
Advanced Cryptography: CSCI 297 / later 381

- Theory of secrecy: hard problems and crypto
- Elliptic curves
- Electronic Cash and Anonymous Credentials
- PRNGs
- Not much Cryptanalysis, Shannon secrecy

CS284/Spring04/GWU/Vora/RSA

Advanced Crypto: Grading

- HWs, presentations, class participation, project
- Half lecture, half seminar style course. Each student reads and presents about 3 papers during the course.


CS297: Electronic Voting

- Crypto, Security, Systems, Political requirements of e-voting
- Part lecture, part seminar, with project and participation through volunteering in 2004 election.
- Students can register only through instructor permission: instructor is Jonathan Stanton.


Projects?

- Presentations on:
- 27th April, Tuesday, 6:10-7:40 (make-up day) and
- 28th April, Wednesday, 6:10-7:40 (another make-up day)

- Presentations consist of 10 mins demos/presentations + 5 mins. questions
- Schedule will be given next week
- Make sure you have tested the PC in the room and loaded your software before class starts.


Project evaluations: 25%

- 5%: proposal (those who have not submitted should do so asap, their marks will be multiplied by 0.6, i.e. maximum mark will be 3%)
- 5% presentation
- 5% questions
- 5% if working demo (this goes for questions for theory projects)
- 5% how interesting/difficult it is


How does Alice send Bob the decryption key in private key crypto?

- If Alice wants it such that anyone can decrypt her messages, but know that they came from her
- Suppose she could make the decryption key available in a public place
- This would require that the decryption key should not give any information on the encryption key, in particular it should not be equal to it


How does Alice send Bob the decryption key in private key crypto? (contd.)

- If she wants it so that only Bob can read her messages, and Bob is ok with anyone sending him messages in this way
- Suppose Bob makes his encryption key available publicly
- No one should be able to compute the decryption key from the encryption key
- This is the dual of the previous case


Public Key Cryptography

Two injective functions f and g such that f ∘ g = I

i.e. messages encrypted with one can be decrypted with the other; functions include association with key

f cannot be used to find g and vice versa

One is made public, the other kept private

Encryption with public function provides confidential transmission, decryption with public function provides authentication


Consider: given c = f(m), f public.

- Should be decrypted only by the owner of this “public key”
- Is the secrecy of this encryption perfect? i.e. given infinite computing power, can someone find m?

PKC from another point of view

- f(m) is a one-way function, because f(m) is computationally easy, but finding m from f(m) should be difficult without the key
- However, finding m with the key, or on knowing g, should be easy too.
- f(m) is a one-way function with a trapdoor – the private key


Aside: Computational Complexity

- NP problems are those in which one can check a given solution in polynomial time
- An NP-complete problem is one which, if solved in polynomial time, can be used to solve all other NP problems in polynomial time.
- Thus, if an NP-complete problem is solved in polynomial-time, P (set of all problems solvable in polynomial time) = NP (set of all problems for which solutions can be checked in polynomial time)


Aside: Computational Complexity (contd.)

There are problems not known to have polynomial-time solutions which are also not known to be NP-complete: i.e. they are difficult, but perhaps not among the most difficult


Aside: different grades of difficulty

- If m can be found from f(m) in polynomial time, i.e. the number of operations required is a polynomial in the size of the input (the number of bits in the keys), f(m) is not one-way in the most popular computational model: probabilistic polynomial-time.
- If no polynomial-time algorithm for finding m from f(m) is publicly known, f(m) might be one-way, and might be usable for crypto


Aside: different grades of difficulty (contd.)

- If other very difficult problems (NP-complete problems) in computer science can be solved if m can be found from f(m), i.e. the problem is NP-hard, f(m) is most likely to be one-way.
- It is not known if one-way functions exist. They exist only if P ≠ NP


RSA: Cocks (’73), Rivest, Shamir, Adleman (’76)

n = pq, p and q (large) primes

P = C = Z_n

K = {(n, p, q, a, b) : ab ≡ 1 mod φ(n)}

f_K(m) = m^a mod n

g_K(m) = m^b mod n

Show that f_K and g_K are inverses


Need: Some group theory

What is a group?

- A set of elements G with
- An operation ∘ such that
- G is closed under the operation, i.e. if a, b ∈ G, so is a ∘ b
- The operation is associative, i.e. (a ∘ b) ∘ c = a ∘ (b ∘ c)
- An identity exists and is in G, i.e. ∃ e ∈ G s.t. e ∘ g = g ∘ e = g for all g ∈ G
- Every element has an inverse in G, i.e. ∀ g ∈ G ∃ g⁻¹ ∈ G s.t. g ∘ g⁻¹ = e


Multiplicative and additive groups

- The group operation can be addition or multiplication
- Consider Z_n
- Is it a multiplicative group? Additive?

Fact: Z_p* for prime p is cyclic, generated by a primitive element α:

{1, α, α², …, α^(p-1)}

Examples of Zn - multiplicative and additive groups, prime and composite n, primitive elements


Lagrange’s theorem on the order of a group element

Theorem: Suppose G is a multiplicative group of order n (i.e. the group operation is multiplication) and g ∈ G. Then the order of g divides n.

Example: multiplicative group. True also of additive groups. Example: additive group.


Lagrange’s theorem on the order of a group element - II

Proof: Consider the following relation:

a ~ b iff a·x^i = b for some i

~ is an equivalence relation because:

- a·x^(o(x)) = a (reflexive)
- If a ~ b then b = a·x^i and a = b·x^(-i), so b ~ a (symmetric)
- If a ~ b and b ~ c, then b = a·x^i and c = b·x^j = a·x^(i+j), so a ~ c (transitive)

Hence, the equivalence classes (cosets) of this relation partition the group and are of equal size.

Example: the relation for some x and composite n


Lagrange’s theorem on the order of a group element - III

Hence, the size of any coset divides the size of the group if it is finite.

{e, x¹, x², …, x^(o(x))} is a coset of size o(x), because any coset that contains x

= {a s.t. a·x^i = x for some i}

= {x^(1-i) for some i}

= {x^j for some j}

Hence o(x) | n

Example, composite n
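The slides leave the Z_n examples (units, orders, primitive elements, the coset of the relation above) to be worked by hand. The following is an added example, not part of the slides, that computes them for small moduli and checks Lagrange's theorem in both the multiplicative group Z_n* and the additive group Z_n; all function names are my own.

```python
# Added example (not from the slides): units of Z_n, element orders, Lagrange's
# theorem and primitive elements, for the small moduli the slides work by hand.
from math import gcd


def units(n):
    """Z_n^*: the residues mod n that have multiplicative inverses."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def mult_order(x, n):
    """Order o(x) of x in Z_n^*: smallest k >= 1 with x^k = 1 (mod n)."""
    assert gcd(x, n) == 1, "x must be a unit mod n"
    k, y = 1, x % n
    while y != 1:
        y = (y * x) % n
        k += 1
    return k


def additive_order(x, n):
    """Order of x in the additive group Z_n: smallest k >= 1 with k*x = 0 (mod n)."""
    return n // gcd(x, n)


def lagrange_holds(n):
    """Check o(x) | |Z_n^*| for every unit x, and o(x) | n for every x in (Z_n, +)."""
    u = units(n)
    mult_ok = all(len(u) % mult_order(x, n) == 0 for x in u)
    add_ok = all(n % additive_order(x, n) == 0 for x in range(n))
    return mult_ok and add_ok


def primitive_elements(n):
    """Generators of Z_n^*: units whose order equals |Z_n^*| (always exist for prime n,
    never for composite n such as 15 whose unit group is not cyclic)."""
    u = units(n)
    return [x for x in u if mult_order(x, n) == len(u)]


def cyclic_subgroup(x, n):
    """{1, x, x^2, ..., x^(o(x)-1)} mod n: the coset of the slides' relation that contains x."""
    return [pow(x, i, n) for i in range(mult_order(x, n))]


if __name__ == "__main__":
    for n in (7, 12, 15):
        print(n, units(n), primitive_elements(n), lagrange_holds(n))
```

For n = 7 the generators are 3 and 5, while for n = 15 the unit group has 8 elements but no element of order 8, so Z_15* is not cyclic even though Lagrange's theorem still holds.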


Back to RSA

f(g(x)) = x^(ba) mod n = x^(tφ(n)+1) mod n = x · x^(tφ(n)) mod n

= x mod n if x ∈ Z_n*

What if x ∈ Z_n \ Z_n*? Need much more math.


x^(tφ(n)) mod n = ?

Write Z_n = Z_p × Z_q

True by Chinese Remainder Theorem: there is exactly one number modulo xy which is ≡ b mod x and ≡ B mod y, if x and y are relatively prime.

x ↦ (x mod p, x mod q) = wlog (0, d) = (0, α^j), α a generator of Z_q*

x^(φ(n)) ↦ (0, α^(φ(n)·j)) = (0, 1), since (q-1) | φ(n)

x · x^(φ(n)) ↦ (0, 1)·(0, α^j) = x

CRT isomorphism examples, by hand, small composite n
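As an added example (not part of the slides) the CRT isomorphism is made concrete for a small composite n: both directions of the map Z_n ↔ Z_p × Z_q, a check that it respects multiplication, and the claim of the last two slides that x^(tφ(n)+1) ≡ x (mod n) holds for every x in Z_n, not only for units. The helper names are my own; `pow(q, -1, p)` is the standard-library modular inverse (Python 3.8+).

```python
# Added example (not from the slides): the CRT isomorphism Z_n ~ Z_p x Z_q for a small
# composite n, and the check that x^(t*phi(n)+1) = x (mod n) even when x is not a unit.
from math import gcd


def to_crt(x, p, q):
    """Image of x under Z_n -> Z_p x Z_q, n = pq."""
    return (x % p, x % q)


def from_crt(r_p, r_q, p, q):
    """Inverse map: the unique x mod pq with x = r_p (mod p), x = r_q (mod q).
    Standard CRT reconstruction; pow(.., -1, m) is a modular inverse."""
    assert gcd(p, q) == 1
    n = p * q
    e_p = q * pow(q, -1, p)   # e_p = 1 mod p, 0 mod q
    e_q = p * pow(p, -1, q)   # e_q = 0 mod p, 1 mod q
    return (r_p * e_p + r_q * e_q) % n


def crt_is_bijection(p, q):
    """Every x in Z_n round-trips, and the map respects multiplication componentwise."""
    n = p * q
    for x in range(n):
        if from_crt(*to_crt(x, p, q), p, q) != x:
            return False
    for x in range(n):
        for y in range(n):
            xp, xq = to_crt(x, p, q)
            yp, yq = to_crt(y, p, q)
            if to_crt((x * y) % n, p, q) != ((xp * yp) % p, (xq * yq) % q):
                return False
    return True


def non_units(p, q):
    """The x in Z_n with gcd(x, n) != 1: exactly those that are 0 mod p or 0 mod q."""
    n = p * q
    return [x for x in range(n) if gcd(x, n) != 1]


def rsa_roundtrip_all(p, q, t):
    """x^(t*phi(n)+1) = x (mod n) for every x in Z_n, non-units included.
    This is what the slides' componentwise (0, alpha^j) argument establishes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return all(pow(x, t * phi + 1, n) == x for x in range(n))


if __name__ == "__main__":
    print(to_crt(8, 3, 5), from_crt(2, 3, 3, 5))
    print(non_units(3, 5), rsa_roundtrip_all(3, 5, 2))
```

Running it for n = 15 shows the seven non-units 0, 3, 5, 6, 9, 10, 12 and confirms that the round trip still works for each of them.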


Back to RSA: Key generation

Find p and q (two large random primes)

n ← pq

φ(n) ← (p-1)(q-1)

Choose random a invertible mod φ(n) s.t. 1 < a < φ(n)

i.e. a s.t. gcd(a, φ(n)) = 1

Use Euclidean algorithm to find b = a⁻¹ mod φ(n)

Without p and q one cannot determine φ(n)

One key: (n, a), other key: (n, b); Example


Security of RSA: is it based on hardness of factoring n?

- It is not known if:
- factoring a product of two primes into its prime components is solvable in polynomial time
- factoring a product of two primes into its prime components is NP-complete
- there are other trapdoors to RSA, i.e. other ways of breaking it in general
- Factoring is an easy problem in the quantum computing model.


Computational Complexity

Computational complexity of the following operations on x (k bits) and y (l bits), k ≥ l:

- x + y
- x – y
- xy
- Floor(x/y): O(l(k-l))
- gcd(x, y): O(k³)


Euclidean Algorithm

gcd(m, n) /* m > n */

(a, b) := (m, n) /* Initialize */

while (b ≠ 0) (a, b) := (b, a – b*q) /* where q = ⌊a/b⌋ */

return(a)

Complexity?
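The following added example (my code, not from the slides) ties together the key-generation slide and the Euclidean algorithm above: the plain algorithm with its division count, the extended form that produces b = a⁻¹ mod φ(n), and a key-pair generator that checks g_K(f_K(m)) = m for every m in Z_n. The primes are tiny constructed values; the function names are my own.

```python
# Added example (not from the slides): the slides' Euclidean algorithm, its extended form
# (which yields a^-1 mod phi(n)), and the RSA key generation from the earlier slide.
# The primes and exponent below are tiny, constructed values for illustration only.
import random


def euclid_gcd(m, n):
    """gcd by repeated division, as in the slides: (a, b) := (b, a - b*q), q = floor(a/b).
    Returns (gcd, number of division steps)."""
    a, b = m, n
    steps = 0
    while b != 0:
        a, b = b, a - b * (a // b)   # a - b*q == a mod b
        steps += 1
    return a, steps


def extended_euclid(a, m):
    """Return (g, s, t) with s*a + t*m = g = gcd(a, m).  If g == 1, s is a^-1 mod m."""
    old_r, r = a, m
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_inverse(a, m):
    g, s, _ = extended_euclid(a, m)
    if g != 1:
        raise ValueError("a is not invertible mod m")
    return s % m


def rsa_keygen(p, q, rng):
    """Slides' key generation: n = pq, phi = (p-1)(q-1), random a with gcd(a, phi) = 1
    and 1 < a < phi, b = a^-1 mod phi.  Returns ((n, a), (n, b))."""
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        a = rng.randrange(2, phi)
        if euclid_gcd(a, phi)[0] == 1:   # a invertible mod phi
            break
    b = mod_inverse(a, phi)
    return (n, a), (n, b)


def rsa_apply(key, m):
    """f_K(m) = m^a mod n  or  g_K(m) = m^b mod n, depending on which key is passed."""
    n, e = key
    return pow(m, e, n)


def keygen_and_check(p, q, seed=1):
    """Generate a key pair (seeded, so the run is reproducible) and verify that
    g_K(f_K(m)) = m for every m in Z_n."""
    pub, priv = rsa_keygen(p, q, random.Random(seed))
    n = pub[0]
    ok = all(rsa_apply(priv, rsa_apply(pub, m)) == m for m in range(n))
    return pub, priv, ok


if __name__ == "__main__":
    print(euclid_gcd(1071, 462), mod_inverse(7, 40))
    print(keygen_and_check(61, 53))
```

The exhaustive check over all of Z_n is only feasible because n = 61·53 is tiny; it is there to exercise the non-unit case the CRT slide argues about, not as something one would do with real key sizes.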


Computational Complexity mod n

Computational complexity of the following operations mod n, where n is a k-bit integer:

- x + y
- x – y
- xy
- x⁻¹
- x^c, c < n: O(k² log c) = O(k³)


Efficient exponentiation (from Memon notes)

Usual approach to computing x^c mod n is inefficient when c is large.

Example: 5^51 involves 51 multiplications mod n

Instead, represent c as bit string b_(k-1) … b_0 and use the following algorithm:

z = 1

For i = k-1 downto 0 do

z = z² mod n

if b_i = 1 then z = z·x mod n

How many multiplications? At most 2⌈log₂ c⌉ (k squarings plus at most k multiplications by x)


Example

Calculate 5^51 mod 7 efficiently

51 = 110011₂ = 2⁵ + 2⁴ + 2¹ + 2⁰

5^51 = ((((5²)²)²)²)² · (((5²)²)²)² · 5² · 5¹

How many multiplications did you need?
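As an added example (not from the slides), the square-and-multiply loop of the previous slide, instrumented to count the squarings and multiplications it performs, next to the naive method, so the 5^51 mod 7 exercise can be checked against both. The function names are my own.

```python
# Added example (not from the slides): the left-to-right square-and-multiply loop from the
# previous slide, instrumented to count the modular multiplications it performs.


def square_and_multiply(x, c, n):
    """Compute x^c mod n by scanning the bits b_{k-1} ... b_0 of c.

    Returns (result, squarings, multiplications_by_x)."""
    bits = bin(c)[2:]                 # b_{k-1} ... b_0 as a string, k = len(bits)
    z, squarings, mults = 1, 0, 0
    for bit in bits:
        z = (z * z) % n               # z = z^2 mod n, once per bit
        squarings += 1
        if bit == "1":
            z = (z * x) % n           # z = z * x mod n, once per set bit
            mults += 1
    return z, squarings, mults


def naive_power(x, c, n):
    """The 'usual approach': start from x and multiply by x c-1 times.
    Returns (result, multiplications)."""
    z, mults = x % n, 0
    for _ in range(c - 1):
        z = (z * x) % n
        mults += 1
    return z, mults


def multiplication_bound(c):
    """The slides' bound: at most 2k modular multiplications, k the bit length of c."""
    return 2 * c.bit_length()


if __name__ == "__main__":
    print(square_and_multiply(5, 51, 7), naive_power(5, 51, 7), multiplication_bound(51))
```

The first squaring (1·1) is counted even though it is trivial, which is why the count is exactly k squarings plus one multiplication per set bit of c.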


5^51 mod 7

RSA: Computational complexity

- 512-bit primes, n ≈ 1024 bits
- Encryption: b³ where a plaintext character is b bits
- Decryption by brute force: 2^b · b³
- Key generation: Primes? O(b²), O(b³)


PRIME

- The book presents probabilistic algorithms for determining if a number is prime.
- Two years ago, undergraduate students and their adviser showed that determining if a number is prime can be done in deterministic polynomial time
- We will not discuss any of these in class.


A simple inefficient algorithm

- Generate a b-bit random number
- It is prime with probability ≈ 1/ln 2^b = 1/(b ln 2) = O(1/b)
- Generate enough candidates and one will be prime, in O(b) expected trials.
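An added example (not from the slides) of the sampling method above: it measures the density of b-bit primes exactly for a toy b and compares it with the 1/(b ln 2) estimate, then generates a random b-bit prime by repeated sampling and reports how many draws that took. The primality test is a fixed-base Miller-Rabin, which the slides defer to the book; its deterministic range and all function names are my assumptions.

```python
# Added example (not from the slides): prime density of b-bit integers versus the
# slides' 1/(b ln 2) estimate, and random prime generation by repeated sampling.
# Bit sizes here are toy values chosen so everything runs in well under a second.
import math
import random


def is_prime(n):
    """Miller-Rabin with fixed bases 2..17; this is deterministic (no false answers)
    for n < 3.4e14, which covers the toy sizes used here.  Larger n needs more bases."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17)
    for a in bases:
        if n == a:
            return True
        if n % a == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:                 # n - 1 = 2^r * d, d odd
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False              # a witnesses that n is composite
    return True


def prime_density(b):
    """Exact fraction of b-bit integers (2^(b-1) <= x < 2^b) that are prime."""
    lo, hi = 1 << (b - 1), 1 << b
    count = sum(1 for x in range(lo, hi) if is_prime(x))
    return count / (hi - lo)


def predicted_density(b):
    """The slides' estimate 1/ln(2^b) = 1/(b ln 2)."""
    return 1.0 / (b * math.log(2))


def random_prime(b, seed=0):
    """Sample random b-bit odd numbers until one is prime; return (prime, trials).
    Forcing the top bit keeps the candidate b bits long; forcing oddness halves the
    expected number of trials compared with the slides' plain estimate."""
    rng = random.Random(seed)
    trials = 0
    while True:
        trials += 1
        cand = rng.getrandbits(b) | (1 << (b - 1)) | 1
        if is_prime(cand):
            return cand, trials


def mean_trials(b, samples):
    """Average number of draws over several seeds; expected about b*ln(2)/2 for odd-only sampling."""
    return sum(random_prime(b, seed)[1] for seed in range(samples)) / samples


if __name__ == "__main__":
    print(prime_density(10), predicted_density(10))
    print(random_prime(32, 7), mean_trials(32, 200))
```

For b = 10 there are 75 primes among the 512 ten-bit integers (about 0.146), against the estimate 1/(10 ln 2) ≈ 0.144, so the O(1/b) density is already visible at toy sizes.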


Factoring: Pollard p-1 algorithm

- Suppose we know that, for p a prime dividing n, every prime power that divides p-1 is ≤ B
- Then (p-1) | B!
- Further: 2^(p-1) ≡ 1 (mod p) (Why?)
- Hence 2^(B!) (mod n) ≡ 2^(B!) (mod p) ≡ 1 (mod p)
- And p | 2^(B!) - 1
- Hence p | gcd(2^(B!) - 1, n), which divides n
- gcd(2^(B!) - 1, n) is a non-trivial factor of n


Pollard p-1 contd.

POLLARD p-1 FACTORING (n, B)

  a ← 2

  for j ← 2 to B

    a ← a^j mod n

  d ← gcd(a-1, n)

  if 1 < d < n

    return(d)

  else

    return(failure)


Example

Complexity: Pollard p-1

- B-1 modular exponentiations, each requiring (log n)² log B operations
- (log n)³ for the Euclidean algorithm
- If B is O(log n), polynomial, but probability of success low.
- For good RSA security, p-1 should not have small factors.
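The following added example (my code, not from the slides) covers the three Pollard p-1 slides together: the derivation's condition (p-1) | B!, the POLLARD p-1 FACTORING(n, B) procedure as written, and the key-generation check the last bullet calls for, which rejects a candidate prime whose p-1 has only small prime factors. The modulus 10379 = 97·107 is a constructed toy value: 96 = 2⁵·3 divides 8!, while 106 = 2·53 does not, so the method finds 97 for B = 8 and fails for B = 5. Function names are my own.

```python
# Added example (not from the slides): the slides' POLLARD p-1 FACTORING(n, B) procedure,
# together with the key-generation check it motivates: reject a candidate prime p when
# p-1 is B-smooth for a bound B that is cheap to reach.  All values are tiny, constructed ones.
from math import gcd


def pollard_p_minus_1(n, B):
    """Compute a = 2^(B!) mod n incrementally (a <- a^j mod n for j = 2..B), then
    d = gcd(a - 1, n).  Returns the non-trivial factor d, or None for the slides' 'failure'."""
    a = 2
    for j in range(2, B + 1):
        a = pow(a, j, n)
    d = gcd(a - 1, n)
    if 1 < d < n:
        return d
    return None


def p_minus_1_divides_factorial(p, B):
    """The condition the derivation relies on: (p - 1) | B!.  Computed as B! mod (p - 1)
    so that B! itself is never formed."""
    f = 1
    for j in range(2, B + 1):
        f = (f * j) % (p - 1)
    return f == 0


def largest_prime_factor(m):
    """Largest prime factor of m by trial division (m is small in this example)."""
    best, d = 1, 2
    while d * d <= m:
        while m % d == 0:
            best, m = d, m // d
        d += 1
    return max(best, m) if m > 1 else best


def safe_for_bound(p, B):
    """Key-generation check from the last bullet: accept p only if p-1 has a prime factor
    larger than B, which guarantees (p-1) does not divide B! for that bound."""
    return largest_prime_factor(p - 1) > B


if __name__ == "__main__":
    n = 97 * 107                      # constructed toy modulus
    for B in (5, 8):
        print(B, pollard_p_minus_1(n, B))
    for p in (97, 107):
        print(p, p_minus_1_divides_factorial(p, 8), safe_for_bound(p, 8))
```

With B = 8 the procedure returns 97 because 96 | 8! while 106 ∤ 8!, and `safe_for_bound` flags exactly the prime whose p-1 is smooth; in real key generation the bound would of course be far larger than 8, and the check is a sanity filter rather than a substitute for using large random primes.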

