- 99 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' RSA' - abraham-taylor

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

How does Alice send Bob the decryption key in private key crypto?

- If Alice wants it such that anyone can decrypt her messages, but know that they came from her
- Suppose she could make the decryption key available in a public place
- This would require that the decryption key should not give any information on the encryption key, in particular it should not be equal to it

CS284-162/Spring07/GWU/Vora/RSA

How does Alice send Bob the decryption key in private key crypto? contd

- If she wants it so that only Bob can read her messages, and Bob is ok with anyone sending him messages in this way
- Suppose Bob makes his encryption key available publicly
- No one should be able to compute the decryption key from the encryption key
- This is the dual of the previous case

CS284-162/Spring07/GWU/Vora/RSA

Public Key Cryptography

Two injective functions f and g such that fg=I

i.e. messages encrypted with one can be decrypted with the other; functions include association with key

f cannot be used to find g and vice versa

One is made public, the other kept private

Encryption with public function provides confidential transmission, decryption with public function provides authentication

CS284-162/Spring07/GWU/Vora/RSA

One-way function

A one-way function is easy in the forward direction, difficult in the reverse direction. Example:

f(x) = xa mod m

CS284-162/Spring07/GWU/Vora/RSA

Trapdoor One-way Function

A trapdoor one-way function is easy in the reverse direction for someone with access to a trapdoor (secret information enabling easy inversion).

Example: if f(x) = xa mod m where gcd(a, (m))= 1, and (m) = pq for primes p and q, knowledge of p or q is a trapdoor

CS284-162/Spring07/GWU/Vora/RSA

RSACocks (’73), Rivest, Shamir, Adleman (’76)

n = pq, p and q (large) primes

P = C = Zn

K = {(n, p, q, a, b}: ab 1 mod (n)}

fK(m) = ma mod n

gK(m) = mb mod n

CS284-162/Spring07/GWU/Vora/RSA

Efficient exponentiation(from Memon notes)

Usual approach to computing xc mod n is inefficient when c is large.

Example: 551involves 50 multiplications mod n

Instead, represent c as bit string bk-1 … b0 and use the following algorithm:

z = 1

For i = k-1 downto 0 do

z = z2 mod n

if bi = 1 then z = z x mod n

How many multiplications? k = 2ceiling(log2c)

CS284-162/Spring07/GWU/Vora/RSA

Example

Calculate 551 mod 7 efficiently

51 = 110011 = 25 + 24 + 21 + 20

551 = ((((52)2)2)2)2 (((52)2)2)2 52 51

How many multiplications did you need?

CS284-162/Spring07/GWU/Vora/RSA

551 mod 7

CS284-162/Spring07/GWU/Vora/RSA

RSA: Key generation

Find p and q (two large random primes)

n pq

(n) (p-1)(q-1)

Choose random a invertible mod (n) s.t 1 < a < (n)

i.e. a s.t gcd(a, (n)) = 1

Use Euclidean algorithm to find b=a-1mod (n)

Not known how to determine (n) without p and q

One key: (n, a) other key (n, b)

CS284-162/Spring07/GWU/Vora/RSA

Example

CS284-162/Spring07/GWU/Vora/RSA

A Trapdoor One-way Function?

- RSA encryption is believed to be a one-way function with the factorization of n as the trapdoor.
- It is not known if encryption really is one-way
- It is not known if there are other trapdoors
- However, for security, it is certainly required that it not be possible to factor n

CS284-162/Spring07/GWU/Vora/RSA

Security of RSAIs it based on hardness of factoring n?

- It is not known if:
- factoring a product of two primes into its prime components is
- solvable in polynomial time
- NP-complete
- there are other trapdoors to RSA, i.e. other ways of breaking it in general
- Factoring is an easy problem in the quantum computing model.

CS284-162/Spring07/GWU/Vora/RSA

Computational Complexity

Computational complexity of the following operations on x (k bit) and y (l bit), k l:

- x + y
- x – y
- xy
- Floor(x/y) O(l(k-l))
- gcd(x, y) O(k3)

CS284-162/Spring07/GWU/Vora/RSA

Computational Complexity mod n

Computational complexity of the following operations on mod n, where n is a k-bit integer:

- x + y
- x – y
- xy
- x-1
- xc c< n O(k2log c) = O(k3)

CS284-162/Spring07/GWU/Vora/RSA

RSA: Computational complexity

- 512 bit primes, n is 1024 bits
- Encryption: b3 where a plaintext character is b-bits
- Decryption by brute force: 2bb3
- Key generation: Primes? O(b2), O(b3)

CS284-162/Spring07/GWU/Vora/RSA

Encryption of blocks of symbols

Block ABCD…, each symbol is base N (e.g. N=2, 16)

Convert a block of a few symbols to an integer mod n

RSA encrypt

Convert back to base N

Example.

CS284-162/Spring07/GWU/Vora/RSA

RSA Decryption

Show that fK and gK are inverses

f(g(x))

= xba mod n

= xt(n)+1 mod n

= x xt (n) mod n

What do we do now?

CS284-162/Spring07/GWU/Vora/RSA

Chinese Remainder Theorem

There is exactly one number modulo xy which is bmodx and Bmody if x and y are relatively prime.

Proof: Suppose not. Then:

First number = ax + b = Ay + B

Second number = cx + b = Cy + B

(a-c)x = (A-C)y

- y | (a-c)x y | (a-c) because x and y rel. prime
- a = my + c
- first number = mxy + cx + b = second number modulo xy

CS284-162/Spring07/GWU/Vora/RSA

Determine a number x given x = ai modmi for i = 1 … n

gcd(mi mj ) = 1 ij

Let M = i mi

And Mi = M/mi

Find yi such that yiMi = 1 mod mi

Then x = (I aiyiMi) mod M

Example.

CS284-162/Spring07/GWU/Vora/RSA

So we have shown that:

There is exactly one number that satisfies the congruences, and that it can be determined using the formula provided.

Define : ZM Zm1 Zm2 …. Zmr

(x) = (x mod m1 x mod m2 ...…x mod mr)

Example.

CRT is equivalent to saying that is bijective (one-to-one, i.e. injective; and onto, i.e. surjective)

CS284-162/Spring07/GWU/Vora/RSA

Order of an element

Smallest number such that repeated group operation on the element gives the identity

That is, for any ggroup G with operation ○, i is the smallest number such that

o(g) = i g○ g ○...○g = group identity

Example

{

i times

CS284-162/Spring07/GWU/Vora/RSA

Lagrange’s theorem on the order of a group element

Theorem: Suppose G is a multiplicative group of order n (i.e. the group operation is multiplication) and gG. Then the order of g divides n.

Example: multiplicative group. True also of additive groups. Example: additive group.

CS284-162/Spring07/GWU/Vora/RSA

Lagrange’s theorem on the order of a group element - II

Proof: Consider the following relation:

a b iff axi = b for some i

- is an equivalence relation because:
- axo(x) = a
- If a bthen b = axi and a = bx-i and b a
- If a b and b c, then b = axi and c = bxj = axi+j and a c

Hence, the cosets of this relation partition the group and are of equal size.

Example: the relation for some x and composite n

CS284-162/Spring07/GWU/Vora/RSA

Lagrange’s theorem on the order of a group element - III

Hence, the size of any coset divides the size of the group if it is finite

{e, x1, x2, …xo(x)} is a coset of size o(x)

Because any coset that contains x

= {a s.t axi = x i}

= {a = x1-i i}

= {xj j }

Hence o(x) | n

Example, composite n

CS284-162/Spring07/GWU/Vora/RSA

Euler Phi function(number of invertible elements in Zm)

If m = pq,

1, 2, 3, …p, ..2p, ..3p, …qpq numbers divisible by p

1, 2, 3, …q, ..2q, ..3q, …pqp numbers divisible by q

pq only number counted twice. No other numbers.

- pq – p – q + 1 = (p-1)(q-1) invertible elements

CS284-162/Spring07/GWU/Vora/RSA

Can also show previous result using CRT

CS284-162/Spring07/GWU/Vora/RSA

RSA Decryption

Show that fK and gK are inverses

f(g(x))

= xba mod n

= xt(n)+1 mod n

= x xt (n) mod n

= x mod n if x Zn* (By Lagrange’s Theorem)

What if x Zn\Zn*?

CS284-162/Spring07/GWU/Vora/RSA

x xt (n) mod n = ?

For x Zn\Zn*

Write Zn = ZpX Zq

Use CRT:

x (x mod p, x mod q)

= wlog (0, d) (because x Zn\Zn*)

x(n) = (0, d(n)) = (0, 1)

x. x(n) = (0, 1) (0, d(n)) = x

CS284-162/Spring07/GWU/Vora/RSA

A simple inefficient algorithm for generating a prime

- Generate a b-bit random number
- It is prime with probability 1/ln 2b = 1/(ln2 b) = O(1/b)
- Generate enough and will be done, in O(b) complexity.
- How do you check if it is prime?

CS284-162/Spring07/GWU/Vora/RSA

Eratosthenes Sieve

If want a prime of length b bits, list the numbers 2 to 2b/2

Starting from the beginning, delete all multiples of each prime: delete 4, 6, 8, …; 6, 9, ……

At the end will be left with the primes

Check if these primes divide your randomly generated number

If not, it is prime.

CS284-162/Spring07/GWU/Vora/RSA

Download Presentation

Connecting to Server..