive group.

CS284-162/Spring07/GWU/Vora/RSA

Lagrange’s theorem on the order of a group element - II

Proof: Consider the following relation:

a  b iff axi = b for some i

• is an equivalence relation because:
• axo(x) = a
• If a  bthen b = axi and a = bx-i and b  a
• If a  b and b  c, then b = axi and c = bxj = axi+j and a  c

Hence, the cosets of this relation partition the group and are of equal size.

Example: the relation for some x and composite n

CS284-162/Spring07/GWU/Vora/RSA

Lagrange’s theorem on the order of a group element - III

Hence, the size of any coset divides the size of the group if it is finite

{e, x1, x2, …xo(x)} is a coset of size o(x)

Because any coset that contains x

= {a s.t axi = x  i}

= {a = x1-i  i}

= {xj  j }

Hence o(x) | n

Example, composite n

CS284-162/Spring07/GWU/Vora/RSA

Euler Phi function(number of invertible elements in Zm)

If m = pq,

1, 2, 3, …p, ..2p, ..3p, …qpq numbers divisible by p

1, 2, 3, …q, ..2q, ..3q, …pqp numbers divisible by q

pq only number counted twice. No other numbers.

• pq – p – q + 1 = (p-1)(q-1) invertible elements

CS284-162/Spring07/GWU/Vora/RSA

Can also show previous result using CRT

CS284-162/Spring07/GWU/Vora/RSA

RSA Decryption

Show that fK and gK are inverses

f(g(x))

= xba mod n

= xt(n)+1 mod n

= x xt (n) mod n

= x mod n if x Zn* (By Lagrange’s Theorem)

What if x  Zn\Zn*?

CS284-162/Spring07/GWU/Vora/RSA

x xt (n) mod n = ?

For x  Zn\Zn*

Write Zn = ZpX Zq

Use CRT:

x  (x mod p, x mod q)

= wlog (0, d) (because x  Zn\Zn*)

x(n) = (0, d(n)) = (0, 1)

x. x(n) = (0, 1) (0, d(n)) = x

CS284-162/Spring07/GWU/Vora/RSA

A simple inefficient algorithm for generating a prime
• Generate a b-bit random number
• It is prime with probability 1/ln 2b = 1/(ln2  b) = O(1/b)
• Generate enough and will be done, in O(b) complexity.
• How do you check if it is prime?

CS284-162/Spring07/GWU/Vora/RSA

Eratosthenes Sieve

If want a prime of length b bits, list the numbers 2 to 2b/2

Starting from the beginning, delete all multiples of each prime: delete 4, 6, 8, …; 6, 9, ……

At the end will be left with the primes

Check if these primes divide your randomly generated number

If not, it is prime.

CS284-162/Spring07/GWU/Vora/RSA