Public Key Crypto

RSA - PowerPoint PPT Presentation



PowerPoint Slideshow about ' RSA' - abraham-taylor


Presentation Transcript

RSA

CSCI284 Spring 2007

GWU

Sections 5.1, 5.2.2, 5.3


How does Alice send Bob the decryption key in private key crypto?

  • If Alice wants it such that anyone can decrypt her messages, but know that they came from her

    • Suppose she could make the decryption key available in a public place

    • This would require that the decryption key should not give any information on the encryption key, in particular it should not be equal to it

CS284-162/Spring07/GWU/Vora/RSA


How does Alice send Bob the decryption key in private key crypto? contd

  • If she wants it so that only Bob can read her messages, and Bob is ok with anyone sending him messages in this way

    • Suppose Bob makes his encryption key available publicly

    • No one should be able to compute the decryption key from the encryption key

    • This is the dual of the previous case

Public Key Cryptography

Two injective functions f and g such that fg=I

i.e. messages encrypted with one can be decrypted with the other; functions include association with key

f cannot be used to find g and vice versa

One is made public, the other kept private

Encryption with public function provides confidential transmission, decryption with public function provides authentication

One-way function

A one-way function is easy in the forward direction, difficult in the reverse direction. Example:

$f(x) = x^a \bmod m$

Trapdoor One-way Function

A trapdoor one-way function is easy in the reverse direction for someone with access to a trapdoor (secret information enabling easy inversion).

Example: if $f(x) = x^a \bmod m$ where $\gcd(a, \phi(m)) = 1$, and $m = pq$ for primes p and q, knowledge of p or q is a trapdoor

RSA: Cocks (’73), Rivest, Shamir, Adleman (’76)

$n = pq$, p and q (large) primes

$P = C = Z_n$

$K = \{(n, p, q, a, b) : ab \equiv 1 \bmod \phi(n)\}$

$f_K(m) = m^a \bmod n$

$g_K(m) = m^b \bmod n$

Efficient exponentiation (from Memon notes)

Usual approach to computing $x^c \bmod n$ is inefficient when c is large.

Example: $5^{51}$ involves 50 multiplications mod n

Instead, represent c as bit string $b_{k-1} \ldots b_0$ and use the following algorithm:

z = 1

For i = k-1 downto 0 do

    z = z^2 mod n

    if b_i = 1 then z = z * x mod n

How many multiplications? $k = 2\lceil \log_2 c \rceil$

Example

Calculate $5^{51} \bmod 7$ efficiently

$51 = 110011_2 = 2^5 + 2^4 + 2^1 + 2^0$

$5^{51} = ((((5^2)^2)^2)^2)^2 \cdot (((5^2)^2)^2)^2 \cdot 5^2 \cdot 5^1$

How many multiplications did you need?

$5^{51} \bmod 7$
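The square-and-multiply loop from the "Efficient exponentiation" slide applied to 5^51 mod 7, as an added Python example that is not part of the original presentation. The function names and the per-bit trace are assumptions made for illustration.

```python
def naive_modexp(x, c, n):
    """Repeated multiplication: c - 1 multiplications mod n (for c >= 1)."""
    z, mults = x % n, 0
    for _ in range(c - 1):
        z = (z * x) % n
        mults += 1
    return z, mults


def square_and_multiply(x, c, n):
    """Left-to-right binary exponentiation, following the slide's loop.

    Returns (x**c mod n, multiplications used, trace of (bit, z) per step).
    """
    z, mults, trace = 1, 0, []
    for bit in bin(c)[2:]:              # b_{k-1} ... b_0, most significant first
        z = (z * z) % n                 # z = z^2 mod n
        mults += 1
        if bit == "1":
            z = (z * x) % n             # z = z * x mod n
            mults += 1
        trace.append((bit, z))
    return z, mults, trace


if __name__ == "__main__":
    value, fast, trace = square_and_multiply(5, 51, 7)
    _, slow = naive_modexp(5, 51, 7)
    for bit, z in trace:
        print(f"bit {bit}: z = {z}")
    print(f"5^51 mod 7 = {value}: {fast} multiplications instead of {slow}")
```

The count is one squaring per exponent bit plus one multiplication per 1 bit, so at most 2k for a k-bit exponent. Because the extra multiplication happens only for 1 bits, the running time of this loop depends on the bits of the exponent.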

RSA: Key generation

Find p and q (two large random primes)

$n = pq$

$\phi(n) = (p-1)(q-1)$

Choose random a invertible mod $\phi(n)$ s.t. $1 < a < \phi(n)$

i.e. a s.t. $\gcd(a, \phi(n)) = 1$

Use Euclidean algorithm to find $b = a^{-1} \bmod \phi(n)$

Not known how to determine $\phi(n)$ without p and q

One key: (n, a); other key: (n, b)

Example

A Trapdoor One-way Function?

  • RSA encryption is believed to be a one-way function with the factorization of n as the trapdoor.

  • It is not known if encryption really is one-way

  • It is not known if there are other trapdoors

  • However, for security, it is certainly required that it not be possible to factor n

Security of RSA: Is it based on hardness of factoring n?

  • It is not known if:

    • factoring a product of two primes into its prime components is

      • solvable in polynomial time

      • NP-complete

    • there are other trapdoors to RSA, i.e. other ways of breaking it in general

  • Factoring is an easy problem in the quantum computing model.

Computational Complexity

Computational complexity of the following operations on x (k bit) and y (l bit), $k \ge l$:

  • x + y

  • x – y

  • xy

  • $\lfloor x/y \rfloor$: $O(l(k-l))$

  • gcd(x, y): $O(k^3)$

Computational Complexity mod n

Computational complexity of the following operations mod n, where n is a k-bit integer:

  • x + y

  • x – y

  • xy

  • $x^{-1}$

  • $x^c$, $c < n$: $O(k^2 \log c) = O(k^3)$

RSA: Computational complexity

  • 512 bit primes, n is 1024 bits

  • Encryption: $b^3$ where a plaintext character is b bits

  • Decryption by brute force: $2^b b^3$

  • Key generation: Primes? $O(b^2)$, $O(b^3)$

Encryption of blocks of symbols

Block ABCD…, each symbol is base N (e.g. N=2, 16)

Convert a block of a few symbols to an integer mod n

RSA encrypt

Convert back to base N

Example.

RSA Decryption

Show that $f_K$ and $g_K$ are inverses

$f(g(x))$

$= x^{ba} \bmod n$

$= x^{t\phi(n)+1} \bmod n$

$= x \cdot x^{t\phi(n)} \bmod n$

What do we do now?

We will need

  • Chinese Remainder Theorem (CRT)

  • Lagrange’s Theorem

CRT: Solve congruences

What is x?

$17x \equiv 3 \bmod 101$

$5x \equiv 2 \bmod 7$

Chinese Remainder Theorem

There is exactly one number modulo xy which is b mod x and B mod y if x and y are relatively prime.

Proof: Suppose not. Then:

First number = ax + b = Ay + B

Second number = cx + b = Cy + B

(a-c)x = (A-C)y

  • $y \mid (a-c)x \Rightarrow y \mid (a-c)$ because x and y are relatively prime

  • a = my + c

  • first number = mxy + cx + b = second number modulo xy

Determine a number x given $x = a_i \bmod m_i$ for i = 1 … n

$\gcd(m_i, m_j) = 1$, $i \ne j$

Let $M = \prod_i m_i$

And $M_i = M/m_i$

Find $y_i$ such that $y_i M_i = 1 \bmod m_i$

Then $x = (\sum_i a_i y_i M_i) \bmod M$

Example.

So we have shown that:

There is exactly one number that satisfies the congruences, and that it can be determined using the formula provided.

Define the map $Z_M \to Z_{m_1} \times Z_{m_2} \times \cdots \times Z_{m_r}$ by

$x \mapsto (x \bmod m_1, x \bmod m_2, \ldots, x \bmod m_r)$

Example.

CRT is equivalent to saying that this map is bijective (one-to-one, i.e. injective; and onto, i.e. surjective)

Order of an element

Smallest number such that repeated group operation on the element gives the identity

That is, for any $g \in$ group G with operation $\circ$, i is the smallest number such that

$o(g) = i \Rightarrow \underbrace{g \circ g \circ \cdots \circ g}_{i \text{ times}} =$ group identity

Example

Lagrange’s theorem on the order of a group element

Theorem: Suppose G is a multiplicative group of order n (i.e. the group operation is multiplication) and $g \in G$. Then the order of g divides n.

Example: multiplicative group. True also of additive groups. Example: additive group.

Lagrange’s theorem on the order of a group element - II

Proof: Consider the following relation:

$a \sim b$ iff $a x^i = b$ for some i

  • $\sim$ is an equivalence relation because:

    • $a x^{o(x)} = a$

    • If $a \sim b$ then $b = a x^i$ and $a = b x^{-i}$ and $b \sim a$

    • If $a \sim b$ and $b \sim c$, then $b = a x^i$ and $c = b x^j = a x^{i+j}$ and $a \sim c$

      Hence, the cosets of this relation partition the group and are of equal size.

      Example: the relation for some x and composite n

Lagrange’s theorem on the order of a group element - III

Hence, the size of any coset divides the size of the group if it is finite

$\{e, x^1, x^2, \ldots, x^{o(x)}\}$ is a coset of size o(x)

Because any coset that contains x

$= \{a \text{ s.t. } a x^i = x \text{ for some } i\}$

$= \{a = x^{1-i} \text{ for some } i\}$

$= \{x^j \text{ for some } j\}$

Hence o(x) | n

Example, composite n

Euler Phi function (number of invertible elements in $Z_m$)

If m = pq,

1, 2, 3, …, p, …, 2p, …, 3p, …, qp: q numbers divisible by p

1, 2, 3, …, q, …, 2q, …, 3q, …, pq: p numbers divisible by q

pq only number counted twice. No other numbers.

  • pq – p – q + 1 = (p-1)(q-1) invertible elements

Can also show previous result using CRT

RSA Decryption

Show that $f_K$ and $g_K$ are inverses

$f(g(x))$

$= x^{ba} \bmod n$

$= x^{t\phi(n)+1} \bmod n$

$= x \cdot x^{t\phi(n)} \bmod n$

$= x \bmod n$ if $x \in Z_n^*$ (By Lagrange’s Theorem)

What if $x \in Z_n \setminus Z_n^*$?

$x \cdot x^{t\phi(n)} \bmod n = ?$

For $x \in Z_n \setminus Z_n^*$

Write $Z_n = Z_p \times Z_q$

Use CRT:

$x \mapsto (x \bmod p, x \bmod q)$

= wlog $(0, d)$ (because $x \in Z_n \setminus Z_n^*$)

$x^{\phi(n)} = (0, d^{\phi(n)}) = (0, 1)$

$x \cdot x^{\phi(n)} = (0, 1)(0, d) = x$

A simple inefficient algorithm for generating a prime

  • Generate a b-bit random number

  • It is prime with probability $1/\ln 2^b = 1/(\ln 2 \cdot b) = O(1/b)$

  • Generate enough candidates and you will be done, in $O(b)$ complexity.

  • How do you check if it is prime?

Eratosthenes Sieve

If you want a prime of length b bits, list the numbers 2 to $2^{b/2}$

Starting from the beginning, delete all multiples of each prime: delete 4, 6, 8, …; 6, 9, ……

At the end will be left with the primes

Check if these primes divide your randomly generated number

If not, it is prime.
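The last two slides combined: draw random b-bit candidates and test each one by dividing by the sieved primes up to 2^(b/2). This is an added Python example, not from the original slides; the function names and the 40-bit limit are assumptions, the limit chosen because the sieve needs about 2^(b/2) bytes of memory.

```python
import secrets


def sieve(limit):
    """Eratosthenes sieve: all primes <= limit."""
    if limit < 2:
        return []
    flags = bytearray([1]) * (limit + 1)
    flags[0] = flags[1] = 0
    i = 2
    while i * i <= limit:
        if flags[i]:                    # i is prime: delete its multiples
            flags[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
        i += 1
    return [k for k, keep in enumerate(flags) if keep]


def is_prime_trial(n, small_primes):
    """Trial division; small_primes must cover every prime <= sqrt(n)."""
    if n < 2:
        return False
    for p in small_primes:
        if p * p > n:
            break
        if n % p == 0:
            return False
    return True


def random_prime(b):
    """Return (prime, candidates tried) for a prime of exactly b bits."""
    if not 2 <= b <= 40:
        raise ValueError("b must be between 2 and 40 for this sieve-based check")
    primes = sieve(1 << ((b + 1) // 2))  # 2^ceil(b/2) >= sqrt of any b-bit number
    tries = 0
    while True:
        tries += 1
        candidate = secrets.randbits(b) | (1 << (b - 1))   # force the top bit
        if is_prime_trial(candidate, primes):
            return candidate, tries


if __name__ == "__main__":
    p, tries = random_prime(24)
    print(f"{p} is a 24-bit prime, found after {tries} candidates")
```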
