1 / 34

RSA - PowerPoint PPT Presentation

Public Key Crypto RSA. RSA. CSCI284 Spring 2007 GWU Sections 5.1, 5.2.2, 5.3. How does Alice send Bob the decryption key in private key crypto?. If Alice wants it such that anyone can decrypt her messages, but know that they came from her

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

PowerPoint Slideshow about ' RSA' - abraham-taylor

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

RSA

CSCI284 Spring 2007

GWU

Sections 5.1, 5.2.2, 5.3

• If Alice wants it such that anyone can decrypt her messages, but know that they came from her

• Suppose she could make the decryption key available in a public place

• This would require that the decryption key should not give any information on the encryption key, in particular it should not be equal to it

CS284-162/Spring07/GWU/Vora/RSA

• If she wants it so that only Bob can read her messages, and Bob is ok with anyone sending him messages in this way

• Suppose Bob makes his encryption key available publicly

• No one should be able to compute the decryption key from the encryption key

• This is the dual of the previous case

CS284-162/Spring07/GWU/Vora/RSA

Public Key Cryptography crypto? contd

Two injective functions f and g such that fg=I

i.e. messages encrypted with one can be decrypted with the other; functions include association with key

f cannot be used to find g and vice versa

One is made public, the other kept private

Encryption with public function provides confidential transmission, decryption with public function provides authentication

CS284-162/Spring07/GWU/Vora/RSA

One-way function crypto? contd

A one-way function is easy in the forward direction, difficult in the reverse direction. Example:

f(x) = xa mod m

CS284-162/Spring07/GWU/Vora/RSA

Trapdoor One-way Function crypto? contd

A trapdoor one-way function is easy in the reverse direction for someone with access to a trapdoor (secret information enabling easy inversion).

Example: if f(x) = xa mod m where gcd(a, (m))= 1, and (m) = pq for primes p and q, knowledge of p or q is a trapdoor

CS284-162/Spring07/GWU/Vora/RSA

RSA crypto? contdCocks (’73), Rivest, Shamir, Adleman (’76)

n = pq, p and q (large) primes

P = C = Zn

K = {(n, p, q, a, b}: ab 1 mod (n)}

fK(m) = ma mod n

gK(m) = mb mod n

CS284-162/Spring07/GWU/Vora/RSA

Efficient exponentiation crypto? contd(from Memon notes)

Usual approach to computing xc mod n is inefficient when c is large.

Example: 551involves 50 multiplications mod n

Instead, represent c as bit string bk-1 … b0 and use the following algorithm:

z = 1

For i = k-1 downto 0 do

z = z2 mod n

if bi = 1 then z = z x mod n

How many multiplications? k = 2ceiling(log2c)

CS284-162/Spring07/GWU/Vora/RSA

Example crypto? contd

Calculate 551 mod 7 efficiently

51 = 110011 = 25 + 24 + 21 + 20

551 = ((((52)2)2)2)2 (((52)2)2)2 52 51

How many multiplications did you need?

CS284-162/Spring07/GWU/Vora/RSA

5 crypto? contd51 mod 7

CS284-162/Spring07/GWU/Vora/RSA

RSA: Key generation crypto? contd

Find p and q (two large random primes)

n pq

(n)  (p-1)(q-1)

Choose random a invertible mod (n) s.t 1 < a < (n)

i.e. a s.t gcd(a, (n)) = 1

Use Euclidean algorithm to find b=a-1mod (n)

Not known how to determine (n) without p and q

One key: (n, a) other key (n, b)

CS284-162/Spring07/GWU/Vora/RSA

Example crypto? contd

CS284-162/Spring07/GWU/Vora/RSA

A Trapdoor One-way Function? crypto? contd

• RSA encryption is believed to be a one-way function with the factorization of n as the trapdoor.

• It is not known if encryption really is one-way

• It is not known if there are other trapdoors

• However, for security, it is certainly required that it not be possible to factor n

CS284-162/Spring07/GWU/Vora/RSA

Security of RSA crypto? contdIs it based on hardness of factoring n?

• It is not known if:

• factoring a product of two primes into its prime components is

• solvable in polynomial time

• NP-complete

• there are other trapdoors to RSA, i.e. other ways of breaking it in general

• Factoring is an easy problem in the quantum computing model.

CS284-162/Spring07/GWU/Vora/RSA

Computational Complexity crypto? contd

Computational complexity of the following operations on x (k bit) and y (l bit), k l:

• x + y

• x – y

• xy

• Floor(x/y) O(l(k-l))

• gcd(x, y) O(k3)

CS284-162/Spring07/GWU/Vora/RSA

Computational Complexity mod n crypto? contd

Computational complexity of the following operations on mod n, where n is a k-bit integer:

• x + y

• x – y

• xy

• x-1

• xc c< n O(k2log c) = O(k3)

CS284-162/Spring07/GWU/Vora/RSA

RSA: Computational complexity crypto? contd

• 512 bit primes, n is 1024 bits

• Encryption: b3 where a plaintext character is b-bits

• Decryption by brute force: 2bb3

• Key generation: Primes? O(b2), O(b3)

CS284-162/Spring07/GWU/Vora/RSA

Encryption of blocks of symbols crypto? contd

Block ABCD…, each symbol is base N (e.g. N=2, 16)

Convert a block of a few symbols to an integer mod n

RSA encrypt

Convert back to base N

Example.

CS284-162/Spring07/GWU/Vora/RSA

RSA Decryption crypto? contd

Show that fK and gK are inverses

f(g(x))

= xba mod n

= xt(n)+1 mod n

= x xt (n) mod n

What do we do now?

CS284-162/Spring07/GWU/Vora/RSA

We will need crypto? contd

• Chinese Remainder Theorem (CRT)

• Lagrange’s Theorem

CS284-162/Spring07/GWU/Vora/RSA

CRT: Solve congruences crypto? contd

What is x?

17x  3 mod 101

5x  2 mod 7

CS284-162/Spring07/GWU/Vora/RSA

Chinese Remainder Theorem crypto? contd

There is exactly one number modulo xy which is bmodx and Bmody if x and y are relatively prime.

Proof: Suppose not. Then:

First number = ax + b = Ay + B

Second number = cx + b = Cy + B

(a-c)x = (A-C)y

• y | (a-c)x  y | (a-c) because x and y rel. prime

• a = my + c

• first number = mxy + cx + b = second number modulo xy

CS284-162/Spring07/GWU/Vora/RSA

Determine a number crypto? contdx given x = ai modmi for i = 1 … n

gcd(mi mj ) = 1 ij

Let M = i mi

And Mi = M/mi

Find yi such that yiMi = 1 mod mi

Then x = (I aiyiMi) mod M

Example.

CS284-162/Spring07/GWU/Vora/RSA

So we have shown that: crypto? contd

There is exactly one number that satisfies the congruences, and that it can be determined using the formula provided.

Define : ZM  Zm1  Zm2  ….  Zmr

(x) = (x mod m1 x mod m2 ...…x mod mr)

Example.

CRT is equivalent to saying that  is bijective (one-to-one, i.e. injective; and onto, i.e. surjective)

CS284-162/Spring07/GWU/Vora/RSA

Order of an element crypto? contd

Smallest number such that repeated group operation on the element gives the identity

That is, for any ggroup G with operation ○, i is the smallest number such that

o(g) = i  g○ g ○...○g = group identity

Example

{

i times

CS284-162/Spring07/GWU/Vora/RSA

Lagrange’s theorem on the order of a group element crypto? contd

Theorem: Suppose G is a multiplicative group of order n (i.e. the group operation is multiplication) and gG. Then the order of g divides n.

CS284-162/Spring07/GWU/Vora/RSA

Proof: Consider the following relation:

a  b iff axi = b for some i

• is an equivalence relation because:

• axo(x) = a

• If a  bthen b = axi and a = bx-i and b  a

• If a  b and b  c, then b = axi and c = bxj = axi+j and a  c

Hence, the cosets of this relation partition the group and are of equal size.

Example: the relation for some x and composite n

CS284-162/Spring07/GWU/Vora/RSA

Hence, the size of any coset divides the size of the group if it is finite

{e, x1, x2, …xo(x)} is a coset of size o(x)

Because any coset that contains x

= {a s.t axi = x  i}

= {a = x1-i  i}

= {xj  j }

Hence o(x) | n

Example, composite n

CS284-162/Spring07/GWU/Vora/RSA

Euler Phi function crypto? contd(number of invertible elements in Zm)

If m = pq,

1, 2, 3, …p, ..2p, ..3p, …qpq numbers divisible by p

1, 2, 3, …q, ..2q, ..3q, …pqp numbers divisible by q

pq only number counted twice. No other numbers.

• pq – p – q + 1 = (p-1)(q-1) invertible elements

CS284-162/Spring07/GWU/Vora/RSA

Can also show previous result using CRT crypto? contd

CS284-162/Spring07/GWU/Vora/RSA

RSA Decryption crypto? contd

Show that fK and gK are inverses

f(g(x))

= xba mod n

= xt(n)+1 mod n

= x xt (n) mod n

= x mod n if x Zn* (By Lagrange’s Theorem)

What if x  Zn\Zn*?

CS284-162/Spring07/GWU/Vora/RSA

x x crypto? contdt (n) mod n = ?

For x  Zn\Zn*

Write Zn = ZpX Zq

Use CRT:

x  (x mod p, x mod q)

= wlog (0, d) (because x  Zn\Zn*)

x(n) = (0, d(n)) = (0, 1)

x. x(n) = (0, 1) (0, d(n)) = x

CS284-162/Spring07/GWU/Vora/RSA

• Generate a b-bit random number

• It is prime with probability 1/ln 2b = 1/(ln2  b) = O(1/b)

• Generate enough and will be done, in O(b) complexity.

• How do you check if it is prime?

CS284-162/Spring07/GWU/Vora/RSA

Eratosthenes Sieve crypto? contd

If want a prime of length b bits, list the numbers 2 to 2b/2

Starting from the beginning, delete all multiples of each prime: delete 4, 6, 8, …; 6, 9, ……

At the end will be left with the primes

Check if these primes divide your randomly generated number

If not, it is prime.

CS284-162/Spring07/GWU/Vora/RSA